07-29-2009 07:50 AM - edited 03-06-2019 07:00 AM
My static NAT configuration is somehow conflicting with my dynamic NAT configuration. Am I doing something wrong?
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
ip nat inside source static tcp 192.168.126.4 20 xx.xx.xx.19 20 extendable
ip nat inside source static tcp 192.168.126.5 25 xx.xx.xx.19 25 extendable
ip nat inside source static tcp 192.168.126.5 80 xx.xx.xx.19 80 extendable
ip nat inside source static tcp 192.168.126.5 443 xx.xx.xx.19 443 extendable
ip nat inside source static tcp 192.168.126.7 3101 xx.xx.xx.19 3101 extendable
ip nat inside source static tcp 192.168.126.4 3389 xx.xx.xx.19 3389 extendable
ip nat inside source static tcp 192.168.126.7 5901 xx.xx.xx.19 5901 extendable
ip nat inside source static tcp 192.168.126.20 25 xx.xx.xx.20 25 extendable
ip nat inside source static tcp 192.168.126.20 80 xx.xx.xx.20 80 extendable
interface GigabitEthernet0/0
description Outside Interface
ip address xx.xx.xx.18 255.255.255.248
ip access-group Incoming in
ip access-group Outgoing out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip mroute-cache
duplex auto
speed auto
ntp disable
no cdp enable
hold-queue 32 in
hold-queue 100 out
07-29-2009 10:23 AM
Hello Riley,
I would rewrite the ACL that decides dynamic NAT with explicit denies for the hosts that are statically NATted.
Something like:
access-list 1 deny host 192.168.126.4
access-list 1 deny host 192.168.126.5
access-list 1 deny host 192.168.126.7
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
to be sure that there won't be any possible conflicts.
Hope this helps,
Giuseppe
07-29-2009 01:42 PM
Thanks for the help.
I tried modifying the access list as you suggested but ran into problems. The host at 192.168.126.4 is my DNS server and the updates prevented it from forwarding queries to external DNS servers. I think I am running into problems because I don't know the general rules for configuring dynamic NAT to accommodate client PCs and static NAT to accommodate servers at the same time. From the issues I am having it seems there are general rules for dividing the two classes of hosts which I just don't know. My external interface has a .18 address which all my client PCs get NAT'ed through, and then I have static NAT entries NAT'ing to .19 and .20 for internal services such as DNS, SMTP, HTTP etc. I thought that would divide the two; however certain 'things' conflict, such as XBOX Live connections. If I remove my static NAT entries then I can connect to XBOX Live.
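Added illustration (not from the thread and not Cisco code): a small Python model of the inside-source translation lookup, written to show why the deny entries Giuseppe suggested stop the DNS server's outbound queries as Riley reports. It assumes the IOS order of operations, static entries are consulted first, then the dynamic NAT ACL, and a packet that matches neither is forwarded with its private source address unchanged. The public addresses 203.0.113.x stand in for the redacted xx.xx.xx.x ones, and the UDP source port and client addresses are constructed sample values.

```python
"""Simplified model of IOS inside-source NAT lookup (added illustration, not Cisco code).

Assumed IOS behaviour: for a packet from an inside host, a static entry that
matches the inside address, protocol and port is used first; otherwise the
source address is checked against the dynamic NAT ACL and, if permitted,
translated to the outside interface address (overload/PAT); a packet that
matches neither rule is forwarded with its private source address unchanged,
so the reply never comes back.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Public addresses 203.0.113.x stand in for the redacted xx.xx.xx.x ones.
OUTSIDE_IF = "203.0.113.18"


@dataclass(frozen=True)
class StaticPortEntry:
    """One 'ip nat inside source static <proto> <in_ip> <in_port> <out_ip> <out_port> extendable' line."""
    proto: str
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


# The static entries from the original post, with placeholder public addresses.
STATICS: List[StaticPortEntry] = [
    StaticPortEntry("tcp", "192.168.126.4", 20, "203.0.113.19", 20),
    StaticPortEntry("tcp", "192.168.126.5", 25, "203.0.113.19", 25),
    StaticPortEntry("tcp", "192.168.126.5", 80, "203.0.113.19", 80),
    StaticPortEntry("tcp", "192.168.126.5", 443, "203.0.113.19", 443),
    StaticPortEntry("tcp", "192.168.126.7", 3101, "203.0.113.19", 3101),
    StaticPortEntry("tcp", "192.168.126.4", 3389, "203.0.113.19", 3389),
    StaticPortEntry("tcp", "192.168.126.7", 5901, "203.0.113.19", 5901),
    StaticPortEntry("tcp", "192.168.126.20", 25, "203.0.113.20", 25),
    StaticPortEntry("tcp", "192.168.126.20", 80, "203.0.113.20", 80),
]

# access-list 1 as posted: ordered (action, prefix) entries, implicit deny at the end.
ORIGINAL_ACL = [
    ("permit", "192.168.126.0/24"),
    ("permit", "10.18.0.0/16"),
]

# access-list 1 as Giuseppe suggested.
DENY_ACL = [
    ("deny", "192.168.126.4/32"),
    ("deny", "192.168.126.5/32"),
    ("deny", "192.168.126.7/32"),
    ("permit", "192.168.126.0/24"),
    ("permit", "10.18.0.0/16"),
]


def acl_permits(acl, src_ip: str) -> bool:
    """First matching entry wins; no match means the implicit deny."""
    addr = ip_address(src_ip)
    for action, prefix in acl:
        if addr in ip_network(prefix):
            return action == "permit"
    return False


def translate_outbound(src_ip: str, proto: str, src_port: int, acl) -> Optional[Tuple[str, int]]:
    """Return the (outside_ip, outside_port) an inside-to-outside packet gets, or None if untranslated."""
    # Static port entries are consulted before the dynamic ACL.
    for entry in STATICS:
        if (entry.inside_ip, entry.proto, entry.inside_port) == (src_ip, proto, src_port):
            return (entry.outside_ip, entry.outside_port)
    if acl_permits(acl, src_ip):
        # Overload keeps the source port when it is free; port reuse is not modelled.
        return (OUTSIDE_IF, src_port)
    return None


def dns_forwarder_query(acl) -> Optional[Tuple[str, int]]:
    """Constructed sample: the DNS server 192.168.126.4 forwarding a query to an
    external resolver from an ephemeral UDP source port (no static entry covers it)."""
    return translate_outbound("192.168.126.4", "udp", 40321, acl)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with denies", DENY_ACL)):
        print(f"{name:12s} DNS server outbound query -> {dns_forwarder_query(acl)}")
        print(f"{name:12s} RDP reply from .4:3389    -> {translate_outbound('192.168.126.4', 'tcp', 3389, acl)}")
        print(f"{name:12s} client .50 browsing       -> {translate_outbound('192.168.126.50', 'tcp', 51000, acl)}")
```

Running the model shows the caveat behind Giuseppe's approach: a deny in the dynamic NAT ACL is only safe for a host whose every outbound flow is covered by a static entry. The port-level statics here cover the published services (replies from .4:3389, .5:25 and so on still map to .19), but an outbound connection the server itself opens, such as the DNS forwarder's query from an ephemeral UDP port, matches no static entry and, once the host is denied in ACL 1, leaves the router untranslated. The model does not explain the XBOX Live conflict Riley mentions; it only separates the two classes of flow the thread is discussing.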