Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7007
Views
15
Helpful
56
Replies

Static NAT issues

collinks2
Level 5
Level 5

‎01-21-2017 01:01 PM

Hello,

I am having issues with static NAT. I have public subnet that gives me 5 usuable addresses. I used one for my public interface on the Cisco router. I set up dynamic NAT with port overload and it's working very well.

However, I have an internal server which I want Internet users to access. I have configured static NAT use for this command :

Ip NAT inside source static 10.1.1.1 3.3.3.3 extendable  but I can't ping 10.1.1.1 from Internet. Can someone help?

Labels:
0 Helpful
56 Replies 56

Francesco Molino
VIP Alumni
VIP Alumni

‎01-21-2017 01:40 PM

Hi

Could you share your entire config by removing all confidential things?

If everything is configured correctly, it should work. 

You can do multiple things to troubleshoot and paste output right here in order that we can help you:

- traceroute from internet of your working public IP and not working public IP

- activating debug ip icmp on your router, try to ping from internet the non working public IP to see if packets are coming on the router

- Try to access internet from your internal host 10.1.1.1 and check what is the public IP seen on the internet

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

collinks2
Level 5
Level 5
In response to Francesco Molino

‎01-22-2017 07:29 AM

Hello,

Please see attached files. The public ip and private ip have been replace with fake ip

hope to read from you

Preview file
1 KB
Preview file
2 KB
Preview file
4 KB
Preview file
8 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to collinks2

‎01-22-2017 07:48 AM

Hi

Ok first of all, if you want to do static nat for 1 host with 1 specific IP, remote it from your pool:

ip nat pool PUBLIC-ADD 2.2.2.3  2.2.2.7 netmask 255.255.255.248

Then, as your machine is included in the global acl, I suggest to deny that machine and never hit that global rule:

ip access-list extended LAN-ADD
 deny ip host 10.108.13.11 any
 permit ip 10.108.13.0 0.0.0.255 any
 permit ip 10.108.15.0 0.0.0.255 any
 permit ip 10.108.14.0 0.0.0.255 any
 permit ip 172.16.17.0 0.0.0.255 any
 deny   ip 192.168.16.0 0.0.0.255 any
 permit ip any any

The rest seems to be ok. 

Test it otherwise I'll take a look in detail through a laptop as I'm on my iPhone right now.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

collinks2
Level 5
Level 5
In response to Francesco Molino

‎01-22-2017 08:51 AM

Hi, I have done that but it's still timing out. 2.2.2.2 is the public interface of the router. As I removed it from the pool, the Internet became slower. I think I should take another one. May be 2.2.2.7 while I end the pool with 2.2.2.6

0 Helpful

Georg Pauwen
VIP
VIP
In response to collinks2

‎01-22-2017 09:26 AM

Hello,

on a side note, your address pool 2.2.2.0/29 has hosts in the range from 2.2.2.1 through 2.2.2.6. You cannot use 2.2.2.7, this is the broadcast address.

Remove that address from the pool as well:

ip nat pool PUBLIC-ADD 2.2.2.1 2.2.2.6 netmask 255.255.255.248

0 Helpful

collinks2
Level 5
Level 5
In response to Georg Pauwen

‎01-22-2017 09:47 AM

Yes, I know I can't use it since it's broadcast address. My ip on the public interface of the router is 2.2.2.1/29.this ip is also my vpn gateway. Am having issues with the vpn gateway as am finding it difficult to connect.

But let's focus on resolving the static NAT issues first. I have denied the host 10.108.13.11 from the global all but the host  is still pinging the internet which is another challenge.

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to collinks2

‎01-22-2017 10:16 AM

OK if it is still pinging what ip nat you are seeing on the nat table translation?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

collinks2
Level 5
Level 5
In response to Francesco Molino

‎01-22-2017 10:29 AM

See the attachment file.

Preview file
2 KB
0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to collinks2

‎01-22-2017 10:34 AM

Does the ip 165.90.243.10 correspond to ip 2.2.2.2 you're mentioning in your example?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

collinks2
Level 5
Level 5
In response to Francesco Molino

‎01-22-2017 10:38 AM

Yes, it does and it has been excluded from the pool..

0 Helpful

Georg Pauwen
VIP
VIP
In response to collinks2

‎01-22-2017 10:58 AM

Hello,

since 2.2.2.2 is not a public address, what else is between your router and the Internet ? You mentioned a VPN gateway ?

0 Helpful

collinks2
Level 5
Level 5
In response to Georg Pauwen

‎01-22-2017 11:08 AM

2.2.2.2 corresponds to the public ip address 165.90.243.10. I decided to use 2.2.2.2 for security reasons. I am connected to the isp on 165.90.243.9

I configured ssl vpn on the Cisco router with the vpn gateway as 165.90.243.10.check the earlier attachment file (router. Config)

It baffles me a lot as static NAT is one of the simplest NAT configurations. There is no firewall or dmz

0 Helpful

Francesco Molino
VIP Alumni
VIP Alumni
In response to collinks2

‎01-22-2017 11:13 AM

I'm sorry but your nat is working and VPN not? Am i understanding good?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

collinks2
Level 5
Level 5
In response to Francesco Molino

‎01-22-2017 11:36 AM

Only the dynamic NAT/PAT overload is working very well. Static NAT is not working. Vpn is working only for Internet explorers but not for other Web browsers

0 Helpful
Customers Also Viewed These Support Documents