Static NAT issues

collinks2
Contributor

Hello,

I am having issues with static NAT. I have a public subnet that gives me 5 usable addresses. I used one for my public interface on the Cisco router. I set up dynamic NAT with port overload and it's working very well.

However, I have an internal server which I want Internet users to access. I have configured static NAT using this command:

ip nat inside source static 10.1.1.1 3.3.3.3 extendable

but I can't ping 10.1.1.1 from the Internet. Can someone help?


Hi

Could you share your entire config by removing all confidential things?

If everything is configured correctly, it should work. 

You can do multiple things to troubleshoot and paste output right here in order that we can help you:

- traceroute from internet of your working public IP and not working public IP

- activating debug ip icmp on your router, try to ping from internet the non working public IP to see if packets are coming on the router

- Try to access internet from your internal host 10.1.1.1 and check what is the public IP seen on the internet

thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hello,

Please see the attached files. The public IP and private IP have been replaced with fake IPs.

Hope to read from you.

Hi

OK, first of all, if you want to do static NAT for 1 host with 1 specific IP, remove it from your pool:

ip nat pool PUBLIC-ADD 2.2.2.3  2.2.2.7 netmask 255.255.255.248

Then, as your machine is included in the global acl, I suggest to deny that machine and never hit that global rule:

ip access-list extended LAN-ADD
 deny ip host 10.108.13.11 any
 permit ip 10.108.13.0 0.0.0.255 any
 permit ip 10.108.15.0 0.0.0.255 any
 permit ip 10.108.14.0 0.0.0.255 any
 permit ip 172.16.17.0 0.0.0.255 any
 deny ip 192.168.16.0 0.0.0.255 any
 permit ip any any

The rest seems to be ok. 

Test it otherwise I'll take a look in detail through a laptop as I'm on my iPhone right now.

Thanks

PS: Please don't forget to rate and mark as correct answer if this answered your question.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi, I have done that but it's still timing out. 2.2.2.2 is the public interface of the router. As I removed it from the pool, the Internet became slower. I think I should take another one. Maybe 2.2.2.7, while I end the pool with 2.2.2.6.

Hello,

on a side note, your address pool 2.2.2.0/29 has hosts in the range from 2.2.2.1 through 2.2.2.6. You cannot use 2.2.2.7, this is the broadcast address.

Remove that address from the pool as well:

ip nat pool PUBLIC-ADD 2.2.2.1 2.2.2.6 netmask 255.255.255.248
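
An added example, not part of any post in this thread: a small Python check for the two pool problems raised in the replies above, namely a static NAT global address that also sits inside the dynamic pool, and a pool range that covers the subnet's network or broadcast address. The sample configuration is constructed from the thread's placeholder addresses, and `audit_nat` and its finding names are hypothetical.

```python
import ipaddress
import re

# Constructed sample config (placeholder addresses as used in this thread).
SAMPLE_CONFIG = """\
ip nat pool PUBLIC-ADD 2.2.2.2  2.2.2.7 netmask 255.255.255.248
ip nat inside source list LAN-ADD pool PUBLIC-ADD overload
ip nat inside source static 10.108.13.11 2.2.2.2 extendable
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
POOL_RE = re.compile(
    rf"^ip nat pool (\S+)\s+{IPV4}\s+{IPV4}\s+netmask\s+{IPV4}", re.M | re.I)
# Only one-to-one static entries are matched; port-based forms are skipped.
STATIC_RE = re.compile(
    rf"^ip nat inside source static\s+{IPV4}\s+{IPV4}", re.M | re.I)


def audit_nat(config):
    """Return (finding, pool_name, address) tuples for pool conflicts."""
    findings = []
    static_globals = [ipaddress.ip_address(g)
                      for _local, g in STATIC_RE.findall(config)]
    for name, start, end, mask in POOL_RE.findall(config):
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        # Derive the subnet from the pool start address and its netmask.
        net = ipaddress.ip_network(f"{start}/{mask}", strict=False)
        for label, addr in (("network", net.network_address),
                            ("broadcast", net.broadcast_address)):
            if first <= addr <= last:
                findings.append((f"pool-includes-{label}", name, str(addr)))
        for g in static_globals:
            if first <= g <= last:
                findings.append(("static-global-in-pool", name, str(g)))
    return findings


if __name__ == "__main__":
    for finding in audit_nat(SAMPLE_CONFIG):
        print(*finding)
```
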

Yes, I know I can't use it since it's the broadcast address. My IP on the public interface of the router is 2.2.2.1/29. This IP is also my VPN gateway. I am having issues with the VPN gateway as I am finding it difficult to connect.

But let's focus on resolving the static NAT issues first. I have denied the host 10.108.13.11 from the global ACL but the host is still pinging the Internet, which is another challenge.

OK, if it is still pinging, what NAT IP are you seeing in the NAT translation table?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

See the attachment file.

Does the IP 165.90.243.10 correspond to the IP 2.2.2.2 you're mentioning in your example?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, it does and it has been excluded from the pool.

Hello,

since 2.2.2.2 is not a public address, what else is between your router and the Internet? You mentioned a VPN gateway?

2.2.2.2 corresponds to the public IP address 165.90.243.10. I decided to use 2.2.2.2 for security reasons. I am connected to the ISP on 165.90.243.9.

I configured SSL VPN on the Cisco router with the VPN gateway as 165.90.243.10. Check the earlier attachment file (router. Config).

It baffles me a lot as static NAT is one of the simplest NAT configurations. There is no firewall or DMZ.

I'm sorry, but your NAT is working and the VPN is not? Am I understanding correctly?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Only the dynamic NAT/PAT overload is working very well. Static NAT is not working. VPN is working only for Internet Explorer but not for other web browsers.