06-15-2009 08:43 AM - edited 03-06-2019 06:16 AM
Hi Experts,
I have one global NAT with IP 195.24.4.XX (I have a number of public IPs).
When I want to configure outside NAT for one private IP 10.246.6.XXX (SMTP server) with public IP 195.24.5.XX, every time it goes out through the global NATed IP only.
But I want the private IP 10.246.6.XXX to go through 195.24.5.XX only.
Can somebody help me please...
Regards,
Naidu.
06-15-2009 09:27 AM
Can you post the NAT configuration?
06-15-2009 09:57 AM
Here's a working example-
ip nat inside source list 25 interface Vlan2 overload
ip nat inside source static 192.168.10.5 10.1.2.72 extendable
access-list 25 permit any
Vlan1 192.168.20.1 YES manual up up
Vlan2 10.1.2.71 YES manual up up
NVI0 unassigned NO unset up up
Loopback0 192.168.10.5 YES manual up up
Router#ping 10.1.2.17 source lo0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.2.17, timeout is 2 seconds:
Packet sent with a source address of 192.168.10.5
*Sep 8 19:52:41.403: NAT: s=192.168.10.5->10.1.2.72, d=10.1.2.17 [50].
*Sep 8 19:52:43.403: NAT: s=192.168.10.5->10.1.2.72, d=10.1.2.17 [51].
Capture from Workstation
No. Time Source Destination Protocol QoS Info
8093 12:50:04.688002 10.1.2.72 10.1.2.17 ICMP 0 Echo (ping) request
Frame 8093 (114 bytes on wire, 114 bytes captured)
Arrival Time: Jun 15, 2009 12:50:04.688002000
[Time delta from previous captured frame: 0.000483000 seconds]
[Time delta from previous displayed frame: 0.000483000 seconds]
[Time since reference or first frame: 1.881112000 seconds]
Frame Number: 8093
Frame Length: 114 bytes
Capture Length: 114 bytes
[Frame is marked: False]
[Protocols in frame: eth:ip:icmp:data]
[Coloring Rule Name: ICMP]
[Coloring Rule String: icmp]
Ethernet II, Src: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c), Dst: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)
Destination: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)
Address: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Source: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c)
Address: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
Type: IP (0x0800)
Internet Protocol, Src: 10.1.2.72 (10.1.2.72), Dst: 10.1.2.17 (10.1.2.17)
Version: 4
Header length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..0. = ECN-Capable Transport (ECT): 0
.... ...0 = ECN-CE: 0
Total Length: 100
Identification: 0x0037 (55)
Flags: 0x00
0... = Reserved bit: Not set
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 255
Protocol: ICMP (0x01)
Header checksum: 0xa307 [correct]
[Good: True]
[Bad : False]
Source: 10.1.2.72 (10.1.2.72)
Destination: 10.1.2.17 (10.1.2.17)
Internet Control Message Protocol
Type: 8 (Echo (ping) request)
Code: 0 ()
Checksum: 0xad9c [correct]
Identifier: 0x000b
Sequence number: 0 (0x0000)
Data (72 bytes)
06-15-2009 09:43 PM
Hi Colin,
========================================
ip nat inside source list 25 interface Vlan2 overload
ip nat inside source static 192.168.10.5 10.1.2.72 extendable
access-list 25 permit any
Vlan1 192.168.20.1 YES manual up up
Vlan2 10.1.2.71 YES manual up up
NVI0 unassigned NO unset up up
Loopback0 192.168.10.5 YES manual up up
=========================================
As you said, we have to create an access-list (e.g. 25) first.
Can you give me an idea how to create the access-list for this task? (Please find the private SMTP server IP and public IP below.)
My present task is that the private SMTP server IP (10.246.4.65) needs to be NATed to 175.24.2.65.
And when a packet from the private SMTP server goes outside, it should go with the NATed IP 175.24.2.65 only.
We have one global NATed IP 175.24.4.66, and every time, whatever private IP is NATed goes out through this global NATed IP only. But in this scenario it should not be like that; it should go through only the particular NATed IP (175.24.2.65).
Thanks in advance.
Regards,
Naidu.
06-16-2009 05:24 AM
access-list 25 permit any
ip nat inside source list 25 interface [your outside interface] overload
ip nat inside source static 10.246.4.65 175.24.2.65 extendable
That should do it.
06-16-2009 08:16 PM
Hi Colin,
Thanks for your reply.
As you said access-list 25: do we not need to define any access-list before implementing (e.g. access-list 25)?
If we have to define access-list 25, please give me an idea how to define it for this particular scenario.
The private SMTP server IP: 10.246.4.65
The public IP for NAT: 175.24.2.65
Outside interface: Fa0/0
Inside interface: Fa0/1
Please help me....
Regards,
Naidu.
06-17-2009 05:40 AM
The ACL tells NAT what IPs to translate. This would be your internal network. It looks like it would be 10.246.4.0
06-18-2009 03:50 AM
Hi Colin,
If that works, then I think it should be defined like below:
access-list 25 deny 10.246.4.65 0.0.255.255 175.24.2.67 0.0.255.255 (global nated IP)
as whatever packet is going out through the global NATed IP 175.24.2.67.
I think if we deny it like the above statement, then it will not have any other option; the only option is the real NATed IP (175.24.2.65).
Please correct me if I am wrong.
Regards,
Naidu.
06-18-2009 05:24 AM
Denying it isn't necessary (won't hurt anything either). Since there is a specific NAT configured for the host, the router will use that NAT'd IP instead of the global IP.
06-18-2009 09:28 PM
Hi Colin,
That is my problem: the specific NAT is configured for the host, but the router was using the global NATed IP only instead of the specific NATed IP.
Regards,
Naidu.
06-19-2009 04:39 AM
Check my earlier post. I posted a working config and a packet capture verifying it works. You must have your NAT configuration configured differently.
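One way to verify from `debug ip nat` output that a host with a static entry only ever leaves as its static address, as discussed in this thread (an added example, not part of the original posts). The sample lines are constructed in the debug format shown in the earlier post, using the asker's addresses; the destination addresses and the function names are assumptions.

```python
import re
from collections import defaultdict

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Outbound source translation as printed by "debug ip nat" in the thread:
#   NAT: s=192.168.10.5->10.1.2.72, d=10.1.2.17 [50]
# "NAT*:" (fast-switched packets) is accepted too. Return traffic
# (s=..., d=outside->inside) has no "->" after s= and does not match.
SRC_XLATE = re.compile(rf"NAT\*?: s=({IP})->({IP}), d=({IP})")

def source_translations(debug_lines):
    """Map each inside source address to the set of addresses it left as."""
    seen = defaultdict(set)
    for line in debug_lines:
        m = SRC_XLATE.search(line)
        if m:
            seen[m.group(1)].add(m.group(2))
    return dict(seen)

def check_static_nat(debug_lines, expected):
    """expected: {inside_host: static_global_ip}.
    Returns {inside_host: set of wrong addresses}; a host that never
    appears in the debug output is reported with an empty set."""
    seen = source_translations(debug_lines)
    problems = {}
    for host, static_ip in expected.items():
        outs = seen.get(host)
        if outs is None:
            problems[host] = set()
        elif outs != {static_ip}:
            problems[host] = outs - {static_ip}
    return problems

# Constructed sample: the SMTP server leaves once via its static address
# and once via the overload (global) address, which is the reported symptom.
SAMPLE = [
    "*Jun 18 09:00:01.003: NAT: s=10.246.4.65->175.24.2.65, d=203.0.113.25 [101]",
    "*Jun 18 09:00:01.051: NAT*: s=203.0.113.25, d=175.24.2.65->10.246.4.65 [7]",
    "*Jun 18 09:00:02.410: NAT: s=10.246.4.20->175.24.4.66, d=203.0.113.80 [55]",
    "*Jun 18 09:00:03.127: NAT*: s=10.246.4.65->175.24.4.66, d=203.0.113.25 [102]",
]

if __name__ == "__main__":
    print(check_static_nat(SAMPLE, {"10.246.4.65": "175.24.2.65"}))
```

An empty result means every listed host was only seen leaving as its static address.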