outside nat on router ---Urgent

ilnaiduccna
Level 1

Hi Experts,

I have one global NAT with IP 195.24.4.XX (I have a number of public IPs).

When I want to configure outside NAT for one private IP 10.246.6.XXX (SMTP server) with public IP 195.24.5.XX, every time it goes out through the global NATed IP only.

But I want the private IP 10.246.6.XXX to go out through 195.24.5.XX only.

Can somebody help me please...

Regards,

Naidu.

10 Replies

Collin Clark
VIP Alumni

Can you post the NAT configuration?

Here's a working example-

ip nat inside source list 25 interface Vlan2 overload

ip nat inside source static 192.168.10.5 10.1.2.72 extendable

access-list 25 permit any

Vlan1 192.168.20.1 YES manual up up

Vlan2 10.1.2.71 YES manual up up

NVI0 unassigned NO unset up up

Loopback0 192.168.10.5 YES manual up up

Router#ping 10.1.2.17 source lo0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.1.2.17, timeout is 2 seconds:

Packet sent with a source address of 192.168.10.5

*Sep 8 19:52:41.403: NAT: s=192.168.10.5->10.1.2.72, d=10.1.2.17 [50].

*Sep 8 19:52:43.403: NAT: s=192.168.10.5->10.1.2.72, d=10.1.2.17 [51].

Capture from Workstation

No. Time Source Destination Protocol QoS Info

8093 12:50:04.688002 10.1.2.72 10.1.2.17 ICMP 0 Echo (ping) request

Frame 8093 (114 bytes on wire, 114 bytes captured)

Arrival Time: Jun 15, 2009 12:50:04.688002000

[Time delta from previous captured frame: 0.000483000 seconds]

[Time delta from previous displayed frame: 0.000483000 seconds]

[Time since reference or first frame: 1.881112000 seconds]

Frame Number: 8093

Frame Length: 114 bytes

Capture Length: 114 bytes

[Frame is marked: False]

[Protocols in frame: eth:ip:icmp:data]

[Coloring Rule Name: ICMP]

[Coloring Rule String: icmp]

Ethernet II, Src: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c), Dst: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)

Destination: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)

Address: HewlettP_4d:a6:0c (00:19:bb:4d:a6:0c)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Source: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c)

Address: Cisco_c9:8e:8c (00:1b:90:c9:8e:8c)

.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)

Type: IP (0x0800)

Internet Protocol, Src: 10.1.2.72 (10.1.2.72), Dst: 10.1.2.17 (10.1.2.17)

Version: 4

Header length: 20 bytes

Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)

0000 00.. = Differentiated Services Codepoint: Default (0x00)

.... ..0. = ECN-Capable Transport (ECT): 0

.... ...0 = ECN-CE: 0

Total Length: 100

Identification: 0x0037 (55)

Flags: 0x00

0... = Reserved bit: Not set

.0.. = Don't fragment: Not set

..0. = More fragments: Not set

Fragment offset: 0

Time to live: 255

Protocol: ICMP (0x01)

Header checksum: 0xa307 [correct]

[Good: True]

[Bad : False]

Source: 10.1.2.72 (10.1.2.72)

Destination: 10.1.2.17 (10.1.2.17)

Internet Control Message Protocol

Type: 8 (Echo (ping) request)

Code: 0 ()

Checksum: 0xad9c [correct]

Identifier: 0x000b

Sequence number: 0 (0x0000)

Data (72 bytes)

0000 00 00 00 00 42 6a 8e 38 ab cd ab cd ab cd ab cd ....Bj.8........

0010 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0020 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0030 ab cd ab cd ab cd ab cd ab cd ab cd ab cd ab cd ................

0040 ab cd ab cd ab cd ab cd ........

Data: 00000000426A8E38ABCDABCDABCDABCDABCDABCDABCDABCD...

Hi Collin,

========================================

ip nat inside source list 25 interface Vlan2 overload

ip nat inside source static 192.168.10.5 10.1.2.72 extendable

access-list 25 permit any

Vlan1 192.168.20.1 YES manual up up

Vlan2 10.1.2.71 YES manual up up

NVI0 unassigned NO unset up up

Loopback0 192.168.10.5 YES manual up up

=========================================

As you said, we have to create an access-list (e.g. 25) first.

Can you give me an idea of how to create the access-list for this task? (Please find the private SMTP server IP and public IP below.)

My present task is that the private SMTP server IP (10.246.4.65) needs to be NATed to 175.24.2.65.

And when a packet from the private SMTP server goes outside, it should go with the NATed IP 175.24.2.65 only.

We have one global NATed IP 175.24.4.66, and every time, whatever the private NATed IP, traffic goes through this global NATed IP only. But in this scenario it should not be like that; it should go through only the particular NATed IP (175.24.2.65).

Thanks in advance.

Regards,

Naidu.

access-list 25 permit any

ip nat inside source list 25 interface [your outside interface] overload

ip nat inside source static 10.246.4.65 175.24.2.65 extendable

That should do it.

Hi Collin,

Thanks for your reply.

As you said access-list 25, do we not need to define any access-list before implementing (e.g. access-list 25)?

If we have to define access-list 25, please give me an idea of how to define it for this particular scenario.

The private SMTP server IP: 10.246.4.65

The public IP for NAT: 175.24.2.65

Outside interface: Fa0/0

Inside interface: Fa0/1

Please help me....

Regards,

Naidu.

The ACL tells NAT what IPs to translate. This would be your internal network. It looks like it would be 10.246.4.0

Hi Collin,

If it would work, then I think to define it like below:

access-list 25 deny 10.246.4.65 0.0.255.255 175.24.2.67 0.0.255.255 (global nated IP)

as whatever packet is going out through the global NATed IP 175.24.2.67

I think if we deny as in the above statement then it will not have any option; the only option is the real NATed IP (175.24.2.65).

Please correct me if I am wrong.

Regards,

Naidu.

Denying it isn't necessary (won't hurt anything either). Since there is a specific NAT configured for the host, the router will use that NAT'd IP instead of the global IP.

Hi Collin,

That is my problem: the specific NAT is configured for the host, but the router was using the global NATed IP only instead of the specific NATed IP.

Regards,

Naidu.

Check my earlier post. I posted a working config and a packet capture verifying it works. You must have your NAT configuration configured differently.
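
Added example, not part of any post in this thread: a small Python check that reads a running-config excerpt and reports which NAT rule would supply the source address for a given inside host, following the behaviour described above (a host-specific static entry is used instead of the overload rule). The config text is constructed from the addresses and interface names given in the thread, the ACL wildcard is an assumption, and the function names are hypothetical. The model is simplified: it handles only plain static entries and standard ACL entries of the form `any`, `A` or `A W`.

```python
import ipaddress
# Constructed running-config excerpt (addresses/interfaces from the thread; wildcard assumed).
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip nat inside
ip nat inside source list 25 interface FastEthernet0/0 overload
ip nat inside source static 10.246.4.65 175.24.2.65 extendable
access-list 25 permit 10.246.4.0 0.0.0.255
"""

def parse_nat(config):
    """Collect interface NAT roles, plain static entries, overload rules, standard ACLs."""
    nat, iface = {"roles": {}, "static": {}, "overload": [], "acls": {}}, None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            iface = w[1]
        elif line.startswith(" ") and w[:2] == ["ip", "nat"] and len(w) == 3:
            nat["roles"][iface] = w[2]                 # "inside" or "outside"
        elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
            nat["static"][w[5]] = w[6]                 # inside local -> inside global
        elif w[:5] == ["ip", "nat", "inside", "source", "list"] and w[-1] == "overload":
            nat["overload"].append((w[5], w[7]))       # (ACL number, egress interface)
        elif w[:1] == ["access-list"] and w[2] in ("permit", "deny"):
            nat["acls"].setdefault(w[1], []).append(w[2:])
    return nat

def acl_permits(entries, host):
    """First-match evaluation of a standard ACL, with the implicit deny at the end."""
    ip = int(ipaddress.ip_address(host))
    for action, addr, *wild in entries:
        mask = int(ipaddress.ip_address(wild[0])) if wild else 0   # wildcard = don't-care bits
        if addr == "any" or (ip | mask) == (int(ipaddress.ip_address(addr)) | mask):
            return action == "permit"
    return False

def egress_source(config, host):
    """Return (kind, detail): which rule would translate traffic from an inside host."""
    nat = parse_nat(config)
    if not {"inside", "outside"} <= set(nat["roles"].values()):
        return ("untranslated", "ip nat inside/outside missing on an interface")
    if host in nat["static"]:
        return ("static", nat["static"][host])         # host-specific entry wins
    for acl, iface in nat["overload"]:
        if acl_permits(nat["acls"].get(acl, []), host):
            return ("overload", iface)                 # falls back to the shared address
    return ("untranslated", "no NAT rule matches")
```

On the router itself, `show ip nat translations` and the `debug ip nat` output quoted earlier in the thread show which translation is actually in use.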
