Static/Dynamic NAT Conflict

Unanswered Question
Jul 29th, 2009

My static NAT configuration is somehow conflicting with my dynamic NAT configuration. Am I doing something wrong?

ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.126.4 20 xx.xx.xx.19 20 extendable
ip nat inside source static tcp 192.168.126.5 25 xx.xx.xx.19 25 extendable
ip nat inside source static tcp 192.168.126.5 80 xx.xx.xx.19 80 extendable
ip nat inside source static tcp 192.168.126.5 443 xx.xx.xx.19 443 extendable
ip nat inside source static tcp 192.168.126.7 3101 xx.xx.xx.19 3101 extendable
ip nat inside source static tcp 192.168.126.4 3389 xx.xx.xx.19 3389 extendable
ip nat inside source static tcp 192.168.126.7 5901 xx.xx.xx.19 5901 extendable
ip nat inside source static tcp 192.168.126.20 25 xx.xx.xx.20 25 extendable
ip nat inside source static tcp 192.168.126.20 80 xx.xx.xx.20 80 extendable

interface GigabitEthernet0/0
 description Outside Interface
 ip address xx.xx.xx.18 255.255.255.248
 ip access-group Incoming in
 ip access-group Outgoing out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip mroute-cache
 duplex auto
 speed auto
 ntp disable
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out

Giuseppe Larosa Wed, 07/29/2009 - 10:23

Hello Riley,

I would rewrite the ACL for deciding dynamic NAT with explicit denies for the hosts that are statically natted.

Something like:

access-list 1 deny host 192.168.126.4
access-list 1 deny host 192.168.126.5
access-list 1 deny host 192.168.126.7
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255

to be sure that there won't be possible conflicts.

Hope to help

Giuseppe
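One way to audit a config for the overlap this reply describes, as an added example that is not part of the original thread or of any Cisco tooling: the script parses the dynamic NAT source list, its standard ACL entries and the static translations, applies the ACL's first-match semantics to each statically translated inside host, and reports the hosts still swept into the dynamic PAT pool. The sample config is constructed from this thread, with documentation-range addresses standing in for the masked public ones.

```python
import ipaddress
import re
# Constructed sample modelled on this thread's config; 203.0.113.x stands in for the masked public addresses.
SAMPLE_CONFIG = """
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 192.168.126.0 0.0.0.255
access-list 1 permit 10.18.0.0 0.0.255.255
ip nat inside source static tcp 192.168.126.4 20 203.0.113.19 20 extendable
ip nat inside source static tcp 192.168.126.5 25 203.0.113.19 25 extendable
ip nat inside source static tcp 192.168.126.7 3101 203.0.113.19 3101 extendable
ip nat inside source static tcp 192.168.126.20 25 203.0.113.20 25 extendable
"""
# The same sample with the explicit denies suggested in the reply above placed ahead of the permit.
DENIES = "".join(f"access-list 1 deny host 192.168.126.{h}\n" for h in (4, 5, 7))
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-list 1 permit", DENIES + "access-list 1 permit", 1)
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.+)$")
STATIC_RE = re.compile(r"^ip nat inside source static\s+(?:(?:tcp|udp)\s+)?(\S+)\s")
DYN_RE = re.compile(r"^ip nat inside source list\s+(\S+)\s")

def parse_acl_source(spec):
    """Turn a standard-ACL source ('host A', 'any', 'A WILDCARD', bare 'A') into an IPv4 network."""
    parts = spec.split()
    if parts[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if parts[0] == "host" or len(parts) == 1:
        return ipaddress.ip_network(parts[-1] + "/32")
    # IOS wildcard bits mean "don't care"; invert to a netmask so that wildcard 0.0.0.0 is a single host
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(parts[1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{parts[0]}/{mask}", strict=False)

def static_hosts_in_dynamic_acl(config):
    """Return the statically NATted inside hosts that the dynamic NAT ACL still permits."""
    acls, statics, dyn_lists = {}, set(), set()
    for raw in config.strip().splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.setdefault(m.group(1), []).append((m.group(2), parse_acl_source(m.group(3))))
        elif m := STATIC_RE.match(line):
            statics.add(ipaddress.ip_address(m.group(1)))
        elif m := DYN_RE.match(line):
            dyn_lists.add(m.group(1))
    hits = set()
    for host in statics:
        for name in dyn_lists:
            # first-match: the first entry covering the host decides; no covering entry is the implicit deny
            verdict = next((act for act, net in acls.get(name, []) if host in net), "deny")
            if verdict == "permit":
                hits.add(str(host))
    return sorted(hits, key=ipaddress.ip_address)
```

Against the original list it flags all four statically translated hosts; with the three deny entries from the reply inserted, 192.168.126.20 is still reported, so the deny list needs one entry per statically translated host.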

rileymartin Wed, 07/29/2009 - 13:42

Thanks for the help.

I tried modifying the access list as you suggested but ran into problems. The host at 192.168.126.4 is my DNS server and the updates prevented it from forwarding queries to external DNS servers. I think I am running into problems because I don't know general rules for configuring dynamic NAT to accommodate client PCs and static NAT to accommodate servers at the same time. From the issues I am having it seems there are general rules for dividing the two classes of hosts which I just don't know. My external interface has a .18 address which all my client PCs get NAT'ed through and then I have static NAT entries NAT'ing to .19 and .20 for internal services such as DNS, SMTP, HTTP etc. I thought that would divide the two; however certain 'things' conflict, such as XBOX Live connections. If I remove my static NAT entries then I can connect to XBOX Live.
