03-23-2012 10:59 PM - edited 03-07-2019 05:45 AM
Hi dears.
I configured dual ISP on the router. As you can see in my configuration, I have two subnets: 192.168.20.0 and 192.168.10.0.
I do dynamic NAT for those subnets, and they back each other up. All of that is working perfectly; dynamic NAT is working perfectly.
I also have one static NAT for my mail server (192.168.10.7). I did the static NAT, but a problem occurs.
When I want to access a site I cannot access it, and when I ping 4.2.2.2 from the mail server I get no reply.
But I see this in my NAT translations:
Pro  Inside global        Inside local          Outside local        Outside global
icmp 81.21.95.12:512      192.168.10.7:512      4.2.2.2:512          4.2.2.2:512
tcp  81.21.95.12:4479     192.168.10.7:4479     64.191.223.35:80     64.191.223.35:80
tcp  81.21.95.12:4481     192.168.10.7:4481     64.191.223.35:80     64.191.223.35:80
tcp  81.21.95.12:4482     192.168.10.7:4482     64.191.223.35:80     64.191.223.35:80
tcp  81.21.95.12:4483     192.168.10.7:4483     208.50.223.240:80    208.50.223.240:80
tcp  81.21.95.12:4484     192.168.10.7:4484     208.50.223.240:80    208.50.223.240:80
tcp  81.21.95.12:4485     192.168.10.7:4485     208.50.223.240:80    208.50.223.240:80
udp  81.21.95.10:50462    192.168.10.86:50462   8.8.8.8:53           8.8.8.8:53
This is my PC's IP, 192.168.10.86. When I ping from my PC, this is the result:
*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->81.x.x.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=81.x.x.10->192.168.10.86 [10039]
This is my mail server's result:
*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->81.x.x.12, d=4.2.2.2 [3696]
No return NAT translation.
What is the problem? What must I change in my configuration?
Configuration:
Primary#show run
Building configuration...
Current configuration : 4303 bytes
!
! Last configuration change at 11:48:43 UTC Thu Mar 22 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1516C6A4
!
!
username teymur password 0 cisco
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
delay down 15 up 10
!
track 3 ip sla 2 reachability
delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.116
description connected to ISP1
encapsulation dot1Q 116
ip address 81.x.x.10 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.859
description connected to ISP2
encapsulation dot1Q 859
ip address 85.x.x.114 255.255.255.240
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1
description INSIDE
ip address 172.25.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map Classify
duplex auto
speed auto
standby 1 ip 172.25.10.3
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 81.21.95.12 route-map MAIL-Server
ip route 0.0.0.0 0.0.0.0 81.x.x.9
ip route 0.0.0.0 0.0.0.0 85.x.x.113
ip route 192.168.20.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
icmp-echo 81.x.x.9 source-interface GigabitEthernet0/0.116
timeout 1000
threshold 1000
frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 85.x.x.113 source-interface GigabitEthernet0/0.859
timeout 1000
threshold 1000
frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip host 192.168.20.10 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.16.0 0.0.7.255 any
access-list 105 permit ip host 192.168.10.7 any
!
!
!
!
route-map MAIL-Server permit 10
match ip address 105
match interface GigabitEthernet0/0.116
!
!
route-map Classify permit 10
match ip address 103
set ip next-hop verify-availability 81.x.x.9 1 track 2
set ip next-hop verify-availability 85.x.x.113 2 track 3
!
route-map Classify permit 20
match ip address 104
set ip next-hop verify-availability 85.x.x.113 1 track 3
set ip next-hop verify-availability 81.x.x.9 2 track 2
!
route-map ISP2 permit 20
match ip address 102 101
match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
match ip address 101 102
match interface GigabitEthernet0/0.116
!
!
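The diagnosis above was made by eye: the PC's outbound translation is followed by a translated reply, the mail server's is not. The following script is an added example, not part of the original post, that automates that comparison over `debug ip nat` output. The sample lines are constructed for the example, with 192.0.2.10 and 192.0.2.12 standing in for the ISP1 addresses the poster masked as 81.x.x.10 and 81.x.x.12; the function names are the example's own.

```python
"""Correlate Cisco `debug ip nat` output: which inside-global addresses send
packets but never see a reply translated back? (Added example, not from the
thread; the sample lines are constructed.)"""
import re
from collections import defaultdict

# One regex for both process-switched ("NAT:") and fast-switched ("NAT*:") lines.
# Outbound: s=<inside local>-><inside global>, d=<outside>        [ip id]
# Inbound:  s=<outside>, d=<inside global>-><inside local>        [ip id]
NAT_LINE = re.compile(
    r"NAT\*?: s=(?P<s1>[^\s,]+?)(?:->(?P<s2>[^\s,]+))?, "
    r"d=(?P<d1>[^\s,]+?)(?:->(?P<d2>[^\s,]+))? \[(?P<ipid>\d+)\]"
)

# Constructed sample: the PC (192.168.10.86 via .10) gets an echo reply, the
# mail server (192.168.10.7 via .12) never does, mirroring the poster's output.
SAMPLE_DEBUG = """\
*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->192.0.2.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=192.0.2.10->192.168.10.86 [10039]
*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->192.0.2.12, d=4.2.2.2 [3696]
*Mar 22 16:25:08.430: NAT*: s=192.168.10.7->192.0.2.12, d=4.2.2.2 [3697]
*Mar 22 16:25:09.101: NAT: s=192.168.10.7->192.0.2.12, d=64.191.223.35 [3698]
*Mar 22 16:25:10.002: NAT*: s=192.168.10.86->192.0.2.10, d=8.8.8.8 [37442]
""".splitlines()


def parse_nat_debug(lines):
    """Yield (direction, inside_local, inside_global, outside, ip_id) tuples.

    direction is "out" when the source was rewritten (inside -> outside) and
    "in" when the destination was rewritten (outside -> inside). Lines that do
    not rewrite either address are not translations and are skipped.
    """
    for line in lines:
        m = NAT_LINE.search(line)
        if not m:
            continue
        s1, s2, d1, d2 = m.group("s1", "s2", "d1", "d2")
        ip_id = int(m.group("ipid"))
        if s2 is not None:
            yield ("out", s1, s2, d1, ip_id)
        elif d2 is not None:
            yield ("in", d2, d1, s1, ip_id)


def unanswered_flows(lines):
    """Map inside_global -> set of (inside_local, outside) pairs that were
    translated outbound but never had a reply translated back in."""
    pending = defaultdict(set)
    for direction, local, glob, outside, _ in parse_nat_debug(lines):
        key = (local, outside)
        if direction == "out":
            pending[glob].add(key)
        else:
            pending[glob].discard(key)
    return {glob: keys for glob, keys in pending.items() if keys}


def dead_globals(lines):
    """Inside-global addresses with outbound translations and no inbound ones
    at all. One unanswered flow can be a timeout or a filtered destination; an
    address that never gets anything back points at the return path (ISP
    routing or ARP for that address on the outside segment), not at the host."""
    seen_out, seen_in = set(), set()
    for direction, _, glob, _, _ in parse_nat_debug(lines):
        (seen_out if direction == "out" else seen_in).add(glob)
    return seen_out - seen_in


if __name__ == "__main__":
    for glob, flows in sorted(unanswered_flows(SAMPLE_DEBUG).items()):
        for local, outside in sorted(flows):
            print(f"no reply: {local} -> {outside} via {glob}")
    print("globals with no return traffic:", sorted(dead_globals(SAMPLE_DEBUG)))
```

On the constructed sample, 192.0.2.10 has one unanswered flow (the DNS probe to 8.8.8.8) but did receive a reply for another, so it is not reported as dead; 192.0.2.12 never receives anything and is. That distinction is the one to make before touching the NAT configuration: a global address that gets no return traffic at all is a routing or ARP question on the outside segment, which is what the next replies in this thread go after.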
03-30-2012 06:08 AM
Is the mail server using the right interface as the exit interface from the routing table?
Can you add the extendable keyword to the mail server NAT command?
04-02-2012 02:41 AM
Hi dear.
If I add the extendable command to my static NAT, what does this command do?
I know that the static NAT translation is done first, then dynamic, and then PAT.
My port redirection is not working. What is the problem?
Look at my NAT translation:
ip nat inside source static tcp 192.168.10.7 443 x.x.x.12 9000 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 25 x.x.x.12 25 extendable route-map Internet1
ip nat inside source static tcp 192.168.10.7 imap x.x.x.12 imap extendable route-map Internet
This is my static NAT translation, and I do static port NAT; my other ports go through dynamic NAT translation, as you can see in my configuration. But my static NAT is not working.
04-03-2012 08:44 AM
Teymur,
It could be possible that traffic is not coming back on the GigabitEthernet0/0.116 interface when packets are NATed to the 81.21.95.12 IP.
So I would suggest you try the following steps:
- Add a static ARP entry for the 81.21.95.12 IP mapped to the MAC address of the GigabitEthernet0/0 interface, and then test whether it makes a difference or not
- Please add a route for 192.168.10.0/24 pointing towards the inside
- Make changes in route-map MAIL-Server:
route-map MAIL-Server permit 10
no match ip address 105
match interface GigabitEthernet0/0.116
See if the above options help.
Neeraj
04-03-2012 10:22 PM
Hi dear Neeraj. Thank you for helping me. I changed my configuration as you wrote to me.
This is my latest configuration. As we know, the sequence of NAT is: first static NAT translation, then dynamic, and then PAT.
In my configuration the static NAT is not working. When I write the static NAT with the ip protocol (ip nat inside source static 192.168.10.7 81.21.95.12 route-map MAIL-Server) it works, but when I write it like this it does not work:
ip nat inside source static tcp 192.168.10.7 443 81.x.x.12 9000 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 25 81.x.x.12 25 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 imap 81.x.x.12 imap extendable route-map MAIL-Server
Please look and give your advice. What is the problem?
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1516C6A4
!
!
username teymur password 0 cisco
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
delay down 15 up 10
!
track 3 ip sla 2 reachability
delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
no ip address
duplex auto
speed auto
!
!
interface GigabitEthernet0/0.116
description connected to ISP1
encapsulation dot1Q 116
ip address 81.x.x.10 255.255.255.248
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/0.859
description connected to ISP2
encapsulation dot1Q 859
ip address 85.x.x.114 255.255.255.240
ip nat outside
ip virtual-reassembly
!
interface GigabitEthernet0/1
description INSIDE
ip address 172.25.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map Classify
duplex auto
speed auto
standby 1 ip 172.25.10.3
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static tcp 192.168.10.7 443 81.x.x.12 9000 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 25 81.x.x.12 25 extendable route-map MAIL-Server
ip nat inside source static tcp 192.168.10.7 imap 81.x.x.12 imap extendable route-map MAIL-Server
ip route 0.0.0.0 0.0.0.0 81.x.x.x
ip route 0.0.0.0 0.0.0.0 85.x.x.x
ip route 192.168.10.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
icmp-echo 81.x.x.x source-interface GigabitEthernet0/0.116
timeout 1000
threshold 1000
frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 85.x.x.x source-interface GigabitEthernet0/0.859
timeout 1000
threshold 1000
frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip host 192.168.20.10 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.20.0 0.0.0.255 any
route-map MAIL-Server permit 10
match interface GigabitEthernet0/0.116
!
!
route-map Classify permit 10
match ip address 103
set ip next-hop verify-availability 81.x.x.x 1 track 2
set ip next-hop verify-availability 85.x.x.x 2 track 3
!
route-map Classify permit 20
match ip address 104
set ip next-hop verify-availability 85.x.x.x 1 track 3
set ip next-hop verify-availability 81.x.x.x 2 track 2
!
route-map Classify permit 30
match ip address 105
set ip next-hop verify-availability 81.x.x.x 1 track 2
!
route-map ISP2 permit 20
match ip address 102 101
match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
match ip address 101 102
match interface GigabitEthernet0/0.116
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
event manager applet Track2down
event track 2 state down
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
event manager applet track2UP
event track 2 state up
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
event manager applet Track3Down
event track 3 state down
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
event manager applet Track3Up
event track 3 state up
action 1 cli command "enable"
action 2 cli command "clear ip nat translation *"
!
end
04-04-2012 07:34 AM
Your configuration looks fine to me; you might be hitting an IOS bug for static port translation.
Try removing the route-map from the NAT commands and then check. The config should look like this:
ip nat inside source static tcp 192.168.10.7 443 81.x.x.12 9000 extendable
ip nat inside source static tcp 192.168.10.7 25 81.x.x.12 25 extendable
ip nat inside source static tcp 192.168.10.7 imap 81.x.x.12 imap extendable
I seriously do not have any other suggestion, but as a last resort for testing you can think of upgrading the IOS on the router and reloading.
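Whichever form of the static entries ends up working, the claim made twice in this thread (static NAT is matched before dynamic and PAT) is something `show ip nat translations` lets you verify directly: every session from the mail server should carry its static global address, and each configured static port entry should appear as a row with `---` in the outside columns. The following script is an added example, not from the thread or from Cisco, that runs that audit over a table. The table is constructed for the example, with 192.0.2.12 standing in for the masked 81.x.x.12 and 203.0.113.114 for the ISP2 address 85.x.x.114; the function names and the MAIL_PORTS map are the example's own, and the map assumes imap means TCP port 143.

```python
"""Audit `show ip nat translations` for one inside host: does every packet
from it leave under its static global address, and are the configured static
port entries installed? (Added example, not from the thread; the table is
constructed.)"""
import re

# Columns of `show ip nat translations`: Pro, Inside global, Inside local,
# Outside local, Outside global. Static entries show "---" for the outside
# columns (and for Pro when the entry is not port-specific).
ROW = re.compile(r"^(?P<pro>\S+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)$")

# Constructed sample: two static port entries, one session under the static
# address, one session that escaped through the ISP2 overload rule, and an
# unrelated PC flow. No static row exists for imap.
SAMPLE_TABLE = """\
Pro Inside global       Inside local         Outside local        Outside global
tcp 192.0.2.12:25       192.168.10.7:25      ---                  ---
tcp 192.0.2.12:9000     192.168.10.7:443     ---                  ---
tcp 192.0.2.12:4479     192.168.10.7:4479    64.191.223.35:80     64.191.223.35:80
tcp 203.0.113.114:4490  192.168.10.7:4490    208.50.223.240:80    208.50.223.240:80
udp 192.0.2.10:50462    192.168.10.86:50462  8.8.8.8:53           8.8.8.8:53
"""

# The static port entries the poster configured: (proto, local port) -> published port.
MAIL_PORTS = {("tcp", 25): 25, ("tcp", 443): 9000, ("tcp", 143): 143}


def split_addr(field):
    """'192.0.2.12:25' -> ('192.0.2.12', 25); '192.0.2.12' -> (addr, None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    host, sep, port = field.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return field, None


def parse_translations(text):
    """Parse table rows into dicts. The header has more than five words, so ROW skips it."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        ig, igp = split_addr(m.group("ig"))
        il, ilp = split_addr(m.group("il"))
        ol, _ = split_addr(m.group("ol"))
        rows.append({"pro": m.group("pro"), "ig": ig, "igp": igp,
                     "il": il, "ilp": ilp, "static": ol is None})
    return rows


def audit_host(rows, inside_local, expected_global, port_map):
    """Return a list of findings (empty when the host's NAT state is as intended).

    A session row whose inside global is not expected_global means an overload
    rule translated the host before the static one did, so that traffic left
    under the wrong public address. A configured static port entry with no row
    in the table means the static translation was never installed.
    """
    findings, seen_static = [], set()
    for r in rows:
        if r["il"] != inside_local:
            continue
        if r["ig"] != expected_global:
            findings.append(f"{inside_local}:{r['ilp']} left as {r['ig']}:{r['igp']}, "
                            f"not {expected_global} (dynamic NAT matched first)")
        if r["static"]:
            seen_static.add((r["pro"], r["ilp"]))
            want = port_map.get((r["pro"], r["ilp"]))
            if want is not None and r["igp"] != want:
                findings.append(f"{r['pro']}/{r['ilp']} published on port {r['igp']}, expected {want}")
    for (pro, lport), gport in port_map.items():
        if (pro, lport) not in seen_static:
            findings.append(f"no static entry for {pro}/{lport} -> {expected_global}:{gport}")
    return findings


if __name__ == "__main__":
    for finding in audit_host(parse_translations(SAMPLE_TABLE),
                              "192.168.10.7", "192.0.2.12", MAIL_PORTS):
        print(finding)
```

On the constructed table the audit reports two problems: the session that left through 203.0.113.114, and the missing static entry for tcp/143. The first one matters beyond reachability for a mail server: the second configuration in this thread no longer excludes 192.168.10.7 from the overload rules, so if the static entry is not matched the server can source SMTP from an ISP address that its PTR and SPF records do not name, and receiving servers will treat that mail accordingly.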