Dual-WAN and port forwarding problem (NAT)

avorobyev
Level 1

Hi! I've got an 1811 on my network.

I'm trying to connect my LAN to 2 ISPs.

---
version 12.4
!
ip cef
!
multilink bundle-name authenticated
!
ip tcp synwait-time 10
!
track 10 rtr 110 reachability
 delay down 30 up 60
!
track 11 rtr 111 reachability
 delay down 30 up 60
!
interface FastEthernet0
 description ptkom uplink$ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.116.14 255.255.255.0 secondary
 ip address 85.95.147.3 255.255.255.192
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 description enforta uplink$ETH-WAN$$FW_OUTSIDE$
 ip address 79.122.164.134 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 description EnfortaVPN
 switchport access vlan 2
!
interface Vlan1
 description Morozova LAN$ES_LAN$$FW_INSIDE$
 ip address 192.168.52.254 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 85.95.147.1 track 10
ip route 0.0.0.0 0.0.0.0 79.122.164.133 track 11
ip route 79.122.164.132 255.255.255.252 FastEthernet1 permanent
ip route 85.95.147.0 255.255.255.192 FastEthernet0 permanent
ip route 172.16.248.0 255.255.255.240 172.16.248.17
ip route 172.16.248.32 255.255.255.240 172.16.248.17
ip route 192.168.6.0 255.255.255.0 172.16.248.2
ip route 192.168.7.0 255.255.255.0 172.16.248.34
!
!
ip nat inside source route-map RM-enforta interface FastEthernet1 overload
ip nat inside source route-map RM-ptkom interface FastEthernet0 overload
ip nat inside source static tcp 192.168.52.7 2443 79.122.164.134 2443 extendable
ip nat inside source static tcp 192.168.52.7 3389 79.122.164.134 3389 extendable
ip nat inside source static tcp 192.168.52.7 25 85.95.147.3 25 extendable
ip nat inside source static tcp 192.168.52.7 110 85.95.147.3 110 extendable
ip nat inside source static tcp 192.168.52.7 2443 85.95.147.3 2443 extendable
ip nat inside source static tcp 192.168.52.7 3389 85.95.147.3 3389 extendable
ip nat inside source static tcp 192.168.52.8 3389 85.95.147.3 3390 extendable
!
ip access-list extended LANs
 permit ip 192.168.52.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.43.0 0.0.0.255 any
 remark Put All inside LANs here
ip access-list extended NAT
 remark SDM_ACL Category=18
 deny ip any 192.168.6.0 0.0.0.255
 deny ip any 192.168.7.0 0.0.0.255
 deny ip any 192.168.52.0 0.0.0.255
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.52.0 0.0.0.255 any
!
ip sla 110
 icmp-echo 85.95.147.1 source-ip 85.95.147.3
 frequency 10
ip sla schedule 110 life forever start-time now
ip sla 111
 icmp-echo 79.122.164.133 source-ip 79.122.164.134
 frequency 10
ip sla schedule 111 life forever start-time now
no logging trap
access-list 116 permit ip any 192.168.6.0 0.0.0.255
access-list 117 permit ip any 192.168.7.0 0.0.0.255
no cdp run
!
route-map RM-enforta permit 10
 match ip address NAT
 match interface FastEthernet1
!
route-map RM-ptkom permit 10
 match ip address NAT
 match interface FastEthernet0
!
!
end
---

Everything worked fine until I tried to add the following (I have to access 192.168.227.0/24 with NAT, but from the 192.168.116.14 IP):

---
ip route 192.168.227.0 255.255.255.0 192.168.116.1
ip nat pool PortMAN 192.168.116.14 192.168.116.14 netmask 255.255.255.0
ip nat inside source route-map RM-PortMAN pool PortMAN overload
ip access-list extended PortMAN
 permit ip any 192.168.116.0 0.0.0.255
 permit ip any 192.168.227.0 0.0.0.255
route-map RM-PortMAN permit 10
 match ip address PortMAN
 match interface FastEthernet0
---

After that my port forwardings (from WAN to LAN) became inaccessible. I think it's because they come in via one route and go out via another.

What should I do?

Now, even after deleting the rules, the port forwardings do not work.

Any ideas?
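Before reading translation state, one sanity check worth running on a posted config like this is whether each static entry's outside address sits on an interface that is up and marked ip nat outside (in the config above, the 79.122.164.134 forwards belong to FastEthernet1, which is shutdown). The script below is an added example, not part of the post; the config excerpt is constructed from the posted lines with IOS indentation restored.

```python
import re
# Constructed excerpt of the poster's running config (indentation added,
# since the post's extraction stripped it); not the full config.
CONFIG = """\
interface FastEthernet0
 ip address 192.168.116.14 255.255.255.0 secondary
 ip address 85.95.147.3 255.255.255.192
 ip nat outside
interface FastEthernet1
 ip address 79.122.164.134 255.255.255.252
 ip nat outside
 shutdown
ip nat inside source static tcp 192.168.52.7 25 85.95.147.3 25 extendable
ip nat inside source static tcp 192.168.52.7 3389 79.122.164.134 3389 extendable
"""

def parse_interfaces(config):
    """Map interface name -> {addrs, shutdown, nat role} from IOS config text."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"addrs": [], "shutdown": False, "nat": None})
        elif not line.startswith(" "):
            cur = None  # an unindented line ends the interface block
        elif cur is not None:
            tok = line.split()
            if tok[:2] == ["ip", "address"]:
                cur["addrs"].append(tok[2])
            elif tok == ["shutdown"]:
                cur["shutdown"] = True
            elif tok[:2] == ["ip", "nat"]:
                cur["nat"] = tok[2]  # "inside" or "outside"
    return ifaces

def audit_static_nat(config):
    """Return (outside_ip, outside_port, reason) for every static port forward
    whose outside address is not on an up, ip-nat-outside interface."""
    ifaces = parse_interfaces(config)
    pattern = r"^ip nat inside source static (?:tcp|udp) \S+ \d+ (\S+) (\d+)"
    findings = []
    for outside, oport in re.findall(pattern, config, re.M):
        owner = next((n for n, i in ifaces.items() if outside in i["addrs"]), None)
        if owner is None:
            findings.append((outside, oport, "address is on no interface"))
        elif ifaces[owner]["shutdown"]:
            findings.append((outside, oport, f"{owner} is shutdown"))
        elif ifaces[owner]["nat"] != "outside":
            findings.append((outside, oport, f"{owner} is not ip nat outside"))
    return findings
```

Run it against the full running config (`show running-config`) to list the forwards that cannot receive traffic regardless of what `show ip nat translations` reports.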


ldardon
Level 1

I think there is no problem with your NAT. Anyhow, issue the command "show ip nat translation"; it will help you to troubleshoot.

Ensure the ACL configuration and the route-map are correct.
