I need to configure an existing 2600 router to use dynamic NAT for access to the web and ALSO I have (5) fixed IP addresses for use with an email server, a web server, and (3) future servers. I do not know the concept of how to set this up. I'm currently using dynamic NAT for the web and this seems OK, but I don't know how to map my fixed servers. I assume this is done with static NAT. Do I need to add sub-interfaces on the S0/0 T1 interface for each of these fixed IPs? Then do I somehow do static NAT on these fixed IPs to their respective servers? I guess this is a common scenario but I'm lost. Any help would be greatly appreciated.
Steve - CCNA
No need to configure any sub-interfaces, just do as many static PAT entries as you have servers.
Web server at 10.1.1.2, mail server at 10.1.1.3, each with a different public IP:
ip nat inside source static tcp 10.1.1.2 80 210.x.x.3 80
ip nat inside source static tcp 10.1.1.3 25 210.x.x.4 25
You don't need to tell the router about your IP address. I just cross-checked it in a setup with 4 routers in a chain (R1--R2--R3--R4).
Look at this sample config:
R2 (internet router):
ip address 10.1.2.2 255.255.255.0
description INTERNAL side
ip address 10.1.12.2 255.255.255.0
ip nat inside
description ISP side
ip address 192.168.23.2 255.255.255.0
ip nat outside
router ospf 1
network 10.1.12.0 0.0.0.255 area 0
default-information originate always
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source static tcp 10.1.1.1 23 172.16.1.1 23 extendable
access-list 101 permit ip any any
Some explanation here: 10.1.0.0 belongs to R1, which is internal. 10.2.0.0 belongs to R2.
Then, 192.168.0.0 belongs to R3 and R4. R3 has a static route pointing at R2 for 172.16.1.1.
As you can see in the config, 172.16.1.1 is translated to 10.1.1.1 (loopback of R1).
All this works perfectly well. So, what we can learn from this is that R2 doesn't have to advertise 172.16, as long as the routing itself is taken care of by itself or its surrounding devices.
Nowhere except in the static PAT command I posted. What counts is that these are addresses reachable by your ISP, because they will be used by people to contact your internal servers, and the router will do the NAT and change the destination IP to the private addresses of the servers.
Thank you again.
I believe I was remiss in describing the entire situation.
1. There is a public address that is assigned to S0/0 and connects via T1 to our ISP.
2. There is an ADDITIONAL block of public IPs that are for our internal use:
   a. Mail Server
   b. Web Server
   c. Future
   These do NOT appear anywhere in the router config EXCEPT in the NAT statements.
3. We use Postini to filter mail prior to our mail server.
4. We need OWA, pptp VPN, Blackberry messenger.
5. We have (1) FastEthernet interface for our internal LAN.
I set up JUST the NAT statements and could neither ping the local servers using the global address NOR send/receive mail.
My thinking of the required functionality is:
1. Web access via dynamic nat using the single public address in 1. above. This seems to work OK.
2. Expose the mail and web server to the outside. Here is where I think I need to sub-interface the S0/0 to include this block of global addresses, THEN use the static NAT statements you provided?
Thank you in advance for ANY additional insight you can provide. It is greatly appreciated.
Are the additional IP addresses you've been given in the same subnet as your external (Se0/0) IP address?
Can you please post the config of your Se0/0 interface (Just change the first two octets of the IP addresses and replace passwords / usernames with asterisks) but leave last 2 octets and network masks etc intact?
I suspect that you've been given a /29 subnet and that your Se0/0 interface is using one of the 5 available. Otherwise I cannot see why they would give you 5 IP addresses.
They'd either give you the full /29 (8 IP addresses) in ADDITION to your existing external IP address, or they'd give you the /29 out of which the broadcast/network and ISP router IP addresses are taken (leaving 5 available for your use).
Thanks for the responses.
The S0/0 assigned IP address is NOT in the block of /29 addresses. My guess is that originally there was only the S0/0 address (which is what I am using for dynamic NAT) and then later a block of IPs was purchased. Yes, it is a /29 block. IF I put a static route to route this block to my LAN interface AND put the public address on my servers' NICs as an additional address, all seems to work and I can ping my servers. But I don't think this is the correct method?
If you are able to connect to the servers by putting real IP addresses on them, and a route on the router, then routing from your ISP seems to be absolutely fine, so that's good.
So, this is easy to sort... remove the route you added pointing to your internal network, and add a route to null0 for your /29 subnet... this gets it in your RIB without exposing your internal network.
ip route 126.96.36.199 255.255.255.248 null0
Then add static nat translations for each of the servers, either with static 1-1 NAT:
ip nat inside source static 192.168.10.10 188.8.131.52
Or using Port translations as described by Alain earlier:
ip nat inside source static tcp 10.1.1.2 80 184.108.40.206 80
ip nat inside source static tcp 10.1.1.3 25 220.127.116.11 25
You will also need to allow this traffic through on any ACLs or firewalls you have.
Apologies for the lack of formatting - I'm typing this on my phone :-)
Hope that helps!
Oh, and. Just to clarify...
The static route is not necessary, you don't need to have a route for these addresses on the device at all, and you definitely do NOT want a route pointing to an internal device or interface. I always do this (route NAT pools to null) on edge devices, as it prevents anyone in the future who is not familiar with the setup coming along and adding a route inside, bypassing the NAT and potentially some security.
What Alain said right at the beginning of this thread is the correct answer... as long as the IP addresses are routed to your router's outside interface you need only the NAT statements, and the NAT inside/outside commands on the relevant interfaces of course.
It seems that what you are saying is the static NAT rules should work as Alain initially suggested with no additional required settings. But I tried that this last weekend and I could not ping, send mail, or hit the web server without adding the global addresses to the NIC of the server(s).
Do I understand correctly that there does not need to be an 'endpoint' for each global IP address? The ISP router simply sends requests for an address to the S0/0 interface, the static NAT statements translate to the local address, and TCP accepts that as a connected datagram?
Sorry, but I seem to be getting more lost.
Pinging the servers won't work without first setting up ICMP translations, so that part is to be expected.
The static PAT entries are probably conflicting with the overload NAT you have in place....
This is fixable, but it will be easier to simply use 1-1 Static NAT instead... First remove the static PAT entries, and do the following for each server:
ip nat inside source static 192.168.10.10 18.104.22.168
Where 192.168.10.10 is the server's internal IP, and 18.104.22.168 is the public IP you want to translate it to.
Make sure you have a firewall or ACLs in place to protect these devices though as without them anyone from outside can hit any port on the translated devices.
If you are still having trouble, please post your config, as otherwise we're just shooting in the dark ;-)
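To tie the advice in this thread together (the static NAT entries from Alain's first reply, the Null0 route for the /29, and the warning that 1:1 NAT exposes every port unless an ACL limits it), here is a complete edge configuration for the setup described. This is an added example, not a config anyone posted in the thread. The interface numbers, the addresses (RFC 5737 documentation ranges: 192.0.2.0/30 for the T1 link, 203.0.113.0/29 for the routed block, 192.168.10.0/24 for the LAN) and the server addresses are all assumptions; substitute your own.

```cisco
! Added example, not from the thread. All addresses and interface numbers
! are assumptions:
!   Serial0/0        = T1 to the ISP, 192.0.2.2/30 (ISP side is 192.0.2.1)
!   FastEthernet0/0  = internal LAN, 192.168.10.0/24
!   203.0.113.0/29   = the separately routed public block
!
interface Serial0/0
 description T1 to ISP (outside)
 ip address 192.0.2.2 255.255.255.252
 ip access-group FROM-INTERNET in
 ip nat outside
!
interface FastEthernet0/0
 description Internal LAN (inside)
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Default route toward the ISP. A next-hop address is used here; a route
! that names only the interface (as in the R2 sample earlier) is fine on a
! point-to-point serial link but should be avoided on Ethernet, where the
! router would then ARP for every destination.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! The routed /29 goes to Null0. This puts it in the RIB without pointing at
! any inside interface or host, so nobody can later add a route that
! bypasses the NAT. Traffic to the NATed addresses is translated
! (outside-to-inside NAT happens before routing) and never hits this route.
ip route 203.0.113.0 255.255.255.248 Null0
!
! Dynamic PAT for outbound traffic. The ACL names only the LAN rather than
! "permit ip any any", so only internal hosts are ever translated.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Serial0/0 overload
!
! Static 1:1 NAT for the exposed servers, one public address each.
! 192.168.10.10 = mail server, 192.168.10.11 = web server (assumed).
! The remaining addresses in the /29 stay free for the future servers.
ip nat inside source static 192.168.10.10 203.0.113.2
ip nat inside source static 192.168.10.11 203.0.113.3
!
! 1:1 NAT exposes every port on the server; this inbound ACL is what limits
! exposure. It matches on the PUBLIC addresses because an inbound ACL is
! evaluated before outside-to-inside NAT rewrites the destination.
ip access-list extended FROM-INTERNET
 remark --- mail server: SMTP in, OWA over HTTPS
 permit tcp any host 203.0.113.2 eq 25
 permit tcp any host 203.0.113.2 eq 443
 remark --- web server: HTTP and HTTPS
 permit tcp any host 203.0.113.3 eq 80
 permit tcp any host 203.0.113.3 eq 443
 remark --- return traffic for connections the LAN opened via the PAT address
 permit tcp any host 192.0.2.2 established
 permit udp any eq domain host 192.0.2.2
 remark --- ICMP needed for path MTU discovery and echo replies to our pings
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 deny   ip any any log
```

After applying it, `show ip route 203.0.113.0 255.255.255.248` should show the Null0 route, `show ip nat translations` should list the two static entries before any traffic flows, and `show ip access-lists FROM-INTERNET` lets you watch the hit counts while testing from outside. Because 1:1 static NAT (unlike the per-port `static tcp` entries) also translates ICMP, a `permit icmp any host 203.0.113.2 echo` line is all that is needed if you want to ping the mail server's public address from outside. If a PPTP server is to be exposed on one of these addresses, its ACL entries are `permit tcp any host <addr> eq 1723` plus `permit gre any host <addr>`. Since mail is filtered by Postini first, the SMTP line can be tightened to permit only the filtering provider's source ranges once you have them. The `established` and DNS lines are a stateless approximation; for stateful return-traffic handling use CBAC (`ip inspect`) if the IOS image has the firewall feature set, or keep a real firewall behind the router.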
Reading your post I assume that your public IP range is not being published. The first thing you have to make sure of is that your ISP is advertising your PA space and pointing it to your router with a static route. Or do it yourself using BGP.
Once that is settled you can continue using the nat statements as described by Alain earlier.
Does that make sense? Best regards, Valentijn
Sent from Cisco Technical Support iPhone App
You do not need to do any sub-interface for the rest of the public IP addresses.
You just need to make sure that the route is advertised via your internet provider for those public IP addresses that you have.
Once the above is confirmed and you have, say, 5 public IP addresses in hand, then one of those IPs you can use for your static NAT (mail server).
Hope the above is understandable and helpful.
Please rate the helpful posts.