
Problem with combined Static and Dynamic NAT

Bob Burley
Level 1

After two days I am still having trouble figuring out what I am missing here.

I have all users using dynamic NAT (PAT) to access the internet except now it is time to give one user a public IP address in order to run a server.

When I add the static NAT, the user can surf the net, but there is no access to the server from the outside interface.

It appears that packets from the outside are being translated to the inside address, but the server does not respond.

I hope someone can save me from spending another few days on this.

The following portions of the config are from my test setup.

version 12.3
ip subnet-zero
no ip source-route
!
interface Ethernet0
 description LAN Interface
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no cdp enable
!
interface Ethernet1
 description WAN Interface
 ip address 192.168.199.10 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 duplex auto
 no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1 192.168.199.1
!
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 192.168.10.45 192.168.199.12 extendable
!
access-list 102 remark LAN Filter
access-list 102 deny ip host 192.168.10.45 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 172.16.20.0 0.0.3.255 any
access-list 102 permit ip 192.168.199.0 0.0.0.255 any
access-list 102 deny ip any any
!
access-list 103 remark WAN Filter
access-list 103 deny icmp any any redirect
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 permit ip 192.168.199.0 0.0.0.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 permit ip any any
access-list 103 deny ip any any

Accepted Solution

johnnylingo
Level 5

Does the server have the correct default gateway?

Try running a continuous ping to the outside network from the server, then "show ip nat trans | inc 192.168.10.45".


I can't believe how dumb I can be sometimes.

My "test server" was the web page from a cheap D-Link router. The dumb part was setting the "server IP" on the LAN side instead of the WAN side.

I could access the web page from the local subnet but not through the router. I had just done a Wireshark capture at the server and was puzzling over why the server was issuing an unanswered ARP request when I spotted your post.

You get full credit for asking about the default gateway first thing :)

Thank you, now I can go home.

Bob.
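Added example, not part of the original thread: a first-match evaluator for access-lists 102 and 103 from the config posted above, to check which sources each list permits and which entries can never match. The function names are hypothetical, and matching is on source address only, which is an assumption that holds here because every entry uses "any" as destination.

```python
import ipaddress

# The two access-lists from the posted config (remarks omitted).
ACL_102 = """\
deny ip host 192.168.10.45 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 172.16.20.0 0.0.3.255 any
permit ip 192.168.199.0 0.0.0.255 any
deny ip any any""".splitlines()

ACL_103 = """\
deny icmp any any redirect
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
permit ip 192.168.199.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
permit ip any any
deny ip any any""".splitlines()

def ip(s):
    return int(ipaddress.IPv4Address(s))

def parse(entry):
    """Return (action, proto, base, wildcard) for the source part of an entry."""
    action, proto, *rest = entry.split()
    if rest[0] == "any":
        return action, proto, 0, 0xFFFFFFFF
    if rest[0] == "host":
        return action, proto, ip(rest[1]), 0
    return action, proto, ip(rest[0]), ip(rest[1])

def first_match(acl, src):
    """Top-down, first match wins; source-only match for plain IP traffic."""
    for entry in acl:
        action, proto, base, wild = parse(entry)
        # Wildcard bits set to 1 are "don't care" bits.
        if proto == "ip" and (ip(src) | wild) == (base | wild):
            return action, entry
    return "deny", "(implicit deny)"  # every IOS ACL ends with an implicit deny

def shadowed(acl):
    """Entries that can never match because an earlier 'ip' entry covers them."""
    rules = [parse(e) for e in acl]
    return [acl[i] for i, (_, _, lb, lw) in enumerate(rules)
            if any(ep == "ip" and lw & ~ew == 0 and (lb | ew) == (eb | ew)
                   for _, ep, eb, ew in rules[:i])]
```

For the posted lists, the server 192.168.10.45 is denied by list 102 and so is left to the static translation, while list 103 reaches "permit ip any any" for any source not caught by the earlier entries, which leaves its final "deny ip any any" unreachable.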
