Problem with NAT

william.tituana
Level 1

Hi,

I have this case:

I'm attaching a diagram showing a simple interconnection:

I have a host with a private IP address, which is being routed for management purposes.

I want to configure an overload NAT, because I need the Bluecoat device to contact a site on the Internet, but no one should be able to contact the Bluecoat from the Internet.

The problem is that I manage the Bluecoat using its private IP address, and it responds very well if I don't configure NAT. When I configure NAT, the Bluecoat can access the Internet, but I cannot manage it because its internal IP address does not respond.

Is there an additional command or any suggestion that I could configure in the router, so that the internal IP of the Bluecoat responds to ping and SSH, although it is being NATed in the router?

This is part of router A's configuration:

interface GigabitEthernet0/0
 ip nat outside
!
interface GigabitEthernet0/0
 ip address 192.168.199.1 255.255.255.248
 ip nat inside
!
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 11 pool BLUECOAT overload
!
access-list 11 permit 192.168.199.2
!

Regards,

6 Replies

pauloroque
Level 1

Yes. Just exclude your management addresses from the NAT list. Your ACL should be like this:

access-list 11 deny ADMINISTRATOR_NETWORK
access-list 11 permit 192.168.199.2

PRoque

Hi Paulo, thanks for your answer. I tried the configuration, but it still doesn't work.

My management IP address is a public IP. When I don't configure NAT, the private IP address of the Bluecoat responds to ping and SSH, but it doesn't respond if I configure NAT.

Any other suggestion?

Thanks

viyuan700
Level 5

access-list 11 permit 192.168.199.2

I think the above command is not complete and can be the reason for the problem, as you define it either as

access-list 11 permit host 192.168.199.2
access-list 11 permit 192.168.199.2 0.0.0.0 (using a wildcard mask, single IP)

or

access-list 11 permit 192.168.199.0 0.0.0.255 (range of IPs that are allowed)

Since you are defining overload in your case, I think you have to give a wildcard mask to define a range of IPs.

vaisharm
Cisco Employee

William,

If you want to access BLUECOAT using the public IP, configure NAT as below:

!
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 11 pool BLUECOAT overload
ip nat inside source static tcp 192.168.199.2 22 200.25.194.133 22
!
access-list 11 permit 192.168.199.2
!

However, if you want to access BLUECOAT using the private IP, try this:

ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 111 pool BLUECOAT overload
!
access-list 111 deny tcp host 192.168.199.2 eq 22
access-list 111 permit ip host 192.168.199.2 any
!

HTH,

~Vaibhav

Thank you Vaibhav,

but it didn't work :-(

When I configure NAT, the Bluecoat can access the Internet, but I cannot manage it using its internal private IP address.

Regards

William, I have recreated this and it worked fine for me. I was able to successfully ssh to the bluecoat device IP - 192.168.199.2 from the Admin device. I hope you have the routing set correctly.

Did you change the ACL and the source list to 111 and have you removed all other NAT statements?

---------
ip nat pool BLUECOAT 200.25.194.133 200.25.194.133 netmask 255.255.255.252
ip nat inside source list 111 pool BLUECOAT overload
access-list 111 deny tcp host 192.168.199.2 eq 22 host
access-list 111 permit ip host 192.168.199.2 any
---------

If it still does not work, initiate SSH from the Admin box and capture 'debug ip nat' on the NAT router. If you see hits for SSH traffic, it would mean that the NAT ACL is not preventing the SSH traffic from getting NATted.

Regards

~Vaibhav
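As an added illustration, not code from the thread or from Cisco, here is a small Python model of the router's inside-to-outside NAT decision for the two ACLs discussed above: the standard ACL 11 matches every packet sourced from 192.168.199.2, so the Bluecoat's SSH replies to the admin station are source-translated to 200.25.194.133 and the admin's session breaks, whereas the extended ACL 111 leaves TCP replies from source port 22 untranslated. The admin and web-site addresses are constructed documentation values, and the model ignores the NAT translation table and outside-to-inside traffic.

```python
# Added example, not from the thread: a toy model of the router's
# inside-to-outside NAT decision for the two ACLs posted above.
from dataclasses import dataclass

BLUECOAT = "192.168.199.2"    # inside host from the thread
NAT_POOL = "200.25.194.133"   # pool BLUECOAT from the thread
ADMIN = "198.51.100.10"       # constructed public management address


@dataclass
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0  # 0 for protocols without ports
    dport: int = 0


def acl_11(pkt: Packet) -> bool:
    """access-list 11 permit 192.168.199.2 -- a standard ACL matches on source address only."""
    return pkt.src == BLUECOAT


def acl_111(pkt: Packet) -> bool:
    """access-list 111 deny tcp host 192.168.199.2 eq 22 / permit ip host 192.168.199.2 any.
    In IOS, 'eq 22' placed directly after the source address is the *source* port."""
    if pkt.proto == "tcp" and pkt.src == BLUECOAT and pkt.sport == 22:
        return False
    return pkt.src == BLUECOAT


def nat_inside_to_outside(pkt: Packet, acl) -> Packet:
    """ip nat inside source list <acl> pool BLUECOAT overload: translate the
    source of an inside->outside packet only when the ACL permits it."""
    if acl(pkt):
        return Packet(NAT_POOL, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    return pkt


def management_reply_intact(acl, proto: str, sport: int) -> bool:
    """Does the Bluecoat's reply to the admin station keep its private source?
    If not, the admin sees a reply from 200.25.194.133 and the session fails."""
    reply = Packet(BLUECOAT, ADMIN, proto, sport, 50000)
    return nat_inside_to_outside(reply, acl).src == BLUECOAT


def web_request_translated(acl) -> bool:
    """Ordinary Bluecoat traffic to the Internet must still be overloaded onto the pool."""
    req = Packet(BLUECOAT, "203.0.113.5", "tcp", 40000, 443)  # constructed site address
    return nat_inside_to_outside(req, acl).src == NAT_POOL
```

Note that ACL 111 as posted only exempts TCP from source port 22, so ICMP echo replies to the admin station are still translated and ping to the private address would keep failing; the model's icmp case shows this.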
