
static 2-way nat problem

I configured dual ISP on the router. As you can see in my configuration, I have two subnets: 192.168.20.0 and 192.168.10.0.

I use dynamic NAT for those subnets, and they back each other up. All of them are working perfectly. Dynamic NAT is working perfectly.

I also have one static NAT for my mail server (192.168.10.7). I configured the static NAT, but a problem occurs.

When I try to access a site I cannot, and when I ping 4.2.2.2 from the mail server there is no reply.

But I see this in my NAT translation table.

Pro Inside global      Inside local       Outside local      Outside global
icmp 81.21.95.12:512   192.168.10.7:512   4.2.2.2:512        4.2.2.2:512
tcp 81.21.95.12:4479   192.168.10.7:4479  64.191.223.35:80   64.191.223.35:80
tcp 81.21.95.12:4481   192.168.10.7:4481  64.191.223.35:80   64.191.223.35:80
tcp 81.21.95.12:4482   192.168.10.7:4482  64.191.223.35:80   64.191.223.35:80
tcp 81.21.95.12:4483   192.168.10.7:4483  208.50.223.240:80  208.50.223.240:80
tcp 81.21.95.12:4484   192.168.10.7:4484  208.50.223.240:80  208.50.223.240:80
tcp 81.21.95.12:4485   192.168.10.7:4485  208.50.223.240:80  208.50.223.240:80
udp 81.21.95.10:50462  192.168.10.86:50462 8.8.8.8:53        8.8.8.8:53

This is my PC's IP, 192.168.10.86. When I ping from my PC, this is the result:

*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->81.x.x.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=81.x.x.10->192.168.10.86 [10039]

This is the result for my mail server.

*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->81.x.x.12, d=4.2.2.2 [3696]

There is no return NAT translation.

What is the problem? What must I change in my configuration?

Configuration:

Primary#show run
Building configuration...

Current configuration : 4303 bytes
!
! Last configuration change at 11:48:43 UTC Thu Mar 22 2012
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Primary
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2901/K9 sn FCZ1516C6A4
!
!
username teymur password 0 cisco
!
redundancy
!
!
track timer interface 5
!
track 1 interface GigabitEthernet0/0 line-protocol
!
track 2 ip sla 1 reachability
 delay down 15 up 10
!
track 3 ip sla 2 reachability
 delay down 15 up 10
!
!
!
!
crypto dynamic-map dynmap 10
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
!
interface GigabitEthernet0/0.116
 description connected to ISP1
 encapsulation dot1Q 116
 ip address 81.x.x.10 255.255.255.248
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.859
 description connected to ISP2
 encapsulation dot1Q 859
 ip address 85.x.x.114 255.255.255.240
 ip nat outside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 description INSIDE
 ip address 172.25.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map Classify
 duplex auto
 speed auto
 standby 1 ip 172.25.10.3
 standby 1 priority 110
 standby 1 preempt
 standby 1 track 1 decrement 20
!
!
ip forward-protocol nd
ip forward-protocol udp isakmp
ip forward-protocol udp non500-isakmp
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 30
ip nat inside source route-map ISP1 interface GigabitEthernet0/0.116 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/0.859 overload
ip nat inside source static 192.168.10.7 81.21.95.12 route-map MAIL-Server
ip route 0.0.0.0 0.0.0.0 81.x.x.9
ip route 0.0.0.0 0.0.0.0 85.x.x.113
ip route 192.168.20.0 255.255.255.0 172.25.10.4
ip route 192.168.16.0 255.255.240.0 172.25.10.4
!
ip sla 1
 icmp-echo 81.x.x.9 source-interface GigabitEthernet0/0.116
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 85.x.x.113 source-interface GigabitEthernet0/0.859
 timeout 1000
 threshold 1000
 frequency 2
ip sla schedule 2 life forever start-time now
access-list 101 deny   ip host 192.168.10.7 any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip host 192.168.20.10 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit ip 192.168.16.0 0.0.7.255 any
access-list 105 permit ip host 192.168.10.7 any
!
!
!
!
route-map MAIL-Server permit 10
 match ip address 105
 match interface GigabitEthernet0/0.116
!
!
route-map Classify permit 10
 match ip address 103
 set ip next-hop verify-availability 81.x.x.9 1 track 2
 set ip next-hop verify-availability 85.x.x.113 2 track 3
!
route-map Classify permit 20
 match ip address 104
 set ip next-hop verify-availability 85.x.x.113 1 track 3
 set ip next-hop verify-availability 81.x.x.9 2 track 2
!
route-map ISP2 permit 20
 match ip address 102 101
 match interface GigabitEthernet0/0.859
!
route-map ISP1 permit 10
 match ip address 101 102
 match interface GigabitEthernet0/0.116
!
!
!
control-plane

Please help me. Thanks.
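The comparison the post makes by eye between the PC's and the mail server's `debug ip nat` lines can be automated. The following is an added example, not part of the original post: it pairs outbound and return translations and lists the flows that were translated in one direction only. The function names `parse` and `one_way_flows` are hypothetical, and the sample input is the three debug lines quoted in the post.

```python
import re
from collections import defaultdict

# The three `debug ip nat` lines quoted in the post (addresses masked by the poster).
SAMPLE = """\
*Mar 22 16:25:03.890: NAT*: s=192.168.10.86->81.x.x.10, d=4.2.2.2 [37441]
*Mar 22 16:25:03.974: NAT*: s=4.2.2.2, d=81.x.x.10->192.168.10.86 [10039]
*Mar 22 16:25:07.426: NAT*: s=192.168.10.7->81.x.x.12, d=4.2.2.2 [3696]
"""

# Addresses may be masked ("81.x.x.10"), so accept letters as well as digits.
ADDR = r"[\w.]+"
# "NAT*:" marks the fast-switched path, "NAT:" the process-switched one.
LINE = re.compile(
    rf"NAT\*?: s=({ADDR})(?:->({ADDR}))?, d=({ADDR})(?:->({ADDR}))? \[(\d+)\]"
)


def parse(text):
    """Yield (direction, inside_local, inside_global, remote) per debug line."""
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a NAT debug line
        src, src_xlat, dst, dst_xlat, _ip_id = m.groups()
        if src_xlat and not dst_xlat:
            # Source rewritten: packet leaving inside -> outside.
            yield "out", src, src_xlat, dst
        elif dst_xlat and not src_xlat:
            # Destination rewritten: reply coming outside -> inside.
            yield "in", dst_xlat, dst, src


def one_way_flows(text):
    """Return flows that were translated outbound but never on the way back."""
    counts = defaultdict(lambda: {"out": 0, "in": 0})
    for direction, local, global_addr, remote in parse(text):
        counts[(local, global_addr, remote)][direction] += 1
    return sorted(k for k, c in counts.items() if c["out"] and not c["in"])


if __name__ == "__main__":
    for local, global_addr, remote in one_way_flows(SAMPLE):
        print(f"no return translation: {local} -> {global_addr} to {remote}")
```

A flow listed here only means this router translated no reply for it during the capture; the debug output alone does not show where the reply went.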
