11-27-2011 11:12 AM - edited 03-04-2019 02:25 PM
Hi.
I have a Cisco router with 2 WAN interfaces (all of the addresses are global public addresses, none of them are private).
Dialer0 (WAN 1) - IP address for this case is 10.10.10.10/32.
FastEthernet4 (WAN 2) - IP address for this case is 11.11.11.11/30.
Interface Vlan1 - IP address is 5.5.5.1/29 (these are global IP addresses, not private).
My default route is 0.0.0.0/0 -> FastEthernet4 11.11.11.12.
I have port forwarding:
ip nat inside source static tcp 5.5.5.2 3389 10.10.10.10 3389
Dialer0:
ip nat outside
Vlan1:
ip nat inside
My problem is that when I try RDP to 10.10.10.10 from the internet, I get the NAT translation to -> 5.5.5.2 on 3389 TCP,
but on the return path from the destination to the source, when the packet comes to the router it searches for the default route (because there is no specific route to this source from the internet) and it goes through FastEthernet4, which has no ip nat outside, and the session won't close.
BTW, I can configure ip nat outside on Fast4, but I want to be able to RDP the host with the 10.10.10.10 IP and with the 5.5.5.2 IP.
When I RDP 10.10.10.10 it will go through the Dialer0, and when I RDP 5.5.5.2 it will go through the Ethernet.
How can I make the router take the flow that comes from the dialer and send it back to the dialer where it came from and not through the default route?
(The source IP from the internet which creates the session always changes, so I can't configure a PBR on Vlan1.)
thank you,
11-28-2011 06:46 AM
How about NATing the source of incoming RDP packets to a particular/unique address/subnet and adding routes to unique source for both interfaces?
HTH.
11-28-2011 07:41 AM
That is a great idea actually.
I will then NAT the destination of the dialer to the host, and NAT the source to another IP address (x.x.x.x) and then route it to the dialer. That sounds good.
How does the command's syntax go?
I already have ip nat inside source static tcp y.y.y.y 3389 interface Dialer0 3389
What else should I do for this?
Thanks a lot.
(int vlan 1 - ip nat inside - the host)
(int dialer0 - ip nat outside - Wan1).
edit:
I will then have to configure the outside global IP address manually, won't I?
And I don't know it, it always changes.
Correct me if I'm wrong.
Tnx.
11-28-2011 08:38 AM
Actually you can get away with NATing only the source addresses incoming from dialer-interface to say 10.200.x.x/16. Incoming sources from Ethernet interface can still go out the same way.
The solution would work only if deNAT occurs AFTER routing decision has taken place in router logic flow.
You'll have to use 'ip nat outside source' for NAT. This link may be helpful:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml
Rais.
11-28-2011 10:43 AM
This is very helpful and very interesting (I didn't know about the add-route command after ip nat outside).
I'll try it tomorrow and update.
Tnx a lot for now.
11-28-2011 10:54 PM
OK Rais, thank you very much. It worked.
Thank you for your great help.
edit:
BTW, the add-route command after the NAT outside didn't work, so I had to make a PBR for that.
Do you have any idea why it didn't add it to the routing table?
As you can see here:
212.199.78.54 - outside global.
10.99.99.1 - outside local.
The NAT takes place but the route doesn't.
ip nat outside source list SOURCE pool NATPOOL add-route
ip access-list extended SOURCE
permit tcp any host 80.179.39.165 eq 3389
ip nat pool NATPOOL 10.99.99.1 10.99.99.255 netmask 255.255.255.0
dodimat#sh ip nat translations | i 10.99.99
--- --- --- 10.99.99.1 212.199.78.54
tcp 80.179.39.165:3389 80.179.123.234:3389 10.99.99.1:11469 212.199.78.54:11469
dodimat#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 80.179.255.157 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 80.179.255.157, 1d15h
80.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 80.179.39.165/32 is directly connected, Dialer0
C 80.179.123.232/29 is directly connected, Vlan1
L 80.179.123.233/32 is directly connected, Vlan1
C 80.179.255.156/30 is directly connected, FastEthernet4
L 80.179.255.158/32 is directly connected, FastEthernet4
212.199.17.0/32 is subnetted, 1 subnets
C 212.199.17.65 is directly connected, Dialer0
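The approach the thread converges on, written out as an added example (not the poster's or Rais's own configuration): outside-source NAT rewrites every internet client that hits the Dialer0 RDP forward into the predictable 10.99.99.0/24 range, and because add-route did not install a route in the poster's case, a route-map on Vlan1 steers the host's replies for that range out Dialer0 before NAT restores the real client address on the way out. Addresses are the ones in the poster's output; the ACL name RETURN-TO-DIALER and route-map name VIA-DIALER0 are assumed.

```cisco
! Inside host 80.179.123.234 (Vlan1) is published as 80.179.39.165:3389 on Dialer0
ip nat inside source static tcp 80.179.123.234 3389 interface Dialer0 3389
!
! Rewrite the source of every internet client that uses the Dialer0 forward
! into 10.99.99.0/24, so the return flow has a predictable destination.
ip access-list extended SOURCE
 permit tcp any host 80.179.39.165 eq 3389
ip nat pool NATPOOL 10.99.99.1 10.99.99.255 netmask 255.255.255.0
ip nat outside source list SOURCE pool NATPOOL add-route
!
! Replies from the host enter Vlan1 with destination 10.99.99.x. Routing runs
! before NAT on the inside-to-outside path, so policy-route those replies to
! Dialer0 instead of letting them follow the FastEthernet4 default route.
! Assumed names: RETURN-TO-DIALER (ACL) and VIA-DIALER0 (route-map).
ip access-list extended RETURN-TO-DIALER
 permit tcp host 80.179.123.234 eq 3389 10.99.99.0 0.0.0.255
!
route-map VIA-DIALER0 permit 10
 match ip address RETURN-TO-DIALER
 set interface Dialer0
!
interface Vlan1
 ip nat inside
 ip policy route-map VIA-DIALER0
!
interface Dialer0
 ip nat outside
!
! Replies to clients that came in via FastEthernet4 (RDP to 80.179.123.234
! directly) do not match RETURN-TO-DIALER and keep using the default route.
!
! Verification: the outside-local column shows 10.99.99.x for the client,
! and the route-map counters increment while an RDP session is open.
! show ip nat translations | include 10.99.99
! show route-map VIA-DIALER0
```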
11-30-2011 02:17 AM
And is there any possibility that the router will route the packet back to the interface it came from, without NATing?
12-02-2011 06:02 AM
Yes, you can use vrfs/vpnv4 routes.
Thanks.
12-03-2011 03:16 AM
Could you please explain, or redirect me to a URL with an explanation?
12-03-2011 04:12 AM
This may be a rather extensive change for your network.
Here is the link. You can think of your two interfaces as customers with 0/0 space.
HTH.
12-03-2011 04:26 AM
OK, I know what a VRF is.
But let's say an end customer only has 1 router with 2 WAN interfaces.
How will a VRF on the router help me solve the problem of routing the packet back to the interface it came from?
There are only 3 interfaces:
WAN1
WAN2
VLAN1 - LAN.
If I configure
int WAN2
ip vrf forwarding XXX
how will it help me?
12-03-2011 05:55 AM
You will have to put your servers in at least two vrfs as well and exchange vpnv4 routes.
Thanks.