Got a BIP connection from the ISP, with a block of public IPs (100.100.100.1/30).
PE end : 18.104.22.168 /30
CE end : 22.214.171.124 /30
There is a server on the LAN side which I want to be accessed via public IP 100.100.100.2.
How can I go about setting this up using just 1 box (I do not want to involve a firewall for NAT, just 1 router, a Cisco 1841)?
Topology and most important config in attachments...
Now, PE and CE IPs are pingable fine from the net.
The server can be accessed from outside (via telnet, for example, no problem).
The ISP is advertising routes to 126.96.36.199 and 100.100.100.1/30 via PE (80.80.808.1).
The issue is the trace to my public IP (100.100.100.2): it hits PE then CE, then goes back to PE then to CE, then again back to PE then CE, etc.
Please see how the ping and traceroutes look:
C:\user>ping 100.100.100.2
Pinging 100.100.100.2 with 32 bytes of data:
Reply from 188.8.131.52: TTL expired in transit.
Reply from 184.108.40.206: TTL expired in transit.
Reply from 220.127.116.11: TTL expired in transit.
Reply from 18.104.22.168: TTL expired in transit.

C:\user>tracert 100.100.100.2
Tracing route to [100.100.100.2] over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  10.252.240.1
  2    <1 ms    <1 ms    <1 ms  10.252.254.1
  ..
  ..
  6    16 ms    16 ms    16 ms  22.214.171.124
  7    17 ms    16 ms    31 ms  126.96.36.199
  8    30 ms    23 ms    25 ms  [188.8.131.52]
  9    23 ms    24 ms    23 ms  184.108.40.206
 10    33 ms    57 ms    52 ms  [220.127.116.11]
 11    67 ms    35 ms    39 ms  18.104.22.168
 12    39 ms    59 ms    70 ms  [22.214.171.124]
 13   101 ms    36 ms    44 ms  126.96.36.199
 14    58 ms    45 ms    43 ms  [188.8.131.52]
 15    51 ms    62 ms   101 ms  184.108.40.206
^C
I think I need to put a route to 100.100.100.1/30 in my config... is that right?
Firstly, it looks like all your hosts except for the server are NATing to your fa0/1.18 address of 220.127.116.11. Looking at your topology, don't you want them to be NATing to the 100.100.100.1 address?
Anyway, moving on to your question: you have statically NAT'd certain ports (25, 80, 110 & 443) to the 100.100.100.2 address, but you have not statically NAT'd ICMP to the address. Can you reach your server on ports 25, 80, 110 & 443?
You can see that there is network connectivity to your CE for the 100.100.100.2 address as you are hitting the outside interface and bouncing back to the ISP. Alternatively you could just NAT 100.100.100.2 to the server on all ports by removing the extendable command, or else add one for ICMP.
As James said, you used the so-called port-mapping, so there's no surprise the ICMP follows the default gateway going back to the PE.
What you can do, if you really want to be able to ping the server, is to create a full static entry (not just for the ports), but then you'll need to put in place some filtering (ACL, FW inspect, etc.) to protect the server from malicious traffic.
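
The full static entry plus filtering suggested in the replies could look like the following. This is an added example, not configuration from the original posts or the attachments. It assumes the server's inside address is 192.168.1.10 (a placeholder, the real address is not shown in the thread), that FastEthernet0/1.18 is the outside interface, and the ACL name OUTSIDE-IN is made up for illustration.

```cisco
! Before (as described in the thread): per-port static entries only.
! Anything else sent to 100.100.100.2, including ICMP, matches no
! translation and is routed back out the default route to the PE.
!   ip nat inside source static tcp 192.168.1.10 25  100.100.100.2 25  extendable
!   ip nat inside source static tcp 192.168.1.10 80  100.100.100.2 80  extendable
!   ip nat inside source static tcp 192.168.1.10 110 100.100.100.2 110 extendable
!   ip nat inside source static tcp 192.168.1.10 443 100.100.100.2 443 extendable
!
! After: one full static entry. Every protocol and port on
! 100.100.100.2 is now translated to the server (192.168.1.10 is an
! assumed placeholder address).
ip nat inside source static 192.168.1.10 100.100.100.2
!
! The full entry exposes the whole server, so filter on the way in.
! An inbound ACL on the outside interface is checked before NAT,
! so it matches the public address, not the inside one.
ip access-list extended OUTSIDE-IN
 remark services that were already published by the port entries
 permit tcp any host 100.100.100.2 eq 25
 permit tcp any host 100.100.100.2 eq 80
 permit tcp any host 100.100.100.2 eq 110
 permit tcp any host 100.100.100.2 eq 443
 remark allow ping to the server, nothing else
 permit icmp any host 100.100.100.2 echo
 deny   ip any host 100.100.100.2 log
 remark leave all other traffic (PAT return traffic etc.) as before
 permit ip any any
!
! Assumed outside interface, taken from the fa0/1.18 mentioned above.
interface FastEthernet0/1.18
 ip access-group OUTSIDE-IN in
```

After the change, `show ip nat translations` should list a single protocol-less entry for 100.100.100.2, and `show access-lists OUTSIDE-IN` shows hit counts on the deny line for traffic that was dropped.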