Cisco Support Community

Cisco 1920 NAT issue

Hello, I have the following issue:

I have a network with multiple VLANs which have different rules. One of the rules is that most of them have access to the internet via NAT overload on interface g.g.g.146 (this works well). Also in this network I have a Mail/Web server which needs a public IP address that I don't have. So I made a new VLAN 14 (corresponding access-list 114) and put the server there. Now I forwarded some ports from g.g.g.146 (router external address) to a.a.a.10 (the server IP address) in order to be able to use my application from the internet (this also works well). Now I am able to use the server from the internet, e.g. on g.g.g.146 port 80 (HTTP), but not from inside my network. Let's say that I want to access g.g.g.146 port 80 from VLAN 32 (corresponding access-list 132): it is not possible; if I try a.a.a.10 port 80 it works. It looks like the IP packets that are going out via NAT overload are not NATed again by the port forwarding.

Do you have any suggestion/advice on what I can do in order to be able to use the g.g.g.146 port address also from inside the network?

Here is a configuration sample:

interface GigabitEthernet0/0
 ip address g.g.g.146 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 11
 ip address l.l.l.1 255.255.255.0
 ip access-group 111 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 10
 ip address x.x.x.1 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 32
 ip address v.v.v.1 255.255.255.0
 ip access-group 132 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.5
 encapsulation dot1Q 14
 ip address a.a.a.1 255.255.255.0
 ip access-group 114 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.6
 encapsulation dot1Q 8
 ip address k.k.k.1 255.255.255.0
 ip access-group 108 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.7
 encapsulation dot1Q 23
 ip address y.y.y.1 255.255.255.0
 ip access-group 123 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.8
 encapsulation dot1Q 7
 ip address j.j.j.1 255.255.255.0
 ip access-group 107 in
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 27
 ip address z.z.z.1 255.255.255.0
 ip access-group 127 in
 ip nat inside
 ip virtual-reassembly in
!
ip local pool vpnpool1 t.t.t.20 t.t.t.29
ip default-gateway g.g.g.145
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp a.a.a.10 25 g.g.g.146 25 extendable
ip nat inside source static tcp a.a.a.10 53 g.g.g.146 53 extendable
ip nat inside source static tcp a.a.a.10 80 g.g.g.146 80 extendable
ip nat inside source static tcp a.a.a.10 88 g.g.g.146 88 extendable
ip nat inside source static tcp a.a.a.10 110 g.g.g.146 110 extendable
ip nat inside source static tcp a.a.a.10 143 g.g.g.146 143 extendable
ip nat inside source static tcp a.a.a.10 443 g.g.g.146 443 extendable
ip nat inside source static tcp a.a.a.10 993 g.g.g.146 993 extendable
ip nat inside source static tcp a.a.a.10 995 g.g.g.146 995 extendable
ip route 0.0.0.0 0.0.0.0 g.g.g.145
ip route g.g.g.146 255.255.255.255 GigabitEthernet0/0
ip route x.x.x.0 255.255.255.0 GigabitEthernet0/1.2
ip route y.y.y.0 255.255.255.0 GigabitEthernet0/1.7
ip route z.z.z.0 255.255.255.0 GigabitEthernet0/1.10
!
access-list 100 remark --nat deny to vpn--
access-list 100 deny   ip t.t.t.0 0.0.0.255 any
access-list 100 deny   ip any t.t.t.0 0.0.0.255
access-list 100 remark --nat--
access-list 100 permit ip v.v.v.0 0.0.0.255 any
access-list 100 permit ip host j.j.j.100 any
access-list 100 permit ip host j.j.j.101 any
access-list 100 permit ip host j.j.j.102 any
access-list 100 permit ip l.l.l.0 0.0.0.255 any
access-list 100 permit ip x.x.x.0 0.0.0.255 any
access-list 100 permit ip z.z.z.0 0.0.0.255 any
access-list 100 permit ip host k.k.k.1 any
access-list 100 permit ip host k.k.k.10 any
access-list 100 permit ip host a.a.a.10 any
access-list 102 remark --VPN--
access-list 102 permit ip v.v.v.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 102 permit ip z.z.z.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 102 permit ip y.y.y.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 102 permit ip k.k.k.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 102 permit ip x.x.x.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 102 permit ip l.l.l.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 104 remark --nonat--
access-list 104 deny   ip z.z.z.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 104 permit ip z.z.z.0 0.0.0.255 any
access-list 107 remark --anvari--
access-list 107 permit ip host j.j.j.101 any
access-list 107 permit ip host j.j.j.102 any
access-list 107 permit ip host j.j.j.100 any
access-list 107 permit ip host j.j.j.195 any
access-list 107 permit ip host j.j.j.196 any
access-list 108 remark --anvari server eg--
access-list 108 permit ip host k.k.k.10 any
access-list 110 remark --PS--
access-list 110 permit ip x.x.x.0 0.0.0.255 x.x.x.0 0.0.0.255
access-list 110 permit ip x.x.x.0 0.0.0.255 k.k.k.0 0.0.0.255
access-list 110 permit ip x.x.x.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 110 permit ip x.x.x.0 0.0.0.255 any
access-list 111 remark --Server--
access-list 111 permit ip l.l.l.0 0.0.0.255 l.l.l.0 0.0.0.255
access-list 111 permit ip l.l.l.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 111 permit ip l.l.l.0 0.0.0.255 any
access-list 114 remark --mail/web--
access-list 114 permit ip host a.a.a.10 any
access-list 123 remark --Administrare--
access-list 123 permit ip y.y.y.0 0.0.0.255 any
access-list 127 remark --test--
access-list 127 deny   ip z.z.z.0 0.0.0.255 y.y.y.0 0.0.0.255
access-list 127 permit ip z.z.z.0 0.0.0.255 any
access-list 132 remark --icidem--
access-list 132 permit ip v.v.v.0 0.0.0.255 t.t.t.0 0.0.0.255
access-list 132 permit ip v.v.v.0 0.0.0.255 host x.x.x.10
access-list 132 permit ip v.v.v.0 0.0.0.255 host l.l.l.10
access-list 132 permit ip v.v.v.0 0.0.0.255 host l.l.l.11
access-list 132 permit ip v.v.v.0 0.0.0.255 host v.v.v.1
access-list 132 permit ip v.v.v.0 0.0.0.255 host a.a.a.10
access-list 132 deny   ip v.v.v.0 0.0.0.255 e.e.0.0 0.0.255.255
access-list 132 permit ip v.v.v.0 0.0.0.255 any
access-list 132 permit ip v.v.v.0 0.0.0.255 host g.g.g.146
!

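Added example, not part of the original post: a simplified Python model of the interface-domain NAT configured above, showing why the port forward is missed from inside VLANs (the situation usually called NAT hairpinning or NAT loopback). It assumes that a static `ip nat inside source` entry rewrites the destination only for packets arriving on an `ip nat outside` interface; the function names and the trimmed config excerpt are constructed for illustration.

```python
import re

# Trimmed excerpt of the posted configuration (addresses are the post's own placeholders).
CONFIG = """\
interface GigabitEthernet0/0
 ip address g.g.g.146 255.255.255.248
 ip nat outside
interface GigabitEthernet0/1.3
 ip address v.v.v.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.5
 ip address a.a.a.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp a.a.a.10 80 g.g.g.146 80 extendable
ip nat inside source static tcp a.a.a.10 443 g.g.g.146 443 extendable
"""

STATIC = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+)")

def parse(config):
    """Return ({interface: {'addr', 'domain'}}, {(global_ip, port): (local_ip, port)})."""
    ifaces, forwards, current = {}, {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current = ifaces.setdefault(words[1], {"addr": None, "domain": None})
        elif words[:2] == ["ip", "address"] and current is not None:
            current["addr"] = words[2]
        elif current is not None and words[:2] == ["ip", "nat"] \
                and words[2:] in (["inside"], ["outside"]):
            current["domain"] = words[2]
        elif (m := STATIC.match(line)):
            forwards[(m[3], int(m[4]))] = (m[1], int(m[2]))
    return ifaces, forwards

def deliver(ifaces, forwards, ingress, dst_ip, dst_port):
    """Assumed model: the global-to-local rewrite is applied only on outside ingress."""
    if ifaces[ingress]["domain"] == "outside" and (dst_ip, dst_port) in forwards:
        return ("translated",) + forwards[(dst_ip, dst_port)]
    if any(i["addr"] == dst_ip for i in ifaces.values()):
        return ("router-local", dst_ip, dst_port)  # terminates on the router itself
    return ("routed", dst_ip, dst_port)

def hairpin_gaps(ifaces, forwards):
    """List (inside interface, global ip, port) combinations that miss the forward."""
    return [(name, g, p) for name, i in ifaces.items() if i["domain"] == "inside"
            for (g, p) in forwards
            if deliver(ifaces, forwards, name, g, p)[0] != "translated"]
```

In this model a VLAN 32 client that targets g.g.g.146 port 80 reaches the router's own address rather than a.a.a.10, which matches the symptom in the post, while the same request arriving on GigabitEthernet0/0 is translated.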