08-22-2012 02:29 AM - edited 03-04-2019 05:20 PM
Hi there,
I have a strange problem with Cisco 1921 static NAT. Part of the statically NATed hosts are able to be accessed from the WAN and others aren't. For hosts like PCs remote access works (remote desktop), but for IP cameras or the PBX it doesn't. All devices are properly configured with static addresses in network 192.168.1.0 and are fully accessible from the LAN. I'm changing the old Linksys RV 042 router for a Cisco 1921. With the previous router all one-to-one NAT translations worked. With the new 1921 I get problems. Could you help me with it? This is my config:
Building configuration...
Current configuration : 4528 bytes
!
! Last configuration change at 11:06:59 PCTime Wed Aug 22 2012
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXX_ROUTER
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 kB/dVo2CJav1cnVAC1x4uvuUsXYvtYTifXj5JrDOhqk
!
no aaa new-model
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
ip source-route
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.1.100 192.168.1.254
!
ip dhcp pool XXX_OFFICE_DHCP
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
!
no ip domain lookup
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1285045188
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1285045188
revocation-check none
rsakeypair TP-self-signed-1285045188
!
!
crypto pki certificate chain TP-self-signed-1285045188
certificate self-signed 01
quit
license udi pid CISCO1921/K9 sn XXXXXXXXXXX
!
!
username admin privilege 15 password 0 XXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description NETIA_WAN
ip address 77.252.XXX.XXZ 255.255.255.192
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.99
encapsulation dot1Q 99
ip address 192.168.99.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/0/0
no ip address
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list INTERNET interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.2 77.252.XXX.XXA
ip nat inside source static 192.168.1.195 77.252.XXX.XXB
ip nat inside source static 192.168.1.3 77.252.XXX.XXC
ip nat inside source static 192.168.1.4 77.252.XXX.XXD
ip nat inside source static 192.168.1.229 77.252.XXX.XXE
ip nat inside source static 192.168.1.187 77.252.XXX.XXF
ip nat inside source static 192.168.1.205 77.252.XXX.XXG
ip nat inside source static 192.168.1.240 77.252.XXX.XXH
ip route 0.0.0.0 0.0.0.0 77.252.XXX.XXX
!
ip access-list standard INTERNET
permit any
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
08-22-2012 06:07 AM
Hi Piotr,
try to better define the ACL. At the moment you are combining overloading with static NAT for the same subnet. You should separate these IP spaces.
Alessio
Update : 5 points to you then
08-22-2012 07:04 AM
Thanks Alessio for your suggestion. I did it but without a proper result. I think I found the issue. I added two lines to the running config:
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 600
I'm on CCNA level so I'm not able to explain why, after adding these two lines to the config, static NAT started to work properly for all hosts, even if static NAT is combined with an overlapping subnet. Maybe in the NAT translation table I had old dynamic translations created before the static NAT configuration.
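Added here as an audit helper, not code from the thread or from Cisco: it parses NAT lines in the shape of the posted config, lists the hosts that have a static entry but are still matched by the overload ACL (the overlap Alessio points out, which `permit any` guarantees), and builds the ACL that carves them out. The sample config and the 203.0.113.x public addresses are constructed; the deny-before-permit layout and the two inside subnets are assumptions taken from the posted config.

```python
import ipaddress
import re
# Constructed sample shaped like the posted config; 203.0.113.0/24 (a documentation range) stands in for the public side.
SAMPLE_CONFIG = """ip nat inside source list INTERNET interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.1.2 203.0.113.10
ip nat inside source static 192.168.1.195 203.0.113.11
ip access-list standard INTERNET
 permit any"""
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
LIST_RE = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload$")
ACL_RE = re.compile(r"^ip access-list standard (\S+)$")
ACE_RE = re.compile(r"^\s*(permit|deny)\s+(\S+)(?:\s+(\S+))?$")

def ace_network(tokens):
    # Standard-ACL match forms: 'any', 'host A', bare 'A', 'A WILDCARD' (contiguous wildcards assumed).
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tokens[0] == "host" or len(tokens) == 1:
        return ipaddress.ip_network(tokens[-1] + "/32")
    prefixlen = 32 - bin(int(ipaddress.IPv4Address(tokens[1]))).count("1")
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False)

def parse_nat(config):
    # Returns (static inside/outside pairs, overload ACL name, {acl name: [(action, network), ...]}).
    statics, overload_acl, acls, current = [], None, {}, None
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            statics.append((m.group(1), m.group(2)))
        elif m := LIST_RE.match(line):
            overload_acl = m.group(1)
        elif m := ACL_RE.match(line):
            current = m.group(1)
        elif current and (m := ACE_RE.match(line)):
            acls.setdefault(current, []).append((m.group(1), ace_network([t for t in m.groups()[1:] if t])))
        else:
            current = None  # '!' or any other top-level line ends the ACL body
    return statics, overload_acl, acls

def overlapping_static_hosts(config):
    # Static hosts the overload ACL also permits: first match wins, implicit deny at the end.
    statics, acl_name, acls = parse_nat(config)
    def permits(ip):
        hits = [a == "permit" for a, n in acls.get(acl_name, []) if ipaddress.ip_address(ip) in n]
        return hits[0] if hits else False
    return [inside for inside, _ in statics if permits(inside)]

def corrected_acl(config, lans=("192.168.1.0 0.0.0.255", "192.168.99.0 0.0.0.255")):
    # Alessio's fix: deny the one-to-one hosts first, then permit only the inside LANs.
    statics, acl_name, _ = parse_nat(config)
    lines = [f"ip access-list standard {acl_name}"] + [f" deny {i}" for i, _ in statics]
    return "\n".join(lines + [f" permit {lan}" for lan in lans])
```

Changing the ACL does not rewrite entries already in the translation table; `clear ip nat translation *` drops the stale dynamic entries the last post suspects, so the static mappings apply right away instead of after the timeouts expire.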