Cisco Support Community
New Member

Need help with a NAT issue

Hi everyone.

I have a Cisco 1720 router in production and I use the following commands to NAT outbound traffic and PAT inbound.

interface FastEthernet0
 ip address 10.5.5.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
!
interface Serial0
 ip address 207.207.169.90 255.255.255.252 secondary
 ip address 207.207.169.38 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 10.5.5.10 6000 207.207.169.90 6000 extendable

Now, I have a video server that has an internal IP of 10.5.5.10 on port 6000.

When I am inside the 10 network, and I type http://10.5.5.10:6000, I can access the video server.

However, when I type in http://207.207.169.90:6000 while on the 10 net, I cannot reach this video server.

In essence, when I stay inside the router, it works. When I traverse the router, go out and come back in (even on a different address than the NAT address, my secondary) I cannot get this to work.

Can anyone help me on this? Do you see anything wrong with the config or do you have a solution that could make this work?

Thanks for your input!

Darrel

Purple

Re: Need help with a NAT issue

Hi,

That is how NAT works in this scenario. What you are experiencing is normal behaviour; requests from outside the network pass through both the NAT inside and outside points. However, that is not the case when issuing the request from the inside network. There are ways to make this work using NAT-on-a-stick features but I don't recommend doing that...

Hope that helps - pls do rate the post if it does.

Paresh
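
The behaviour described in the reply above, as an added example that is not part of the original thread: a small Python model that parses the interface roles and the static port forward from the posted configuration and shows which ingress interface triggers the destination rewrite. The `parse` and `deliver` functions are hypothetical names, and the model is deliberately simplified (it only captures that the global-to-local rewrite is applied to packets arriving on an `ip nat outside` interface).

```python
import re

# Interface roles and the static port forward, copied from the original post.
CONFIG = """\
interface FastEthernet0
 ip address 10.5.5.1 255.255.255.0
 ip nat inside
interface Serial0
 ip address 207.207.169.90 255.255.255.252 secondary
 ip address 207.207.169.38 255.255.255.252
 ip nat outside
ip nat inside source static tcp 10.5.5.10 6000 207.207.169.90 6000 extendable
"""

def parse(config):
    """Return ({interface: role}, {(proto, global_ip, global_port): (local_ip, local_port)})."""
    roles, statics, current = {}, {}, None
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif (m := re.match(r"ip nat (inside|outside)$", line)) and current:
            roles[current] = m.group(1)
        elif m := re.match(
            r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", line
        ):
            proto, lip, lport, gip, gport = m.groups()
            statics[(proto, gip, int(gport))] = (lip, int(lport))
    return roles, statics

def deliver(config, ingress, proto, dst_ip, dst_port):
    """Simplified model (assumption): the static entry rewrites the destination
    only when the packet arrives on an interface marked 'ip nat outside'."""
    roles, statics = parse(config)
    hit = statics.get((proto, dst_ip, dst_port))
    if hit and roles.get(ingress) == "outside":
        return ("translated", *hit)
    return ("untranslated", dst_ip, dst_port)

if __name__ == "__main__":
    # Same destination, two ingress interfaces: outside client vs. inside client.
    for ingress in ("Serial0", "FastEthernet0"):
        print(ingress, deliver(CONFIG, ingress, "tcp", "207.207.169.90", 6000))
```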

New Member

Re: Need help with a NAT issue

Paresh,

Oh no! That's not so good :(

You see we have an "external" website, which talks back to these video servers. When accessing this website from an "outside" source, everything works fine.

However, if a customer on the "inside" logs in to the external website, the video does not show up.

Would you say that I will have to put the video servers on the public address space in order for both external & internal customers to be able to get the video stream?

Thanks!

Darrel

Silver

Re: Need help with a NAT issue

I think that if the inside user connects to the external site and then, via that site, connects back to the video server, it will be OK.

However, why doesn't the inside user use the inside address to access the site? You can set up the hosts file on the PC for inside users so that if they use that hostname, it will go to the video server with the inside address. And for external users, just using the external address is fine.

Moreover, the location of the video server depends on the security policy and the requirement.

Purple

Re: Need help with a NAT issue

Darrel,

Why can't you just configure the internal customers to use the inside address?

Paresh

New Member

Re: Need help with a NAT issue

Paresh & jackyoung

This is where it gets complex. The external webserver is just that: external. Both internal and external customers log in to it. The webserver then (inside the code) pulls video on demand from the video server that's on the inside. So, the internal customer cannot simply connect to the video server, because our software actually runs on the external webserver.

So, the external website is unable to get the video when an internal user connects to it. An external user does not seem to have the problem :(

Darrel

Purple

Re: Need help with a NAT issue

Darrel,

You might be able to try something like the following (assuming that 10.1.1.100 is the inside address of the server and 150.1.1.100 is the outside address):

interface loopback0
 ip address 192.168.1.1 255.255.255.255
 ip nat outside
!
interface fastethernet0
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip policy route-map PolMap
!
route-map PolMap permit 10
 match ip address 101
 set interface loopback0
!
access-list 101 permit ip host 10.1.1.100 host 150.1.1.100
!
ip nat inside source static 10.1.1.100 150.1.1.100

Paresh

New Member

Re: Need help with a NAT issue

Hello Paresh,

Let me see if I understand this correctly then. My current config would then be modified as follows? (the ADD statements)

ADD:
interface loopback0
 ip address 192.168.1.1 255.255.255.255
 ip nat outside

interface FastEthernet0
 ip address 10.5.5.1 255.255.255.0
 ip nat inside
 speed auto
 full-duplex
 ADD: ip policy route-map PolMap
!
interface Serial0
 ip address 207.207.169.90 255.255.255.252 secondary
 ip address 207.207.169.38 255.255.255.252
 ip nat outside
!
ip nat inside source list 1 interface Serial0 overload
ip nat inside source static tcp 10.5.5.10 6000 207.207.169.90 6000 extendable

ADD:
route-map PolMap permit 10
 match ip address 101
 set interface loopback0
!

ADD:
!
access-list 101 permit ip host 10.5.5.10 host 207.207.169.90
!
ip nat inside source static 10.5.5.10 207.207.169.90

Would this be correct? I am not sure that I fully understand this. Is it routing through the loopback, based on hitting the policy?

Thank you so much!

Darrel

New Member

Re: Need help with a NAT issue

Paresh,

Could you review this for me please?

Thanks!

Darrel

Re: Need help with a NAT issue

Hi Darrel,

This may sound somewhat outrageous, however I would try to use a DMZ and then would try to avoid the 'NATting on the Stick' situation.

I hope that helps.

Kind Regards,

Wilson Samuel

PS: Please rate if it helps.
