Cisco Support Community
New Member

Simple NAT question - for someone knowledgeable

Hello,

I have a NAT question for a Cisco IOS router.

I have a static 1:1 NAT for a server behind my router like this:

ip nat inside source static 192.168.1.10 XYZ.XYZ.XYZ.10 route-map nonat  

(XYZ....10 is my public IP)

I also have a mask NAT (overload) for PCs and other servers that need to access the internet like this:

ip nat inside source route-map nonat interface INTERNET overload

INTERNET is another public IP address I own. The "nonat" route-map bypasses NAT for some VPNs etc.

My question/problem is that inbound traffic from the outside world to XYZ.XYZ.XYZ.10 gets happily NATted to the server and communication (e.g. SMTP) works fine via this address. But if I simply browse out to the internet from my server it appears to come from the public IP address bound to interface INTERNET, e.g. the mask address.

I want it to appear to come from XYZ.XYZ.XYZ.10

How do I fix this?

Cheers, Simon.

4 REPLIES

Simple NAT question - for someone knowledgeable

This may be a solution:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic4

Just that, in the example, pool no-overload has a /24; in your case it will have a /32 XYZ.XYZ...

Also the access list will contain only one /32 prefix.

Let me know if this helps you!

Cheers,

Calin

Simple NAT question - for someone knowledgeable

Hi Simon,

Your approach to the situation is correct, but you need to understand a little about how PAT works.

You have a static PAT like below.
ip nat inside source static 192.168.1.10 XYZ.XYZ.XYZ.10 route-map nonat
What does the route-map contain?


And if you have a static PAT, then the server will be able to communicate with the used public IP on the ports you specified in the NAT command only.
For internet, I mean for the rest of the communication, the traffic will go through your global NAT, which is...
ip nat inside source route-map nonat interface INTERNET overload


If you have a full NAT like below, then the server (private IP) never uses the global NAT IP. It will use only the public IP which you used in your static NAT.
ip nat inside source static 192.168.1.10 XYZ.XYZ.XYZ.10 extendable

Hope the above is clear and understandable to you. Please let me know if you still have any doubts.


Please rate all the helpful posts.
Regards,
Naidu.

New Member

Simple NAT question - for someone knowledgeable

Hi Naidu,

My route-map looks like this:

route-map nonat permit 10

match ip address 150   

ACL 150 looks like this:

access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 150 permit ip 192.168.1.0 0.0.0.255 any

Do I need to change the route-map somehow? Because the server does use the global NAT 'interface INTERNET', not the public IP as specified in the static NAT.

Thanks, Simon.

Simple NAT question - for someone knowledgeable

Hi Simon,

Can you tell me what you are going to achieve with the route-map you used in your static NAT?
And is it not possible to use an open static NAT like below? Then your server never uses the global NAT IP; it uses the public IP only, XYZ.XYZ.XYZ.10.

ip nat inside source static 192.168.1.10 XYZ.XYZ.XYZ.10 extendable


Please rate all the helpful posts.
Regards,
Naidu.
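
Added example (not from any poster in this thread, and not Cisco code): a small Python model of how ACL 150 and route-map nonat, as posted above, classify a flow, showing that the server's internet-bound traffic matches the same route-map that both NAT statements reference, while only traffic to 192.168.2.0/24 is exempted. The function names and the destination 203.0.113.25 are constructed for illustration; the model covers only the "ip" ACL form used here and does not model which NAT rule IOS then selects.

```python
from ipaddress import IPv4Address

# ACL 150 exactly as posted in the thread (extended ACL with wildcard masks).
ACL_150 = """\
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
"""

def _take_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return int(IPv4Address(tokens.pop(0))), 0
    return int(IPv4Address(head)), int(IPv4Address(tokens.pop(0)))

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered entries."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only the 'ip' form used on this page is handled
        rest = tokens[4:]
        entries.append((tokens[2], _take_spec(rest), _take_spec(rest)))
    return entries

def _matches(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # a wildcard bit of 1 means "don't care"
    return (int(IPv4Address(addr)) & care) == (base & care)

def acl_action(entries, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, src_spec, dst_spec in entries:
        if _matches(src, src_spec) and _matches(dst, dst_spec):
            return action
    return "deny"

def route_map_nonat_matches(src, dst):
    """'route-map nonat permit 10' + 'match ip address 150': true iff the ACL permits."""
    return acl_action(parse_acl(ACL_150), src, dst) == "permit"

if __name__ == "__main__":
    # Constructed flows; 203.0.113.25 (documentation range) stands in for an internet host.
    for dst in ("203.0.113.25", "192.168.2.7"):
        print("192.168.1.10 ->", dst, route_map_nonat_matches("192.168.1.10", dst))
```
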
