327 Views | 3 Helpful | 4 Replies

Static and Dynamic NAT Help

lrehanabbr (Level 1)

Hello.

I have a 2620 and new addressing scheme from ISP. They say:

SSIP = 38.x.x.129 /30 (configured on S0/0).

LAN (new) = 38.x.x.8 /29 (not configured - they will route to 38.x.x.129 /30)

I need to host 2 webservers on SSL ports, different public IP addresses from new LAN mapped to static NATs.

Interfaces I have on 2620 are S0/0, E0/0 and E0/1.

Attached is my current config. I want static 38.x.x.9 mapped to 10.1.1.4 (port 443) and static 38.x.x.130 mapped to 10.1.1.17 (ports 443 and 444).

I can't figure this out . . .

4 Replies

cisand2002 (Level 1)

Hello,

This is not clear enough to me.

What do you mean by:

LAN (new) = 38.112.56.8 /29 (not configured - they will route to 38.99.212.129 /30)

If the ISP routes 38.99.212.129/30, where are you going to use 38.112.56.8 /29?

For this request:

static 38.99.212.130 mapped to 10.1.1.17 (ports 443 and 444).

Try:

ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443

ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444

HTH

regards

cisand

I have 38.112.56.9 as an A record to get SSL service hosted inside my firewall on 10.1.1.4.

I also have 38.99.212.130 as an A record. The problem is coming in when I need to use the same port (443) for a different URL I'm hosting inside.

Under current config, stuff is getting in, but sometimes you have to refresh a couple of times - so not consistently.

If I try your suggestion:

ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443

ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444

This would replace:

ip nat inside source static tcp 10.1.1.4 443 38.112.56.9 443 extendable

ip nat inside source static tcp 10.1.1.4 444 38.112.56.9 444 extendable

Right? Binding the NAT directly to the serial . . .

Could I then use your suggestion to map all static "NAT'D" addresses?

Continuing like this:

ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 443

ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 444

Was I just over-complicating it?

Thanks so much for your time!

Hello again,

I got your setup now.

I believe that with a /30 network you will not be able to achieve this.

If you have:

ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443

ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444

ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 443

ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 444

this will not work. What happens when traffic comes to the router using the outside global IP address on port 443? Will it use 10.1.1.4 or 10.1.1.17? Cannot say.

What I suggest:

- either have a /29 from the ISP (price can be different)

- change the outside global TCP port, i.e.

ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443

ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444

ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 11443

ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 11444

but in this case the remote end MUST be aware that to connect to 10.1.1.17 443 it has to use serial0/0 11443.

This can be with no added cost if you manage remote servers/ends.

HTH, if yes please rate.

cisand
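The ambiguity cisand describes above (two static PAT entries claiming the same outside address and port) is easy to catch before a config is applied. The checker below is an added example, not code from this thread or from Cisco: it parses `ip nat inside source static tcp|udp` lines and reports every (protocol, outside address or interface, outside port) key that maps to more than one inside host. The two sample configs are constructed from the commands in this thread; the second uses the two distinct public addresses and produces no collision.

```python
import re
from collections import defaultdict

# Matches: ip nat inside source static tcp|udp <local-ip> <local-port>
#          (<global-ip> | interface <name>) <global-port> [extendable]
NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp)\s+"
    r"(?P<local_ip>\d+\.\d+\.\d+\.\d+)\s+(?P<local_port>\d+)\s+"
    r"(?:interface\s+(?P<iface>\S+)|(?P<global_ip>\d+\.\d+\.\d+\.\d+))\s+"
    r"(?P<global_port>\d+)(?:\s+extendable)?\s*$"
)

def parse_static_nat(config):
    """Return the static PAT entries found in an IOS config text."""
    entries = []
    for line in config.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            entries.append({
                "proto": d["proto"],
                "local": (d["local_ip"], int(d["local_port"])),
                # The outside side is keyed on the literal token, so
                # "serial0/0" and the address assigned to that interface
                # are NOT recognised as the same endpoint here.
                "global": (d["iface"] or d["global_ip"], int(d["global_port"])),
            })
    return entries

def find_collisions(entries):
    """Map each outside (proto, addr-or-iface, port) to the inside hosts
    claiming it; keep only keys claimed by more than one inside host."""
    by_key = defaultdict(list)
    for e in entries:
        key = (e["proto"], e["global"][0], e["global"][1])
        if e["local"] not in by_key[key]:
            by_key[key].append(e["local"])
    return {k: v for k, v in by_key.items() if len(v) > 1}

# Constructed sample: the set cisand says cannot work (same port, same interface).
AMBIGUOUS = """
ip nat inside source static tcp 10.1.1.4 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.4 444 interface serial0/0 444
ip nat inside source static tcp 10.1.1.17 443 interface serial0/0 443
ip nat inside source static tcp 10.1.1.17 444 interface serial0/0 444
"""

# Constructed sample: each inside host behind its own public address.
DISTINCT = """
ip nat inside source static tcp 10.1.1.4 443 38.112.56.9 443 extendable
ip nat inside source static tcp 10.1.1.4 444 38.112.56.9 444 extendable
ip nat inside source static tcp 10.1.1.17 443 38.99.212.130 443 extendable
ip nat inside source static tcp 10.1.1.17 444 38.99.212.130 444 extendable
"""

if __name__ == "__main__":
    for name, cfg in (("AMBIGUOUS", AMBIGUOUS), ("DISTINCT", DISTINCT)):
        print(name, find_collisions(parse_static_nat(cfg)) or "no collisions")
```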

You are sooooo close.

I have 38.112.56.8/29 that my ISP has assigned to me as my LAN. They say I must configure serial0/0 as 38.99.212.130/30. They are using 38.99.212.129/30 as their gateway and say they will route all 38.112.56.8/29 traffic to my router's serial0/0 (38.99.212.130/30).

So, what I'm trying to do is have an A record URL = 38.112.56.9 without remapping ports.

Is this a weird configuration from my ISP? I think they are using BGP. Do you think the only way is to remap the ports?

Thank you for your input!
