New Member

static NAT translation question

Hello Cisco Community-

I am hoping someone can assist me with this.  Working with a Cisco 1920 router (v15.2).  I am trying to map an inside address (10.11.8.226) to an outside address (162.x.x.83) so an internal web address can be accessed from the outside.  There are a limited number of available external IP addresses, so a PAT pool (mapped to a single address) is being used for Internet access.  This static of course should not use this pool, but the external address that has been assigned to it.  I have added this command to the config:

 

ip nat inside source static 10.11.8.226 162.X.X.83

 

I have also added (and removed) several combinations to the corresponding ACL, but I cannot get it to work.  I have attached a copy of the config before I started adding commands.  If anyone could help, I would appreciate it.

 

Thanks

6 REPLIES
New Member

Hello,

 

Did you enter the command ip nat inside / ip nat outside?

 

Best regards,

New Member

Hi

 

As per the configuration attached it should be working. Could you please share the output of "show ip nat translation | in 10.11.8.226" after adding the static NAT configuration? You are using a crypto VPN configuration. What I have seen in several issues is that ideally the traffic should take the static NAT, however it might be taking the dynamic translation. If it does show up in the output getting translated to the PAT IP address, in that case we'll have to deny the traffic in the NAT ACL.

 

 ip access-list extended nonat

 deny   ip host 10.11.8.226 any                                      -------------------> Try this Statement. 
 deny   ip 10.11.8.0 0.0.0.255 10.110.8.0 0.0.0.255
 deny   ip 10.11.8.0 0.0.0.255 10.1.99.0 0.0.0.255
 deny   ip 10.110.8.0 0.0.0.255 10.1.99.0 0.0.0.255
 permit ip 10.11.8.0 0.0.0.255 any
 permit ip 10.110.8.0 0.0.0.255 any

 

 

Regards, 

HK

New Member

HK-

 

I have added the deny at the top of the ACL as requested.  It does not appear that this traffic is being treated by this ACL as there are no translations.

tcp 162.X.X.83:80    10.11.8.226:80     ---                ---

When I do a show access-list nonat, I don't see any hits either

      5 deny ip host 10.11.8.226 any
    10 deny ip 10.11.8.0 0.0.0.255 10.110.8.0 0.0.0.255
    20 deny ip 10.11.8.0 0.0.0.255 10.1.99.0 0.0.0.255 (2152668 matches)
    30 deny ip 10.110.8.0 0.0.0.255 10.1.99.0 0.0.0.255 (2365399 matches)
    40 permit ip 10.11.8.0 0.0.0.255 any (11272238 matches)
    50 permit ip 10.110.8.0 0.0.0.255 any (2244 matches)

 

New Member

Hi,

 

Please share the output of "show ip nat stat" from the device.

 

Regards,

HK

New Member

HK-

vol-vh-rtr1#show ip nat stat
Total active translations: 551 (1 static, 550 dynamic; 551 extended)
Peak translations: 5062, occurred 7w0d ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1, Serial0/0/0
Hits: 527487768  Misses: 0
CEF Translated packets: 518311279, CEF Punted packets: 6079898
Expired translations: 11257867
Dynamic mappings:
-- Inside Source
[Id: 1] route-map nat-map pool PAT-pool refcount 550
 pool PAT-pool: netmask 255.255.255.248
        start 162.X.X.82 end 162.X.X.82
        type generic, total addresses 1, allocated 1 (100%), misses 298

I hooked a server to the network and tried a different static.  When I go to the net, it shows the NAT pool IP, not the static.  For some reason the static is not being applied...

Ok, I have removed and re-added the static and now when I go to the Internet I get the correct IP.  That's good.  Also, I put several permit and deny rules into the NONAT access-list.  I get matches on the outside (162.X.X.83) IP address, but still no outside-in access on this server.  Going out to the Internet from this server still works regardless of the rules I put in.

 

 

New Member

Ok. I got some assistance with this outside of the forums.  The problem was with how the ACE should have been done and which ACL to use.

 

ip nat inside source static 10.11.8.226 162.X.X.83  -- This was correct

ip access-list extended outside-access-in
 135 permit tcp any host 162.X.X.83 eq 80              -- Changed IP to inside global
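
Why the final ACE works, as an added Python model that is not part of the original thread: on IOS, traffic arriving on the outside interface is checked against the inbound ACL before the static NAT rewrites the destination, so the ACE has to name the inside global address. Assumptions: outside-access-in is applied inbound on the outside interface, the earlier ACE named the inside local address, and 203.0.113.83 and 198.51.100.7 are constructed stand-ins (the thread masks the real 162.X.X.83).

```python
# Added illustration: models IOS outside-to-inside processing order
# (inbound ACL first, static NAT second). Not router code.
from dataclasses import dataclass, replace

INSIDE_LOCAL = "10.11.8.226"     # real server address (from the thread)
INSIDE_GLOBAL = "203.0.113.83"   # constructed stand-in for the masked 162.X.X.83
STATIC_NAT = {INSIDE_GLOBAL: INSIDE_LOCAL}  # ip nat inside source static <local> <global>

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int

def parse_ace(line):
    """Parse the one ACE shape used in the thread:
    '[seq] permit|deny tcp any host <ip> eq <port>'."""
    tok = line.split()
    if tok[0].isdigit():          # drop the optional sequence number
        tok = tok[1:]
    action, proto, src, host_kw, dst, eq_kw, port = tok
    if (src, host_kw, eq_kw) != ("any", "host", "eq"):
        raise ValueError("unsupported ACE: " + line)
    return action, proto, dst, int(port)

def acl_permits(acl_lines, pkt):
    """First match wins; an unmatched packet hits the implicit deny."""
    for action, proto, dst, port in map(parse_ace, acl_lines):
        if (proto, dst, port) == (pkt.proto, pkt.dst, pkt.dport):
            return action == "permit"
    return False

def outside_to_inside(acl_lines, pkt):
    """Return the packet as delivered inside, or None if the ACL dropped it."""
    if not acl_permits(acl_lines, pkt):   # step 1: ACL sees the untranslated dst
        return None
    local = STATIC_NAT.get(pkt.dst)       # step 2: global -> local rewrite
    return replace(pkt, dst=local) if local else pkt

# Constructed inbound request from an Internet client to the published address.
REQUEST = Packet("tcp", "198.51.100.7", INSIDE_GLOBAL, 80)
ACL_LOCAL = [f"135 permit tcp any host {INSIDE_LOCAL} eq 80"]    # assumed earlier form
ACL_GLOBAL = [f"135 permit tcp any host {INSIDE_GLOBAL} eq 80"]  # form the thread ended on

if __name__ == "__main__":
    print("ACE on inside local :", outside_to_inside(ACL_LOCAL, REQUEST))
    print("ACE on inside global:", outside_to_inside(ACL_GLOBAL, REQUEST))
```

The same ordering explains why the nonat ACL never showed hits for inbound requests: that ACL only selects inside-sourced traffic for the PAT pool and plays no part in filtering on the outside interface.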
 
