Problem with NAT for 1 inside machine

Status
Not open for further replies.

eclidad

Technical User
Jan 5, 2005
81
Hi,

We've got an 1841 that is served by 2 blocks of public IP addresses from 2 ISPs. We've got 1 inside machine that has a static nat for port 5900. When it initiates a connection we want it to get a nat address from the pool that uses our T1. The inside address of this machine is 192.168.10.2. The route-maps for our nat pools are T1_Map (access-list 101) and Cable_Map (access-list 102). If I try and browse from 192.168.10.2 and then look at my access-lists on the router I see matches for access-list 105 but none for 101 or 102. The connection never completes. Access-list 104 is there for a policy based route.

We do a similar thing for 192.168.1.9 and it works here. The only difference I see is in how the static NAT is set up.

Thanks,
- Joel

Here's the important part of the config

ip nat pool T1_Pool A.B.C.247 A.B.C.249 netmask 255.255.255.240
ip nat pool Cable_Pool X.Y.Z.210 X.Y.Z.212 netmask 255.255.255.248
ip nat inside source route-map Cable_Map pool Cable_Pool overload
ip nat inside source route-map T1_Map pool T1_Pool overload
ip nat inside source static tcp 192.168.10.2 5900 A.B.C.251 5900 route-map VOIP_Map extendable
ip nat inside source static 192.168.1.9 A.B.C.252 route-map MX_Map
ip nat inside source static 192.168.3.10 A.B.C.253 route-map Cluster_Map

access-list 100 deny ip any 10.2.2.32 0.0.0.31
access-list 100 permit ip host 192.168.3.10 any
access-list 101 remark This list is applied to the T1 route map
access-list 101 remark for dynamic NAT to portal and T1
access-list 101 deny ip any 10.2.2.32 0.0.0.31
access-list 101 deny ip host 192.168.1.9 host A.B.C.242
access-list 101 deny ip host 192.168.1.9 host A.B.C.243
access-list 101 deny ip host 192.168.3.10 host A.B.C.242
access-list 101 deny ip host 192.168.3.10 host A.B.C.243
access-list 101 remark entries for .244 and .245 are temporary during new portal setup
access-list 101 deny ip host 192.168.1.9 host A.B.C.244
access-list 101 deny ip host 192.168.1.9 host A.B.C.245
access-list 101 deny ip host 192.168.3.10 host A.B.C.244
access-list 101 deny ip host 192.168.3.10 host A.B.C.245
access-list 101 permit ip host 192.168.3.10 any
access-list 101 permit ip host 192.168.3.11 any
access-list 101 permit ip host 192.168.3.12 any
access-list 101 permit ip host 192.168.10.2 any
access-list 101 permit ip host 192.168.1.9 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 A.B.C.240 0.0.0.15
access-list 102 remark This list is applied to the Cable route map
access-list 102 remark for dynamic NAT to rest of internet
access-list 102 deny ip any 10.2.2.32 0.0.0.31
access-list 102 deny ip 192.168.0.0 0.0.255.255 A.B.C.240 0.0.0.15
access-list 102 deny ip 209.237.163.240 0.0.0.15 any
access-list 102 deny ip host 192.168.3.10 any
access-list 102 deny ip host 192.168.3.11 any
access-list 102 deny ip host 192.168.3.12 any
access-list 102 deny ip host 192.168.10.2 any
access-list 102 deny ip host 192.168.1.9 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 remark This list is applied to the Vlan2 route map
access-list 103 remark to force routing of packets from vlan2 to internet
access-list 103 deny ip A.B.C.240 0.0.0.15 A.B.C.240 0.0.0.15
access-list 103 permit ip A.B.C.240 0.0.0.15 any
access-list 104 remark This list is applied to the StaticNat route map
access-list 104 remark to force routing for inside hosts that are statically
access-list 104 remark natted to one of the T1 ip addresses.
access-list 104 deny ip host 192.168.1.9 10.2.2.32 0.0.0.31
access-list 104 deny ip host 192.168.3.10 10.2.2.32 0.0.0.31
access-list 104 deny ip host 192.168.10.2 10.2.2.32 0.0.0.31
access-list 104 deny ip 192.168.0.0 0.0.255.255 A.B.C.240 0.0.0.15
access-list 104 permit ip host 192.168.1.9 any
access-list 104 permit ip host 192.168.3.10 any
access-list 104 permit ip host 192.168.3.11 any
access-list 104 permit ip host 192.168.3.12 any
access-list 104 permit ip host 192.168.10.2 any
access-list 105 deny ip any 10.2.2.32 0.0.0.31
access-list 105 permit ip host 192.168.10.2 any
access-list 106 deny ip any 10.2.2.32 0.0.0.31
access-list 106 permit ip host 192.168.1.9 any

route-map Vlan2_Map permit 10
 match ip address 103
 set default interface Serial0/0/0
!
route-map Static_Map permit 10
 match ip address 104
 set ip default next-hop R.S.T.49
!
route-map Cluster_Map permit 1
 match ip address 100
!
route-map Cable_Map permit 10
 match ip address 102
!
route-map VOIP_Map permit 1
 match ip address 105
!
route-map T1_Map permit 10
 match ip address 101
!
route-map MX_Map permit 1
 match ip address 106
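
An added example, not part of the original post: a first-match evaluator for the access-lists referenced by the NAT route-maps, to check which of them permit a given flow from 192.168.10.2 and compare that with the router's hit counters. Assumptions: the masked prefix A.B.C is replaced by 198.51.100, the Internet destination 203.0.113.80 is constructed, and only entries that can match source 192.168.10.2 are kept.

```python
import ipaddress

# Entries from the posted ACLs 101, 102 and 105 that can match source 192.168.10.2.
# Assumption: masked prefix A.B.C is written as 198.51.100 so the lines parse.
CONFIG = """
access-list 101 deny ip any 10.2.2.32 0.0.0.31
access-list 101 permit ip host 192.168.10.2 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 198.51.100.240 0.0.0.15
access-list 102 deny ip any 10.2.2.32 0.0.0.31
access-list 102 deny ip 192.168.0.0 0.0.255.255 198.51.100.240 0.0.0.15
access-list 102 deny ip host 192.168.10.2 any
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip any 10.2.2.32 0.0.0.31
access-list 105 permit ip host 192.168.10.2 any
"""

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _take(tok):  # consume "any" | "host X" | "X wildcard" -> (base, wildcard)
    head = tok.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tok.pop(0)), 0
    return _ip(head), _ip(tok.pop(0))

def parse(text):
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        num, action, rest = tok[1], tok[2], tok[4:]   # tok[3] is the protocol, "ip"
        acls.setdefault(num, []).append((action, _take(rest), _take(rest)))
    return acls

def verdict(entries, src, dst):
    """First matching entry wins; no match means the implicit deny."""
    for action, (sb, sw), (db, dw) in entries:
        if not ((_ip(src) ^ sb) & ~sw & 0xFFFFFFFF) and not ((_ip(dst) ^ db) & ~dw & 0xFFFFFFFF):
            return action
    return "deny"

def evaluate(src, dst, text=CONFIG):
    return {num: verdict(e, src, dst) for num, e in parse(text).items()}

if __name__ == "__main__":
    print(evaluate("192.168.10.2", "203.0.113.80"))   # constructed Internet destination
```

For the constructed Internet destination, lists 101 and 105 both permit the flow and 102 denies it, so the traffic qualifies for both T1_Map and VOIP_Map.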
 