3 Replies Latest reply on Apr 26, 2012 10:39 AM by david

    Static one to one NAT

    tonycaf New Member

      Hello all,

      I am having trouble configuring some one to one NATs and wondering if someone could assist. Not sure what I am doing wrong. I feel that I am close. I am currently working on a TA 912 (1st gen) running A1.02.00.E. I have a /29 block - 209.x.x.72/29. Would like to have three one to one NATs, open on all ports.

      1. 209.x.x.76 natted to
      2. 209.x.x.77 natted to
      3. 209.x.x.75 natted to 

      Here are some portions of the current config

      interface eth 0/1

        no snmp trap link-status

        ip address

        ip address  209.x.x.73 secondary

        access-policy INSIDE100

        no shutdown


      interface ppp 1

        ip address negotiated

        ip address  209.x.x.76 secondary

        ip address  209.x.x.77 secondary

        ip address  209.x.x.78 secondary

        access-policy OUTSIDE100

        media-gateway ip primary

        qos-policy out VOICE

        max-reserved-bandwidth 85

        no shutdown

        cross-connect 1 t1 0/1 1 ppp 1


      ip access-list extended WAN100

        permit ip any  host 209.x.x.76


      ip access-list extended WAN200

        permit ip any  host 209.x.x.75


      ip access-list extended WAN300

        permit ip any  host 209.x.x.77


      ip access-list extended LAN100

        permit ip host  any


      ip access-list extended LAN200

        permit ip host  any


      ip access-list extended LAN300

        permit ip host  any


      ip access-list standard ALL

        permit any


      ip access-list extended NAT

        permit ip  any


      ip access-list extended publicLAN

        permit ip any  209.x.x.72


      ip access-list extended publicLAN_out

        permit ip 209.x.x.72  any



      ip policy-class INSIDE100

        nat source list LAN100 address 209.x.x.76 overload

        nat source list LAN200 address 209.x.x.75 overload

        nat source list LAN300 address 209.x.x.77 overload

        nat source list NAT interface ppp 1 overload


      ip policy-class OUTSIDE100

        allow list MGDR_TELNET

        allow list ICMP

        nat destination list WAN100 address

        nat destination list WAN200 address

        nat destination list WAN300 address

        discard list ALL

        • Re: Static one to one NAT
          david Employee



          Thanks for posting.  After looking over your configuration, I do see a couple things we may need to modify.  First, we need to add the 209.x.x.75 address to the PPP interface.


          interface ppp 1

          ip address 209.x.x.75 secondary


          Also, you may have just omitted them, but verify that the access lists MGDR_TELNET and ICMP exist in your configuration.  The traffic that matches on these access lists will not fall through to the "nat destination" rules below.  Also, if those access lists do not exist in your configuration, they are treated as a "match all" which would also prevent this configuration from working as you would expect.


          Lastly, a good way to determine how a unit is treating/mapping sessions is to use the "show ip policy-sessions" command.  For example, let's say you planned to use the 209.x.x.76 as a web server.  You could access a computer on the Internet and type that IP address into your web browser.  As you do that, you can enter the "show ip policy-sessions" command to view that session as it flows through the unit.  You should expect to see something similar to the following.


          Policy class "OUTSIDE100":

          tcp (600) -> INSIDE100

          38491    209.x.x.76   80    d   80


          You may have many other sessions, but these two lines would indicate that the traffic was forwarded to  Feel free to respond to this e-mail with any additional configuration you may have regarding the access lists, "show ip policy-sessions" output, or any further questions you may have.
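The two checks from the reply above (a policy-class entry that names an access list which is not defined, and a "nat destination" public address that is on no interface) can be run over a saved config before it is loaded. This is an added example, not part of the original thread and not ADTRAN code; the `audit` function is hypothetical, the sample config is constructed in the thread's syntax, and the 192.0.2.x inside addresses are placeholders.

```python
import re
# Constructed sample in the thread's syntax; 192.0.2.x addresses are placeholders.
SAMPLE = """\
interface ppp 1
  ip address 209.x.x.76 secondary
  ip address 209.x.x.77 secondary
ip access-list extended WAN100
  permit ip any host 209.x.x.76
ip access-list extended WAN200
  permit ip any host 209.x.x.75
ip access-list standard ALL
  permit any
ip policy-class OUTSIDE100
  allow list MGDR_TELNET
  nat destination list WAN100 address 192.0.2.10
  nat destination list WAN200 address 192.0.2.11
  discard list ALL
"""

def audit(config):
    """Return findings for the two problems described in the reply."""
    acls, iface_addrs, rules, section = {}, set(), [], [""]
    for raw in filter(str.strip, config.splitlines()):
        line = raw.strip()
        if not raw[0].isspace():              # unindented line opens a section
            section = line.split()
            if section[:2] == ["ip", "access-list"]:
                acls[section[3]] = []
        elif section[0] == "interface" and line.startswith("ip address "):
            iface_addrs.add(line.split()[2])
        elif section[:2] == ["ip", "access-list"]:
            acls[section[3]].append(line)
        elif section[:2] == ["ip", "policy-class"] and (
                m := re.search(r"\blist (\S+)", line)):
            rules.append((section[2], line, m.group(1)))
    findings, shadowed = [], set()
    for pclass, rule, acl in rules:           # entries in configured order
        if pclass in shadowed:                # an earlier entry matches everything
            findings.append(f"{pclass}: '{rule}' is unreachable")
        if acl not in acls:                   # per the reply: treated as match all
            findings.append(f"{pclass}: list {acl} is not defined (match all)")
            shadowed.add(pclass)
        elif rule.startswith("nat destination"):
            for host in re.findall(r"host (\S+)", " ".join(acls[acl])):
                if host not in iface_addrs:   # public address never assigned
                    findings.append(f"{pclass}: {host} ({acl}) is on no interface")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

An undefined list on an "allow" entry in the outside policy class is worth catching for a second reason: if it matches everything, it admits traffic that the final "discard list ALL" was meant to drop.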




          • Re: Static one to one NAT
            tonycaf New Member

            Thanks for the help on this. I did end up working with another co-worker and got this working properly

              • Re: Static one to one NAT
                david Employee



                I went ahead and flagged this post as “Assumed Answered”.  If the response on this thread assisted you, please mark it as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.