3 Replies Latest reply on Apr 26, 2012 10:39 AM by david

    Static one to one NAT

    tonycaf New Member

      Hello all,

      I am having trouble configuring some one to one NATs and wondering if someone could assist. Not sure what I am doing wrong. I feel that I am close. I am currently working on a TA 912 (1st gen) running A1.02.00.E. I have a /29 block - 209.x.x.72/29. Would like to have three one to one NATs, open on all ports.

      1. 209.x.x.76 natted to 10.0.0.103
      2. 209.x.x.77 natted to 10.0.0.148
      3. 209.x.x.75 natted to 10.0.0.2 

      Here are some portions of the current config

      interface eth 0/1
        no snmp trap link-status
        ip address  10.0.0.1  255.255.255.0
        ip address  209.x.x.73  255.255.255.248 secondary
        access-policy INSIDE100
        no shutdown

      interface ppp 1
        ip address negotiated
        ip address  209.x.x.76  255.255.255.255 secondary
        ip address  209.x.x.77  255.255.255.255 secondary
        ip address  209.x.x.78  255.255.255.255 secondary
        access-policy OUTSIDE100
        media-gateway ip primary
        qos-policy out VOICE
        max-reserved-bandwidth 85
        no shutdown
        cross-connect 1 t1 0/1 1 ppp 1

      ip access-list extended WAN100
        permit ip any  host 209.x.x.76

      ip access-list extended WAN200
        permit ip any  host 209.x.x.75

      ip access-list extended WAN300
        permit ip any  host 209.x.x.77

      ip access-list extended LAN100
        permit ip host 10.0.0.103  any

      ip access-list extended LAN200
        permit ip host 10.0.0.2  any

      ip access-list extended LAN300
        permit ip host 10.0.0.148  any

      ip access-list standard ALL
        permit any

      ip access-list extended NAT
        permit ip 10.0.0.0 0.0.0.255  any

      ip access-list extended publicLAN
        permit ip any  209.x.x.72 0.0.0.7
      !
      ip access-list extended publicLAN_out
        permit ip 209.x.x.72 0.0.0.7  any

      ip policy-class INSIDE100
        nat source list LAN100 address 209.x.x.76 overload
        nat source list LAN200 address 209.x.x.75 overload
        nat source list LAN300 address 209.x.x.77 overload
        nat source list NAT interface ppp 1 overload

      ip policy-class OUTSIDE100
        allow list MGDR_TELNET
        allow list ICMP
        nat destination list WAN100 address 10.0.0.103
        nat destination list WAN200 address 10.0.0.2
        nat destination list WAN300 address 10.0.0.148
        discard list ALL

        • Re: Static one to one NAT
          david Employee

          Tonycaf,

           

          Thanks for posting.  After looking over your configuration, I do see a couple things we may need to modify.  First, we need to add the 209.x.x.75 address to the PPP interface.

           

          interface ppp 1
            ip address 209.x.x.75 255.255.255.255 secondary

           

          Also, you may have just omitted them, but verify that the access lists MGDR_TELNET and ICMP exist in your configuration.  The traffic that matches on these access lists will not fall through to the "nat destination" rules below.  Also, if those access lists do not exist in your configuration, they are treated as a "match all" which would also prevent this configuration from working as you would expect.

           

          Lastly, a good way to determine how a unit is treating/mapping sessions is to use the "show ip policy-sessions" command.  For example, let's say you planned to use the 209.x.x.76 as a web server.  You could access a computer on the Internet and type that IP address into your web browser.  As you do that, you can enter the "show ip policy-sessions" command to view that session as it flows through the unit.  You should expect to see something similar to the following.

           

          Policy class "OUTSIDE100":
          tcp (600) -> INSIDE100
            1.1.1.1  38491    209.x.x.76   80    d 10.0.0.103   80

           

          You may have many other sessions, but these two lines would indicate that the traffic was forwarded to 10.0.0.103.  Feel free to respond to this e-mail with any additional configuration you may have regarding the access lists, "show ip policy-sessions" output, or any further questions you may have.

           

          Thanks!

          David
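
An added example (not part of the thread and not vendor code): a small Python check that runs over the stanzas posted in the question and reports the two issues the reply above points out, namely policy-class rules that reference access lists missing from the configuration and `nat destination` public addresses that are not assigned to the outside interface. The function names and finding labels are assumptions made for this illustration, and the parser handles only the stanza layout shown in this thread.

```python
# Constructed sample: the relevant stanzas copied from the configuration in the question.
CONFIG = """\
interface ppp 1
  ip address  209.x.x.76  255.255.255.255 secondary
  ip address  209.x.x.77  255.255.255.255 secondary
  ip address  209.x.x.78  255.255.255.255 secondary
ip access-list extended WAN100
  permit ip any  host 209.x.x.76
ip access-list extended WAN200
  permit ip any  host 209.x.x.75
ip access-list extended WAN300
  permit ip any  host 209.x.x.77
ip access-list standard ALL
  permit any
ip policy-class OUTSIDE100
  allow list MGDR_TELNET
  allow list ICMP
  nat destination list WAN100 address 10.0.0.103
  nat destination list WAN200 address 10.0.0.2
  nat destination list WAN300 address 10.0.0.148
  discard list ALL
"""

def parse(config):
    """Group indented lines (as token lists) under their unindented stanza header."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if not line[0].isspace():
            current = stanzas.setdefault(" ".join(line.split()), [])
        elif current is not None:
            current.append(line.split())
    return stanzas

def lint(config, policy_class, outside_if):
    # Returns (kind, value) findings in the order the policy-class rules appear.
    st = parse(config)
    acls = {h.split()[-1]: body for h, body in st.items() if h.startswith("ip access-list ")}
    on_iface = {t[2] for t in st.get("interface " + outside_if, [])
                if t[:2] == ["ip", "address"] and len(t) > 3}
    findings = []
    for rule in st["ip policy-class " + policy_class]:
        name = rule[rule.index("list") + 1]
        if name not in acls:
            findings.append(("undefined-acl", name))
        elif rule[:2] == ["nat", "destination"]:
            for entry in acls[name]:
                if len(entry) > 1 and entry[-2] == "host" and entry[-1] not in on_iface:
                    findings.append(("address-not-on-interface", entry[-1]))
    return findings
```

Calling `lint(CONFIG, "OUTSIDE100", "ppp 1")` on the posted stanzas flags MGDR_TELNET and ICMP as undefined and 209.x.x.75 as missing from ppp 1; the undefined lists matter because, as the reply notes, they are treated as match-all ahead of the NAT rules.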

          • Re: Static one to one NAT
            tonycaf New Member

            Thanks for the help on this. I did end up working with another co-worker and got this working properly

              • Re: Static one to one NAT
                david Employee

                Tonycaf,

                 

                I went ahead and flagged this post as “Assumed Answered”.  If the response on this thread assisted you, please mark it as Correct or Helpful as the case may be with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.

                 

                Thanks!

                David