2 Replies Latest reply on Feb 10, 2017 7:00 AM by jwable

    Trying to get a public IP within a NAT'd interface to work outbound with its own IP address.

    apenichet New Member

      I currently have the following interface setting:

      interface eth 0/2
        ip address  192.168.100.1  255.255.255.0
        ip address  208.122.124.185  255.255.255.248  secondary
        ip access-policy Private
        no awcp
        no shutdown

      This is my lab so I can do whatever I want...

      I have a computer plugged into eth 0/2. When I check whatsmyip.com or ipchicken, it shows the WAN IP of the IAD and not 208.122.124.185, so something like a mail server won't work. Typically we would have a whole other interface with the IP, but we don't...

      How can I get the 208.122.124.185/29 to work correctly, as if it was not NAT'd?

      More Config Below:

      interface eth 0/2
        ip address  192.168.100.1  255.255.255.0
        ip address  208.122.124.185  255.255.255.248  secondary
        ip access-policy Private
        no awcp
        no shutdown
      !
      ip access-list standard wizard-ics
        remark Internet Connection Sharing
        permit any
      !
      ip access-list extended self
        remark Traffic to Total Access
        permit ip any  any     log
      !
      ip access-list extended voip-sig
        permit udp any  any eq 5060
        permit tcp any  any eq 5060
      !
      ip access-list extended web-acl-6
        remark ADMIN-ACCESS
        permit tcp any  any eq www   log
        permit tcp any  any eq telnet   log
        permit udp any  any eq snmp    log
        permit icmp any  any  echo   log
      !
      ip access-list extended web-acl-7
        remark SIP-ALLOW
        permit tcp any  any eq 5060   log
        permit udp any  any eq 5060    log
      !
      ip access-list extended web-acl-8
        remark ALLOW-ALL
        permit ip any  any
      !
      ip policy-class Private
        allow list self self
        nat source list wizard-ics interface gigabit-ethernet 0/1 overload
      !
      ip policy-class Public
        allow list web-acl-7 self
        allow list web-acl-8
        allow list web-acl-6 self
      !

        • Re: Trying to get a public IP within a NAT'd interface to work outbound with its own IP address.
          jayh Hall_of_Fame

          I'm assuming that the computer connected to eth 0/2 is on a public address between 208.122.124.186 and .190 with a gateway of .185.

          Make the following changes:

          1. Restrict NAT to private addresses only.

          ip access-list standard wizard-ics
            remark Permit private for NAT
            permit 192.168.100.0 0.0.0.255
            no permit any
          !

          2. Create an ACL to allow public IPs on eth 0/2 out to Public

          ip access-list standard public-eth02-list
            permit 208.122.124.184 0.0.0.7
          !

          3. Modify the Private policy-class

          ip policy-class Private
            allow list self self
            nat source list wizard-ics interface gigabit-ethernet 0/1 overload
            allow list public-eth02-list policy Public
          !

          It might be cleaner to configure port eth 0/2 with two VLANs as two logical ports, one for the public and one for the private. Trunk that to a switch and configure access ports on the switch for your public and private subnets.

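The reason the original post sees the WAN address is visible if you trace how an ordered policy-class picks its first matching entry. The Python model below is an added example, not part of the thread and not ADTRAN code: it implements ACL wildcard-mask matching and a simplified first-match evaluation (a `self` target only applies to traffic addressed to the router's own IPs), then runs the original `permit any` NAT list and the restricted configuration from the reply above against a public host and a private host. The destination address, the simplified entry semantics, and the result strings are assumptions for illustration.

```python
"""Model of first-match policy-class evaluation (added example, not AOS code).

Simplifications (assumptions): every ACL entry is a 'permit'; an entry whose
target is 'self' applies only when the destination is one of the router's own
addresses; NAT entries rewrite the source, 'allow ... policy X' forwards as-is.
"""
from ipaddress import IPv4Address
from typing import NamedTuple

# Interface addresses from the thread; traffic to these is 'self' traffic.
ROUTER_ADDRS = {"192.168.100.1", "208.122.124.185"}
ANY = ("0.0.0.0", "255.255.255.255")  # 'permit any' as base/wildcard


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """ACL wildcard mask: a set bit means 'don't care'.

    208.122.124.184 0.0.0.7 therefore covers .184 through .191 (the /29).
    """
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


class Acl(NamedTuple):
    name: str
    entries: tuple  # ((base, wildcard), ...), all treated as 'permit'

    def permits(self, src: str) -> bool:
        return any(wildcard_match(src, base, wc) for base, wc in self.entries)


class Entry(NamedTuple):
    action: str  # "nat" (source NAT out an interface) or "allow" (forward as-is)
    acl: str     # name of the source ACL
    target: str  # NAT interface, or destination policy-class ("self" = the router)


def evaluate(policy: list, acls: dict, src: str, dst: str) -> str:
    """Top-down, first match wins; no match falls to the implicit deny."""
    for e in policy:
        if not acls[e.acl].permits(src):
            continue
        if e.target == "self" and dst not in ROUTER_ADDRS:
            continue  # 'allow list X self' only covers traffic to the router itself
        if e.action == "nat":
            return f"NAT overload out {e.target}"
        return f"forward to policy {e.target} (no NAT)"
    return "implicit deny"


# As posted originally: wizard-ics permits any source, so the public host is NATed too.
ORIGINAL_ACLS = {
    "self": Acl("self", (ANY,)),
    "wizard-ics": Acl("wizard-ics", (ANY,)),
}
ORIGINAL_PRIVATE = [
    Entry("allow", "self", "self"),
    Entry("nat", "wizard-ics", "gigabit-ethernet 0/1"),
]

# After the three changes in the reply above.
FIXED_ACLS = {
    "self": Acl("self", (ANY,)),
    "wizard-ics": Acl("wizard-ics", (("192.168.100.0", "0.0.0.255"),)),
    "public-eth02-list": Acl("public-eth02-list", (("208.122.124.184", "0.0.0.7"),)),
}
FIXED_PRIVATE = ORIGINAL_PRIVATE + [Entry("allow", "public-eth02-list", "Public")]

INTERNET_HOST = "198.51.100.10"  # constructed destination (TEST-NET-2)


def compare(src: str, dst: str = INTERNET_HOST) -> dict:
    """Outcome for one source under the original and the corrected policy."""
    return {
        "original": evaluate(ORIGINAL_PRIVATE, ORIGINAL_ACLS, src, dst),
        "fixed": evaluate(FIXED_PRIVATE, FIXED_ACLS, src, dst),
        # Step 3 alone: public entry added but wizard-ics still 'permit any'.
        "step3_only": evaluate(FIXED_PRIVATE, ORIGINAL_ACLS, src, dst),
    }


if __name__ == "__main__":
    for host in ("208.122.124.186", "192.168.100.50"):
        print(host, compare(host))
```

Running it shows that adding the `allow list public-eth02-list policy Public` entry without first restricting `wizard-ics` changes nothing, because the `permit any` NAT entry sits above it and matches first; step 1 of the reply is what makes step 3 reachable.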
          • Re: Trying to get a public IP within a NAT'd interface to work outbound with its own IP address.
            jwable Frequent Visitor

            I agree with Jay's recommendation of creating VLANs on the interface, one public and one private. Below is an example of that configuration. Also, I'm sure it's just a typo, but in your NAT overload statement you are referencing a non-existent port. On the switch that eth 0/2 connects to, set the port as a trunk port with allowed VLANs 1 and 5. On the switch port connecting to the ISP, set the port to access VLAN 5, then make sure you have an untagged access port on VLAN 1 connecting to the private-side internal network somewhere. Also, just checking: I did not see ip media-gateway primary anywhere. Is eth 0/1 being used to connect to the SIP provider?

            Sample of a VLANed Interface:

            interface eth 0/2
              encapsulation 802.1q
              no shutdown
            !
            interface eth 0/2.1
              vlan-id 1 native
              ip address  192.168.100.1  255.255.255.0
              ip access-policy Private
              no shutdown
            !
            interface eth 0/2.5
              vlan-id 5
              ip address  208.122.124.185  255.255.255.248
              ip access-policy public
              no shutdown
            !
            ip access-list standard NAT
              remark Private subnet eligible for NAT (list referenced by policy-class Private)
              permit 192.168.100.0 0.0.0.255
            !
            ip access-list extended OutsideToInside
              remark Used for any inbound connections to be allowed, like management location or SIP server
              permit ip XX.XX.XX.XX 0.0.0.255  any
            !
            ip access-list extended self
              remark Traffic to Netvanta
              permit ip any  any     log
            !
            ip policy-class Private
              allow list self self
              nat source list NAT interface eth 0/2.5 overload
            !
            ip policy-class public
              allow list OutsideToInside self
            !
            ip route 0.0.0.0 0.0.0.0 208.122.124.XXX
