Hello all,
I am having trouble configuring some one-to-one NATs and wondering if someone could assist. Not sure what I am doing wrong. I feel that I am close. I am currently working on a TA 912 (1st gen) running A1.02.00.E. I have a /29 block, 209.x.x.72/29. I would like to have three one-to-one NATs, open on all ports.
Here are some portions of the current config
interface eth 0/1
  no snmp trap link-status
  ip address 10.0.0.1 255.255.255.0
  ip address 209.x.x.73 255.255.255.248 secondary
  access-policy INSIDE100
  no shutdown
interface ppp 1
  ip address negotiated
  ip address 209.x.x.76 255.255.255.255 secondary
  ip address 209.x.x.77 255.255.255.255 secondary
  ip address 209.x.x.78 255.255.255.255 secondary
  access-policy OUTSIDE100
  media-gateway ip primary
  qos-policy out VOICE
  max-reserved-bandwidth 85
  no shutdown
  cross-connect 1 t1 0/1 1 ppp 1
ip access-list extended WAN100
  permit ip any host 209.x.x.76
ip access-list extended WAN200
  permit ip any host 209.x.x.75
ip access-list extended WAN300
  permit ip any host 209.x.x.77
ip access-list extended LAN100
  permit ip host 10.0.0.103 any
ip access-list extended LAN200
  permit ip host 10.0.0.2 any
ip access-list extended LAN300
  permit ip host 10.0.0.148 any
ip access-list standard ALL
  permit any
ip access-list extended NAT
  permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended publicLAN
  permit ip any 209.x.x.72 0.0.0.7
!
ip access-list extended publicLAN_out
  permit ip 209.x.x.72 0.0.0.7 any
ip policy-class INSIDE100
  nat source list LAN100 address 209.x.x.76 overload
  nat source list LAN200 address 209.x.x.75 overload
  nat source list LAN300 address 209.x.x.77 overload
  nat source list NAT interface ppp 1 overload
ip policy-class OUTSIDE100
  allow list MGDR_TELNET
  allow list ICMP
  nat destination list WAN100 address 10.0.0.103
  nat destination list WAN200 address 10.0.0.2
  nat destination list WAN300 address 10.0.0.148
  discard list ALL
Tonycaf,
Thanks for posting. After looking over your configuration, I do see a couple things we may need to modify. First, we need to add the 209.x.x.75 address to the PPP interface.
interface ppp 1
  ip address 209.x.x.75 255.255.255.255 secondary
Also, you may have just omitted them, but verify that the access lists MGDR_TELNET and ICMP exist in your configuration. The traffic that matches on these access lists will not fall through to the "nat destination" rules below. Also, if those access lists do not exist in your configuration, they are treated as a "match all" which would also prevent this configuration from working as you would expect.
Lastly, a good way to determine how a unit is treating/mapping sessions is to use the "show ip policy-sessions" command. For example, let's say you planned to use the 209.x.x.76 as a web server. You could access a computer on the Internet and type that IP address into your web browser. As you do that, you can enter the "show ip policy-sessions" command to view that session as it flows through the unit. You should expect to see something similar to the following.
Policy class "OUTSIDE100":
tcp (600) -> INSIDE100
1.1.1.1 38491 209.x.x.76 80 d 10.0.0.103 80
You may have many other sessions, but these two lines would indicate that the traffic was forwarded to 10.0.0.103. Feel free to respond to this e-mail with any additional configuration you may have regarding the access lists, "show ip policy-sessions" output, or any further questions you may have.
Thanks!
David
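The two checks from the reply above (every public address used in a "nat destination" rule must be assigned to the WAN interface, and every access list a policy-class references must be defined) can be run offline against a saved config. This is an added example, not part of the original thread or any ADTRAN tooling; the names `lint` and `SAMPLE_CONFIG` are hypothetical, and the parser assumes only the statement forms shown in this thread.

```python
import re

# Constructed sample: condensed copy of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface ppp 1
ip address negotiated
ip address 209.x.x.76 255.255.255.255 secondary
ip address 209.x.x.77 255.255.255.255 secondary
ip access-list extended WAN100
permit ip any host 209.x.x.76
ip access-list extended WAN200
permit ip any host 209.x.x.75
ip access-list extended WAN300
permit ip any host 209.x.x.77
ip access-list standard ALL
permit any
ip policy-class OUTSIDE100
allow list MGDR_TELNET
allow list ICMP
nat destination list WAN100 address 10.0.0.103
nat destination list WAN200 address 10.0.0.2
nat destination list WAN300 address 10.0.0.148
discard list ALL
"""

def lint(config, wan_if="ppp 1"):
    """Return (undefined ACL names, NAT'd public hosts not assigned to wan_if)."""
    acls, iface_ips, used, section = {}, set(), [], (None, None)
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"ip access-list \w+ (\S+)", line):
            section = ("acl", m[1])
            acls[m[1]] = []
        elif m := re.match(r"interface (.+)", line):
            section = ("if", m[1])
        elif m := re.match(r"ip policy-class (\S+)", line):
            section = ("pc", m[1])
        elif section[0] == "acl" and line.startswith(("permit", "deny")):
            acls[section[1]].append(line)
        elif section == ("if", wan_if):
            if m := re.match(r"ip address (\S+) \S+", line):
                iface_ips.add(m[1])  # skips "ip address negotiated"
        elif section[0] == "pc" and (m := re.search(r"\blist (\S+)", line)):
            used.append((m[1], line.startswith("nat destination")))
    # ACLs referenced by a policy-class but never defined
    undefined = sorted({n for n, _ in used if n not in acls})
    # Public hosts matched by the ACLs behind "nat destination" rules
    dnat_hosts = {h for n, is_dnat in used if is_dnat
                  for entry in acls.get(n, [])
                  for h in re.findall(r"host (\S+)$", entry)}
    return undefined, sorted(dnat_hosts - iface_ips)
```

On the sample, `lint(SAMPLE_CONFIG)` reports MGDR_TELNET and ICMP as undefined and 209.x.x.75 as missing from ppp 1, the same items the reply points out.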
Thanks for the help on this. I did end up working with another co-worker and got this working properly.
Tonycaf,
I went ahead and flagged this post as “Assumed Answered”. If the response on this thread assisted you, please mark it as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily.
Thanks!
David