Support
Community

Anonymous · ‎04-24-2012

Hello all,

I am having troule configuring some one to one nats and wondering of some one could assist. not sure what I am oing wrong. I feel that I am close. I am currently working on a TA 912 (1st gen) runnning A1.02.00.E. I have a /29 block - 209.x.x.72/29 Would like to have three one to one nats. open on all ports

209.x.x.76 natted to 10.0.0.103
209.x.x.77 natted to 10.0.0.148
209.x.x.75 natted to 10.0.0.2

Here are some portions of the current config

interface eth 0/1

no snmp trap link-status

ip address 10.0.0.1 255.255.255.0

ip address 209.x.x.73 255.255.255.248 secondary

access-policy INSIDE100

no shutdown

interface ppp 1

ip address negotiated

ip address 209.x.x.76 255.255.255.255 secondary

ip address 209.x.x.77 255.255.255.255 secondary

ip address 209.x.x.78 255.255.255.255 secondary

access-policy OUTSIDE100

media-gateway ip primary

qos-policy out VOICE

max-reserved-bandwidth 85

no shutdown

cross-connect 1 t1 0/1 1 ppp 1

ip access-list extended WAN100

permit ip any host 209.x.x.76

ip access-list extended WAN200

permit ip any host 209.x.x.75

ip access-list extended WAN300

permit ip any host 209.x.x.77

ip access-list extended LAN100

permit ip host 10.0.0.103 any

ip access-list extended LAN200

permit ip host 10.0.0.2 any

ip access-list extended LAN300

permit ip host 10.0.0.148 any

ip access-list standard ALL

permit any

ip access-list extended NAT

permit ip 10.0.0.0 0.0.0.255 any

ip access-list extended publicLAN

permit ip any 209.x.x.72 0.0.0.7

!

ip access-list extended publicLAN_out

permit ip 209.x.x.72 0.0.0.7 any

ip policy-class INSIDE100

nat source list LAN100 address 209.x.x.76 overload

nat source list LAN200 address 209.x.x.75 overload

nat source list LAN300 address 209.x.x.77 overload

nat source list NAT interface ppp 1 overload

ip policy-class OUTSIDE100

allow list MGDR_TELNET

allow list ICMP

nat destination list WAN100 address 10.0.0.103

nat destination list WAN200 address 10.0.0.2

nat destination list WAN300 address 10.0.0.148

discard list ALL

Anonymous · ‎04-24-2012

Tonycaf,

Thanks for posting. After looking over your configuration, I do see a couple things we may need to modify. First, we need to add the 209.x.x.75 address to the PPP interface.

interface ppp 1

ip address 209.x.x.75 255.255.255.255 secondary

Also, you may have just omitted them, but verify that the access lists MGDR_TELNET and ICMP exist in your configuration. The traffic that matches on these access lists will not fall through to the "nat destination" rules below. Also, if those access lists do not exist in your configuration, they are treated as a "match all" which would also prevent this configuration from working as you would expect.

Lastly, a good way to determine how a unit is treating/mapping sessions is to use the "show ip policy-sessions" command. For example, lets say you planned to use the 209.x.x.76 as a web server. You could access a computer on the Internet and type that IP address into your web browser. As you do that, you can enter the "show ip policy-sessions" command to view that session as it flows through the unit. You should expect to see something similar to the following.

Policy class "OUTSIDE100":

tcp (600) -> INSIDE100

1.1.1.1 38491 209.x.x.76 80 d 10.0.0.103 80

You may have many other sessions, but these two lines would indicate that the traffic was forwarded to 10.0.0.103. Feel free to respond to this e-mail with any additional configuration you may have regarding the access lists, "show ip policy-sessions" output, or any further questions you may have.

Thanks!

David

View solution in original post

Anonymous · ‎04-24-2012

Tonycaf,

Thanks for posting. After looking over your configuration, I do see a couple things we may need to modify. First, we need to add the 209.x.x.75 address to the PPP interface.

interface ppp 1

ip address 209.x.x.75 255.255.255.255 secondary

Also, you may have just omitted them, but verify that the access lists MGDR_TELNET and ICMP exist in your configuration. The traffic that matches on these access lists will not fall through to the "nat destination" rules below. Also, if those access lists do not exist in your configuration, they are treated as a "match all" which would also prevent this configuration from working as you would expect.

Lastly, a good way to determine how a unit is treating/mapping sessions is to use the "show ip policy-sessions" command. For example, lets say you planned to use the 209.x.x.76 as a web server. You could access a computer on the Internet and type that IP address into your web browser. As you do that, you can enter the "show ip policy-sessions" command to view that session as it flows through the unit. You should expect to see something similar to the following.

Policy class "OUTSIDE100":

tcp (600) -> INSIDE100

1.1.1.1 38491 209.x.x.76 80 d 10.0.0.103 80

You may have many other sessions, but these two lines would indicate that the traffic was forwarded to 10.0.0.103. Feel free to respond to this e-mail with any additional configuration you may have regarding the access lists, "show ip policy-sessions" output, or any further questions you may have.

Thanks!

David

Anonymous · ‎04-26-2012

Thanks for the help on this. I did end up working with another co-worker and got this working properly

Anonymous · ‎04-26-2012

Tonycaf,

I went ahead and flagged this post as “Assumed Answered”. If the response on this thread assisted you, please mark it as Correct or Helpful as the case may be with the applicable buttons. This will make them visible and help other members of the community find solutions more easily.

Thanks!

David

Support
Community

Static one to one NAT

Re: Static one to one NAT

Re: Static one to one NAT

Re: Static one to one NAT

Re: Static one to one NAT

SupportCommunity

Static one to one NAT

Re: Static one to one NAT

Re: Static one to one NAT

Re: Static one to one NAT

Re: Static one to one NAT

Support
Community