I currently have the following interface setting:
interface eth 0/2
ip address 192.168.100.1 255.255.255.0
ip address 208.122.124.185 255.255.255.248 secondary
ip access-policy Private
no awcp
no shutdown
This is my lab so I can do whatever I want...
I have a computer plugged into eth 0/2. When I do a whatsmyip.com or ipchicken, it's showing the WAN of the IAD and not the 208.122.124.185, so something like a mail server won't work. Typically we would have a whole other interface with the IP, but we don't...
How can I get the 208.122.124.185/29 to work correctly as if it was not NAT'd?
More Config Below:
interface eth 0/2
ip address 192.168.100.1 255.255.255.0
ip address 208.122.124.185 255.255.255.248 secondary
ip access-policy Private
no awcp
no shutdown
ip access-list standard wizard-ics
remark Internet Connection Sharing
permit any
!
!
ip access-list extended self
remark Traffic to Total Access
permit ip any any log
!
ip access-list extended voip-sig
permit udp any any eq 5060
permit tcp any any eq 5060
!
ip access-list extended web-acl-6
remark ADMIN-ACCESS
permit tcp any any eq www log
permit tcp any any eq telnet log
permit udp any any eq snmp log
permit icmp any any echo log
!
ip access-list extended web-acl-7
remark SIP-ALLOW
permit tcp any any eq 5060 log
permit udp any any eq 5060 log
!
ip access-list extended web-acl-8
remark ALLOW-ALL
permit ip any any
!
!
!
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface gigabit-ethernet 0/1 overload
!
ip policy-class Public
allow list web-acl-7 self
allow list web-acl-8
allow list web-acl-6 self
I'm assuming that the computer connected to eth 0/2 is on a public address between 208.122.124.186 and .190 with a gateway of .185.
Make the following changes:
1. Restrict NAT to private addresses only.
ip access-list standard wizard-ics
remark Permit private for NAT
permit 192.168.100.0 0.0.0.255
no permit any
!
2. Create an ACL to allow public IPs on eth 0/2 out to Public
!
ip access-list standard public-eth02-list
permit 208.122.124.184 0.0.0.7
!
3. Modify the Private policy-class
!
ip policy-class Private
allow list self self
nat source list wizard-ics interface gigabit-ethernet 0/1 overload
allow list public-eth02-list policy Public
It might be cleaner to configure port eth 0/2 with two VLANs as two logical ports, one for the public and one for the private. Trunk that to a switch and configure access ports on the switch for your public and private subnets.
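As an added illustration (not part of the thread or of any ADTRAN code), a small Python model of how the corrected Private policy-class above classifies a source address: it evaluates the standard ACLs with wildcard masks top-down, first match wins, and assumes the policy-class ends with an implicit discard.

```python
# Added example: model the NetVanta standard ACLs and the Private policy-class
# from the answer above, so the effect of narrowing wizard-ics from "permit any"
# to the private subnet is visible. Assumed simplifications: entries are evaluated
# top-down, first match wins, implicit deny/discard at the end.
import ipaddress


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco/ADTRAN-style wildcard mask: 1 bits are 'don't care' bits."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = 0xFFFFFFFF ^ w  # bits that must be equal
    return (a & keep) == (n & keep)


def acl_permits(acl, addr: str) -> bool:
    """Standard ACL as a list of (action, network, wildcard); implicit deny at end."""
    for action, network, wildcard in acl:
        if wildcard_match(addr, network, wildcard):
            return action == "permit"
    return False


# ACLs as posted in the thread, transcribed here as constructed Python data.
WIZARD_ICS_BEFORE = [("permit", "0.0.0.0", "255.255.255.255")]  # permit any
WIZARD_ICS_AFTER = [("permit", "192.168.100.0", "0.0.0.255")]  # private only
PUBLIC_ETH02_LIST = [("permit", "208.122.124.184", "0.0.0.7")]  # the /29


def private_policy_action(addr: str, nat_acl, public_acl=PUBLIC_ETH02_LIST) -> str:
    """What the corrected Private policy-class does to traffic from addr.

    Entry order follows the answer: nat source list first, then the
    'allow list public-eth02-list policy Public' entry, then implicit discard.
    """
    if acl_permits(nat_acl, addr):
        return "nat-overload"  # translated to the WAN address
    if acl_permits(public_acl, addr):
        return "allow-to-Public"  # routed unchanged with its public address
    return "discard"  # assumed implicit discard at end of policy-class
```

With the original `permit any`, a host at 208.122.124.186 is NAT'd and shows the WAN address; with the narrowed ACL it falls through to the public-eth02-list entry and keeps its own address.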
I agree with Jay's recommendation of creating VLANs on the interface, one Public, one Private. Below is an example of that configuration. Also, I'm sure it's just a typo, but in your NAT overload statement you are referencing a non-existent port. On the switch that eth 0/2 connects to, set the port as a trunk port with allowed VLANs 1,5. On the switchport connecting to the ISP, set your switch port to access VLAN 5, then make sure you have one untagged access port on VLAN 1 connecting to the private side internal network somewhere. Also, just checking: I did not see ip media gateway primary anywhere; is eth 0/1 being used to connect to the SIP provider?
Sample of a VLANed Interface:
interface eth 0/2
encapsulation 802.1q
no shutdown
!
interface eth 0/2.1
vlan-id 1 native
ip address 192.168.100.1 255.255.255.0
ip access-policy Private
no shutdown
interface eth 0/2.5
vlan-id 5
ip address 208.122.124.185 255.255.255.248
ip access-policy public
no shutdown
!
!
ip access-list extended OutsideToInside
!Used for any inbound connections to be allowed like management location or Sip Server
permit ip XX.XX.XX.XX 0.0.0.255 any
!
ip access-list extended self
remark Traffic to Netvanta
permit ip any any log
!
!
!
ip policy-class Private
allow list self self
nat source list NAT interface eth 0/2.5 overload
!
ip policy-class public
allow list OutsideToInside self
!
!
ip route 0.0.0.0 0.0.0.0 208.122.124.XXX