Cisco Systems Static & Dynamic NAT

Posted by Jamie Watson on July 4, 2006, 11:31 am
I am trying to give a PC on our network a static NAT address and have the other
PCs use a pool. I have successfully done this using a basic ip nat inside
source static command, but found that it caused problems with the VPN for
that device. I then turned to using route-maps. I can now ping the static
device remotely, but when I go to http://www.whatismyip.com or something along
those lines, external traffic is still getting NATted to the pool. Can anyone
offer any advice?

Thanks
Jamie

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname rugby870
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip cef table adjacency-prefix validate
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.117.1 192.168.117.75
ip dhcp excluded-address 192.168.117.201 192.168.117.254
!
ip dhcp pool sdm-pool
import all
network 192.168.117.0 255.255.255.0
default-router 192.168.117.1
netbios-name-server 192.168.117.4 195.111.111.20
netbios-node-type h-node
dns-server 195.111.111.6
domain-name xxxx.local
lease 3
!
!
ip domain name lanegroup.co.uk
ip name-server 217.169.20.20
ip name-server 217.169.20.21
!
isdn switch-type basic-net3
!
crypto pki trustpoint TP-self-signed-1858581259
subject-name cn=IOS-Self-Signed-Certificate-1858581259
revocation-check none
rsakeypair TP-self-signed-1858581259
!
crypto pki trustpoint TP-self-signed-549921670
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-549921670
revocation-check none
rsakeypair TP-self-signed-549921670
!
!
crypto pki certificate chain TP-self-signed-1858581259
crypto pki certificate chain TP-self-signed-549921670
certificate self-signed 01
quit
username xxxx privilege 15 secret 5 xxxx
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
!
track 1 rtr 1 reachability
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 1800
crypto isakmp key xxxx address xxxxx
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer xxxx
set transform-set ESP-3DES-SHA
match address 115
!
!
!
!
interface BRI0
description $BACKUP_INTF_ATM0.1_TRACK_1$
no ip address
encapsulation ppp
shutdown
dialer pool-member 2
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no cdp enable
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
ip address 192.168.117.1 255.255.255.0
ip nat inside
ip nat allow-static-host
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto map SDM_CMAP_1
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 0 xxx
ppp pap sent-username xxxx password 0 xxxx
crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool natoverload xx.xx.xx.xx xx.xx.xx.xx netmask 255.255.255.248
ip nat inside source list 120 pool natoverload overload
ip nat inside source static tcp 192.168.117.101 5405 xx.xx.xx.xx 5405 extendable
ip nat inside source static 192.168.117.8 xx.xx.xx.xx route-map nonat
!
logging trap debugging
access-list 115 permit ip 192.168.117.0 0.0.0.255 195.111.111.0 0.0.0.255
access-list 115 permit ip 192.168.117.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 192.168.117.0 0.0.0.255 195.111.111.0 0.0.0.255
access-list 120 deny ip 192.168.117.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip 192.168.117.0 0.0.0.255 any
access-list 130 deny ip host 192.168.117.8 195.111.111.0 0.0.0.255
access-list 130 deny ip host 192.168.117.8 10.0.0.0 0.255.255.255
access-list 130 permit ip host 192.168.117.8 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
no cdp run
!
!
!
route-map nonat permit 10
match ip address 130
!
!
control-plane
!
!
line con 0
login local
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
privilege level 15
login local
transport input telnet ssh
transport output all
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end



Posted by on July 4, 2006, 2:37 pm
Jamie Watson wrote:
> I am trying to give a PC on our network a static NAT address and have the other
> PCs use a pool. I have successfully done this using a basic ip nat inside
> source static command, but found that it caused problems with the VPN for
> that device. I then turned to using route-maps. I can now ping the static
> device remotely, but when I go to http://www.whatismyip.com or something along
> those lines, external traffic is still getting NATted to the pool. Can anyone
> offer any advice?

I think that the only change that you need to make is as follows:-
Caveat: I have not tested this and have not used such complex NAT for years. Phew!

Old:
access-list 120 deny ip 192.168.117.0 0.0.0.255 195.111.111.0 0.0.0.255
access-list 120 deny ip 192.168.117.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 permit ip 192.168.117.0 0.0.0.255 any

New:-
access-list 120 deny ip 192.168.117.0 0.0.0.255 195.111.111.0 0.0.0.255
access-list 120 deny ip 192.168.117.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip host 192.168.117.8 any
access-list 120 permit ip 192.168.117.0 0.0.0.255 any

However all those numbers (ACL numbers) make my head swim
so I worked it out like this.

Let's say we have:-

External address 1.1.1.1/29 (255.255.255.248)

NAT pool        1.1.1.2 - 1.1.1.5

ACL.crypto
permit ip 192.168.117.0 0.0.0.255 195.111.111.0 0.0.0.255
permit ip 192.168.117.0 0.0.0.255 10.0.0.0 0.255.255.255

ACL.NAT.static
deny ip host 192.168.117.8 195.111.111.0 0.0.0.255
deny ip host 192.168.117.8 10.0.0.0 0.255.255.255
permit ip host 192.168.117.8 any


ACL.NAT.poolnat
deny ip 192.168.117.0 0.0.0.255 195.111.111.0 0.0.0.255
deny ip 192.168.117.0 0.0.0.255 10.0.0.0 0.255.255.255
! ###########################################
!!! ####### CRITICAL addition next line #######
! ###########################################
deny ip host 192.168.117.8 any
permit ip 192.168.117.0 0.0.0.255 any


ip nat pool POOL.nat 1.1.1.2 1.1.1.5 netmask 255.255.255.248

ip nat inside source list ACL.NAT.poolnat pool POOL.nat overload
ip nat inside source static tcp 192.168.117.101 5405 1.1.1.x 5405
ip nat inside source static 192.168.117.8 1.1.1.5 route-map RM.NAT.static

route-map RM.NAT.static permit 10
match ip address ACL.NAT.static

Call it "Scottish Notation" if you like:-)
Spelling is as intended.

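As an added illustration (not part of the thread), here is a small Python model of the ACL evaluation and the translation decision the reply describes. The ACL entries are the ones from the posts; the order in which translate() consults the pool rule and the route-map rule, and the destination addresses used in the comments, are assumptions made for this model.

```python
# Constructed model of the NAT decision in the thread; not code from any post.
import ipaddress

# (base, wildcard) pairs written the way IOS ACLs spell them
ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.117.0", "0.0.0.255")
VPN_A = ("195.111.111.0", "0.0.0.255")
VPN_B = ("10.0.0.0", "0.255.255.255")
HOST8 = ("192.168.117.8", "0.0.0.0")      # "host 192.168.117.8"

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base_wc):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wc = base_wc
    care = ~_ip(wc) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def acl_permits(acl, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action == "permit"
    return False

# access-list 130 / ACL.NAT.static, referenced by the route-map
ACL_STATIC = [("deny", HOST8, VPN_A), ("deny", HOST8, VPN_B), ("permit", HOST8, ANY)]
# access-list 120 as posted, and with the reply's "CRITICAL" deny added
ACL_POOL_OLD = [("deny", LAN, VPN_A), ("deny", LAN, VPN_B), ("permit", LAN, ANY)]
ACL_POOL_NEW = ACL_POOL_OLD[:2] + [("deny", HOST8, ANY)] + ACL_POOL_OLD[2:]

def translate(src, dst, pool_acl):
    """Source address seen on the outside for one inside->outside packet.
    The pool rule is consulted first: that ordering reproduces what Jamie
    observed (pool NAT claiming the host's traffic) and is an assumption
    of this model, not a statement about how IOS orders its NAT lookup."""
    if acl_permits(pool_acl, src, dst):
        return "pool"                  # PAT to 1.1.1.2-1.1.1.5
    if acl_permits(ACL_STATIC, src, dst):
        return "1.1.1.5"               # static translation via the route-map
    return src                         # untranslated: crypto-map (VPN) traffic

# Example destinations are constructed (203.0.113.10 is a documentation address):
# translate("192.168.117.8", "203.0.113.10", ACL_POOL_OLD) -> "pool"
# translate("192.168.117.8", "203.0.113.10", ACL_POOL_NEW) -> "1.1.1.5"
```

Without the extra deny, the pool ACL's final permit matches 192.168.117.8 like any other LAN host, so the route-map entry is never reached; the VPN destinations stay untranslated in both versions.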

Posted by Jamie Watson on July 5, 2006, 5:14 am
Seems to have worked a treat. Thanks very much!!



