Question

Cisco PAT question

Asked by: S0lar

Ok, here we go:
Cisco router 2851 with 4 interfaces:

int fe0/1/0 - ISP 1- main uplink, ip nat outside
int fe0/3/0 - ISP 2 - secondary uplink, ip nat outside
int ge0/0 - LAN, ip nat inside
int ge0/1 - LAN 2 - direct link to our second office (they have their ISP and don't use our uplinks) - ip nat outside

what we have working fine:
ip nat source static LAN.IP.ADD.RESS PORT ISP.1.ADDR.ESS_A  PORT
...
ip nat source LAN.IP.ADD.RESS PORT ISP.2.ADDR.ESS_B  PORT
..
what we want to have workin:
PAT   ISP1.ADDR.ESS.C => LAN2.IP.ADDR.ESS
the problem that AFAIK we need to make 2 translations:
a)first of all to change dst address when gettin packet on FE0/1/0 (to address LAN2.IP.ADDR.ESSC) - this thingy works ok!
b)and then to change src address when sending packet out from GE0/1 (because otherwise response to this packet will be sent via LAN2 default route to another ISP) - can't get it workin!!.

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On
2008-02-23 at 14:16:29ID23187626
Topics

Network Routers

,

Broadband Internet

Participating Experts
1
Points
0
Comments
15

Trusted by hundreds of thousands everyday for fast, accurate and reliable tech support.

  • "The time we save is the biggest benefit of Experts Exchange to Warner Bros. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange." Mike Kapnisakis, Warner Bros.
  • "Our team likes having a resource that is more secure than just using Google and most experts using this service really know their stuff. It's nice to look here first versus using Google." Dayna Sellner, Lockheed Martin
  • "Anytime that I've been stumped with a problem, 9 out of 10 times Experts Exchange has either the accepted solution or an open discussion of the potential solution to the problem." Kenny Red, eBay Inc.

See what Experts Exchange can do for you.

Got a question?

We've got the answer.

Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.

Screenshot of Experts Exchange Knowledgebase

Need individual assistance?

Our experts are ready to help.

If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.

Screenshot of Experts Exchange Knowledgebase

Want to learn from the best?

Read articles from industry experts.

Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.

Screenshot of an Article

Working on a long term project?

Store your work and research.

Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.

Screenshot of Experts Exchange Knowledgebase

Access the answers to your technology questions today.

Subscribe Now

30-day free trial. Register in 60 seconds.

What Makes Experts Exchange Unique?

Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.

Trusted by the world's most respected brands.

image of each brand's logo

Faithfully serving IT professionals since 1996.

Experts Exchange Logo

Try it out and discover for yourself.

Subscribe Now

30-day free trial. Register in 60 seconds.

Related Solutions

  1. Cisco NAT/PAT Question
    Please i need help with the following configurations below: Some things are not too clear to me as regards the cisco nat/pat aspect 1. it seems as if the internal ip address 192.168.1.2 is being translated to 196.46.241.130 and also 80.88.144.21. Can someone please clarify t...
  2. setup NAT and PAT and DHCP in cisco router
    hi i have cisco router (2800) and i have one public ip address (X.X1.X2.X3) how i can setup NAT and PAT and DHCP for my internal network (my internal network is 172.16.0.0) thanks
  3. NAT & PAT
    I have a router 1841 and I want to make PAT to allow all my users to connect to the internet. Do I have to care about the number of users and PATing sessions. How many PAT sessions I can make on the router and how I can measure the ability of the router for PAT sessions

Free Tech Articles

  1. WARNING: 5 Reasons why you should NEVER fix a computer for free.
    It is in our nature to love the puzzle. We are obsessed. The lot of us. We love puzzles. We love the challenge. We thrive on finding the answer. We hate disarray. It bothers us deep in our soul. W...
  2. SCCM OSD Basic troubleshooting
    SCCM 2007 OSD is a fantastic way to deploy operating systems, however, like most things SCCM issues can sometimes be difficult to resolve due to the sheer volume of logs to sift through and the dispe...
  3. Migrate Small Business Server 2003 to Exchange 2010 and Windows 2008 R2
    This guide is intended to provide step by step instructions on how to migrate from Small Business Server 2003 to Windows 2008 R2 with Exchange 2010. For this migration to work you will need the fo...
  4. Create a Win7 Gadget
    This article shows you how to create a simple "Gadget" -- a sort of mini-application supported by Windows 7 and Vista. Gadgets can be dropped anywhere on the desktop to provide instant information, ...
  5. Outlook continually prompting for username and password
    There have been a lot of questions recently regarding Outlook prompting for a username and password whilst using Exchange 2007. There are a few reasons why this would happen and I will try to cover t...
  6. Backup Exchange 2010 Information Store using Windows Backup
    There seems to be quite a lot of confusion around the ability to backup Exchange 2010 using the built in Windows Backup feature. This stems from the omission of this feature prior to Exchange 2007 s...

Cloud Class Webinars

  1. Avoiding Bugs in Microsoft Access
    Alison Balter takes and in-depth look at avoiding bugs in Access. In this webinar you will learn about using the immediate window to debug your applications, invoking the debugger, using breakpoints to troubleshoot, stepping through code, setting the next statement to execute, ...
  2. Top 10 Best New Features in Visio 2010
    Scott Helmers gives live demonstrations of the top 10 new features in Visio 2010. This webinar will teach you how to create compelling diagrams by adding shapes to the page with a single click, linking the shapes in a diagram to data in Excel (or SQL Server, or SharePoint), ...
  3. IT Consultant Business Secrets Revealed
    Michael Munger, Experts Exchange tech pro and IT consultant, pulls back the curtain on his very successful businesses and answers question on every IT consultant and business owner should know about. He shares secrets on what he did to solve the 5 most common problems in IT, ...
  4. Disaster Recovery and Business Continuity
    Quest CTO, Mike Billon, gives an overview of the steps involved in building a dunamic disaster recovery plan. Through case studies and an examination of software/hardware tooles for monitoring and testing, you'll gain a better understandin of where you are, where you want ...
  5. Organize Your Visio Diagrams with Containers and Lists
    Scott Helmers uses cross functional flowcharts, wireframe diagrams, data graphic legends and seating charts to teach you: how to ustilize all three new structured diagram components in Visio 2010, the best practices for organizeing shapes in previous version of Visio, how to organize ...
  6. How to Us Objects, Properties, Events and Methods in Microsoft Access
    Alison Dalter gives an in-depbth look at objects, properties, events and methods in Microsoft Access. In this webinar you will learn about using the object browser, referring to objects, working with properties and methods, working with object variables, understanding the ...

Join the Community

Give a Little. Get a Lot.

Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.

Join the Community

Answers

 

by: aconaway1Posted on 2008-02-25 at 14:57:24ID: 20980135

How don't see how point A is working.  Can you post a config?

 

by: S0larPosted on 2008-02-25 at 23:02:57ID: 20982157

Here's config:
everything working fine except:
ip nat inside source static tcp 172.16.1.29 20 AAA.AAA.AAA.172 20 extendable
ip nat inside source static tcp 172.16.1.29 21 AAA.AAA.AAA.172 21 extendable

because 172.16.1.x network is independent and has i it's own default route that's why we need to translate these packets once more, to make 172.16.1.29 host to recieve these packets with srcaddr of 172.16.1.2. So, i need help with this second static translation...

-------------------------
Current configuration : 3717 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2851
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
!
aaa session-id common
!
!
ip cef
!
!
no ip domain lookup
ip domain name xxxxxxxx.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-server 10.0.0.x
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 l2tp tunnel receive-window 1024
 ip pmtu
 ip mtu adjust
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username xxxxxx privilege 15 password 0 xxxxxxx
archive
 log config
  hidekeys
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description TO_LAN2
 ip address 172.16.1.2 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 description TO_ISP1
 ip address AAA.AAA.AAA.170 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/3/0
 description TO_ISP2
 ip address BBB.BBB.BBB.BB2 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1400
 autodetect encapsulation ppp
 peer default ip address dhcp
 compress mppc
 ppp encrypt mppe auto
 ppp authentication ms-chap-v2 callin
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 AAA.AAA.AAA.169 10
ip route 0.0.0.0 0.0.0.0 BBB.BBB.BBB.BB1 50
ip route 192.168.193.0 255.255.255.0 10.0.0.254
ip route 192.168.200.0 255.255.255.0 10.0.0.254
ip route 192.168.212.0 255.255.255.0 172.16.1.3
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1/0 overload
ip nat inside source list 1 interface FastEthernet0/3/0 overload
ip nat inside source static tcp 10.0.0.10 20 AAA.AAA.AAA.171 20 extendable
ip nat inside source static tcp 10.0.0.10 21 AAA.AAA.AAA.171 21 extendable
ip nat inside source static tcp 10.0.0.2 25 AAA.AAA.AAA.171 25 extendable
ip nat inside source static tcp 10.0.0.7 443 AAA.AAA.AAA.171 443 extendable
ip nat inside source static tcp 172.16.1.29 20 AAA.AAA.AAA.172 20 extendable
ip nat inside source static tcp 172.16.1.29 21 AAA.AAA.AAA.172 21 extendable
ip nat inside source static tcp 10.0.0.10 20 BBB.BBB.BBB.BB2 20 extendable
ip nat inside source static tcp 10.0.0.10 21 BBB.BBB.BBB.BB2 21 extendable
ip nat inside source static tcp 10.0.0.2 25 BBB.BBB.BBB.BB2 25 extendable
ip nat inside source static tcp 10.0.0.7 443 BBB.BBB.BBB.BB2 443 extendable
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 172.16.1.29
!
!
!
!
!
!
radius-server configure-nas
radius-server host 10.0.0.y auth-port 1645 acct-port 1646
radius-server key zzzzzzz
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxx
 transport input ssh
!
scheduler allocate 20000 1000
!
end

 

by: aconaway1Posted on 2008-02-26 at 07:06:56ID: 20984904

Just to make sure I've got this right.

The 172.16.1.0/26 network is access through this router, but the default GW for that network is somewhere else, so, to get hosts to talk to 172.16.1.29 through this router, you want them to appear to .29 as .2 (the IF of the router).  At the same time, you want the .29 to appear as AAA.AAA.AAA.172.  Correct?

If that's the case, then we need to make some changes.  The lines

ip nat inside source static tcp 172.16.1.29 20 AAA.AAA.AAA.172 20 extendable
ip nat inside source static tcp 172.16.1.29 21 AAA.AAA.AAA.172 21 extendable

probably work, but, since you're not changing the source addresses, you're probably just not getting the traffic back.

How about trying this?

access-list 103 permit any 172.16.1.0 255.255.255.224
ip nat outside source list 103 interface FastEthernet0/3/0 overload

This should change the source address of hosts coming from the outside interface (F0/1/0 and F0/3/0) if they match ACL 103.

Let me know if that helps.

 

by: S0larPosted on 2008-02-26 at 07:58:17ID: 20985475

Yep, you are correct about my case :)

access-list 103 permit any 172.16.1.0 255.255.255.224
well, probaly you meant "access-list 103 permit ip any 172.16.1.0 255.255.255.224"?  because it is extended acl..
but i can't understand why i should use 'FastEthernet0/3/0' here?
ip nat outside source list 103 interface FastEthernet0/3/0 overload
As far as i can understand we need to change src addr to GigabitEther0/1 address....

 

by: aconaway1Posted on 2008-02-26 at 16:59:45ID: 20990501

You're right about the ACL.  Typo on my part.

Again, you're right about the interface to overload.  You want to appear as the IP on G0/1, so use that.

I must have been asleep when I wrote that.  Heh.

Glad it's working, though.

 

by: S0larPosted on 2008-02-26 at 22:40:22ID: 20991883

i haven't tested it yet :) I don't like to play with nat rules when connected to cisco remotely. I will check it on local console in next couple of days.

 

by: aconaway1Posted on 2008-02-27 at 08:22:52ID: 20995294

Real network guys make the change and have someone onsite power cycle the router if it breaks.  :)

Let me know if it still doesn't work.

 

by: S0larPosted on 2008-02-28 at 06:59:14ID: 21004310

Can't understand why, but it didn't work... Logically it should work because we are changing outside source address (outside local-outside global)...
but show ip access-list shows no hits to
-----------
Extended IP access list 101
    10 permit ip any host 172.16.1.29
c2851#
----------

 

by: S0larPosted on 2008-02-28 at 12:57:24ID: 21007968

played a bit with access-list 101
now it reads :
------------
Extended IP access list 101
    10 permit ip any host 172.16.1.29
    20 permit ip any host 87.245.160.172 (44 matches)
-------------
so we have matches now but....

#show nat stat
-------------------
-- Outside Source
[Id: 5] access-list 101 interface GigabitEthernet0/1 refcount 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
--------------------
very weird but looks like
'ip nat outside source list 101 interface GigabitEthernet0/1'
line does not work at all....

 

by: aconaway1Posted on 2008-02-28 at 19:06:14ID: 21010406

Can you drop the whole config down again?

 

by: S0larPosted on 2008-02-28 at 23:26:02ID: 21011519

here it is

-------------------------------
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname c2851
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxx
enable password xxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
!
aaa session-id common
!
!
ip cef
!
!
no ip domain lookup
ip domain name xxxxxxxxx.com
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-server 10.0.0.2
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
l2tp tunnel receive-window 1024
ip pmtu
ip mtu adjust
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username root privilege 15 password xxxxxxxxx
archive
log config
  hidekeys
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
interface GigabitEthernet0/0
description LAN
ip address 10.0.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map GEN-POLICY
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description LAN_TO_LAN2
ip address 172.16.1.2 255.255.255.224
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1/0
description UPLINK-ISP1
ip address ISP1.AAA.AAA.AA0 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
description UPLINK-ISP2
ip address ISP2.BBB.BBB.BB0 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1400
autodetect encapsulation ppp
peer default ip address dhcp
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap-v2 callin
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 ISP1.AAA.AAA.AA9 10
ip route 0.0.0.0 0.0.0.0 ISP2.BBB.BBB.BB9 50
ip route 192.168.193.0 255.255.255.0 10.0.0.254
ip route 192.168.200.0 255.255.255.0 10.0.0.254
ip route 192.168.212.0 255.255.255.0 172.16.1.1
!
!
no ip http server
no ip http secure-server
ip nat pool MAIL1-POOL ISP1.AAA.AAA.AA1 ISP1.AAA.AAA.AA1 prefix-length 24
ip nat pool FTP1-POOL ISP1.AAA.AAA.AA2 ISP1.AAA.AAA.AA2 prefix-length 24
ip nat inside source route-map ISP1-NAT interface FastEthernet0/1/0 overload
ip nat inside source route-map FTP1-NAT pool FTP1-POOL overload
ip nat inside source route-map MAIL1-NAT pool MAIL1-POOL overload
ip nat inside source route-map ISP2-NAT interface FastEthernet0/3/0 overload
ip nat inside source static tcp 10.0.0.10 20 ISP1.AAA.AAA.AA1 20 extendable
ip nat inside source static tcp 10.0.0.10 21 ISP1.AAA.AAA.AA1 21 extendable
ip nat inside source static tcp 10.0.0.2 25 ISP1.AAA.AAA.AA1 25 extendable
ip nat inside source static tcp 10.0.0.7 443 ISP1.AAA.AAA.AA1 443 extendable
ip nat inside source static 172.16.1.29 ISP1.AAA.AAA.AA2
ip nat inside source static tcp 10.0.0.10 20 ISP2.BBB.BBB.BB0 20 extendable
ip nat inside source static tcp 10.0.0.10 21 ISP2.BBB.BBB.BB0 21 extendable
ip nat inside source static tcp 10.0.0.2 25 ISP2.BBB.BBB.BB0 25 extendable
ip nat inside source static tcp 10.0.0.7 443 ISP2.BBB.BBB.BB0 443 extendable
ip nat outside source list 101 interface GigabitEthernet0/1
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 permit 172.16.1.29
access-list 101 permit ip any host ISP1.AAA.AAA.AA2
access-list 102 permit tcp any host ZZZ.ZZZ.ZZZ.ZZZ eq 22
access-list 103 permit tcp host 10.0.0.2 any eq smtp
access-list 104 permit ip 10.0.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 104 permit ip 10.0.0.0 0.0.255.255 172.16.0.0 0.0.255.255
!
!
!
route-map FTP1-NAT permit 10
match ip address 2
match interface FastEthernet0/1/0
!
route-map MAIL1-NAT permit 10
match ip address 103
match interface FastEthernet0/1/0
!
route-map GEN-POLICY permit 5
match ip address 102
set ip next-hop ISP2.BBB.BBB.GW
!
route-map ISP2-NAT permit 10
match ip address 1
match interface FastEthernet0/3/0
!
route-map ISP1-NAT deny 5
match ip address 102
!
route-map ISP1-NAT deny 6
match ip address 103
!
route-map ISP1-NAT deny 7
match ip address 104
!
route-map ISP1-NAT permit 10
match ip address 1
match interface FastEthernet0/1/0
!
!
!
radius-server configure-nas
radius-server host 10.0.0.2 auth-port 1645 acct-port 1646
radius-server key xxxxxxx
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxxxxx
transport input ssh
!
scheduler allocate 20000 1000
!
end

 

by: aconaway1Posted on 2008-03-04 at 05:19:33ID: 21040625

Can we do some experimentation?  I want to give a host on the outside its own static source translation on the inside.  Can you configure a static NAT for the outside host to a separate inside IP?

ip nat outside source The.source.ip.address some.other.inside.address

 

by: S0larPosted on 2008-03-04 at 05:56:21ID: 21040888

sure, give me address :)

 

by: aconaway1Posted on 2008-03-04 at 06:41:49ID: 21041363

Where are you testing from?  Use that address and assign yourself a new inside one.

 

by: S0larPosted on 2008-03-16 at 06:56:10ID: 21136941

tested. did not work.

but found another solution: double translation via NVI (not inside/outside NAT domains)

20120131-EE-VQP-002

3 Ways to Join

30-Day Free Trial

The Experts

98% positive feedback on 31,087 answers since March 2000. angeliii is a Microsoft Most Valuable Professional for his work with MS SQL Server & Develoment.

He has also proven his knowledge of Visual Basic Programming, PHP Scripting and Oracle Databases.

The Experts

97% positive feedback on 10,752 answers since July 2000. lrmoore has more than 18 years experience in the networking industry.

The six-time Mircosoft MVPs specialties include firewalls, virtual private networking, and network management.

Testimonials

"...and excellent source for support... Kind of like having your very own IT dept." Electriciansnet

Testimonials

"I was apprehensive at signing up at first. However... it has already made my life as an IT administrator much easier." JaCrews

Testimonials

"WOW! You guys have great, active, and knowledgeable people on here." moore50

Business Clients

Business Clients

In the Press

"If you’ve got a question... Experts Exchange can supply an answer.”

In the Press

"...an invaluable aid for both IT professionals and those who require tech support."

In the Press

"where IT professionals provide quick answers on just about any topic"

Business Account Plans

Loading Advertisement...