Problem with ip address pool routing
Posted on 2006-10-22
I have one very wired problem, I don`t understand. Below I will use the example ip addresses in my scenario.
My ISP has assigned me ONE static WAN IP address: 83.261.45.11 and gateway: 83.261.45.1
Than after couple days I called my isp again and asked for 2 more ip addresses which are in the same subnet.
Also not in the same subnet as the first ip I got but those other 2 ip addresses I will them in the same subnet.
So I got than these ip addresses: 126.96.36.199 - 114
Than when I got the email from ISP this is what they told me:
"now we have routet the new subnet on to your ip 83.261.45.11 (my first static ip I got) the new subnet is:
Subnet mask: 255.255.255.252
Hosts: 188.8.131.52 - 184.108.40.206
also they tol me that THIS SUBNET IS ROUTET TO MY FIRST IP 83.261.45.11
And than I have configured my Cisco 2600 series router on this way:
I NAT-ed the wan ip 220.127.116.11 on to internal server which host DNS server.
Than I have created the access list and opened the port 53 both UDP and TCP.
After I did this I scaned this ip 18.104.22.168 from outside and I got the message that there is a service on the port 53
so this is ok this means that port 53 is opened and there is a dns server.
BUT IT WILL NOT WORK ! I tryed to run "cmd" "telnet" open 22.214.171.124 53 and I could not connect.
Below is my config :
encapsulation dot1Q 30
ip address 83.261.45.11 255.255.255.192
ip access-group ACL_CBAC in
ip nat outside
ip inspect cbac_in_to_out out
crypto map clientmap
ip nat pool outbound 126.96.36.199 188.8.131.52 netmask 255.255.255.252
ip nat inside source route-map RM_NAT pool outbound overload
ip access-list extended ACL_NAT
permit ip 172.16.0.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
route-map RM_NAT permit 20
match ip address ACL_NAT
ip nat inside source static tcp 10.0.0.7 53 184.108.40.206 53 extendable
ip access-list extended ACL_CBAC
permit udp any eq 53 any
permit tcp any eq 53 any
permit tcp any any eq 53
permit udp any any eq 53
ip inspect udp idle-time 15
ip inspect dns-timeout 7
ip inspect tcp idle-time 1800
ip inspect tcp finwait-time 1
ip inspect name cbac_in_to_out cuseeme timeout 3600
ip inspect name cbac_in_to_out ftp timeout 3600
ip inspect name cbac_in_to_out h323 timeout 3600
ip inspect name cbac_in_to_out netshow timeout 3600
ip inspect name cbac_in_to_out rcmd timeout 3600
ip inspect name cbac_in_to_out realaudio timeout 3600
ip inspect name cbac_in_to_out rtsp timeout 3600
ip inspect name cbac_in_to_out smtp timeout 3600
ip inspect name cbac_in_to_out sqlnet timeout 3600
ip inspect name cbac_in_to_out streamworks timeout 3600
ip inspect name cbac_in_to_out tcp timeout 3600
ip inspect name cbac_in_to_out tftp timeout 30
ip inspect name cbac_in_to_out udp timeout 15
ip inspect name cbac_in_to_out vdolive timeout 3600
ip inspect name cbac_in_to_out fragment maximum 256 timeout 1
ip audit po max-events 100
So I am not able to use DNS server it will not work, so I think the problem may be :
the ip 220.127.116.11 have not its DIRECT Gateway which the my first ip address uses.
Ip address: 83.261.45.11
BUT WHEN I CHANGE THE NAT, for example if I NAT from IP 83.261.45.11 WHICH is assigned to an interface than it WORKS.
So in all case NAT an ip address that is assigned to an router interface and which have its direct gateway it works fine.
BUT if I nat from addresses from POOL than the DNS will not work.
Any idea what the problem is ??