Solved

"IP NAT OUTSIDE" not working. Can't figure out why.

Posted on 2008-10-21
Last Modified: 2012-05-05
I have a Cisco 1721 router where I need to translate the destination address for a client connection. The configuration I am using is below:

interface fastethernet 1
ip address 172.16.195.49 255.255.255.0
ip nat inside

interface serial 0
ip address 10.10.10.4 255.255.255.0
ip nat outside

ip route 10.100.134.201 255.255.255.0 10.10.10.3
ip route 172.16.191.0 255.255.255.0 172.16.195.1

ip nat outside source static 10.100.134.201 192.168.134.201
ip nat outside source static 10.100.134.202 192.168.134.202
ip nat outside source static 10.100.134.203 192.168.134.203
ip nat outside source static 10.100.134.204 192.168.134.204
ip nat outside source static 10.100.134.205 192.168.134.205
ip nat outside source static 10.100.134.206 192.168.134.206
ip nat outside source static 10.100.134.199 192.168.134.199

I have users sourcing from 172.16.191.x that needed to reach 10.100.134.x but were routing 10.100.134.x through another client connection, so we were asked if we can NAT their 10.100.134.x addresses to something else the users can route to. I picked the 192.168.134.x range since it's not in use.
The users are sourcing from the inside interface to 192.168.134.199 but cannot establish a connection. I have "ip accounting" configured on both interfaces and see no traffic. I also ran "debug ip nat" and had the user try sourcing from 172.16.191.x to 192.168.134.199, and nothing comes up in the debug.

I verified routing: the user can ping the 172.16.195.48 interface and I see traffic passing through the firewall right before it hits the router, but I see no translation on the router.

What am I missing???

Thanks for any help.

Question by:jjbbiirrdd_73

Expert Comment

by:MrJemson
ID: 22773061
Why the heck are you trying to nat a private address in the first place?

Author Comment

by:jjbbiirrdd_73
ID: 22773129
Well, I thought I explained that above, but we have another existing client that is using the 10.10.134.0/24 address space and this new client is also currently using this address space. I know it's not ideal; I inherited this network and am in the process of re-architecting it. Regardless, why wouldn't this work?

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22775718
The firewall has a route to the 192.168.134.0/24 addresses via the router (172.16.195.49), right? Also, add a route to the router for the NAT addresses (unless your default is via the Serial):

ip route 192.168.34.0 255.255.255.0 10.10.10.3  <--needs to be routed out NAT outside interface

Expert Comment

by:JFrederick29
ID: 22775727
Sorry, typo, should be:

ip route 192.168.134.0 255.255.255.0 10.10.10.3  <--needs to be routed out NAT outside interface
                 ^

Author Comment

by:jjbbiirrdd_73
ID: 22780133
That is probably it. I think I had the order of operation backwards when I was troubleshooting this. To fix this we basically reversed the inside and outside interfaces and did a static inside NAT instead. But before we did the fix I did not have a default route set up or a route for 192.168.134.0/24 pointing to the serial interface. Can't believe I missed something as simple as that. Thanks for your help, JFrederick29, it is most appreciated.

Author Closing Comment

by:jjbbiirrdd_73
ID: 31508910
Thanks for the quick and accurate response.
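
The order of operations behind the accepted answer, as an added example that is not part of the original thread: for a packet arriving on the `ip nat inside` interface, IOS does the route lookup before translation, so the outside-local address 192.168.134.199 must already route toward the `ip nat outside` interface. The Python model below is constructed for illustration; the interface labels, the normalised 10.100.134.0/24 route and the function names are assumptions.

```python
import ipaddress

# Constructed model of the router in the thread (not device output).
NAT_ROLE = {"FastEthernet": "inside", "Serial0": "outside"}
# "ip nat outside source static <outside-global> <outside-local>"
OUTSIDE_LOCAL_TO_GLOBAL = {"192.168.134.199": "10.100.134.199"}

BASE_ROUTES = [  # (prefix, egress interface): connected networks plus the posted statics
    ("172.16.195.0/24", "FastEthernet"),
    ("10.10.10.0/24", "Serial0"),
    ("10.100.134.0/24", "Serial0"),      # posted static via 10.10.10.3, host bits normalised
    ("172.16.191.0/24", "FastEthernet"),
]
# Same table with the route from the accepted answer added.
FIXED_ROUTES = BASE_ROUTES + [("192.168.134.0/24", "Serial0")]


def lookup(routes, dst):
    """Longest-prefix match; returns the egress interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forward_from_inside(routes, dst, ingress="FastEthernet"):
    """Inside-to-outside order: route on the untranslated destination, then NAT."""
    egress = lookup(routes, dst)
    if egress is None:
        # No route for the outside-local address: NAT is never reached,
        # which matches an empty "debug ip nat".
        return ("dropped: no route", dst)
    if NAT_ROLE[ingress] == "inside" and NAT_ROLE[egress] == "outside":
        return ("sent out " + egress, OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst))
    return ("sent out " + egress + " untranslated", dst)


if __name__ == "__main__":
    print(forward_from_inside(BASE_ROUTES, "192.168.134.199"))
    print(forward_from_inside(FIXED_ROUTES, "192.168.134.199"))
```
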