johnritzer
asked on
1-1 NAT incoming works but outgoing doesn't
I have an 1841 router with a T1, 14 available static IPs, and I need this one to be a static 1-1 NAT:
ip nat inside source static 192.168.14.27 65.xx.xxx.230 extendable
But how do I make it to where the local IP address gets out via the 65.xx.xxx.230 address and not the default ip route 0.0.0.0 0.0.0.0 method, which it shows now as 65.xx.xxx.226?
thanks
ASKER
Hey, thanks for the reply. I should have been a little more descriptive.
Here's my .226 interface, first public IP:
ip address 65.xx.xx.226 255.255.255.240
ip access-group 199 in
no ip redirects
no ip unreachables
ip directed-broadcast
ip inspect Firewall out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
interface FastEthernet0/1
description $FW_INSIDE$
ip address 192.168.11.254 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip policy route-map NAT_Filter
duplex auto
speed auto
interface Serial0/0/0
description T1 circuit with XOs equipment
ip address 64.xx.xx.10 255.255.255.252
no ip redirects
no ip unreachables
encapsulation ppp
service-module t1 timeslots 1-24
!
ip forward-protocol udp netbios-ss
ip route 0.0.0.0 0.0.0.0 64.xx.xx.9
ip route 192.168.14.0 255.255.255.0 192.168.11.2
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static 192.168.14.27 65.105.209.230 extendable
(I tried doing this but no luck)
Here are the ACLs 199 in and 102 in:
access-list 102 deny ip 65.xx.xx.0 0.0.0.127 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip host 192.168.11.28 192.168.254.0 0.0.0.255
access-list 102 permit ip any host 192.168.14.27
access-list 102 permit ip host 192.168.14.27 any
access-list 102 permit tcp any any eq 5060
access-list 102 permit ip host 192.168.14.2 192.168.254.0 0.0.0.255
access-list 102 permit ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny icmp any 192.168.254.0 0.0.0.255
access-list 102 permit ip any any
access-list 199 permit ip any host 65.105.209.228
access-list 199 permit ip any any
Basically 14.x is my VLAN 2 and 11.x is my VLAN 1, but I have the voice VLAN 2 14.x going to an HP ProCurve as a switch as a default gateway, and the IP route on the switch goes to 0.0.0.0 0.0.0.0 192.168.11.254.
My goal is to have alternate routes with 2 different routers in my network: use the DSL mostly for web and FTP downloading traffic, while this T1 will be used for my voice (SIP) with a 1-1 NAT setup to the 192.168.14.2 for my phone system and the 192.168.14.27, which is my Asterisk.
Hope that helps a bit. Thanks a bunch.
You've introduced some new IP addresses / subnets that I don't recognize as being discussed.
ASKER
This 1841 router is the router for just our T1.
We also have an 800 series router, mainly used for web traffic (it used to be everything), but now we have some statics we got for the T1 in the 1841 router... I'm not too sure how to make it so that when traffic goes out via the internet it does not use the default interface IP 65.xx.xx.226
and uses the IP coming in from it.
Is there something like: IF internal IP of 192.168.14.27 goes out the route of 0.0.0.0 0.0.0.0 64.xx.xx.10, then use static IP of 65.xx.xx.230 and not the 65.xx.xx.226 (the one for the FA0/0)?
Thanks :)
It seems to me that your primary challenge is to split the traffic amongst the applications.
You need a router with tagging and internal routing capabilities it seems. Otherwise, how will you separate the traffic?
ASKER
Would this not work? It works if I create a machine within my network as a static address and I point the GW to the 65.xx.xx.226.
I'm wondering if it's just a routemap but I have no idea on how to configure them
Thanks
Let's see if I understand:
T1 with 14 available public IPs.
I have no idea how you're connecting to this source of IPs....... you didn't say.
Cisco 1841 router - which I will assume has a single public IP of 65.xxx.xxx.230.
What has the public IP 65.xxx.xxx.226? That's not mentioned.
I assume that the LAN is 192.168.14.0 / 255.255.255.0
Let's assume that the Cisco 1841 has a LAN address of 192.168.14.zzz.
*WHERE is* the default route pointing to 65.xxx.xxx.226????? That's not mentioned.
The typical solutions are these:
1) Put a static persistent route in one or more workstations that point to a local LAN address that is "associated with" 65.xxx.xxx.226 - like a router or firewall with this as the public side address. This is the "hard way" but it works.
2) Put a static persistent route in the LAN gateway device that will route such packets to the appropriate LAN address (and hence to the appropriate public address).
Example:
Cisco 1841 WAN: 65.xxx.xxx.230 LAN: 192.168.14.99
VPN device WAN: 65.xxx.xxx.226 LAN: 192.168.14.222
First approach:
Workstation 192.168.14.2 Gateway 192.168.14.99
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx 192.168.14.222 metric 1
Second approach:
Workstation 192.168.14.2 Gateway 192.168.14.99
(No special routes)
Cisco 1841 WAN: 65.xxx.xxx.230 LAN: 192.168.14.99
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx 192.168.14.222 metric 1
Since the destination IP is a public address, the Cisco 1841 would normally route it out to the WAN interface / to the internet. But, with the route added, it will send the packets destined for 65.xxx.xxx.226 to 192.168.14.222 which should know what to do with those packets.
Now, calling it a VPN in the example is a bit of a misnomer because in that case the destination would usually be a private IP address in a different subnet at a remote site - and not a public IP address.
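The second approach in the answer above works because a router picks the most specific matching route (longest-prefix match), so a host route beats the default route. The sketch below is an added example, not part of the original thread: 203.0.113.226 is a constructed stand-in for the redacted 65.xxx.xxx.226, the /32 mask is an assumption because the answer elides the mask, and the LAN addresses are the ones used in the answer's example.

```python
import ipaddress

def build(entries):
    """Turn (prefix, target) pairs into a routing table of ip_network objects."""
    return [(ipaddress.ip_network(p), target) for p, target in entries]

def lookup(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, target) for net, target in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def egress(table, dst, max_depth=4):
    """Resolve dst to (interface, next hop), following next-hop IPs recursively."""
    hop = None
    for _ in range(max_depth):
        match = lookup(table, dst)
        if match is None:
            return None
        target = match[1]
        if target.startswith("if:"):      # route points directly at an interface
            return target[3:], hop
        hop = dst = target                # route points at a next-hop IP: resolve it
    raise RuntimeError("next-hop recursion too deep")

# Constructed tables for the gateway in the answer's example (LAN 192.168.14.99).
BEFORE = build([
    ("192.168.14.0/24", "if:LAN"),        # connected LAN
    ("0.0.0.0/0", "if:WAN"),              # default route to the internet
])
# Same table plus the persistent host route (mask assumed to be /32).
AFTER = BEFORE + build([("203.0.113.226/32", "192.168.14.222")])

if __name__ == "__main__":
    for name, table in (("before", BEFORE), ("after", AFTER)):
        print(name, egress(table, "203.0.113.226"))
```

Only the one public destination is diverted to the LAN-side device; every other public address still follows the default route.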