johnritzer asked:

1-1 NAT incoming works but outgoing doesn't

I have an 1841 router with a T1 and 14 available static IPs, and I need this one to be a static 1-1 NAT:

ip nat inside source static 192.168.14.27 65.xx.xxx.230 extendable

But how do I make it so that the local IP address gets out via the 65.xx.xxx.230 address and not via the default ip route 0.0.0.0 0.0.0.0 method, which now shows 65.xx.xxx.226?

Thanks
hypercube

Well, the description is a bit too cryptic and the terms are loose....

Let's see if I understand:

T1 with 14 available public IPs.
I have no idea how you're connecting to this source of IPs....... you didn't say.

Cisco 1841 router - which I will assume has a single public IP of 65.xxx.xxx.230.

What has the public IP 65.xxx.xxx.226?  That's not mentioned.

I assume that the LAN is 192.168.14.0 / 255.255.255.0

Let's assume that the Cisco 1841 has a LAN address of 192.168.14.zzz.

*WHERE is* the default route pointing to 65.xxx.xxx.226?????  That's not mentioned.

The typical solutions are these:

1) Put a static persistent route in one or more workstations that point to a local LAN address that is "associated with" 65.xxx.xxx.226 - like a router or firewall with this as the public side address.  This is the "hard way" but it works.

2) Put a static persistent route in the LAN gateway device that will route such packets to the appropriate LAN address (and hence to the appropriate public address).

Example:

Cisco 1841  WAN: 65.xxx.xxx.230  LAN: 192.168.14.99
VPN device  WAN: 65.xxx.xxx.226  LAN: 192.168.14.222

First approach:
Workstation 192.168.14.2  Gateway 192.168.14.99
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx 192.168.14.222 metric 1

Second approach:
Workstation 192.168.14.2 Gateway 192.168.14.99
(No special routes)
Cisco 1841 WAN: 65.xxx.xxx.230  LAN: 192.168.14.99
Persistent route 65.xxx.xxx.226 mask xxxxxxxxxx 192.168.14.222 metric 1

Since the destination IP is a public address, the Cisco 1841 would normally route it out to the WAN interface / to the internet.  But, with the route added, it will send the packets destined for 65.xxx.xxx.226 to 192.168.14.222 which should know what to do with those packets.

Now, calling it a VPN in the example is a bit of a misnomer because in that case the destination would usually be a private IP address in a different subnet at a remote site - and not a public IP address.
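
The second approach above, worked through as an added example (not part of the original posts): a longest-prefix-match lookup on the LAN gateway before and after the extra route. The 203.0.113.x addresses are constructed stand-ins for the masked 65.xxx.xxx.x ones, and the /32 host mask is an assumption, since the post elides the mask.

```python
import ipaddress

# Constructed stand-ins: 203.0.113.226 (documentation range) replaces the
# masked 65.xxx.xxx.226; the LAN addresses are the ones from the example above.
VPN_WAN = ipaddress.ip_address("203.0.113.226")
VPN_LAN = "192.168.14.222"
WAN = "wan"  # label meaning "forward out the WAN interface"


def make_table(with_host_route):
    """Routing table of the LAN gateway (the 1841 in the second approach)."""
    table = [
        (ipaddress.ip_network("0.0.0.0/0"), WAN),                # default route
        (ipaddress.ip_network("192.168.14.0/24"), "connected"),  # LAN subnet
    ]
    if with_host_route:
        # Assumption: the elided mask is a /32 host mask.
        table.append((ipaddress.ip_network(f"{VPN_WAN}/32"), VPN_LAN))
    return table


def lookup(table, dst):
    """Longest-prefix match: the most specific matching route wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    # 198.51.100.7 is a constructed "any other public host".
    for with_route in (False, True):
        table = make_table(with_route)
        for dst in ("203.0.113.226", "198.51.100.7", "192.168.14.2"):
            print(f"host route={with_route!s:5}  {dst:15} -> {lookup(table, dst)}")
```

Only the one destination changes next hop; every other public address still follows the default route.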
 
johnritzer (ASKER)

Hey, thanks for the reply. I should have been a little more descriptive.

Here's my .226 interface, first public IP:

ip address 65.xx.xx.226 255.255.255.240
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 ip inspect Firewall out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable


interface FastEthernet0/1
 description $FW_INSIDE$
 ip address 192.168.11.254 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip policy route-map NAT_Filter
 duplex auto
 speed auto

interface Serial0/0/0
 description T1 circuit with XOs equipment
 ip address 64.xx.xx.10 255.255.255.252
 no ip redirects
 no ip unreachables
 encapsulation ppp
 service-module t1 timeslots 1-24
!
ip forward-protocol udp netbios-ss
ip route 0.0.0.0 0.0.0.0 64.xx.xx.9
ip route 192.168.14.0 255.255.255.0 192.168.11.2
!
ip http server
ip http authentication local
ip http secure-server

ip nat inside source static 192.168.14.27 65.105.209.230 extendable
(I tried doing this but no luck)


Here are the ACLs 199 in and 102 in:


access-list 102 deny   ip 65.xx.xx.0 0.0.0.127 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip host 192.168.11.28 192.168.254.0 0.0.0.255
access-list 102 permit ip any host 192.168.14.27
access-list 102 permit ip host 192.168.14.27 any
access-list 102 permit tcp any any eq 5060
access-list 102 permit ip host 192.168.14.2 192.168.254.0 0.0.0.255
access-list 102 permit ip 192.168.14.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny   ip 192.168.11.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 102 deny   icmp any 192.168.254.0 0.0.0.255
access-list 102 permit ip any any

access-list 199 permit ip any host 65.105.209.228
access-list 199 permit ip any any


Basically, 14.x is my VLAN 2 and 11.x is my VLAN 1, but I have the voice VLAN 2 (14.x) going to an HP ProCurve switch as a default gateway, and the IP route on the switch goes to 0.0.0.0 0.0.0.0 192.168.11.254.

My goal is to have alternate routes with 2 different routers in my network: use the DSL mostly for web and FTP download traffic, while this T1 will be used for my voice (SIP) with a 1-1 NAT setup to 192.168.14.2 for my phone system and 192.168.14.27, which is my Asterisk.

Hope that helps a bit. Thanks a bunch.


You've introduced some new IP addresses / subnets that I don't recognize as being discussed.

This 1841 router is the router for just our T1.

We also have an 800 series router, mainly used for web traffic; it used to be used for everything, but now we have some statics we got for the T1 in the 1841 router... and I'm not too sure how to make it so that when traffic goes out via the internet it does not use the default interface IP 65.xx.xx.226

and uses the IP coming in from it.

Is there something like: IF internal IP 192.168.14.27 goes out the route of 0.0.0.0 0.0.0.0 64.xx.xx.10, then use static IP 65.xx.xx.230 and not 65.xx.xx.226 (the one for the FA0/0)?

Thanks :)

It seems to me that your primary challenge is to split the traffic amongst the applications.  
You need a router with tagging and internal routing capabilities it seems.  Otherwise, how will you separate the traffic?

Would this not work? It works if I create a machine within my network with a static address and I point the GW to the 65.xx.xx.226.

I'm wondering if it's just a route map, but I have no idea how to configure them.

Thanks

ASKER CERTIFIED SOLUTION
hypercube