• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 845
  • Last Modified:

Configure NAT to enable multiple public ip adresses

In my current situation a enabled NAT so that people are able to connect to a webserver.
I have multiple public IP adresses that I want to use to go different webservers on the network.

The range is: 80.x.x.145 to 80.x.x.158 where the 80.x.x.145 is the IP of the router.

I want to be able to NAT 80.x.x.146 to an ip address 10.x.x.11 but in some way, or I forgot something, it doesn't work.
Can anybody see what I forgot or did wrong.

The configuration is added below
cisco878-nat-ee.txt
0
Sander Stad
Asked:
Sander Stad
  • 12
  • 11
1 Solution
 
tim1128Commented:
If you want the Source NAT from outside network 80.x.x.146 to 10.x.x.11 inside network the outside source static command should be:
ip nat outside source static tcp  80.x.x.146 80 10.x.x.11 80 extendable
ip nat outside source static tcp  80.x.x.146 443 10.x.x.11 443 extendable
0
 
Sander StadAuthor Commented:
I put in the new NAT entries but still i'm not able to connect to the website.

Do I have to put the 80.x.x.146 ip address on one of the interfaces ?
0
 
Vito_CorleoneCommented:
Your statements are backwards, it should be:

ip nat inside source static tcp <inside IP> <inside port> <outside IP> <outside port>

ip nat inside source static tcp 10.x.x.11 80 80.x.x.146 80
ip nat inside source static tcp 10.x.x.11 443 80.x.x.146 443

Are these 80.x.x.x addresses provided by your ISP? If your address is DHCP and you want to use the Dialer interface instead of an IP you could do:

ip nat inside source static tcp 10.x.x.11 80 interface dialer1 80
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
Vito_CorleoneCommented:
Something else that might be better for you is 1:1 NAT:

ip nat inside source static <inside IP> <outside IP>

ip nat inside source static 10.x.x.11 80.x.x.146

If you have multiple public IPs you can use this to map outside to inside by IP instead of port. So all traffic going to 80.x.x.146 will be forwarded to 10.x.x.11.

0
 
Sander StadAuthor Commented:
that's possible but it doesn't solve my problem.
I think the problem is that the public ip address can't be reached but I don't know why
0
 
Vito_CorleoneCommented:
You haven't tested whether your public IP works? Goto www.whatismyip.org, that will tell you the address. Then www.nmap-online.com can scan your IP and tell you what ports are listening.

Did you test it with the new config, with the private IP first instead of last like you had it?
0
 
Sander StadAuthor Commented:
I know what my ip is and I know the range. But I have an ip address 80.x.x.145 on the outside of my router and want to use 80.x.x.146 to be natted through on of t he servers.
0
 
Vito_CorleoneCommented:
If that IP is provided to you by your ISP, these statements should work:

ip nat inside source static tcp 10.x.x.11 80 80.x.x.146 80
ip nat inside source static tcp 10.x.x.11 443 80.x.x.146 443

or this:

ip nat inside source static 10.x.x.11 80.x.x.146

I don't see any issues with your config that would prevent this from working as long as that is a valid IP from your provider.
0
 
Sander StadAuthor Commented:
This is a valid IP from my service provider and that's what i created in the first place but how do I get this configuration that far that I can go to the location.
Do I have to set the 80.x.x.146 ip address on the interface in some way next to the other?

Because when I ping the address from an external server I don'tget a reply
0
 
Vito_CorleoneCommented:
Pinging a NATed address is not a good diagnostic tool. You can test it by using that NMAP link I gave you. You can scan the IP from outside, it should show you whether the port is listening or not.

Those NATed addresses won't ping unless you're doing a 1:1 translation or you're forwarding ICMP to them. You will also need to allow it through any ACLs.
0
 
Sander StadAuthor Commented:
I still don't have a solution to my problem. I'll try to explain my situation so maybe someone can help me.

I have a SDSL router configured with ppp to my ISP.
I have 13 usuable ip addresses ranging from 80.x.x.146 to 80.x.x.159. It is the following network 80.x.x.140/28.

I've got NAT already configured for a few servers but because I already used port 443 for another server I have to use another public ip address and NAT that to another server.
I had planned to use the 80.x.x.146 address.

In some way I can't get this configured because when I use NMap from an external server it still show closed ports. I tested the NAT with port 1000.

My question is simple. How can I NAT the ip address 80.x.x.146 to server 10.x.x.11 on port 443.
0
 
Vito_CorleoneCommented:
ip nat inside source static tcp 10.x.x.11 443 80.x.x.146 443

ip nat inside source static 10.x.x.11 80.x.x.146

Both of those commands will accomplish this. The first will use PAT to translate that port and IP, the second is 1:1 NAT which will just translate IP to IP. They both work. If it isn't working for you, there is another issue we need to figure out. If you have it working for other servers just copy that config and modify the IPs.
0
 
Sander StadAuthor Commented:
The NAT rules are installed but still when I go to the ip address from an external client it show me nothing.
When I use NMAP Online is show that the port isn't open.

What I find curious is that I have th idea that I'm missing something with the external ip address. Don't I have to set this somewhere?
Now the external ip address is negotiated with the ISP and is the following 80.x.x.145.
0
 
Vito_CorleoneCommented:
You don't need that .146 IP anywhere, you just need it available from your use by the ISP and you need the "ip nat outside" command on the appropriate interface. One thing I see in your config is:

ip nat outside source static tcp 10.x.x.11 80 80.x.x.146 80 extendable
ip nat outside source static tcp 10.x.x.11 443 80.x.x.146 443 extendable

That should not be "outside", it should be "inside".
0
 
Sander StadAuthor Commented:
This is my current config
config.txt
0
 
Vito_CorleoneCommented:
Why is this command in there:

ip nat inside source list 10 pool external overload

And this:
interface Dialer0
 ip policy route-map NAT-loop

I don't see that route-map anywhere.

Also, you don't currently have a NAT statement for .146, port 443 in your config. One more thing, your NAT ACL has unusual lines:

access-list 101 permit ip 10.x.x.0 0.0.0.255 any

access-list 101 permit tcp any host 10.x.x.4 eq 1723
access-list 101 permit tcp any host 10.x.x.6 eq smtp
access-list 101 permit tcp any host 10.x.x.6 eq 443
access-list 101 permit tcp any host 10.x.x.5 eq 3101

What are you trying to accomplish with these bottom four lines?

0
 
Sander StadAuthor Commented:
I have tried so many things, also a route-map and removed it later on but didn't remove it from the interface. I removed it now.

The reason the it is not configured for 443 is because I want to test it with port 80. That rule is in there.

The other ACL's are used for other servers that are already using NAT but than with the ip address 80.x.x.145. That situation is already working.



0
 
Vito_CorleoneCommented:
Can you post a "sh ip route" please?
0
 
Sander StadAuthor Commented:
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

     80.0.0.0/32 is subnetted, 1 subnets
C       80.x.x.145 is directly connected, Dialer0
     10.0.0.0/24 is subnetted, 2 subnets
C       10.100.0.0 is directly connected, Vlan1
C       10.200.0.0 is directly connected, Loopback0
     194.109.5.0/32 is subnetted, 1 subnets
C       194.109.5.221 is directly connected, Dialer0
S*   0.0.0.0/0 is directly connected, Dialer0

0
 
Vito_CorleoneCommented:
Post "sh int dialer0" and "sh ip int dialer0" also please.
0
 
Sander StadAuthor Commented:
show int dialer 0:
Dialer0 is up, line protocol is up (spoofing)
  Hardware is Unknown
  Internet address is 80.127.128.145/32
  MTU 1500 bytes, BW 56 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 18/255, rxload 18/255
  Encapsulation PPP, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 1 seconds on reset
  Interface is bound to Vi2
  Last input never, output never, output hang never
  Last clearing of "show interface" counters 07:28:05
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: weighted fair
  Output queue: 0/1000/64/0 (size/max total/threshold/drops)
     Conversations  0/0/16 (active/max active/max total)
     Reserved Conversations 0/0 (allocated/max allocated)
     Available Bandwidth 42 kilobits/sec
  5 minute input rate 4000 bits/sec, 0 packets/sec
  5 minute output rate 4000 bits/sec, 0 packets/sec
     91142 packets input, 60179684 bytes
     88385 packets output, 45179221 bytes
Bound to:
Virtual-Access2 is up, line protocol is up
  Hardware is Virtual Access interface
  MTU 1500 bytes, BW 2304 Kbit/sec, DLY 20000 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation PPP, LCP Open
  Listen: CDPCP
  Open: IPCP
  PPPoATM vaccess, cloned from Dialer0
  Vaccess status 0x44
  Bound to ATM0 VCD: 1, VPI: 2, VCI: 32, loopback not set
  Keepalive set (10 sec)
  DTR is pulsed for 5 seconds on reset
  Interface is bound to Di0 (Encapsulation PPP)
  Last input 00:00:42, output never, output hang never
  Last clearing of "show interface" counters 07:27:15
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 10000 bits/sec, 1 packets/sec
  5 minute output rate 5000 bits/sec, 1 packets/sec
     91152 packets input, 60179809 bytes, 0 no buffer
     Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     88397 packets output, 45179401 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 unknown protocol drops
     0 output buffer failures, 0 output buffers swapped out
     0 carrier transitions
---------------------------------------------------------------------------------------------------------
show ip int dialer0:
Dialer0 is up, line protocol is up
  Internet address is 80.127.128.145/32
  Broadcast address is 255.255.255.255
  Address determined by IPCP
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is disabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are never sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is enabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP CEF Feature Fast switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Policy routing is disabled
  Network address translation is enabled, interface in domain outside
  BGP Policy Mapping is disabled
0
 
Vito_CorleoneCommented:
I'm not seeing anything. Can you post "sh ip nat trans" please.
0
 
Sander StadAuthor Commented:
show ip nat trans:
Pro Inside global         Inside local          Outside local         Outside global
tcp 80.x.x.145:139    10.x.x.2:139        192.168.137.1:2299    192.168.137.1:2299
tcp 80.x.x.145:139    10.x.x.2:139        192.168.174.1:2021    192.168.174.1:2021
gre 80.x.x.145:256    10.x.x.4:256        83.86.85.194:256      83.86.85.194:256
tcp 80.x.x.145:1723   10.x.x.4:1723       82.95.140.59:1413     82.95.140.59:1413
tcp 80.x.x.145:1723   10.x.x.4:1723       83.86.85.194:50388    83.86.85.194:50388
tcp 80.x.x.145:1723   10.x.x.4:1723       94.211.77.150:51492   94.211.77.150:51492
tcp 80.x.x.145:1723   10.x.x.4:1723       ---                   ---
gre 80.x.x.145:9107   10.x.x.4:9107       83.86.85.194:9107     83.86.85.194:9107
gre 80.x.x.145:21005  10.x.x.4:21005      94.211.77.150:21005   94.211.77.150:21005
gre 80.x.x.145:32540  10.x.x.4:32540      94.211.77.150:32540   94.211.77.150:32540
gre 80.x.x.145:50274  10.x.x.4:50274      82.95.140.59:50274    82.95.140.59:50274
gre 80.x.x.145:62185  10.x.x.4:62185      82.95.140.59:62185    82.95.140.59:62185
tcp 80.x.x.145:3103   10.x.x.5:3103       ---                   ---
tcp 80.x.x.145:25     10.x.x.6:25         62.250.3.121:2460     62.250.3.121:2460
tcp 80.x.x.145:25     10.x.x.6:25         ---                   ---
tcp 80.x.x.145:443    10.x.x.6:443        ---                   ---
udp 80.x.x.145:46713  10.x.x.6:46713      192.168.174.1:1780    192.168.174.1:1780
udp 80.x.x.145:46714  10.x.x.6:46714      192.168.137.1:1779    192.168.137.1:1779
tcp 80.x.x.146:80     10.x.x.11:80        ---                   ---
udp 80.x.x.145:49152  10.x.x.69:49152     192.168.1.222:161     192.168.1.222:161
udp 80.x.x.145:49660  10.x.x.69:49660     194.109.6.66:53       194.109.6.66:53
tcp 80.x.x.145:50417  10.x.x.69:50417     69.63.187.17:80       69.63.187.17:80
tcp 80.x.x.145:50426  10.x.x.69:50426     66.102.13.18:80       66.102.13.18:80
tcp 80.x.x.145:50427  10.x.x.69:50427     66.102.13.189:80      66.102.13.189:80
tcp 80.x.x.145:50428  10.x.x.69:50428     66.102.13.18:80       66.102.13.18:80
udp 80.x.x.145:50941  10.x.x.69:50941     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:52267  10.x.x.69:52267     213.199.162.214:3544  213.199.162.214:3544
udp 80.x.x.145:52267  10.x.x.69:52267     213.199.162.215:3544  213.199.162.215:3544
udp 80.x.x.145:52292  10.x.x.69:52292     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:52334  10.x.x.69:52334     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:54476  10.x.x.69:54476     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:56703  10.x.x.69:56703     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:56807  10.x.x.69:56807     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:56888  10.x.x.69:56888     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:57937  10.x.x.69:57937     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:60589  10.x.x.69:60589     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:61652  10.x.x.69:61652     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:62078  10.x.x.69:62078     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:62534  10.x.x.69:62534     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:62593  10.x.x.69:62593     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:63957  10.x.x.69:63957     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:64032  10.x.x.69:64032     194.109.6.66:53       194.109.6.66:53
udp 80.x.x.145:65031  10.x.x.69:65031     194.109.6.66:53       194.109.6.66:53
tcp 80.x.x.145:1613   10.x.x.71:1613      209.85.229.103:80     209.85.229.103:80
tcp 80.x.x.145:51497  10.x.x.74:51497     208.43.202.8:80       208.43.202.8:80
udp 80.x.x.145:1026   10.x.x.75:1026      192.168.2.195:161     192.168.2.195:161
0
 
Sander StadAuthor Commented:
I solved the problem myself. It had nothing to do with the nat but with an internal IP confict.
My configuration was right in the first place. I'm going to give the points to victor for giving the right syntax.

Thanks for the effort though.
0

Featured Post

NEW Veeam Agent for Microsoft Windows

Backup and recover physical and cloud-based servers and workstations, as well as endpoint devices that belong to remote users. Avoid downtime and data loss quickly and easily for Windows-based physical or public cloud-based workloads!

  • 12
  • 11
Tackle projects and never again get stuck behind a technical roadblock.
Join Now