sdteknet
asked on
Nat overload works but additional ip nat inside source static entries do not
The Problem:
I am transitioning from a Cisco-871 to Cisco-1841. For the most part I copied and pasted the code. The NATing worked as shown below on the 871. However, on the 1841 as soon as I input the inside static NAT entries the servers no longer can reach the public network (Internet) but they are still reachable internally. I have also tried pinging the public IP from a remote location for those servers that I have entered the inside static entries for and I receive no replies. I have searched the web for a while now and I am at a loss. I am thinking I may be running up against a bug on the IOS I am running: c1841-adventerprisek9-mz.124-15.T7.bin
The Desired end result:
I have 5 servers behind this router that I need one-to-one NAT entries for.
no aaa new-model
clock timezone PST -8
clock summer-time PST recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.8.1 10.10.8.127
!
ip dhcp pool Office
 import all
 network 10.10.8.0 255.255.255.0
 default-router 10.10.8.1
 dns-server 10.10.8.8
!
!
no ip bootp server
ip domain name
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
multilink bundle-name authenticated
!
!
!
!
username
archive
 log config
  hidekeys
!
!
!
!
ip ssh time-out 60
ip ssh version 2
!
class-map match-any sip
 match ip dscp cs3
 match access-group 100
 match protocol sip
class-map match-any rtp
 match ip dscp ef
 match protocol rtp audio
!
!
policy-map queue
 class rtp
  priority percent 40
 class sip
  bandwidth percent 9
 class class-default
  fair-queue
policy-map shape
 class class-default
  shape average 5000000
  service-policy queue
!
!
!
!
interface FastEthernet0/0
 description WAN INT
 ip address 98.x.x.148 255.255.255.240
 ip access-group Firewall in
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.10.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 98.x.x.145
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map mapnatavoid interface FastEthernet0/0 overload
ip nat inside source static 10.10.8.9 98.x.x.149 extendable
ip nat inside source static 10.10.8.5 98.x.x.150 extendable
ip nat inside source static 10.10.8.7 98.x.x.151 extendable
ip nat inside source static 10.10.8.6 98.x.x.152 extendable
ip nat inside source static 10.10.8.12 98.x.x.153 extendable
!
ip access-list extended Firewall
 permit udp any host 98.x.x.150 eq 5060
 permit udp any host 98.x.x.150 range 10000 20000
 permit tcp any host 98.x.x.150 eq 5222
 permit tcp any host 98.x.x.150 eq 843
 permit tcp any host 98.x.x.150 eq 443
 permit tcp any host 98.x.x.150 eq 5269
 permit tcp any host 98.x.x.150 eq www
 permit tcp any host 98.x.x.153 eq 5721
 permit tcp any host 98.x.x.153 eq 443
 permit tcp any host 98.x.x.152 eq www
 permit tcp any host 98.x.x.152 eq 443
 permit tcp any host 98.x.x.151 eq www
 permit tcp any host 98.x.x.151 eq 443
 permit tcp any host 98.x.x.151 eq 4158
 permit tcp any host 98.x.x.151 eq 6051
 permit tcp any host 98.x.x.151 eq 6054
 permit tcp any host 98.x.x.151 eq 6151
 permit tcp any host 98.x.x.149 eq 22
 permit tcp any host 98.x.x.149 eq ftp
 permit tcp any host 98.x.x.149 eq ftp-data
 permit tcp any host 98.x.x.149 gt 1023
 permit icmp any host 98.x.x.152 echo
 permit icmp any host 98.x.x.152 echo-reply
 permit icmp any host 98.x.x.150 echo
 permit icmp any host 98.x.x.150 echo-reply
 permit icmp any host 98.x.x.148 echo
 permit icmp any host 98.x.x.148 echo-reply
 permit icmp any host 98.x.x.153 echo
 permit icmp any host 98.x.x.153 echo-reply
 permit icmp any host 98.x.x.151 echo
 permit icmp any host 98.x.x.151 echo-reply
 deny tcp any range 0 65535 any range 0 65535
 deny udp any range 0 65535 any range 0 65535
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip 172.16.0.0 0.15.255.255 any
 deny ip 192.168.0.0 0.0.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip host 255.255.255.255 any
 deny ip host 0.0.0.0 any
 deny ip any any log
ip access-list extended vpnnatavoid
 permit ip 10.10.8.0 0.0.0.255 any
!
access-list 100 permit udp any any eq 5060
snmp-server community
!
!
!
!
route-map mapnatavoid permit 1
 match ip address vpnnatavoid
!
!
!
!
control-plane
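An added check (not from the question or its answer) that cross-references the posted static NAT entries against the inbound Firewall ACL: for each public address it lists what is permitted inbound, whether ICMP echo is allowed (the external ping test cannot succeed where it is not; the posted ACL has no ICMP permit for 98.x.x.149), and any wide port ranges such as the `gt 1023` permit. The config excerpt is constructed from the question with the addresses left sanitized, and it reads an IOS-style running config from a string.

```python
import re

# Constructed excerpt of the posted config (two NAT statics plus part of the
# "Firewall" ACL); the 98.x.x.* addresses are kept sanitized as in the question.
SAMPLE = """\
ip nat inside source static 10.10.8.9 98.x.x.149 extendable
ip nat inside source static 10.10.8.5 98.x.x.150 extendable
ip access-list extended Firewall
 permit udp any host 98.x.x.150 eq 5060
 permit tcp any host 98.x.x.150 eq 443
 permit tcp any host 98.x.x.149 eq 22
 permit tcp any host 98.x.x.149 gt 1023
 permit icmp any host 98.x.x.150 echo
 deny ip any any log
"""

STATIC = re.compile(r"^ip nat inside source static (\S+) (\S+)")
ACE = re.compile(r"^\s*(permit|deny) (\S+) any host (\S+)(?: (.*))?$")

def parse_statics(text):
    """Map each static-NAT public address to its inside host."""
    return {m.group(2): m.group(1)
            for m in (STATIC.match(l) for l in text.splitlines()) if m}

def parse_acl(text, name):
    """Return (action, proto, dst, qualifier) for 'any host X' ACEs in the named ACL."""
    aces, inside = [], False
    for line in text.splitlines():
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name   # enter/leave the wanted ACL
            continue
        m = ACE.match(line) if inside else None
        if m:
            aces.append((m.group(1), m.group(2), m.group(3), m.group(4) or ""))
    return aces

def audit(text, acl="Firewall"):
    """For every static mapping: permitted inbound services, whether ICMP echo
    is allowed (needed for an external ping test) and any wide port ranges."""
    aces = parse_acl(text, acl)
    report = {}
    for pub, priv in parse_statics(text).items():
        hits = [a for a in aces if a[0] == "permit" and a[2] == pub]
        report[pub] = {
            "inside": priv,
            "permits": [f"{p} {q}".strip() for _, p, _, q in hits],
            "icmp_echo": any(p == "icmp" and q == "echo" for _, p, _, q in hits),
            "wide_ranges": [q for _, p, _, q in hits if q.startswith(("gt", "range"))],
        }
    return report

if __name__ == "__main__":
    for pub, info in audit(SAMPLE).items():
        print(pub, "->", info["inside"], info)
```

Run it against the full running config to see which mapped addresses are reachable by ping from outside and which carry broad permits worth tightening.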