Solved

Nat overload works but additional ip nat inside source static entries do not

Posted on 2011-03-19
Last Modified: 2012-05-11
The Problem:

I am transitioning from a Cisco-871 to a Cisco-1841. For the most part I copied and pasted the code. The NATing worked as shown below on the 871. However, on the 1841, as soon as I input the inside static NAT entries the servers can no longer reach the public network (Internet), but they are still reachable internally. I have also tried pinging the pub IP from a remote location for those servers that I have entered the inside static routes for, and I receive no replies. I have searched the web for a while now and I am at a loss. I am thinking I may be running up against a bug on the IOS I am running: c1841-adventerprisek9-mz.124-15.T7.bin

The Desired end result:
I have 5 servers behind this router that I need one-to-one NAT entries for.
 
no aaa new-model
clock timezone PST -8
clock summer-time PST recurring
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.8.1 10.10.8.127
!
ip dhcp pool Office
   import all
   network 10.10.8.0 255.255.255.0
   default-router 10.10.8.1
   dns-server 10.10.8.8
!
!
no ip bootp server
ip domain name 
ip inspect name CBAC tcp
ip inspect name CBAC udp
!
multilink bundle-name authenticated
!
!
!
!
username 
archive
 log config
  hidekeys
!
!
!
!
ip ssh time-out 60
ip ssh version 2
!
class-map match-any sip
 match ip dscp cs3
 match access-group 100
 match protocol sip
class-map match-any rtp
 match ip dscp ef
 match protocol rtp audio
!
!
policy-map queue
 class rtp
  priority percent 40
 class sip
  bandwidth percent 9
 class class-default
  fair-queue
policy-map shape
 class class-default
  shape average 5000000
  service-policy queue
!
!
!
!
interface FastEthernet0/0
 description WAN INT
 ip address 98.x.x.148 255.255.255.240
 ip access-group Firewall in
 no ip redirects
 no ip unreachables
 ip mtu 1492
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address 10.10.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed 100
 full-duplex
!
interface Serial0/0/0
 no ip address
 shutdown
 no fair-queue
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 98.x.x.145
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map mapnatavoid interface FastEthernet0/0 overload
ip nat inside source static 10.10.8.9 98.x.x.149 extendable
ip nat inside source static 10.10.8.5 98.x.x.150 extendable
ip nat inside source static 10.10.8.7 98.x.x.151 extendable
ip nat inside source static 10.10.8.6 98.x.x.152 extendable
ip nat inside source static 10.10.8.12 98.x.x.153 extendable
!
ip access-list extended Firewall
 permit udp any host 98.x.x.150 eq 5060
 permit udp any host 98.x.x.150 range 10000 20000
 permit tcp any host 98.x.x.150 eq 5222
 permit tcp any host 98.x.x.150 eq 843
 permit tcp any host 98.x.x.150 eq 443
 permit tcp any host 98.x.x.150 eq 5269
 permit tcp any host 98.x.x.150 eq www
 permit tcp any host 98.x.x.153 eq 5721
 permit tcp any host 98.x.x.153 eq 443
 permit tcp any host 98.x.x.152 eq www
 permit tcp any host 98.x.x.152 eq 443
 permit tcp any host 98.x.x.151 eq www
 permit tcp any host 98.x.x.151 eq 443
 permit tcp any host 98.x.x.151 eq 4158
 permit tcp any host 98.x.x.151 eq 6051
 permit tcp any host 98.x.x.151 eq 6054
 permit tcp any host 98.x.x.151 eq 6151
 permit tcp any host 98.x.x.149 eq 22
 permit tcp any host 98.x.x.149 eq ftp
 permit tcp any host 98.x.x.149 eq ftp-data
 permit tcp any host 98.x.x.149 gt 1023
 permit icmp any host 98.x.x.152 echo
 permit icmp any host 98.x.x.152 echo-reply
 permit icmp any host 98.x.x.150 echo
 permit icmp any host 98.x.x.150 echo-reply
 permit icmp any host 98.x.x.148 echo
 permit icmp any host 98.x.x.148 echo-reply
 permit icmp any host 98.x.x.153 echo
 permit icmp any host 98.x.x.153 echo-reply
 permit icmp any host 98.x.x.151 echo
 permit icmp any host 98.x.x.151 echo-reply
 deny   tcp any range 0 65535 any range 0 65535
 deny   udp any range 0 65535 any range 0 65535
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
ip access-list extended vpnnatavoid
 permit ip 10.10.8.0 0.0.0.255 any
!
access-list 100 permit udp any any eq 5060
snmp-server community 
!
!
!
!
route-map mapnatavoid permit 1
 match ip address vpnnatavoid
!
!
!
!
control-plane

Question by:sdteknet
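The configuration above is the poster's. The Python audit below is an added example, not code from the question or the accepted answer. It parses an IOS snippet of the same shape and checks the properties a reviewer would want confirmed before suspecting the IOS build: each static outside address lies in the WAN subnet and does not collide with the router's own address or its default gateway, each inside address is on the inside LAN, every static mapping has at least one inbound permit in the Firewall ACL, and no ACL permit points at a public address that nothing maps (a dangling rule). The sample configuration is constructed: it keeps the poster's layout but substitutes the TEST-NET-2 block 198.51.100.144/28 for the redacted 98.x.x.x addresses, and two inconsistent lines were added deliberately so the audit has findings to report; the five original mappings themselves pass, which agrees with the thread's conclusion that the syntax was correct.

```python
"""Consistency audit for a Cisco IOS static-NAT / inbound-ACL snippet.
Added example for this thread, not code from the original post. SAMPLE_CONFIG
is CONSTRUCTED: the poster's layout with TEST-NET-2 (198.51.100.144/28) in
place of the redacted 98.x.x.x block, plus two deliberately inconsistent lines
(a static entry outside the WAN subnet, an ACL permit for an unmapped address).
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 198.51.100.148 255.255.255.240
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.10.8.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.145
ip nat inside source route-map mapnatavoid interface FastEthernet0/0 overload
ip nat inside source static 10.10.8.9 198.51.100.149 extendable
ip nat inside source static 10.10.8.5 198.51.100.150 extendable
ip nat inside source static 10.10.8.7 198.51.100.151 extendable
ip nat inside source static 10.10.8.6 198.51.100.152 extendable
ip nat inside source static 10.10.8.12 198.51.100.153 extendable
ip nat inside source static 10.10.9.20 198.51.100.170 extendable
!
ip access-list extended Firewall
 permit udp any host 198.51.100.150 eq 5060
 permit tcp any host 198.51.100.150 eq 443
 permit tcp any host 198.51.100.153 eq 443
 permit tcp any host 198.51.100.152 eq www
 permit tcp any host 198.51.100.151 eq www
 permit tcp any host 198.51.100.149 eq 22
 permit tcp any host 198.51.100.154 eq 443
 permit icmp any host 198.51.100.148 echo
 deny   ip any any log
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")
ACL_HOST_RE = re.compile(r"^\s+permit \S+ any host (\S+)")
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
DEFAULT_ROUTE_RE = re.compile(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_config(text):
    """Collect interfaces, static NAT entries, ACL 'Firewall' hosts and the default gateway."""
    cfg = {"interfaces": {}, "statics": {}, "acl_targets": set(), "default_gw": None}
    current, in_acl = None, False
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            current, in_acl = m[1], False
            cfg["interfaces"][current] = {"addr": None, "role": None}
            continue
        if line.startswith("ip access-list extended Firewall"):
            current, in_acl = None, True
            continue
        if not line.startswith(" "):  # any other top-level line closes an indented block
            current, in_acl = None, False
        if current is not None:
            if m := ADDR_RE.match(line):
                cfg["interfaces"][current]["addr"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
            elif line.strip() in ("ip nat inside", "ip nat outside"):
                cfg["interfaces"][current]["role"] = line.split()[-1]
        elif in_acl and (m := ACL_HOST_RE.match(line)):
            cfg["acl_targets"].add(ipaddress.IPv4Address(m[1]))
        elif m := STATIC_RE.match(line):
            cfg["statics"][ipaddress.IPv4Address(m[1])] = ipaddress.IPv4Address(m[2])
        elif m := DEFAULT_ROUTE_RE.match(line):
            cfg["default_gw"] = ipaddress.IPv4Address(m[1])
    return cfg


def audit(cfg):
    """Return human-readable findings; an empty list means the snippet is consistent."""
    wan = next(i["addr"] for i in cfg["interfaces"].values() if i["role"] == "outside")
    lan = next(i["addr"] for i in cfg["interfaces"].values() if i["role"] == "inside")
    findings, mapped = [], set()
    for inside, outside in cfg["statics"].items():
        tag = f"static {inside} -> {outside}"
        if outside not in wan.network:
            findings.append(f"{tag}: outside address is not in WAN subnet {wan.network}")
        elif outside in (wan.ip, cfg["default_gw"]):
            findings.append(f"{tag}: outside address collides with the router or its gateway")
        mapped.add(outside)
        if inside not in lan.network:
            findings.append(f"{tag}: inside host is not on the inside LAN {lan.network}")
        if outside not in cfg["acl_targets"]:
            findings.append(f"{tag}: ACL Firewall permits nothing inbound to this address")
    # Permits aimed at a public address that neither a static NAT nor the router itself owns.
    for target in sorted(cfg["acl_targets"] - mapped - {wan.ip}):
        findings.append(f"ACL permit to {target}: no static NAT maps this address (dangling rule)")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG))) or "no findings")
```

Run against the sample, the audit reports three findings for the constructed 10.10.9.20 -> 198.51.100.170 entry (wrong LAN, outside the WAN subnet, nothing permitted inbound) and one dangling permit for 198.51.100.154; the five mappings taken from the thread produce no findings. A clean report only says the configuration is self-consistent, which is exactly the situation in this thread: the router was right and the upstream device still had to be power cycled.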
2 Comments
 

Accepted Solution

by:
sdteknet earned 0 total points
ID: 35171170
#1 It helps to get sleep.

#2 It helps to power cycle the cable modem.
 

Author Closing Comment

by:sdteknet
ID: 35171174
The Cisco syntax was correct, but I never power cycled my cable modem after I swapped routers.  Power cycling the modem resolved the issue.
