Solved

Cisco Nat question inside/outside

Posted on 2012-04-12
Last Modified: 2012-05-29
Hello,

I currently have a Cisco 2811 and our current configuration was working great until Verizon updated their DNS servers and took down our private network with them. So they gave us the additions that we needed to make to the router and we did, but when we made the changes to the NAT inside and NAT outside it worked for a day, then all our air cards stopped working the day after. So they told us we needed to change it back; we did that and it worked for a couple of hours and stopped. Now Verizon told us we should add both DNS entries into the NAT area. Can I add 2 NAT inside addresses, or is that not going to work?

Currently it looks like this:
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20

They want us to add this as well:
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20

So it would end up looking like this; here are the commands I would have to type as well:

config t
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20
write mem

End result would be:
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20


------------------------------------------------------------------------------------------------------------

Here is the current running config:
HBMC_GATEWAY#show run
Building configuration...
Current configuration : 3756 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HBMC_GATEWAY
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-15.T7.bin
boot-end-marker
!
logging buffered 4096
logging console critical
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name loo
ip name-server 10.1.1.20
!
multilink bundle-name authenticated
!
!
!
!
!
username sgomez privilege 15 secret 5 $1$re3B$Zu1gprd.3swALO2.SI7Qa.
username admin privilege 15 secret 5 $1$C9F/$sxsCt/cJUDYwXHGuC99RO.
archive
 log config
  hidekeys
!
crypto keyring VZW
  pre-shared-key address 66.174.161.36 key VzWmPn31316
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile VZW
   keyring VZW
   match identity address 66.174.161.36 255.255.255.255
!
!
crypto ipsec transform-set vzw_vpntunnel esp-3des esp-md5-hmac
 mode transport
!
crypto map vpntunnel 50 ipsec-isakmp
 set peer 66.174.161.36
 set transform-set vzw_vpntunnel
 set isakmp-profile VZW
 match address GRE_MATCH
!
!
!
!
!
!
interface Tunnel0
 description Ohio
 ip address 10.2.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VZCARD
 tunnel source 66.216.153.86
 tunnel destination 66.174.161.36
!
interface FastEthernet0/0
 description ROUTED_BLOCK
 ip address 66.216.163.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description VW_SUBNET
 ip address 10.100.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface Serial0/0/0
 ip address 66.216.153.86 255.255.255.252
 crypto map vpntunnel
!
router bgp 65504
 no synchronization
 bgp log-neighbor-changes
 ! This was added today:
 network 66.174.71.33 mask 255.255.255.255
 network 66.174.92.14 mask 255.255.255.255
 network 66.174.95.44 mask 255.255.255.255
 network 69.78.96.14 mask 255.255.255.255
 ! These 2 were added 2 days ago. Eric was informed they added these new DNS records.
 ! We made those changes and it worked for 1 day then stopped again.
 network 198.224.188.236 mask 255.255.255.255
 network 198.224.189.236 mask 255.255.255.255
 neighbor 10.2.0.1 remote-as 6167
 neighbor 10.2.0.1 default-originate
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.216.153.85
ip route 10.1.0.0 255.255.252.0 10.100.0.2
ip route 10.1.10.0 255.255.255.0 10.100.0.2
ip route 66.109.238.254 255.255.255.255 66.216.153.85
! This was added today:
ip route 66.174.71.33 255.255.255.255 Null0
ip route 66.174.92.14 255.255.255.255 Null0
ip route 66.174.95.44 255.255.255.255 Null0
ip route 69.78.96.14 255.255.255.255 Null0
! These 2 were added 2 days ago. Eric was informed they added these new DNS records.
! We made those changes and it worked for 1 day then stopped again.
ip route 198.224.188.236 255.255.255.255 Null0
ip route 198.224.189.236 255.255.255.255 Null0
!
!
no ip http server
no ip http secure-server
! These were changed back to the original state. 2 days ago they were changed to
! "ip nat inside source static 10.1.1.20 198.224.189.236" and
! "ip nat outside source static 198.224.189.236 10.1.1.20" and worked for 1 day.
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20
!
ip access-list standard VZINTERNET
 permit 10.2.1.0 0.0.0.255
!
ip access-list extended GRE_MATCH
 permit gre host 66.216.153.86 host 66.174.161.36
ip access-list extended VPN_IN
 permit esp host 66.174.161.36 host 66.216.153.86
 permit udp host 66.174.161.36 host 66.216.153.86 eq isakmp
 permit icmp any host 66.216.153.86
 permit tcp any host 66.216.153.86 eq 22
!
access-list 7 permit 72.25.6.228
access-list 100 permit ip any host 66.174.161.36
access-list 101 deny   ip any any log
snmp-server community hyrule RO 7
no cdp run
!
!
route-map VZCARD permit 10
 match ip address VZINTERNET
 set ip next-hop 10.100.0.2
!
!
!
control-plane
!
alias exec s show ip int brief
alias exec c configure t
!
line con 0
 login local
line aux 0
 access-class 101 in
 no exec
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
line vty 16 988
 login
 transport input ssh
!
scheduler allocate 20000 1000
!
end
Question by:HB-IT
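The question boils down to two config consistency checks: whether the same inside local address (10.1.1.20) may carry more than one static inside mapping, and whether every host address that is null-routed and advertised in BGP actually has a NAT mapping behind it. The following audit script is an added example, not part of the original question, the accepted answer, or any Cisco tool. It parses an IOS running config in the form posted above and reports (a) an inside local address mapped to more than one global address without the `extendable` keyword (on the IOS releases I have worked with, the second plain `ip nat inside source static` for an address that is already mapped is refused; `extendable` is what permits one-to-many static entries, so verify that on your own train), and (b) null-routed or BGP-advertised /32s that have no inside static mapping at all. The embedded config is a constructed excerpt of the posted config with the second NAT pair appended exactly as the author proposed; the `audit` and `parse_config` function names are mine.

```python
"""Static-NAT consistency audit for an IOS running config.

Added example (not the page's or Cisco's code). Assumptions: plain IOS
`show run` formatting, sections separated by `!`, and the `extendable`
keyword as the way IOS permits one inside-local -> many globals.
"""
import re
from collections import defaultdict

# Constructed excerpt of the posted config, with the second static pair from
# the question appended the way the author proposed (no `extendable`).
SAMPLE_CONFIG = """\
router bgp 65504
 network 66.174.71.33 mask 255.255.255.255
 network 66.174.95.44 mask 255.255.255.255
 network 198.224.189.236 mask 255.255.255.255
 neighbor 10.2.0.1 remote-as 6167
!
ip route 0.0.0.0 0.0.0.0 66.216.153.85
ip route 66.174.71.33 255.255.255.255 Null0
ip route 66.174.95.44 255.255.255.255 Null0
ip route 198.224.189.236 255.255.255.255 Null0
!
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20
"""

# `inside source static <local> <global>` / `outside source static <global> <local>`
NAT_RE = re.compile(r"^ip nat (inside|outside) source static (\S+) (\S+)(.*)$")
NULL_ROUTE_RE = re.compile(r"^ip route (\S+) 255\.255\.255\.255 Null0\b")
BGP_NET_RE = re.compile(r"^\s*network (\S+) mask 255\.255\.255\.255\b")


def parse_config(text):
    """Return (nat_entries, null_routed, bgp_hosts) from an IOS config text.

    nat_entries: list of (direction, first_addr, second_addr, extendable)
    null_routed: set of /32 hosts pointed at Null0
    bgp_hosts:   set of /32 hosts announced under `router bgp`
    """
    nat_entries, null_routed, bgp_hosts = [], set(), set()
    in_bgp = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("router bgp"):
            in_bgp = True
            continue
        if line == "!":          # `!` closes a section in show run output
            in_bgp = False
        m = NAT_RE.match(line)
        if m:
            direction, first, second, rest = m.groups()
            nat_entries.append((direction, first, second, "extendable" in rest.split()))
            continue
        m = NULL_ROUTE_RE.match(line)
        if m:
            null_routed.add(m.group(1))
            continue
        if in_bgp:
            m = BGP_NET_RE.match(line)
            if m:
                bgp_hosts.add(m.group(1))
    return nat_entries, null_routed, bgp_hosts


def audit(text):
    """Return a list of findings as tuples; empty list means nothing flagged."""
    nat_entries, null_routed, bgp_hosts = parse_config(text)
    findings = []

    # (a) one inside-local address mapped to several globals without `extendable`
    globals_by_local = defaultdict(list)
    for direction, local, glob, ext in nat_entries:
        if direction == "inside":
            globals_by_local[local].append((glob, ext))
    for local, mappings in globals_by_local.items():
        if len(mappings) > 1 and not all(ext for _, ext in mappings):
            findings.append(("one-to-many-no-extendable", local, [g for g, _ in mappings]))

    # (b) /32s that are null-routed or advertised but never used as an inside global
    nat_globals = {glob for d, _, glob, _ in nat_entries if d == "inside"}
    for host in sorted(null_routed | bgp_hosts):
        if host not in nat_globals:
            findings.append(("no-nat-mapping", host))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run it against the full `show run` output (after redacting the keyring and SNMP lines, which should not be pasted anywhere in the first place) and compare the findings with what Verizon asked for: the one-to-many finding is the exact situation the question proposes, and any address reported under `no-nat-mapping` is being advertised and black-holed on Null0 while nothing on the inside answers for it.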
3 Comments
 

Author Comment

by:HB-IT
ID: 37840559
OK, side note: the 10.1.1.20 is our DNS inside my company and the other address is Verizon's.
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37840827
You can have multiple NAT commands.

To check NAT translations, put the below command in the router:

show ip nat translations

http://www.techrepublic.com/blog/networking/configure-static-nat-for-inbound-connections/264
 
LVL 17

Accepted Solution

by:
TimotiSt earned 500 total points
ID: 37849286
This looks like a pretty advanced config, with BGP and VPN with a GRE tunnel and null routes and whatnot.
Maybe you should contract a local network engineer, to sort it out for you, providing him with complete network topology maps.

Tamas
