Solved

Cisco Nat question inside/outside

Posted on 2012-04-12
689 Views
Last Modified: 2012-05-29
Hello,

I currently have a 2811 Cisco and our current configuration was working great until Verizon updated their DNS servers and took down our private network with them.  So they gave us the additions that we needed to make to the router and we did, but when we made the changes to the NAT inside and NAT outside it worked for a day, then all our air cards stopped working the day after.  So they told us we needed to change it back; we did that, and now it worked for a couple hours and stopped.  Now Verizon told us we should add both DNS entries into the NAT area.  Can I add 2 NAT inside addresses, or is that not going to work?

Currently it looks like this
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20

They want us to add this as well.
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20

So it would end up looking like this here is the command I would have to type as well

config t
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20
write mem

end result would be
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20


------------------------------------------------------------------------------------------------------------

Here is the current run config
HBMC_GATEWAY#show run
Building configuration...
Current configuration : 3756 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HBMC_GATEWAY
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-15.T7.bin
boot-end-marker
!
logging buffered 4096
logging console critical
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name loo
ip name-server 10.1.1.20
!
multilink bundle-name authenticated
!
!
!
!
!
username sgomez privilege 15 secret 5 $1$re3B$Zu1gprd.3swALO2.SI7Qa.
username admin privilege 15 secret 5 $1$C9F/$sxsCt/cJUDYwXHGuC99RO.
archive
 log config
  hidekeys
!
crypto keyring VZW
  pre-shared-key address 66.174.161.36 key VzWmPn31316
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile VZW
   keyring VZW
   match identity address 66.174.161.36 255.255.255.255
!
!
crypto ipsec transform-set vzw_vpntunnel esp-3des esp-md5-hmac
 mode transport
!
crypto map vpntunnel 50 ipsec-isakmp
 set peer 66.174.161.36
 set transform-set vzw_vpntunnel
 set isakmp-profile VZW
 match address GRE_MATCH
!
!
!
!
!
!
interface Tunnel0
 description Ohio
 ip address 10.2.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VZCARD
 tunnel source 66.216.153.86
 tunnel destination 66.174.161.36
!
interface FastEthernet0/0
 description ROUTED_BLOCK
 ip address 66.216.163.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description VW_SUBNET
 ip address 10.100.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface Serial0/0/0
 ip address 66.216.153.86 255.255.255.252
 crypto map vpntunnel
!
router bgp 65504
 no synchronization
 bgp log-neighbor-changes
 network 66.174.71.33 mask 255.255.255.255                  This was added today
 network 66.174.92.14 mask 255.255.255.255
 network 66.174.95.44 mask 255.255.255.255
 network 69.78.96.14 mask 255.255.255.255
 network 198.224.188.236 mask 255.255.255.255             These 2 were added 2 days ago Eric was Informed they added these new DNS records.  We made those changes and it worked for 1 day then stopped again.
 network 198.224.189.236 mask 255.255.255.255
 neighbor 10.2.0.1 remote-as 6167
 neighbor 10.2.0.1 default-originate
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.216.153.85
ip route 10.1.0.0 255.255.252.0 10.100.0.2
ip route 10.1.10.0 255.255.255.0 10.100.0.2
ip route 66.109.238.254 255.255.255.255 66.216.153.85
ip route 66.174.71.33 255.255.255.255 Null0                    This was added today
ip route 66.174.92.14 255.255.255.255 Null0
ip route 66.174.95.44 255.255.255.255 Null0
ip route 69.78.96.14 255.255.255.255 Null0
ip route 198.224.188.236 255.255.255.255 Null0               These 2 were added 2 days ago Eric was Informed they added these new DNS records.  We made those changes and it worked for 1 day then stopped again.
ip route 198.224.189.236 255.255.255.255 Null0
!
!
no ip http server
no ip http secure-server
ip nat inside source static 10.1.1.20 66.174.95.44              This was changed back to original state.  2 days ago it was changed to ip nat inside source static 10.1.1.20 198.224.189 236 and worked for 1 day.
ip nat outside source static 66.174.95.44 10.1.1.20            This was changed back to original state.  2 days ago it was changed to ip nat outside source static 198.224.189 236 10.1.1.20 and worked for 1 day.
!
ip access-list standard VZINTERNET
 permit 10.2.1.0 0.0.0.255
!
ip access-list extended GRE_MATCH
 permit gre host 66.216.153.86 host 66.174.161.36
ip access-list extended VPN_IN
 permit esp host 66.174.161.36 host 66.216.153.86
 permit udp host 66.174.161.36 host 66.216.153.86 eq isakmp
 permit icmp any host 66.216.153.86
 permit tcp any host 66.216.153.86 eq 22
!
access-list 7 permit 72.25.6.228
access-list 100 permit ip any host 66.174.161.36
access-list 101 deny   ip any any log
snmp-server community hyrule RO 7
no cdp run
!
!
route-map VZCARD permit 10
 match ip address VZINTERNET
 set ip next-hop 10.100.0.2
!
!
!
control-plane
!
alias exec s show ip int brief
alias exec c configure t
!
line con 0
 login local
line aux 0
 access-class 101 in
 no exec
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
line vty 16 988
 login
 transport input ssh
!
scheduler allocate 20000 1000
!
end
Question by:HB-IT
3 Comments
 

Author Comment

by:HB-IT
ID: 37840559
ok side note the 10.1.1.20 is our DNS inside My company and the other address is Verizon's
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37840827
You can have multiple NAT commands.

To check NAT translations, put the below command in the router:

show ip nat translations



http://www.techrepublic.com/blog/networking/configure-static-nat-for-inbound-connections/264
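The question above asks whether one inside address (10.1.1.20) can carry two static inside-source mappings, and the comment above suggests `show ip nat translations` as the way to see what the router is actually doing. The following is an added example, not code from the question, the comments or Cisco: a small Python parser for the column layout that IOS prints for `show ip nat translations`, run over a constructed sample (not output captured from the router in the question). It reports which inside-global addresses the translation table holds for a given inside-local address and flags the case where more than one static inside-global is present for the same inside-local, which is exactly the situation the two proposed `ip nat inside source static` lines would create. The column layout is assumed from IOS output; the parser only reports what the table shows and does not decide whether IOS accepts the second line.

```python
"""Parse `show ip nat translations` output and check static mappings.

Added example for the Experts Exchange thread above; not the router's
own output. The sample below is constructed to mirror the IOS column
layout (Pro, Inside global, Inside local, Outside local, Outside global).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set

# Constructed sample. Static entries have "---" in the Pro column; dynamic
# per-flow entries carry a protocol and ":port" suffixes. The third line is
# the shape an `ip nat outside source static` entry takes (outside columns
# populated, inside columns "---").
SAMPLE_OUTPUT = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 66.174.95.44       10.1.1.20          ---                ---
--- 198.224.189.236    10.1.1.20          ---                ---
--- ---                ---                10.1.1.20          66.174.95.44
udp 66.174.95.44:53    10.1.1.20:53       66.174.92.14:53    66.174.92.14:53
tcp 66.174.95.44:22    10.1.1.20:22       72.25.6.228:50122  72.25.6.228:50122
"""


class NatEntry(NamedTuple):
    proto: Optional[str]          # None for a static (protocol-less) entry
    inside_global: Optional[str]
    inside_local: Optional[str]
    outside_local: Optional[str]
    outside_global: Optional[str]

    @property
    def is_static(self) -> bool:
        return self.proto is None


def _addr(field: str) -> Optional[str]:
    """Map '---' to None and strip a ':port' suffix so addresses compare cleanly."""
    if field == "---":
        return None
    return field.split(":", 1)[0]


def parse_nat_translations(text: str) -> List[NatEntry]:
    """Return one NatEntry per translation line; header and blank lines are skipped."""
    entries: List[NatEntry] = []
    for line in text.splitlines():
        fields = line.split()
        # A translation line has exactly five columns; the header has more.
        if len(fields) != 5:
            continue
        proto = None if fields[0] == "---" else fields[0].lower()
        entries.append(NatEntry(proto, *map(_addr, fields[1:])))
    return entries


def static_inside_mappings(entries: List[NatEntry]) -> Dict[str, Set[str]]:
    """inside_local -> set of inside_global addresses taken from static inside entries only."""
    mapping: Dict[str, Set[str]] = defaultdict(set)
    for e in entries:
        if e.is_static and e.inside_local and e.inside_global:
            mapping[e.inside_local].add(e.inside_global)
    return dict(mapping)


def check_static_mapping(entries: List[NatEntry], inside_local: str, expected_global: str) -> dict:
    """Report whether the expected static mapping exists and whether the inside-local
    address is mapped to more than one inside-global (ambiguous for outbound traffic)."""
    globals_ = static_inside_mappings(entries).get(inside_local, set())
    return {
        "present": expected_global in globals_,
        "all_globals": sorted(globals_),
        "ambiguous": len(globals_) > 1,
    }


if __name__ == "__main__":
    table = parse_nat_translations(SAMPLE_OUTPUT)
    for local, globs in static_inside_mappings(table).items():
        print(f"{local} -> {sorted(globs)}")
    print(check_static_mapping(table, "10.1.1.20", "198.224.189.236"))
```

To use it against a real device, paste the output of `show ip nat translations` in place of `SAMPLE_OUTPUT`. An `ambiguous` result means the table holds two static inside-globals for one inside-local, so which public address outbound DNS traffic from 10.1.1.20 leaves with is not determined by the mapping alone; that is the condition to resolve with Verizon before adding the second static line.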
LVL 17

Accepted Solution

by:
TimotiSt earned 1000 total points
ID: 37849286
This looks like a pretty advanced config, with BGP and VPN with a GRE tunnel and null routes and whatnot.
Maybe you should contract a local network engineer to sort it out for you, providing him with complete network topology maps.

Tamas