Cisco Nat question inside/outside

Hello,

I currently have a Cisco 2811, and our current configuration was working great until Verizon updated their DNS servers and took down our private network with them. So they gave us the additions that we needed to make to the router, and we did, but when we made the changes to the NAT inside and NAT outside it worked for a day, then all our air cards stopped working the day after. So they told us we needed to change it back; we did that, and it worked for a couple of hours and stopped. Now Verizon has told us we should add both DNS entries into the NAT area. Can I add 2 NAT inside addresses, or is that not going to work?

Currently it looks like this:
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20

They want us to add this as well.
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20

So it would end up looking like this; here are the commands I would have to type as well:

config t
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20
write mem

The end result would be:
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20


------------------------------------------------------------------------------------------------------------

Here is the current running config:
HBMC_GATEWAY#show run
Building configuration...
Current configuration : 3756 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HBMC_GATEWAY
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-15.T7.bin
boot-end-marker
!
logging buffered 4096
logging console critical
!
no aaa new-model
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name loo
ip name-server 10.1.1.20
!
multilink bundle-name authenticated
!
!
!
!
!
username sgomez privilege 15 secret 5 $1$re3B$Zu1gprd.3swALO2.SI7Qa.
username admin privilege 15 secret 5 $1$C9F/$sxsCt/cJUDYwXHGuC99RO.
archive
 log config
  hidekeys
!
crypto keyring VZW
  pre-shared-key address 66.174.161.36 key VzWmPn31316
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp profile VZW
   keyring VZW
   match identity address 66.174.161.36 255.255.255.255
!
!
crypto ipsec transform-set vzw_vpntunnel esp-3des esp-md5-hmac
 mode transport
!
crypto map vpntunnel 50 ipsec-isakmp
 set peer 66.174.161.36
 set transform-set vzw_vpntunnel
 set isakmp-profile VZW
 match address GRE_MATCH
!
!
!
!
!
!
interface Tunnel0
 description Ohio
 ip address 10.2.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VZCARD
 tunnel source 66.216.153.86
 tunnel destination 66.174.161.36
!
interface FastEthernet0/0
 description ROUTED_BLOCK
 ip address 66.216.163.145 255.255.255.248
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description VW_SUBNET
 ip address 10.100.0.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 duplex full
 speed 100
!
interface Serial0/0/0
 ip address 66.216.153.86 255.255.255.252
 crypto map vpntunnel
!
router bgp 65504
 no synchronization
 bgp log-neighbor-changes
 network 66.174.71.33 mask 255.255.255.255                  This was added today
 network 66.174.92.14 mask 255.255.255.255
 network 66.174.95.44 mask 255.255.255.255
 network 69.78.96.14 mask 255.255.255.255
 network 198.224.188.236 mask 255.255.255.255             These 2 were added 2 days ago. Eric was informed they added these new DNS records. We made those changes and it worked for 1 day, then stopped again.
 network 198.224.189.236 mask 255.255.255.255
 neighbor 10.2.0.1 remote-as 6167
 neighbor 10.2.0.1 default-originate
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.216.153.85
ip route 10.1.0.0 255.255.252.0 10.100.0.2
ip route 10.1.10.0 255.255.255.0 10.100.0.2
ip route 66.109.238.254 255.255.255.255 66.216.153.85
ip route 66.174.71.33 255.255.255.255 Null0                    This was added today
ip route 66.174.92.14 255.255.255.255 Null0
ip route 66.174.95.44 255.255.255.255 Null0
ip route 69.78.96.14 255.255.255.255 Null0
ip route 198.224.188.236 255.255.255.255 Null0               These 2 were added 2 days ago. Eric was informed they added these new DNS records. We made those changes and it worked for 1 day, then stopped again.
ip route 198.224.189.236 255.255.255.255 Null0
!
!
no ip http server
no ip http secure-server
ip nat inside source static 10.1.1.20 66.174.95.44              This was changed back to the original state. 2 days ago it was changed to "ip nat inside source static 10.1.1.20 198.224.189.236" and worked for 1 day.
ip nat outside source static 66.174.95.44 10.1.1.20            This was changed back to the original state. 2 days ago it was changed to "ip nat outside source static 198.224.189.236 10.1.1.20" and worked for 1 day.
!
ip access-list standard VZINTERNET
 permit 10.2.1.0 0.0.0.255
!
ip access-list extended GRE_MATCH
 permit gre host 66.216.153.86 host 66.174.161.36
ip access-list extended VPN_IN
 permit esp host 66.174.161.36 host 66.216.153.86
 permit udp host 66.174.161.36 host 66.216.153.86 eq isakmp
 permit icmp any host 66.216.153.86
 permit tcp any host 66.216.153.86 eq 22
!
access-list 7 permit 72.25.6.228
access-list 100 permit ip any host 66.174.161.36
access-list 101 deny   ip any any log
snmp-server community hyrule RO 7
no cdp run
!
!
route-map VZCARD permit 10
 match ip address VZINTERNET
 set ip next-hop 10.100.0.2
!
!
!
control-plane
!
alias exec s show ip int brief
alias exec c configure t
!
line con 0
 login local
line aux 0
 access-class 101 in
 no exec
line vty 0 4
 privilege level 15
 login local
 transport input ssh
line vty 5 15
 privilege level 15
 login local
 transport input ssh
line vty 16 988
 login
 transport input ssh
!
scheduler allocate 20000 1000
!
end
Asked by: HB-IT

HB-IT (Author) commented:
OK, side note: the 10.1.1.20 is our DNS inside my company, and the other address is Verizon's.

Anuroopsundd commented:
You can have multiple NAT commands.

To check NAT translations, put the command below into the router:

show ip nat translations

http://www.techrepublic.com/blog/networking/configure-static-nat-for-inbound-connections/264
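
Checking the proposed mappings before typing them in, as an added example that is not part of the original thread. IOS keeps a plain (non-port) static translation one-to-one: an inside-local address, and likewise an inside-global address, can appear in only one `ip nat inside source static` entry, and a second entry for 10.1.1.20 is refused with an "already mapped" error rather than coexisting with the first, so `show ip nat translations` will only ever list one of the two globals for that host. The script below parses the static NAT lines out of a config, flags any address that two entries try to map, and then compares the configured inside-source mappings with a `show ip nat translations` listing in the column layout IOS prints. The config text and the translation-table output are constructed for this example (the addresses are the ones from the thread); the port-specific `static tcp|udp` form is not parsed.

```python
"""Added example, not code from the original thread: sanity-check Cisco IOS
static NAT statements for one-to-one conflicts, then confirm which of them
actually appear in `show ip nat translations` output."""
import re
from collections import defaultdict

# Plain one-to-one forms only (port-specific `static tcp|udp` is ignored):
#   ip nat inside source static <inside-local> <inside-global>
#   ip nat outside source static <outside-global> <outside-local>
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
STATIC_RE = re.compile(
    rf"^\s*ip nat (inside|outside) source static {IP} {IP}(?:\s+.*)?$"
)

# Constructed sample configs using the addresses from the thread.
CURRENT_CONFIG = """\
ip nat inside source static 10.1.1.20 66.174.95.44
ip nat outside source static 66.174.95.44 10.1.1.20
"""
PROPOSED_CONFIG = CURRENT_CONFIG + """\
ip nat inside source static 10.1.1.20 198.224.189.236
ip nat outside source static 198.224.189.236 10.1.1.20
"""

# Constructed `show ip nat translations` output: the static entry shows up
# as a row with Pro '---' and no outside addresses while no session is open.
SAMPLE_XLATE = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 66.174.95.44       10.1.1.20          ---                ---
"""


def parse_static_nat(config):
    """Return (direction, first_addr, second_addr) for each plain static entry,
    tolerating trailing annotations such as those pasted in the thread."""
    return [m.groups() for line in config.splitlines()
            for m in [STATIC_RE.match(line)] if m]


def find_conflicts(config):
    """List addresses that more than one static entry of the same direction
    tries to map; this is the condition IOS rejects as 'already mapped'.
    Each result is (direction, address, [addresses it is mapped to])."""
    seen = defaultdict(list)
    for direction, a, b in parse_static_nat(config):
        seen[(direction, "first", a)].append(b)
        seen[(direction, "second", b)].append(a)
    return [(direction, addr, others)
            for (direction, _pos, addr), others in sorted(seen.items())
            if len(others) > 1]


def parse_translations(text):
    """Parse the five-column translation table into dicts; header is skipped
    because it does not split into exactly five fields."""
    keys = ("proto", "inside_global", "inside_local",
            "outside_local", "outside_global")
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] in ("---", "tcp", "udp", "icmp"):
            rows.append(dict(zip(keys, parts)))
    return rows


def missing_static_mappings(config, xlate_text):
    """Configured inside-source mappings with no row in the translation
    table, e.g. a second entry for the same host that IOS refused."""
    present = {(r["inside_global"], r["inside_local"])
               for r in parse_translations(xlate_text)}
    wanted = [(glob, loc) for d, loc, glob in parse_static_nat(config)
              if d == "inside"]
    return [m for m in wanted if m not in present]


if __name__ == "__main__":
    for direction, addr, others in find_conflicts(PROPOSED_CONFIG):
        print(f"{direction} static: {addr} mapped to {', '.join(others)}")
    print("configured but absent from translation table:",
          missing_static_mappings(PROPOSED_CONFIG, SAMPLE_XLATE))
```

Run against the two existing lines the check is clean; run against the four proposed lines it reports 10.1.1.20 mapped twice on the inside-source side and twice on the outside-source side, and the comparison with the sample table shows the 198.224.189.236 mapping is the one not installed. Paste a real `show run | include ip nat` and `show ip nat translations` in place of the constructed strings to check the router itself.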
 
TimotiSt commented:
This looks like a pretty advanced config, with BGP and VPN with a GRE tunnel and null routes and whatnot.
Maybe you should contract a local network engineer, to sort it out for you, providing him with complete network topology maps.

Tamas