Mustafa (United States of America) asked:
Cisco NAT for Internal VLAN and NVR Server

Hi,

I have a Cisco 890 with IOS 15. Please help me solve the following two problems related to NAT.

1. I would like to access an NVR from both inside and outside the network using the same public IP.
2. I would like to access internal VLANs without any NAT between them.

If I configure ip nat enable, the first problem gets solved but the second does not.
If I configure ip nat inside/outside, the second problem gets solved but the first one does not.

Following is the configuration.

interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface Ethernet0
 no ip address
 shutdown
!
interface GigabitEthernet0
 switchport mode trunk
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet2
 switchport access vlan 10
 no ip address
!
interface GigabitEthernet3
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet4
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet5
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet6
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet7
 switchport access vlan 10
 no ip address
 spanning-tree portfast
!
interface GigabitEthernet8
 ip address 116.84.94.2 255.255.255.0
 ip access-group inside in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 duplex auto
 speed auto
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Vlan10
 ip nat enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat source list 1 interface GigabitEthernet8 overload
ip nat source list 2 interface GigabitEthernet8 overload
ip nat source static tcp 10.1.1.200 8880 interface GigabitEthernet8 8880
ip nat source static tcp 10.1.1.200 554 interface GigabitEthernet8 554
ip nat source static tcp 10.1.1.200 555 interface GigabitEthernet8 555
ip nat source static tcp 10.1.1.200 556 interface GigabitEthernet8 556
ip nat source static tcp 10.1.1.200 557 interface GigabitEthernet8 557
ip nat source static tcp 10.1.1.200 558 interface GigabitEthernet8 558
ip route 0.0.0.0 0.0.0.0 116.84.94.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 8522 rotary 1
ip ssh version 2
!
ip access-list extended inside
 deny   ip 0.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 169.254.0.0 0.0.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 224.0.0.0 31.255.255.255 any
 deny   ip 240.0.0.0 15.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   udp any any eq ntp
 deny   udp any any eq snmp
 deny   udp any any eq snmptrap
 deny   tcp any any fragments
 deny   udp any any fragments
 deny   ip any any fragments
 permit icmp any any ttl-exceeded
 permit icmp any any port-unreachable
 permit icmp any any echo-reply
 permit icmp any any echo
 permit icmp any any packet-too-big
 deny   icmp any any
 permit ip any any
ip access-list extended vty
 deny   tcp any any eq 22
 permit ip any any
!
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
ASKER CERTIFIED SOLUTION: Predrag Jovic (Poland)
Mustafa (ASKER):
Hi JustInCase,

From IP 192.168.0.2, I am unable to access 10.1.1.200 on port 8880 while I am able to access 10.1.1.200 on the remaining ports not mentioned in the NAT. I am also able to access 116.84.94.2 on port 8880.

Please let me know how to fix this.
I am not sure if there is a way to go around the problem for ports where static NAT is configured.

Hi,

Try this:

interface GigabitEthernet8
 no ip nat enable
 ip nat outside
!
interface Virtual-Template1
 no ip nat enable
 ip nat inside
!
interface Vlan10
 no ip nat enable
 ip nat inside
!
interface Vlan20
 no ip nat enable
 ip nat inside
!
no ip nat source list 1 interface GigabitEthernet8 overload
no ip nat source list 2 interface GigabitEthernet8 overload
ip nat source list 100 interface GigabitEthernet8 overload
!
access-list 100 deny ip 10.1.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.0.0 0.0.0.255 any

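As an added illustration, not part of the thread, here is a small Python model of the reply's access-list 100 using Cisco wildcard-mask, first-match semantics. It shows which flows the "ip nat source list 100 ... overload" statement would translate and which inter-VLAN flows the two leading deny entries exempt from NAT; the outside address used in the checks is a constructed example.

```python
import ipaddress

# Model of access-list 100 from the reply (network, wildcard pairs as on the page).
# "any" is represented as 0.0.0.0 with an all-ones wildcard.
ACL_100 = [
    ("deny",   "10.1.1.0",    "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("deny",   "192.168.0.0", "0.0.0.255", "10.1.1.0",    "0.0.0.255"),
    ("permit", "10.1.1.0",    "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
    ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def nat_decision(src: str, dst: str) -> str:
    """For a NAT source list, 'permit' means the flow is PATed to the outside
    interface address; 'deny' means it is routed untranslated."""
    return "PAT" if acl_action(ACL_100, src, dst) == "permit" else "no-NAT"


if __name__ == "__main__":
    # Constructed flows: VLAN20 host to the NVR, and each VLAN to an outside host.
    for flow in [("192.168.0.2", "10.1.1.200"),
                 ("10.1.1.50", "203.0.113.9"),
                 ("192.168.0.2", "203.0.113.9")]:
        print(flow, "->", nat_decision(*flow))
```

Swapping the permit entries ahead of the deny entries makes the inter-VLAN flow match a permit first, which is why the order in the reply matters.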