NAT overload with some static NATs and a block of public IPs

Discussion in 'Cisco' started by Ronald de Leeuw, Jun 30, 2005.

    Please review the config below:

    interface GigabitEthernet0/0
    ip address 192.168.1.254 255.255.255.0
    ip nat inside
    no cdp enable
    !
    interface ATM0/0/0
    dsl equipment-type CPE
    dsl operating-mode GSHDSL symmetric annex B
    dsl linerate AUTO
    pvc 0/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 10
    !
    !
    interface Dialer10
    ip address 80.80.80.9 255.255.255.248
    ip nat outside
    encapsulation ppp
    dialer pool 10
    dialer persistent
    ppp authentication pap callin
    ppp pap sent-username user password pass
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer10 permanent
    !
    ip nat translation timeout 300
    ip nat inside source route-map RMP_DIALER10_OVERLOAD interface Dialer10 overload
    ip nat inside source static tcp 192.168.1.2 25 80.80.80.14 25 extendable
    ip nat inside source static tcp 192.168.1.2 80 80.80.80.14 80 extendable
    ip nat inside source static tcp 192.168.1.2 443 80.80.80.14 443 extendable
    !
    ip access-list extended ACL_DIALER10_OVERLOAD
    permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map RMP_DIALER10_OVERLOAD permit 10
    match ip address ACL_DIALER10_OVERLOAD
    match interface Dialer10
    !

    In this configuration any traffic to the Internet generated by the server on
    private IP 192.168.1.2 gets a source address 80.80.80.9 after the NAT
    overload (for which, for some other reasons, I have to use a route-map). I
    want this server 192.168.1.2 to be reachable on the Internet via public IP
    80.80.80.14 for a few select ports, which works fine. But I want the server
    to use another IP address from the public range than the one assigned to the
    dialer interface (80.80.80.14, which I'm also using for the inbound traffic
    to the server). How can I accomplish this?

    Ronald de Leeuw
     
    Ronald de Leeuw, Jun 30, 2005
    #1

    djd (Guest)

    You could try creating a new nat pool and specifying the server as the
    only host to use it. You'll also have to deny this server from using
    the Dialer interface. Something like this should work (note that I
    guessed at the netmask for your registered address space):


    ip nat translation timeout 300
    !
    ! add a new pool and reference to it for the server:
    !
    ip nat pool SERVER_POOL 80.80.80.13 80.80.80.13 netmask 255.255.255.240
    ip nat inside source list SERVER_ACL pool SERVER_POOL overload
    !
    ip nat inside source route-map RMP_DIALER10_OVERLOAD interface Dialer10 overload
    ip nat inside source static tcp 192.168.1.2 25 80.80.80.14 25 extendable
    ip nat inside source static tcp 192.168.1.2 80 80.80.80.14 80 extendable
    ip nat inside source static tcp 192.168.1.2 443 80.80.80.14 443 extendable
    !
    ! add a new acl for just the server:
    !
    ip access-list extended SERVER_ACL
    permit ip host 192.168.1.2 any
    !
    ! deny the server from using the dialer interface pool:
    !
    ip access-list extended ACL_DIALER10_OVERLOAD
    deny ip host 192.168.1.2 any
    permit ip 192.168.1.0 0.0.0.255 any
    !
    route-map RMP_DIALER10_OVERLOAD permit 10
    match ip address ACL_DIALER10_OVERLOAD
    match interface Dialer10


    HTH - Good luck!
     
    djd, Jul 3, 2005
    #2
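As an added check that is not from the thread: a small Python model of the reply's ACLs and dynamic overload rules using Cisco first-match and wildcard-mask semantics. The page does not say which dynamic NAT rule IOS consults first, so the model evaluates both orders (an assumption, not IOS behaviour) and shows that the `deny ip host 192.168.1.2 any` entry is what makes the server's outbound public address independent of that order; the ACL contents and public addresses are transcribed from the reply.

```python
import ipaddress

def ace(action, network, wildcard):
    """One access-control entry; wildcard bits set to 1 mean 'don't care'."""
    return (action, int(ipaddress.IPv4Address(network)), int(ipaddress.IPv4Address(wildcard)))

def acl_match(acl, src_ip):
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    ip = int(ipaddress.IPv4Address(src_ip))
    for action, net, wild in acl:
        if (ip | wild) == (net | wild):   # compare only the bits the wildcard cares about
            return action
    return "deny"

# ACLs as written in the reply (constructed model of the page's config)
SERVER_ACL = [ace("permit", "192.168.1.2", "0.0.0.0")]
ACL_DIALER10_OVERLOAD = [
    ace("deny", "192.168.1.2", "0.0.0.0"),
    ace("permit", "192.168.1.0", "0.0.0.255"),
]
# The original poster's ACL, which has no deny entry for the server
ACL_DIALER10_ORIGINAL = [ace("permit", "192.168.1.0", "0.0.0.255")]

def translated_source(src_ip, rules):
    """Public address assigned by the first dynamic NAT rule whose ACL permits, or None."""
    for acl, public_ip in rules:
        if acl_match(acl, src_ip) == "permit":
            return public_ip
    return None

def order_independent(src_ip, rules):
    """True if the result does not depend on which dynamic rule is evaluated first
    (assumed check; the real IOS evaluation order is not stated on the page)."""
    return translated_source(src_ip, rules) == translated_source(src_ip, list(reversed(rules)))

# (ACL, public address): SERVER_POOL is 80.80.80.13, Dialer10 is 80.80.80.9
FIXED_RULES = [(SERVER_ACL, "80.80.80.13"), (ACL_DIALER10_OVERLOAD, "80.80.80.9")]
ORIGINAL_RULES = [(SERVER_ACL, "80.80.80.13"), (ACL_DIALER10_ORIGINAL, "80.80.80.9")]

if __name__ == "__main__":
    for host in ("192.168.1.2", "192.168.1.10"):
        print(host, translated_source(host, FIXED_RULES),
              "order-independent:", order_independent(host, FIXED_RULES))
    print("server without the deny entry, order-independent:",
          order_independent("192.168.1.2", ORIGINAL_RULES))
```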
