MPLS PE NAT

I would like to start using NAT on our PE nodes but I cannot get it working. I have a lab setup with two VRFs terminating on the same node. In the lab I would like to NAT an address (for argument's sake, a server) in the one VRF (Customer-C) to a unique address so that the other VRF (Customer-B) is able to reach this server via this address. I have the NAT statements in place and if I do a sh ip nat trans the NAT shows up as active but if I do a sh ip nat trans vrf there is nothing.
These are the commands I used:
ip nat pool inside1 60.60.60.1 60.60.60.254 netmask 255.255.255.0
ip nat inside source list test-nat pool inside1 vrf Customer-C
ip nat outside source static 50.50.50.1 60.60.60.1
ip access-list extended test-nat
permit ip 50.50.50.0 0.0.0.255 any
What am I doing wrong? Any help would be appreciated.

I am not sure how you are attempting to make Customer B communicate with Customer C if you are using separate VRFs for them. There will not be any interaction between them unless they both together form a VPN with their routes contained in a single VRF. Once this is done, you can try to troubleshoot the NAT configuration.

Similar Messages

  • FlexVPN over MPLS with NAT

    HI There,
    I was wondering if an expert on FlexVPN would be able to comment on this..
    I am looking to use FlexVPN hub and spoke deployment using the FLEXoMPLS feature... So I will have hub routers connected to remote routers via IPSec/GRE tunnels. This enables VRFs at hub and spokes to be joined via MPLS point-to-point link.
    Can someone please confirm if it would be possible to NAT at the remote site with the VRF interface being on the inside and the IPSec/GRE tunnel in the global VRF on the outside??
    Thanks in advance.
    Lee.

    Well thanks for all the help but I am not going to be able to use this method, I am not going to be able to connect a cable at all the sites, I don't know if I can just wire an RJ-45 as a loopback plug maybe but still not a good method. Also when I reconfigure my linux box with both the networks it does not add the second network and I lose ASDM, I guess I shouldn't have changed the management interface. Is there any other method, what I was wondering does it send the syslog with the asa outside interface IP to the remote syslog IP, if so can or would a NAT static with the orig. working on the outside with the asa IP and the dest of the syslog translating to a single IP on the VPN network back on the outside interface... seems like a simple thing to ask to do, I kind of understand what is going on but seems there needs to be a check box to say this syslog server is over a vpn and it takes care of all the magic.

  • MPLS-VPN w/NAT for Internet connectivity.

    We have implemented MPLS-VPN and site-to-site connectivity seems to be working fairly well. However, we are having strange issue when trying to access the Internet. For some odd reason, we are not able to get to some sites such as ebay.com, latimes.com, nytimes.com, moviefone.com. We are running dynamic NAT and the topology looks like this:
    Laptop----CE-------PE-----NAT------BR-----Internet
    This is a simple layout of what we have currently in the lab. NAT router is not running MPLS but we are using VRF to create sub-interfaces on FE connecting PE and NAT router for each customers. I have access-list allowing 10.x.x.x/8.
    Laptop-CE - 10.0.0.8/30
    CE-PE - 10.0.0.0/30
    PE-NAT - 10.0.1.0/30
    Also, we are able to ping, trace, ftp, use remote desktop, pcanywhere. It seems to be only affecting http. We've been working on this for a couple of days now and we've hit a wall. Any help will be greatly appreciated.
    JK

    I had a slightly different yet similar problem a few months ago on our mpls network with the CE devices, and turned out the DF bit had to be set to 0 to enable fragmentation _prior_ to traffic entering the core.
    Fixed it right up by setting a policy on the ethernet port.
    -Jeff

  • No NAT over MPLS

    I have a MPLS network in the private IP address space 172.16.1.X
    One interface connects to a FatPipe appliance and has an IP address of 172.16.1.10 /30 and a gateway of 172.16.1.9, the other side of the MPLS connects to a FatPipe appliance and has an IP address of 172.16.1.14 /30 and a gateway of 172.16.1.13. The FatPipe appliance connects on each end to an ASA5510 running asa8.44-1-k8.bin to its outside interface.
    Side “R”
    FatPipe MPLS interface IP Address: 172.16.1.10 /30
    FatPipe LAN interface IP address: 2rr.rr.2rr.193 /29
    ASA outside interface IP address: 2rr.rr.2rr.194 /29
    ASA inside interface IP address: 10.2.3.254 /24
    Inside device: 10.2.2.15
    Side “E”
    FatPipe MPLS interface IP Address: 172.16.1.14 /30
    FatPipe LAN interface IP address: 9e.eee.2ee.12 /29
    ASA outside interface IP address: 9e.eee.2ee.13 /29
    ASA inside interface IP address: 10.3.3.254 /24
    Inside device: 10.3.2.15
    What I would like to do is setup communication between the two devices and NOT NAT them, is this possible and how?

    Hi,
    I am not sure I understood the setup.
    Are you saying that WAN interface of 2 ASAs at different locations are connected to an ISP device which both provides external connectivity and connection between the 2 sites with the ASAs?
    Also are you saying that both ASA firewalls are running the software 8.4(4)1 ? If so then this would mean that the old NAT0 format you mention above would not be supported as the new NAT format was introduced starting 8.3
    Typically you would not need to configure any NAT in the new software if you don't want to perform NAT. But in your case I understood that both the outbound Internet traffic and the traffic towards the other site through a MPLS connection uses the same external interface. This would most likely mean that you have Dynamic PAT configuration that would match all traffic outbound from your "inside" network towards "outside" and therefore you would need NAT0 as you are attempting to do.
    The typical NAT0 configuration format if you are using 8.3+ software level would be
    Side R
    object network LAN
    subnet 10.3.2.0 255.255.255.0
    object network REMOTE-LAN
    subnet 10.2.2.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
    Side E
    object network LAN
    subnet 10.2.2.0 255.255.255.0
    object network REMOTE-LAN
    subnet 10.3.2.0 255.255.255.0
    nat (inside,outside) 1 source static LAN LAN destination static REMOTE-LAN REMOTE-LAN
    The above configurations would be placed at the top of the NAT configurations and would essentially handle that the traffic between the specified networks would be with the original IP addresses. This is because we define the real/mapped address/network with the same "object" and therefore don't do any NAT.
    I would check what the actual network on Side E is since you mention in one place that it would be 10.2.3.0/24 and in the above configuration 10.2.2.0/24
    Naturally before any configurations would have to confirm if I understood the setup correctly and if both ASAs are running the newer software.
    Hope this helps
    - Jouni

  • ASA 5505 to allow 2nd network segment through mpls

    I have been having a heck of a time trying to configure my 5505 to allow the second segment on my network to use the internet.
    Office 1 has a fiber internet connection, and all traffic flows fine.
    Office 2 had gotten its internet from AT&T, via a network based firewall injecting a default route into the mpls cloud.
    Both offices communicate to each other through the mpls.
    When we added the fiber to office 1, we had the mpls people change the default internet route to the inside address of the 5505 and things worked fine.
    When AT&T attempted to remove the NBF default route, and inject the 5505's address as default, things didn't go so well.
    AT&T claims that it is within my nat commands on the 5505, but won't tell me anything else.  I assume that they are correct, and I assume that I am not good enough with the 5505 ASDM to tell it what to do.
    Office 1 uses 10.10.30.xx addresses and Office 2 uses 10.10.10.xx - the 5505 inside interface is 10.10.30.2 the internal interfaces of the mpls are 10.10.30.1 and 10.10.10.1
    I don't know what other information you would need, but am stuck here at Office 1 until I can get this working.
    Thanks

    Hi,
    Ok, so IF I have not understood anything wrong (which is still possible), it would seem to me that the network mask of the ASA is at least one reason that will cause problems for WI LAN if they try to use the Internet through the ASA5505 on the PA site.
    This is what I would presume will happen when a host on the WI LAN initiates a connection to the Internet
    WI PC 10.10.10.10 sends a TCP SYN to initiate/open a TCP connection with a Web server on the Internet
    The TCP SYN gets forwarded to the default gateway of the PC which is 10.10.10.1
    The TCP SYN packet traverses the ISP MPLS network all the way to the PA Site
    The PA Site 3900 has a default route probably towards PA ASA 10.10.30.2
    TCP SYN gets forwarded from the PA 3900 to the PA ASA according to the above mentioned default route on the PA 3900
    TCP SYN arrives on the ASA and gets forwarded to the Internet
    TCP SYN,ACK from the Web server arrives on the ASA
    ASA will ARP for the MAC address of the WI PC IP address of 10.10.10.10 because it thinks that the host is directly connected to the ASAs "inside" interface because of the "inside" interfaces large /16 network mask which contains addresses between 10.10.0.0 - 10.10.255.255
    The ARP request sent from the ASA never receives a reply since the WI PC isn't directly connected
    PA ASA will never be able to forward the traffic to the WI PC which is trying to open the connection to the Internet because of the above mentioned problem. Therefore the TCP connection from WI PC never succeeds and timeouts.
    Now you might ask, why does the connections between the PA and WI LAN work. To my understanding is that because the traffic from the PA hosts gets first forwarded to the PA 3900 then they have a working route to the WI LAN. The same way the WI LAN has a working route towards the PA LAN since the ASA isn't involved in any way.
    The PA Internet connection naturally works as the 10.10.30.0/24 hosts are directly connected to the ASA so the above mentioned ARP will not fail on their part and traffic is forwarded just fine between the PA LAN and the Internet.
    So to my understanding the solution to this problem would be to change the PA ASA "inside" subnet mask from 255.255.0.0 to 255.255.255.0.
    If you are unsure of this change I would suggest you do it when there is low network use (so you can revert the change) Naturally if you are on the PA LAN then you can probably access the Console connection if something were to go wrong. I can't see any configurations on the PA ASA which would imply that you configure the device remotely through the Internet.
    Hope I made sense and hope this helps
    Naturally ask more if needed
    - Jouni
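
The forwarding decision described in the answer above, as an added example that is not part of the original thread: a minimal longest-prefix lookup over the ASA's "inside" connected network, showing why a 255.255.0.0 mask makes the firewall ARP for the remote host. The static route for 10.10.10.0/24 via 10.10.30.1 and the host 10.10.30.50 are assumptions for illustration; the outside default route is not modelled.

```python
from ipaddress import ip_address, ip_interface, ip_network


def build_table(inside_if, static_routes=()):
    """Connected route derived from the interface address/mask, plus statics.

    Each entry is (network, next_hop); next_hop None means directly connected.
    """
    table = [(ip_interface(inside_if).network, None)]
    table += [(ip_network(prefix), ip_address(nh)) for prefix, nh in static_routes]
    return table


def lookup(table, dest):
    """Longest-prefix match for a packet leaving via the inside side.

    Returns ('arp', dest) when the destination is considered on-link,
    ('forward', next_hop) when it is routed, ('no-route', None) otherwise.
    """
    dest = ip_address(dest)
    matches = [(net, nh) for net, nh in table if dest in net]
    if not matches:
        return ("no-route", None)
    _, nh = max(matches, key=lambda m: m[0].prefixlen)
    return ("arp", str(dest)) if nh is None else ("forward", str(nh))


WI_PC = "10.10.10.10"   # remote-site host used in the answer
PA_PC = "10.10.30.50"   # constructed host on the ASA's own LAN

# Mask as described in the thread: the /16 swallows the remote LAN.
wide = build_table("10.10.30.2/255.255.0.0")

# Suggested mask, plus an ASSUMED static route back to the remote LAN
# through the MPLS router (not stated in the thread).
narrow = build_table("10.10.30.2/255.255.255.0",
                     [("10.10.10.0/24", "10.10.30.1")])

if __name__ == "__main__":
    for label, table in (("255.255.0.0", wide), ("255.255.255.0", narrow)):
        for host in (PA_PC, WI_PC):
            print(f"inside mask {label:15} reply to {host:12} -> {lookup(table, host)}")
```

With the wide mask the reply to 10.10.10.10 ends in an ARP that nobody answers; with the narrow mask it is handed to 10.10.30.1, and without the assumed route the lookup reports no inside route at all.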

  • Centralize internet access in MPLS VPN

    Can I implement Centralize internet access (the Hub CE Router to performs NAT) in cisco MPLS VPN solution?
    If so, is there any example about that? I can't find it at CCO~
    Thanks a lot~

    If you run dynamic routing protocol in PE-CE,like rip2,ospf,bgp,do the following task.
    1:set a default route in HUB CE;and generate the default route under its dynamic protocol.
    2:in other CEs, make sure they can learn this route.
    If you run static route and vrf static route between CE and PE,do the following task.
    1.set default route in HUB CE, and set default route in other CEs.
    2.In all PEs,redistribute the connected and static routes to address-family ipv4 of customer vrf.
    3.set the customer vrf default route in all PE which connected your all CEs.
    Note: make sure all PEs can reach the GW address of vrf default route. GW IP address is the interface of which HUB CE towards PE.
    command: "ip route vrf 0.0.0.0 0.0.0.0 global.
    TRY

  • NAT is not working for VRF partially

    Hello!
    I have a diagram like this:
    VRF_A  and VRF_B have overlapping addressing plans from series 192.168.x.x.
    As routing protocol in both of VRFs adopted RIP (I tried all, but effect much the same).
    The closest to PE1 network is 172.16.0.0/24.
    PE1:
    ip vrf VRF_A
    rd 65001:1
    route-target export 65001:1
    route-target import 65001:1
    ip vrf VRF_B
    rd 65001:2
    route-target export 65001:2
    route-target import 65001:2
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overload
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overload
    ip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    ip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    interface FastEthernet0/0
    ip address 172.16.0.24 255.255.255.0
    ip nat outside
    duplex full
    interface FastEthernet1/0
    ip vrf forwarding VRF_A
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    interface FastEthernet4/0
    ip vrf forwarding VRF_B
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    When I try to ping 172.16.0.1 from CE11, CE21 and from VRF_A and VRF_B on PE1 - all is fine! NAT is performed and ping is OK.
    But when I tried to ping from others (PE2 and CE21 and CE22) NAT is not performed, I see 192.168.x.x at Internet Router and ping is failed.
    I'm in stupor. What could it be??? And how to avoid this situation? Are there "exits"?
    I forgot to mention that there is a full connectivity inside both of VRFs. Routing protocols and redistribution work fine.
    Kind regard,
    Ellad

    It's wrong:
    PE1
    interface toward P1
    ip nat inside
    interface toward P2
    ip nat inside
    Here is PE1:
    Current configuration : 2829 bytes
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname PE1
    boot-start-marker
    boot-end-marker
    no aaa new-model
    ip subnet-zero
    ip vrf VRF_A
    rd 65001:1
    route-target export 65001:1
    route-target import 65001:1
    ip vrf VRF_B
    rd 65001:2
    route-target export 65001:2
    route-target import 65001:2
    ip cef
    ip audit po max-events 100
    mpls label protocol ldp
    interface Loopback0
    ip address 10.0.2.1 255.255.255.255
    interface FastEthernet0/0
    ip address 172.16.0.24 255.255.255.0
    ip nat outside
    duplex full
    interface FastEthernet1/0
    ip vrf forwarding VRF_A
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    interface FastEthernet2/0
    ip address 10.0.23.1 255.255.255.0
    duplex full
    tag-switching mtu 1512
    tag-switching ip
    interface FastEthernet3/0
    ip address 10.0.24.1 255.255.255.0
    duplex full
    tag-switching mtu 1512
    tag-switching ip
    interface FastEthernet4/0
    ip vrf forwarding VRF_B
    ip address 192.168.0.2 255.255.255.0
    ip nat inside
    duplex full
    router ospf 1
    log-adjacency-changes
    network 10.0.0.0 0.255.255.255 area 0
    router rip
    version 2
    no auto-summary
    address-family ipv4 vrf VRF_B
    redistribute bgp 65001 metric 1
    network 192.168.0.0
    no auto-summary
    exit-address-family
    router bgp 65001
    no bgp default ipv4-unicast
    bgp log-neighbor-changes
    neighbor 10.0.5.1 remote-as 65001
    neighbor 10.0.5.1 update-source Loopback0
    address-family vpnv4
    neighbor 10.0.5.1 activate
    neighbor 10.0.5.1 next-hop-self
    neighbor 10.0.5.1 send-community both
    exit-address-family
    address-family ipv4 vrf VRF_B
    redistribute static
    redistribute rip
    no auto-summary
    no synchronization
    exit-address-family
    address-family ipv4 vrf VRF_A
    no auto-summary
    no synchronization
    exit-address-family
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_A overload
    ip nat inside source list 10 interface FastEthernet0/0 vrf VRF_B overload
    ip classless
    ip route vrf VRF_A 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    ip route vrf VRF_B 0.0.0.0 0.0.0.0 FastEthernet0/0 172.16.0.1 global
    no ip http server
    no ip http secure-server
    ip extcommunity-list 1 permit soo 65002:901
    access-list 1 deny   10.1.8.1
    access-list 1 deny   10.0.8.1
    access-list 1 deny   10.1.2.1
    access-list 1 deny   10.0.2.1
    access-list 1 permit any
    access-list 10 permit 192.168.0.0 0.0.255.255
    access-list 10 permit 192.168.1.0 0.0.0.255
    route-map rm-soo permit 10
    set extcommunity soo 65002:901
    !
    route-map rm-soo-action deny 10
    match extcommunity 1
    route-map rm-soo-action permit 20
    match ip address 1
    gatekeeper
    shutdown
    line con 0
    exec-timeout 144 0
    logging synchronous
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    login
    end
    1.0.5.1 is Loopback0 of P3. It's a route-reflector for all PEs. I study.
    And all what you see above - Dynamipses. Internet router - real Ubuntu server.

  • 8.2 to 8.3 static nat question

    So, in 8.2 if I had an inside interface at 10.10.10.1 and an mpls interface (sec-100) at 10.20.20.1, and I wanted traffic to traverse between the two interfaces, I could write the following statement:
    static (inside,mpls) 10.10.10.0 10.10.10.0 netmask 255.255.255.0
    What would this look like in 8.3?
    Thanks!

    Hi,
    In the 8.3+ software levels you don't need any NAT configuration between 2 interfaces if you don't need to specifically NAT something.
    If you have a Dynamic PAT configuration from "inside" to "mpls" that contains the networks behind "inside" as the source address then in this situation you would need another NAT configuration to enable communication from the "mpls" to "inside". (to enable bidirectional connection forming that is)
    If there is no NAT configuration between "inside" and "mpls" at the moment then you won't need any NAT configuration. You will just have to make sure the traffic is allowed in the interface ACL. If you have equal "security-level" between the interfaces then you will have to make sure you have "same-security-traffic permit inter-interface" also configured
    - Jouni

  • Overlapping addresses in MPLS VPN

    I know that you can have overlapping addresses in a MPLS VPN and that route distinguisher is used for distinguishing them, by converting IPv4 to VPNv4.
    My question is that if an IP range of a Branch A overlaps with IP range of branch B of the same VPN, how could a host in Branch A ping any host in Branch B, if they are in a same subnet? I mean, how could the router (CE) know to forward it to PE? if the range is directly connected (to CE).
    I will appreciate any help

    Within a VPN the normal IP routing rules apply, eg. if you have 2 networks that overlap within a VPN you need to use NAT in one of the CE routers.
    Hth,
    Niels

  • NAT Support for Finesse

    Hi,
    I have a customer who wants VPN less access to Finesse server for agents from remote locations and for home agents.. we are thinking of using NAT here.
    Summary of the Architecture: 2 DCs (UCCE Side A and Side B), centralized call termination, VGs in DCs, VXML gateways also in DCs. 9 agent locations connected via MPLS links to DCs, 1 outsourced agent location with 100 agents ( planning to go for mobile agents for outsourced agents)
    It is mentioned in the below link that Finesse supports basic NAT between Finesse server and Finesse clients
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cust_contact/contact_center/finesse/finesse_1051/release/notes/CFIN_BK_R34A18D2_00_release-notes-for-cisco-finesse-1051/CFIN_BK_R34A18D2_00_release-notes-for-cisco-finesse_chapter_00.html#CFIN_RF_N6A0AC5F_00
    I don't have much understanding of security concepts.. so looking for some help here.
    1. Does NAT (one to mapping) between Finesse server and Finesse client means, each of the Finesse clients will also need one unique public ip mapped to each of the agent PCs?
    2. What are the benefits and drawbacks of using Nating approach instead of using VPN access to Finesse servers?
    3. Since it is mentioned that one to many mapping between Finesse servers and Finesse clients is not supported, need to understand with an example of one to many scenario in contact center world.
    Thanks
    Nirmal

    Hi, we have a similar setup for one of my clients and NAT works for us, for both in-house and outsource sites which connect to us via the Public.
    1. Does NAT (one to mapping) between Finesse server and Finesse client means, each of the Finesse clients will also need one unique public ip mapped to each of the agent PCs?
    Ans. Why Public IPs? How is that one outsourced company connecting into the DCs network?
    2. What are the benefits and drawbacks of using Nating approach instead of using VPN access to Finesse servers?
    Ans. We tested both, and I think VPN works better as when they VPN they are technically a part of the network and then can access Finesse locally,
    3. Since it is mentioned that one to many mapping between Finesse servers and Finesse clients is not supported, need to understand with an example of one to many scenario in contact center world.
    Ans. One to many is when for eg 10 PCs behind NAT but they talk to Finesse server as only 1 IP and the NAT table manages the sessions to these 10 Finesse client PCs. One to One is when every PC gets a NATed IP to talk to outside world / Finesse.
    Kartik

  • [asr9k] cgn/mpls

    Hi, Community:
    I've been trying to find the best solution for the following problem.
    As I understand it, for me to send IP traffic to an ISM or VSM on an ASR9k for CGN(ex: NAT44), the solution would be to use ABF and configure the ISM/VSM as next-hop for pre-NAT outgoing traffic. My question is this: ABF deployment guide says that ABF does not support mpls-labeled traffic, in other words if an IP-packet I want to NAT comes in labeled, ABF would not be able to catch it and redirect it to VSM so it would be NATed. Can anybody share a possible (best) solution to this scenario?
    Thanks,
    c.

    Thanks for your answer, nifevrie .
    That's exactly the point, in my environment my PE (in this case a CMTS running mpls for l3vpn) has to have labels for L3VPN setup. This PE also has Internet access service. It connects to 2 ASR9000 P routers, that are the correct place for me to install an ISM or a VSM. So basically, the originating router would 'have to do PHP'. 
    So basically, for me to get to the CGN card, as far as I can tell, my 'only' option is the loop. I saw this being described in a CiscoLive presentation. Let's forget for a moment that is not an elegant solution, we're talking 10-20G of traffic here per POP. I cannot fathom telling my customer they have to invest in the CGN card AND 2-4 10G interfaces per loop, per ASR.
    Seems to me it makes sense to work on ABF being able to catch mpls labels.
    Regards,
    c.

  • Shared Firewall in MPLS cloud

    Hi. I have an MPLS cloud on which I want to provide basic Internet connectivity for customers in the cloud. This will not be for VPN services, simply http, ftp etc (possibly some inbound NAT for webservers). I have a 7200VXR for the job. My plan is to set this up as an effective PE in the cloud and use 'NAT VRF AWARE' features to NAT networks in each VRF to Single public IP (currently this is 1 per VRF from a large pool). I can't see a reason for this not working but I wanted to get advice on this. I am also unsure as to how the public facing interface will be seen by the customer VRF since it will not be statically labeled with any VRF.
    Any thoughts on this?
    Thanks in advance.

    Hi Swaroop, I'm trying to follow your advice regarding the global default. I have 2 vrf's I'll be using called CUST1 and CUST2. Traffic will come into the e2/0.1 sub interface and should then be NATed to 210.10.10.17 (global interface not VRF). If i use static translations inside they work fine. Dynamic however translations do not seem to work. I have really tried to follow Cisco's documentation, but I'm not having much luck. Do you notice anything incorrect with the following.
    interface Ethernet2/0.1
    description "CUST1 Interface"
    encapsulation dot1Q 10
    ip vrf forwarding CUST1
    ip address 172.16.1.10 255.255.255.252
    ip nat inside
    ip virtual-reassembly
    interface FastEthernet0/0
    description "OUTSIDE INT"
    ip address 210.10.10.17 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    duplex full
    ip nat pool CUST1_POOL 210.10.10.17 210.10.10.17 netmask 255.255.255.0
    ip nat inside source list 1 pool CUST1_POOL vrf CUST1 overload
    access-list 1 permit 172.16.0.0 0.0.255.255 log
    ip route vrf CUST1 0.0.0.0 0.0.0.0 FastEthernet0/0 210.10.10.254 global
    Any help you can give me would be very appreciated.
    Thanks
    Dan.

  • NAT dilemma: Interface Serial 0

    I have 1 inside host (172.17.1.1) and 1 outside host (104.128.252.228), separated by a T1. I only have access to local router, I do not have access to far end router.
    The outside host (104.128.252.228), is expecting the inside host (172.17.1.1) to look like the serial0 interface (10.1.0.2), of the local router.
    Traffic can originate in either direction.(VoIP, SIP)
    At the same time I need BGP to communicate between local router serial0 (10.1.0.2), and the remote router (10.1.0.1),
    The static NAT kills the BGP session, but VoIP works. "ip nat inside source static 172.17.1.1 interface Serial0/0/0:0"
    Inside dynamic NAT works in both directions and keeps BGP up "ip nat inside source list 7 interface serial 0 overload"
    IF......
    traffic originates from inside and while translation is in table.
    Once translation expires, inbound from remote host does not NAT.
    and of course the "ip nat translation timeout never" and "ip nat inside source list 104 interface Serial0/0/0:0 reversable" , which sound perfect, do not work.
    Dynamic/Static NAT combo works perfect if i use the following:
    ip nat inside source list 7 interface serial 0 overload
    ip nat inside source static tcp 172.17.1.1 80 10.1.0.2 80
    But I don't know how to handle the range of udp/tcp ports required.
    I'm thinking "port-map" next, testing now.
    THANKS,

    Hello Mickolay, 
    MPLS support on ASR901 is supported only on SVI. It is not yet enabled for E1/ Serial interfaces. 
    In Cisco ASR 901 router, mpls ip is configured only on switch virtual interface (SVI). The router supports only a maximum of 60 MPLS enabled SVI interfaces.
    Please find below link suggesting the same. 
    http://www.cisco.com/c/en/us/td/docs/wireless/asr_901/Configuration/Guide/b_asr901-scg/b_asr901-scg_chapter_01110.html#con_1053120
    You can bind the interface in multilink and enable MPLS on it. 
    HTH, 
    Nikhil 

  • VRF AWARE NAT

    Hi, I want to implement vrf aware nat and I want to create a single pool for all vrfs. When the traffic returns is there a way the ios identify which vrf the IP belongs to so I don't have to specify the pool for each vpn with static routes? Thanks ahead- asanes

    Hi,
    As I understand you want to integrate NAT with MPLS based VPNs.
    Following Cisco link should help:
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftnatvpn.htm#wp1035671
    Cheers,
    Sultan.
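
A simplified model of the question raised in "NAT is not working for VRF partially" (overlapping 192.168.x.x plans in VRF_A and VRF_B) and in the "VRF AWARE NAT" question above about identifying the VRF for returning traffic. It is an added example, not code from either thread and not a description of IOS internals: a PAT table that records the VRF in each translation entry, next to one that does not. The class name, port numbering and the host 192.168.0.10 are assumptions; the outside address and the access-list 10 entry come from the posted PE1 configuration.

```python
from ipaddress import ip_address


def acl_permits(src, base, wildcard):
    """Cisco-style wildcard match: bits set in the wildcard are ignored."""
    care = ~int(ip_address(wildcard)) & 0xFFFFFFFF
    return (int(ip_address(src)) & care) == (int(ip_address(base)) & care)


class PatTable:
    """Toy port-address-translation table (illustrative model only)."""

    def __init__(self, outside_ip, vrf_aware=True, first_port=1024):
        self.outside_ip = outside_ip
        self.vrf_aware = vrf_aware
        self.next_port = first_port
        self.by_inside = {}    # (vrf, src_ip, src_port) -> outside port
        self.by_outside = {}   # outside port -> (vrf, src_ip, src_port)

    def outbound(self, vrf, src_ip, src_port):
        """Translate a packet leaving a VRF; None if the ACL does not match."""
        # access-list 10 permit 192.168.0.0 0.0.255.255 (from the PE1 config)
        if not acl_permits(src_ip, "192.168.0.0", "0.0.255.255"):
            return None
        # Without the VRF in the key, overlapping hosts share one entry.
        key = (vrf if self.vrf_aware else None, src_ip, src_port)
        if key not in self.by_inside:
            port = self.next_port
            self.next_port += 1
            self.by_inside[key] = port
            self.by_outside[port] = (vrf, src_ip, src_port)
        return (self.outside_ip, self.by_inside[key])

    def inbound(self, dst_port):
        """Return (vrf, inside_ip, inside_port) for returning traffic."""
        return self.by_outside.get(dst_port)


def demo(vrf_aware):
    """Same inside address and port used in both VRFs (constructed hosts)."""
    pat = PatTable("172.16.0.24", vrf_aware=vrf_aware)
    a = pat.outbound("VRF_A", "192.168.0.10", 5000)
    b = pat.outbound("VRF_B", "192.168.0.10", 5000)
    return a, b, pat.inbound(a[1]), pat.inbound(b[1])


if __name__ == "__main__":
    for mode in (True, False):
        a, b, back_a, back_b = demo(mode)
        print(f"vrf_aware={mode}: A->{a} B->{b} return A={back_a} return B={back_b}")
```

When the VRF is part of the entry, each customer gets its own outside port and the return lookup names the right VRF; when it is not, both flows collapse onto one entry and VRF_B's replies are delivered into VRF_A, which is a tenant-isolation failure and not just a connectivity problem.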

  • NATing issue (port forwarding) MPLS Outside address is a local address

    I'm trying to figure out if what I've been asked to do is even possible.
    Current topology for the office in question:
    Internet -> ISP Gateway (no control) -> MPLS Cloud -> (10.1.1.0 outside) My 2800 Router (full control) -> Local network (10.10.10.0) Inside
    We have a public IP address that is translated at the ISP gateway to an IP address on our local 10.10.10.0 network before it enters the MPLS cloud.  As it enters my outside interface the destination address is already set to a 10.10.10.0 address (for example 10.10.10.1).
    I have been asked to make additional network devices available from the public Internet, but I only have one public IP address assigned to our network.
    Is it possible to utilize port forwarding in this situation?  When the traffic comes into my router it's already addressed for the local network, it is passing from an outside to an inside interface.  However the local IP address and the global IP address would both be a part of my local network, since the public IP address is NATed at the ISP gateway to an IP address on my local network.
    So the 10.10.10.1 address is for our web server and needs 80 and 443 traffic pointed to it, we have a new surveillance system accessible via an app and an IP address on port 7001.  Given what I've described above can you setup something like this:
    ip nat source static tcp 10.10.10.80 7001 10.10.10.1 7001
    I have no clue if you can even setup a NAT like this when the local and global are both in the same subnet.  If anyone has experience with a scenario like this I would appreciate a little feedback.
    Thanks in advance!

    Hello.
    I would say, that the best solution would be to do static translations on ISP gateway (into different internal IP-addresses).
