Trying to get public ip with in a NAT'd interface to work outbound with its own ip address.

I currently have the following interface setting:

interface eth 0/2
  ip address  192.168.100.1  255.255.255.0
  ip address  208.122.124.185  255.255.255.248  secondary
  ip access-policy Private
  no awcp
  no shutdown

This is my lab so I can do whatever I want...

I have a computer plugged into eth 0/2. When I do a whatsmyip.com or ipchicken, it's showing the WAN of the IAD and not the 208.122.124.185, so for example a mail server won't work. Typically we would have a whole other interface with the IP, but we don't...

How can I get the 208.122.124.185/29 to work correctly as if it was not NAT'd?

More Config Below:

interface eth 0/2
  ip address  192.168.100.1  255.255.255.0
  ip address  208.122.124.185  255.255.255.248  secondary
  ip access-policy Private
  no awcp
  no shutdown

ip access-list standard wizard-ics
  remark Internet Connection Sharing
  permit any
!
!
ip access-list extended self
  remark Traffic to Total Access
  permit ip any  any     log
!
ip access-list extended voip-sig
  permit udp any  any eq 5060
  permit tcp any  any eq 5060
!
ip access-list extended web-acl-6
  remark ADMIN-ACCESS
  permit tcp any  any eq www   log
  permit tcp any  any eq telnet   log
  permit udp any  any eq snmp    log
  permit icmp any  any  echo   log
!
ip access-list extended web-acl-7
  remark SIP-ALLOW
  permit tcp any  any eq 5060   log
  permit udp any  any eq 5060    log
!
ip access-list extended web-acl-8
  remark ALLOW-ALL
  permit ip any  any
!
!
!
!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface gigabit-ethernet 0/1 overload
!
ip policy-class Public
  allow list web-acl-7 self
  allow list web-acl-8
  allow list web-acl-6 self

Re: Trying to get public ip with in a NAT'd interface to work outbound with its own ip address.

I'm assuming that the computer connected to eth 0/2 is on a public address between 208.122.124.186 and .190 with a gateway of .185.

Make the following changes:

1. Restrict NAT to private addresses only.

ip access-list standard wizard-ics
  remark Permit private for NAT
  permit 192.168.100.0 0.0.0.255
  no permit any
!

2. Create an ACL to allow public IPs on eth 0/2 out to Public

!
ip access-list standard public-eth02-list
  permit 208.122.124.184 0.0.0.7
!

3. Modify the Private policy-class

!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface gigabit-ethernet 0/1 overload
  allow list public-eth02-list policy Public

It might be cleaner to configure port eth 0/2 with two VLANs as two logical ports, one for the public and one for the private. Trunk that to a switch and configure access ports on the switch for your public and private subnets.

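To see what the three steps above change before touching the router, here is a small Python model of the Private policy-class, added for this thread and not code from any reply or from AOS itself. It assumes policy-class entries are evaluated top-down with the first matching entry winning, that a "self" entry only covers traffic addressed to the router's own interface addresses (taken from the question), and it uses 203.0.113.10 as a constructed Internet destination.

```python
import ipaddress

# Router addresses on eth 0/2, taken from the question (lab values).
ROUTER_ADDRS = {ipaddress.IPv4Address("192.168.100.1"),
                ipaddress.IPv4Address("208.122.124.185")}

def wildcard_to_network(addr, wildcard):
    """Turn an ACL 'address wildcard' pair (e.g. 208.122.124.184 0.0.0.7) into a network."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:                       # 0.0.255.0-style masks have no prefix equivalent
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - wc.bit_length()), strict=False)

ANY = wildcard_to_network("0.0.0.0", "255.255.255.255")   # 'permit any'

def acl_permits(acl, src):
    """Standard ACL: first matching entry decides, no match is an implicit deny."""
    for action, net in acl:
        if src in net:
            return action == "permit"
    return False

def evaluate(policy, acls, src, dst):
    """Walk the policy-class top-down; the first entry whose ACL matches wins (assumed)."""
    src, dst = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for kind, acl_name, target in policy:
        if target == "self" and dst not in ROUTER_ADDRS:
            continue                         # 'self' entries only cover traffic to the router
        if acl_permits(acls[acl_name], src):
            return f"{kind} -> {target}"     # 'nat' rewrites the source, 'allow' leaves it
    return "discard (implicit)"

# Before: wizard-ics permits any source, so the public host is NATed to gigabit-ethernet 0/1.
ACLS_BEFORE = {"self": [("permit", ANY)], "wizard-ics": [("permit", ANY)]}
PRIVATE_BEFORE = [("allow", "self", "self"),
                  ("nat", "wizard-ics", "interface gigabit-ethernet 0/1")]

# After the three steps: NAT only 192.168.100.0/24, hand the /29 to policy Public unchanged.
ACLS_AFTER = {"self": [("permit", ANY)],
              "wizard-ics": [("permit", wildcard_to_network("192.168.100.0", "0.0.0.255"))],
              "public-eth02-list": [("permit", wildcard_to_network("208.122.124.184", "0.0.0.7"))]}
PRIVATE_AFTER = PRIVATE_BEFORE + [("allow", "public-eth02-list", "policy Public")]

if __name__ == "__main__":
    for src in ("192.168.100.50", "208.122.124.186"):
        print(src, "before:", evaluate(PRIVATE_BEFORE, ACLS_BEFORE, src, "203.0.113.10"),
              "| after:", evaluate(PRIVATE_AFTER, ACLS_AFTER, src, "203.0.113.10"))
```

A source that matches neither list (anything outside the two subnets on eth 0/2) falls through to the implicit discard, which is the behaviour you want once "permit any" is gone from wizard-ics.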
Re: Trying to get public ip with in a NAT'd interface to work outbound with its own ip address.

I agree with Jay's recommendation of creating VLANs on the interface, one Public, one Private. Below is an example of that configuration. Also, I'm sure it's just a typo, but in your NAT overload statement you are referencing a non-existent port. On the switch that eth 0/2 connects to, set the port as a trunk port with allowed VLANs 1,5. On the switch port connecting to the ISP, set your switch port to access VLAN 5, then make sure you have one untagged access port on VLAN 1 connecting to the private side internal network somewhere. Also, just checking: I did not see ip media gateway primary anywhere; is eth 0/1 being used to connect to the SIP provider?

Sample of a VLANed Interface:

interface eth 0/2
  encapsulation 802.1q
  no shutdown
!
interface eth 0/2.1
  vlan-id 1 native
  ip address  192.168.100.1  255.255.255.0
  ip access-policy Private
  no shutdown
interface eth 0/2.5
  vlan-id 5
  ip address  208.122.124.185  255.255.255.248
  ip access-policy public
  no shutdown
!
!
ip access-list extended OutsideToInside
!Used for any inbound connections to be allowed like management location or Sip Server
  permit ip XX.XX.XX.XX 0.0.0.255  any
!
ip access-list extended self
  remark Traffic to Netvanta
  permit ip any  any     log
!
!
!
ip policy-class Private
  allow list self self
  nat source list NAT interface eth 0/2.5 overload
!
ip policy-class public
  allow list OutsideToInside self
!
!
ip route 0.0.0.0 0.0.0.0 208.122.124.XXX