Asterisk
mrbalearic, 2019-04-10 08:58:17

Why did nat rules stop working on Cisco?

Good afternoon!
There is a Cisco C881.
Internet and telephony came over one wire plugged into the WAN port. The Internet provider was changed, the telephony was kept, and the wire was plugged into a regular port.
It was:


interface FastEthernet4
description MTS Phone SIP
ip address 10.186.32.186 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet4.1536
description MTS internet
encapsulation dot1Q 1536
ip address 89.251.104.190 255.255.255.252
ip access-group PORT_FORWARDING in
ip nat enable
ip virtual-reassembly in
!
ip nat source list LOCAL_NAT interface FastEthernet4.1536 overload
ip nat inside source list SIP_NAT interface FastEthernet4 overload
ip nat inside source static udp 10.11.12.13 5060 interface FastEthernet4 5060
ip route 10.186.0.32 255.255.255.240 10.186.32.185
ip access-list extended SIP_NAT
permit ip host 10.11.12.13 10.186.0.32 0.0.0.15
!

It became:

interface FastEthernet2
switchport access vlan 6
no ip address
!
interface Vlan6
description MTS Phone SIP
ip address 10.186.32.186 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
ip nat inside source static udp 10.11.12.13 5060 interface Vlan6 5060
ip nat inside source list SIP_NAT interface Vlan6 overload
ip route 10.186.0.32 255.255.255.240 10.186.32.185
ip access-list extended SIP_NAT
permit ip host 10.11.12.13 10.186.0.32 0.0.0.15
!

Why did the rules stop working? MTS now sees our Asterisk IP 10.11.12.13 instead of 10.186.32.186.
Accordingly, telephony does not work correctly. Nothing comes to us from them.

3 answer(s)
Mikhail Khorev, 2019-04-10
@KhoreffMikhail

I'll assume that it's the interfaces.
There are two NAT mechanisms: through ip nat inside|outside and through ip nat enable.
You need to decide which mechanism you want to use and move everything to it.
And the config doesn't seem to be complete. In "it was" there is no ip nat inside.
In "became" there is only one interface with an IP address at all.
Was:
interface FastEthernet4
ip nat outside
!
interface FastEthernet4.1536
ip nat enable
New:
interface Vlan6
ip nat inside
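
The check this answer describes, as an added example that is not part of the original thread: a small Python audit that reads an IOS config excerpt and reports mixing of the two NAT styles, `ip nat inside source` rules with no `ip nat inside` interface, and rules whose egress interface lacks the matching role. The function name `audit_nat` and the finding labels are made up for this example, and it judges only the lines it is given.

```python
import re

ROLE = re.compile(r"ip nat (inside|outside|enable)$")        # interface-level role
RULE = re.compile(r"ip nat (?:(inside|outside) )?source ")   # global translation rule

def audit_nat(config):
    """Return findings for an IOS config excerpt (only what is pasted is seen)."""
    roles, rules, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            roles.setdefault(current, set())
        elif line == "!":
            current = None
        elif current and ROLE.match(line):
            roles[current].add(ROLE.match(line).group(1))
        elif RULE.match(line):
            egress = re.search(r" interface (\S+)", line)
            rules.append((RULE.match(line).group(1), egress and egress.group(1), line))
    seen = set().union(*roles.values())
    legacy = bool(seen & {"inside", "outside"}) or any(d for d, _, _ in rules)
    nvi = "enable" in seen or any(d is None for d, _, _ in rules)
    findings = []
    if legacy and nvi:
        findings.append("mixed: both 'ip nat inside|outside' and 'ip nat enable' styles are present")
    if any(d == "inside" for d, _, _ in rules) and "inside" not in seen:
        findings.append("no-inside: 'ip nat inside source' rules but no interface has 'ip nat inside'")
    for domain, egress, line in rules:
        want = "outside" if domain == "inside" else "enable" if domain is None else None
        if egress and want and want not in roles.get(egress, set()):
            findings.append(f"egress: {egress} lacks 'ip nat {want}' for rule: {line}")
    return findings

# Constructed sample: the "It became" excerpt from the question, as posted.
BECAME = """\
interface FastEthernet2
switchport access vlan 6
no ip address
!
interface Vlan6
ip address 10.186.32.186 255.255.255.252
ip nat outside
!
ip nat inside source static udp 10.11.12.13 5060 interface Vlan6 5060
ip nat inside source list SIP_NAT interface Vlan6 overload
"""

if __name__ == "__main__":
    for finding in audit_nat(BECAME):
        print(finding)
```

Run against a full `show running-config` rather than an excerpt, the same findings point at the interface that needs a role added or changed.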

mrbalearic, 2019-04-10
@mrbalearic

What exactly is missing? I posted only what applies to this issue. In "it became" I did not post the interface with the new Internet (WAN).
The bottom line is that I just moved telephony from the WAN port to a regular port, keeping all the settings and rules as they were. But they stopped working.
It is outside there, too. I made a mistake; corrected in the post.

Aleksey Klimenko, 2019-04-11
@Santorio

Try to configure Policy NAT via route-map.
!
ip nat inside source route-map To-ISP1 interface GigabitEthernet0/1
route-map To-ISP1 permit 10
match ip address INTERNET-ACL
match interface GigabitEthernet0/1
!
ip nat inside source route-map To-ISP2 interface GigabitEthernet0/2
route-map To-ISP2 permit 10
match ip address INTERNET-ACL
match interface GigabitEthernet0/2
!
INTERNET-ACL matches the traffic you are interested in.
This option works fine on 29xx routers; on the 8xx series it worked on IOS versions starting from 15.2 or 15.3, I don't remember exactly.
