?
Solved

Help needed with NAT Translations on CISCO 1720 Router

Posted on 2003-03-02
11
Medium Priority
?
475 Views
Last Modified: 2010-04-17
This is my first time interfacing with a Cisco product.  I found configuring the router with Config Maker v2.6 was extremely easy.  However, I am having a terrible time understanding how to make NAT work in the following way:

Router's Public IP is x.x.252.90/24
Usable Public IP addresses are x.x.246.129-142/28
Router's private IP address is x.x.246.129/28
(However, I have not assigned this private IP address, instead I have assigned 192.168.1.254 as my Eth0 address)

I have configuree NAT for all users on the private network 192.168.1 on Eth0. I cannot translate external IP addresses to access my Web server, Exchange Server, and FTP server on the 192.168.1 subnet. External tracert's to my public IP's assigned to internal IP's all die at my router.

Throwing the configuration GUI aside, Could I ask for assistance with exact command lines needed to create the necessary STATIC NAT configuration for translating x.x.246.130:80 to 192.168.1.2 and x.x.246.131:25 to 192.168.1.1, and still have DYNAMIC NAT translations for all 30 users.

One more thing, Would it be more advantageous to install an Ethernet WIC card (which I do have)and route all x.x.246.0 traffic through Eth1 interface, and assign the public IP addreses to a second nic card on my servers? Why or Why not?  Can I still NAT my users if I did it this way?

Thank you.
0
Comment
Question by:DLockwood
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
  • 3
11 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 8052389
I would not suggest using a second WIC Eth card and adding a 2nd NIC on the servers for public interface. This would, in effect, create the requirement that each of your dual-homed servers become a firewall. No software running on Microsoft server will ever be a secure firewall - IMHO.

You could put your publicly accessible servers on another Ethernet port to create a "DMZ" and let the router control access between this DMZ port and the internal network.

Do you know if you have the firewall feature set on your router?

inbound static nat is fairly simple:

ip nat inside source static 192.168.1.15 x.x.246.130
ip nat inside source static 192.168.1.16 x.x.246.131

And on your access list for your nat pool, you need to exclude these statically assigned hosts, i.e.

ip nat inside source list 1 pool NAT-POOL overload
access-list 1 deny 192.168.1.15
access-list 1 deny 192.168.1.16
access-list 1 permit 192.168.1.0 0.0.0.255
0
 
LVL 7

Expert Comment

by:pedrow
ID: 8052769
hmmm...I have a couple of questions.

You've been given a small block of routable, public ip addresses (x.x.246.129-142/28)

Your serial interface (connection to your isp) has an ip address of x.x.252.90/24

Your inside 'e0' interface is addressed out of private rfc1918 space (192.168.1.254/24)

So, you're trying to assign the x.x.246.129-142/28 as your NAT pool of addresses?

If this is the case, I think I know why it's failing:
The NAT pool must come from a connected network. If these routable addresses aren't configured on any of your router's interfaces, the NAT function won't let you allocate them for translations.

If you don't want to assign this address range to a physical port(e0), you can create a loopback interface to the router and assign the routable block to that interface:

router# conf t
router(config)# int loopback 0
router(config-int)# ip address x.x.246.129 255.255.255.248
router(config-int)# end
router#

You can just assign the loopback0 address as your overload address and use the rest of the address pool for your static translations.

I'm not sure where lrmoore defined the pool itself (i.e. i don't know why he denies the statically natted hosts):

ip nat pool NAT-POOL x.x.246.129 x.x.246.129 prefix-length 29

You don't have to specifically deny the statically natted hosts from the overload pool...the router just knows because you've entered the static translations. You could also probably simplify it as well by doing something like this:

ip nat inside source list 1 interface Loopback 0 overload
access-list 1 permit 192.168.1.0 0.0.0.255




0
 
LVL 7

Expert Comment

by:pedrow
ID: 8052868
I guess my other comment would be that I'd agree with lrmoore  for using your public network on a separate interface of the router if you can swing it. And I also agree with lrmoore about using winders anything as a firewall (there's no differentiation between inbound vs. outbound traffic for starters). You'll have to do some thinking about what kinds of traffic you expect to see between this 'bastion host' LAN, the outside and the rest of your internal network.

I'm of the opinion that production servers that provide public services should never rely upon NAT. I look at it as one more thing to have to troubleshoot in case you've got some sort of availability issue. I've just seen too many  bugs over the years with NAT. When it comes to high-availability, you wanna eliminate potential problems where you can :)

If you do go this route, you can still nat your inside users the same way to the outside and it wouldn't NAT at all from your internal e0 lan and you're bastion host lan (Eth1?) because you won't be using the 'ip nat outside' command on that routable interface.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 79

Expert Comment

by:lrmoore
ID: 8053177
The deny statements in the acl came from this document for using both dynamic and static NAT at the same time:
http://www.cisco.com/warp/public/556/9.html

0
 
LVL 7

Expert Comment

by:pedrow
ID: 8054369
hmph...odd.

I use both static and dynamic as well and have never needed to deny nat for those statically natted hosts.

I think it's because the use of the static nat translation...When the traffic goes from inside to outside, there's already an existing translation for those statically natted hosts, so there's no need for the router to dynamically create one of the overload pool.

0
 

Author Comment

by:DLockwood
ID: 8061484
Here is what I have done, please advise what steps I have missed.

Per both your reponses, I entered in the following commands:

# ip nat pool NAT-POOL x.x.246.129 x.x.246.142 prefix-length 28
# ip nat inside source static 192.168.1.5 x.x.246.140
# ip nat inside source static 192.168.1.1 x.x.246.131
# ip nat inside source list 1 pool NAT-POOL overload
# access-list 1 deny 192.168.1.5
# access-list 1 deny 192.168.1.1
# access-list 1 permit 192.168.1.0 0.0.0.255

When I ping the x.x.246.140 (or any other NAT address) from the internet, I receive a "TTL expired in transit error" from my ISP's default gateway.

Here is my configuration: (192.168.1.5 is my FTP server, 192.168.1.1 is my Citrix / DNS server... 192.168.1.2 will be my web server once I get this working)
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XYZ
!
no logging console
enable password 7 121E001917180517
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Serial0
 no ip address
 encapsulation frame-relay
 service-module t1 remote-alarm-enable
 service-module t1 fdl ansi
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 description connected to Internet
 ip address xx.xx.252.90 255.255.255.0
 frame-relay interface-dlci 16 IETF  
!
interface FastEthernet0
 description connected to Private Network
 ip address 192.168.1.253 255.255.255.0
 speed auto
!
router rip
 version 2
 passive-interface Serial0.1
 network 192.168.1.0
 no auto-summary
!
ip nat pool NAT-POOL xx.xx.246.129 xx.xx.246.142 prefix-length 28
ip nat inside source list 1 pool NAT-POOL overload
ip nat inside source static 192.168.1.1 xx.xx.246.131
ip nat inside source static 192.168.1.5 xx.xx.246.140
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
ip route xx.xx.252.0 255.255.255.0 Serial0.1 permanent
ip route 192.168.1.0 255.255.255.0 FastEthernet0 permanent
no ip http server
!
access-list 1 deny   192.168.1.1
access-list 1 deny   192.168.1.5
access-list 1 permit 192.168.1.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
 password 7 130603135A5C5478
 login
line aux 0
line vty 0 1
 password 7 130603135A5C5478
 login
line vty 2 4
 login
!
no scheduler allocate
end

I hope this helps.  Thanks for all your efforts.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 8061570
Try adding the "extendable" tag to the static nat

ip nat inside source static 192.168.1.1 xx.xx.246.131 extendable
ip nat inside source static 192.168.1.5 xx.xx.246.140 extendable

Are you sure your ISP has a route established to your nat pool? You can test by assigning a loopback interface one of the addresses, and try to ping it from the outside. If not successful, it could be a routing issue.

Suggest removing the two "permanent" route statements. These routes are connected and so these statements are redundent and I've seen some odd behavior with this setup.

Are you sure about the subnet mask on the serial interface? We normally see 255.255.255.252  and not a full class C on an internet-facing interface.


0
 
LVL 7

Expert Comment

by:pedrow
ID: 8062153
I wouldn't have the statically assigned nat translations included in your overload pool.

# ip nat pool NAT-POOL x.x.246.129 x.x.246.142 prefix-length 28
# ip nat inside source static 192.168.1.5 x.x.246.140
# ip nat inside source static 192.168.1.1 x.x.246.131

You can actually use a pretty darn small pool for the outbound NAT. Unless you're providing nat translations for hundreds of folks a couple addresses should suffice:

Try something like this:
ip nat pool NAT-POOL x.x.246.129 x.x.246.130 prefix-length 28

If you really need more addresses than two for your dynamic pool, I'd assign the static NAT translations from the top of your routable allocation and use the ones at the bottom for your dynamic translations.

You also don't seem to have configured this routable pool on any of your interfaces either as I had mentioned previously. You must have your NAT pool addresses configured on one of the connected router interfaces in order for the router to be able to allocate them. This is most likely the main reason for your NAT failure.

Try this:
!
int loopback0
ip address x.x.246.129 255.255.255.240
end
!

This way your router actually has the ip addresses to allocate to the nat pool :)

Right after you try pinging, tracerouting, httping from your inside hosts, try the following to see if things are working the way you like:

router> show ip nat translations
and
router> show ip nat statistics

If NAT is working properly, you'll see the table fill nicely. If you're still having problems, it might be the isp's route to your public addresses is hosed as lrmoore suggested.

Test by tracing to one of these addresses from some public route-server, like route-server.ip.att.net (telnet to it) and run a trace from there.
0
 

Author Comment

by:DLockwood
ID: 8073556
Apparently, this configuration is over my head.  I still cannot get Nat to translate to an internal IP following your commands.

However, due to a crisis, I was forced to assign  xx.xx.146.129/28 to the internal interface, and put my web servers on this segment.

I have opened the firewall on the router to allow all services to pass through.

I know this is not how it is going to stay, but I need to have the original goal of NAT Translations configured.  Is it possible to contact you directly for assistance?

Thank you.
0
 
LVL 7

Accepted Solution

by:
pedrow earned 1200 total points
ID: 8077390
Here's how the interface configs should look:
! lines starting with "!" are comments
!
interface Serial0
![no change]
!
interface Serial0.1 point-to-point
description connected to Internet
ip address xx.xx.252.90 255.255.255.0    ! is this really supposed to be 255.255.255.0?
frame-relay interface-dlci 16 IETF  
! this defines this serial interface as your outside interface
ip nat outside
!
interface FastEthernet0
description connected to Private Network
ip address 192.168.1.253 255.255.255.0
speed auto
ip nat inside
!
! This is critical
interface Loopback0
ip address xx.xx.246.129 255.255.255.240
!
! NAT pools config should look like this:
ip nat pool NAT-POOL x.x.246.129 x.x.246.130 prefix-length 28
ip nat inside source list 1 pool NAT-POOL overload
! I only use the extendable command with static port maps
ip nat inside source static 192.168.1.1 xx.xx.246.131
ip nat inside source static 192.168.1.5 xx.xx.246.140
!
! I don't worry about the deny's for the statically natted
! hosts...the router will see a pre-existing translation
! from the above lines and thus not use the NAT-POOL addresses
access-list 1 permit 192.168.1.0 0.0.0.255


hope this clarifies things.
0
 

Author Comment

by:DLockwood
ID: 8160346
I would like to add, it turns out the router configuration wasn't the sole issue with my configuration.  My web server, even though I was changing the default gateway, had a static route mapped pointing it to the previous DSL modem.  This was the reason for my failure, frustration, and confussion.    After deleting all the static gateway mappings on the server,  STATIC NAT TRANSLATIONS began to work.

Thank you very much for your assistance.
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

We've been using the Cisco/Linksys RV042 for years as: - an internet Gateway - a site-to-site VPN device - a leased line site-to-site subnet-to-subnet interface (And, here I'm assuming that any RV0xx behaves the same way as an RV042.  So that's …
Problem Description:   Couple of months ago we upgraded the ADSL line at our branch office from Home to Business line. The purpose of transforming the service to have static public IP’s. We were in need for public IP’s to publish our web resour…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question