Cisco 1700 and SonicWall

I just purchased a SonicWall PRO-100 and would like to map my usable public IP addresses to the private IPs on the internal LAN using the firewall's "One-to-One" NAT mode. My question is, do I leave the configuration as is (it is mapping each public IP to each internal server), or is there a command that tells the router that 65.33.108.187 - 65.33.108.190 are usable IP addresses so that I don't need to set up NAT on the router?



Building configuration...

Current configuration : 1514 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable secret 5 $1$G3nd$F9GpDcwpgmy18owDSEJBb0
enable password 7 120B0013130709163E7A
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain lookup
ip name-server 12.127.16.67
ip name-server 65.7.11.2
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 ip address 120.0.0.150 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
!
interface Serial0
 no ip address
 ip nat outside
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-12
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 65.33.108.186 255.255.255.248
 ip nat outside
 frame-relay interface-dlci 16
!
router rip
 version 2
 passive-interface Serial0.1
 network 120.0.0.0
 no auto-summary
!
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source static 120.0.0.118 65.33.108.190
ip nat inside source static 120.0.0.62 65.33.108.189
ip nat inside source static 120.0.0.155 65.33.108.188
ip nat inside source static 120.0.0.4 65.33.108.187
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 120.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 15 0
 password 7 0016160205570E141B
 login
line aux 0
 exec-timeout 15 0
 password 7 03165E0F0703245E5A
 login
line vty 0 4
 exec-timeout 15 0
 password 7 15000E0805262E363C
 login
!
!
end
subjasonthomas Asked:

lrmoore Commented:
With the subnet mask on the serial interface, and one of the usable addresses assigned there, you can only use the public addresses internally on the router, as you have with static NAT statements.
You might be able to ask your ISP for an IP address specifically for your serial interface with a /30 mask. Then you can apply the existing address range to the Ethernet interface, and therefore to the outside interface of the firewall, and let the firewall do all the NAT and everything else.

redalert/redalert1 = if this looks familiar, I suggest you change it.
http://www.kazmier.com/computer/cisco-noswing.html

0
subjasonthomas (Author) Commented:
If I can get a /30 address for the router, what would be the command to apply the existing address range to the Ethernet interface?  Also, in short, why does the current config not allow me to do this?
0
lrmoore Commented:
The current config only allows that IP address range on the serial interface, or internally for NAT because of the subnet mask on the interface.
The subnet between your Ethernet interface and the firewall outside interface MUST be a different subnet than your serial interface.
In order to "transfer" the public IP addresses to the Ethernet side, you need a different subnet for your serial interface.

assume new address = 150.33.108.6/32
!
interface Serial0.1 point-to-point
 ip address 150.33.108.6 255.255.255.252
 no nat outside
!
interface FastEthernet0
 ip address 65.33.108.186 255.255.255.248
 no nat inside
!
no ip route 0.0.0.0 0.0.0.0 Serial0.1
! use explicit IP address of upstream vs the interface
ip route 0.0.0.0 0.0.0.0 150.33.108.5
!

done



0
lrmoore Commented:
Typo..
>no nat inside
>no nat outside

should be
>no ip nat inside
>no ip nat outside
0
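An added example (not part of the thread and not written by its participants): a Python check of the re-addressing proposed above. It confirms that the two router interfaces sit on different subnets, that the default-route next hop is on a connected subnet, and lists which addresses remain for the SonicWall and servers. The embedded config is constructed from the thread's lines with the corrected `no ip nat` commands; `parse_interfaces` and `check` are names made up for this example.

```python
import ipaddress
import re

# Constructed input: the proposed re-addressing with the corrected "no ip nat"
# lines. 150.33.108.6 is the thread's assumed address, not a real allocation.
PROPOSED = """\
interface Serial0.1 point-to-point
 ip address 150.33.108.6 255.255.255.252
 no ip nat outside
!
interface FastEthernet0
 ip address 65.33.108.186 255.255.255.248
 no ip nat inside
!
ip route 0.0.0.0 0.0.0.0 150.33.108.5
"""

def parse_interfaces(config):
    """Map interface name -> ip_interface for every addressed interface."""
    found, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            found[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return found

def check(config):
    """Return (problems, free): free = unassigned host addresses per interface."""
    ifaces = parse_interfaces(config)
    problems, names = [], sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} share subnet {ifaces[a].network}")
    hops = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\d+\.\d+\.\d+\.\d+)",
                      config, re.M)
    for hop in hops:
        if not any(ipaddress.ip_address(hop) in i.network for i in ifaces.values()):
            problems.append(f"default-route next hop {hop} is not on a connected subnet")
    free = {n: [str(h) for h in i.network.hosts() if h != i.ip]
            for n, i in ifaces.items()}
    return problems, free

if __name__ == "__main__":
    print(check(PROPOSED))
```

Running the same check with both interfaces addressed out of 65.33.108.184/29 reports the shared subnet, which is the condition the thread says must be avoided between the serial link and the Ethernet side.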
subjasonthomas (Author) Commented:
One quick thing, I just realized I had this info from the ISP:

(Unusable) Network IP: 65.33.108.184

Router Ethernet IP: 65.33.108.185
Your First Usable IP: 65.33.108.186
Your Last Usable IP: 65.33.108.190

(Unusable) Broadcast IP: 65.33.108.191

Subnet Mask for all IPs: 255.255.255.248

What is the story with the router ethernet IP?  Is that what I'm looking for? Is this router configured incorrectly?  Or do I still need a /30 address?
0
lrmoore Commented:
What some ISPs will do is use "ip unnumbered" on the serial interface, i.e.

Interface Serial 0.1
 ip unnumbered FastEthernet0
!
Interface FastEthernet0
 ip address 65.33.108.185 255.255.255.248
!
!  KEEP the default gateway as is:
ip route 0.0.0.0 0.0.0.0 Serial0.1


This configuration uses the same IP address for both interfaces. Not the most common setup, but it all depends on how the ISP has the routing set up for your subnet.

With this config, you can simply turn off the ip nat inside/outside, and assign the SonicWall 65.33.108.186 netmask 255.255.255.248.

0
subjasonthomas (Author) Commented:
Ok, I understand, so basically I still need that /30 address to accomplish what I want?  
0
lrmoore Commented:
Not necessarily, if the ISP is expecting the ip unnumbered config...
It's up to them how they route that subnet to you..
It can't hurt to try the ip unnumbered config. Just don't save the changes and if it doesn't work, just reboot and be back to the existing/working config.
0
