Solved

Cisco 1700 and SonicWall

Posted on 2003-11-04
Last Modified: 2012-05-04
I just purchased a SonicWall PRO-100 and would like to map my usable public IP addresses to the private IPs on the internal LAN using the firewall's "One-to-One" NAT mode.  My question is, do I leave the configuration as is (it is mapping each public IP to each internal server), or is there a command that tells the router that 65.33.108.187 - 65.33.108.190 are usable IP addresses so that I don't need to set up NAT on the router?



Building configuration...

Current configuration : 1514 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname router
!
enable secret 5 $1$G3nd$F9GpDcwpgmy18owDSEJBb0
enable password 7 120B0013130709163E7A
!
memory-size iomem 25
ip subnet-zero
!
!
no ip domain lookup
ip name-server 12.127.16.67
ip name-server 65.7.11.2
!
!
!
!
!
interface Loopback0
 no ip address
!
interface FastEthernet0
 ip address 120.0.0.150 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
!
interface Serial0
 no ip address
 ip nat outside
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 timeslots 1-12
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 65.33.108.186 255.255.255.248
 ip nat outside
 frame-relay interface-dlci 16
!
router rip
 version 2
 passive-interface Serial0.1
 network 120.0.0.0
 no auto-summary
!
ip nat inside source list 1 interface Serial0.1 overload
ip nat inside source static 120.0.0.118 65.33.108.190
ip nat inside source static 120.0.0.62 65.33.108.189
ip nat inside source static 120.0.0.155 65.33.108.188
ip nat inside source static 120.0.0.4 65.33.108.187
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0.1
no ip http server
!
access-list 1 permit 120.0.0.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 15 0
 password 7 0016160205570E141B
 login
line aux 0
 exec-timeout 15 0
 password 7 03165E0F0703245E5A
 login
line vty 0 4
 exec-timeout 15 0
 password 7 15000E0805262E363C
 login
!
!
end
Question by:subjasonthomas
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 9682024
With the subnet mask on the serial interface, and one of the useable addresses assigned there, you can only use the public addresses internally on the router, as you have with static NAT statements.
You might be able to ask your ISP for an IP address specifically for your serial interface with /30 mask. Then you can apply the existing address range to the Ethernet interface, and therefore to the outside interface of the firewall and let the firewall do all the nat and everything else.

redalert/redalert1 = if this looks familiar, I suggest you change it.
http://www.kazmier.com/computer/cisco-noswing.html

0
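Cisco type 7 strings (the `password 7` lines in a running-config) are a reversible encoding rather than a hash, so a config pasted into a public thread discloses them. The check below is an added example, not part of the original posts: it lists every type 7 credential with the block it sits in and flags an `enable password` left next to an `enable secret`. The sample config and its credential strings are constructed placeholders, and `audit_credentials` is a hypothetical helper name.

```python
import re

# Constructed sample in the layout of a "show running-config" dump; the
# credential strings are placeholders, not values from any real device.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$XXXX$PLACEHOLDERPLACEHOLDER
enable password 7 000000000000
line con 0
 password 7 111111111111
 login
line vty 0 4
 password 7 222222222222
 login
"""

# "password 7 <string>" marks a type 7 (reversible) credential.
TYPE7 = re.compile(r"^\s*(enable password|password) 7 (\S+)")


def audit_credentials(config_text):
    """Return (line_no, context, issue) tuples for reversible credentials."""
    findings = []
    context = "global"
    has_secret = False
    enable_pw_line = None
    for no, line in enumerate(config_text.splitlines(), start=1):
        if not line.strip() or line.strip() == "!":
            continue
        if not line.startswith(" "):
            # A non-indented line starts a new top-level block.
            context = line.strip() if line.startswith("line ") else "global"
        if line.startswith("enable secret "):
            has_secret = True
        match = TYPE7.match(line)
        if match:
            findings.append((no, context, "type 7 (reversible) password"))
            if match.group(1) == "enable password":
                enable_pw_line = no
    # IOS uses the enable secret when both are set, so the type 7 copy only
    # adds exposure.
    if has_secret and enable_pw_line is not None:
        findings.append((enable_pw_line, "global",
                         "enable password is redundant next to enable secret"))
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(SAMPLE_CONFIG):
        print(finding)
```

Running it over a saved config before posting shows which lines to redact, and which passwords to change if the config has already been shared.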
 

Author Comment

by:subjasonthomas
ID: 9686954
If I can get a /30 address for the router, what would be the command to apply the existing address range to the Ethernet interface?  Also, in short, why does the current config not allow me to do this?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9687008
The current config only allows that IP address range on the serial interface, or internally for NAT because of the subnet mask on the interface.
The subnet between your Ethernet interface and the firewall outside interface MUST be a different subnet than your serial interface.
In order to "transfer" the public IP addresses to the Ethernet side, you need a different subnet for your serial interface.

assume new address = 150.33.108.6/32
!
interface Serial0.1 point-to-point
 ip address 150.33.108.6 255.255.255.252
 no nat outside
!
interface FastEthernet0
 ip address 65.33.108.186 255.255.255.248
 no nat inside
!
no ip route 0.0.0.0 0.0.0.0 Serial0.1
ip route 0.0.0.0 0.0.0.0 150.33.108.5  <-- use explicit IP address of upstream vs the interface
!

done



0
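The subnet reasoning in the comment above can be checked mechanically. This is an added example, not part of the original posts: it compares the connected subnets of the current layout, a constructed layout that reuses the /29 on both interfaces, and the proposed /30 layout. The firewall outside address 65.33.108.187 is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Interface addressing from the thread, written "address/mask" as in the IOS
# config. NAIVE is a constructed layout that reuses the /29 on both sides.
CURRENT = {"Serial0.1": "65.33.108.186/255.255.255.248",
           "FastEthernet0": "120.0.0.150/255.255.255.0"}
NAIVE = {"Serial0.1": "65.33.108.186/255.255.255.248",
         "FastEthernet0": "65.33.108.185/255.255.255.248"}
PROPOSED = {"Serial0.1": "150.33.108.6/255.255.255.252",
            "FastEthernet0": "65.33.108.186/255.255.255.248"}

# Assumed address for the firewall's outside interface (one of the public
# addresses the router currently maps with static NAT).
FIREWALL_OUTSIDE = "65.33.108.187"


def connected_networks(interfaces):
    """Map each interface name to the subnet its address/mask puts on it."""
    return {name: ipaddress.ip_interface(addr).network
            for name, addr in interfaces.items()}


def overlapping_interfaces(interfaces):
    """Return pairs of interfaces whose connected subnets overlap."""
    nets = connected_networks(interfaces)
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def connected_via(interfaces, host):
    """Return the interfaces whose connected subnet contains the host."""
    ip = ipaddress.ip_address(host)
    return sorted(name for name, net in connected_networks(interfaces).items()
                  if ip in net)


if __name__ == "__main__":
    for label, layout in (("current", CURRENT), ("naive", NAIVE),
                          ("proposed", PROPOSED)):
        print(label, "overlaps:", overlapping_interfaces(layout),
              "firewall reached via:", connected_via(layout, FIREWALL_OUTSIDE))
```

With the current addressing the firewall's public address belongs to the serial side, which is why it only works through NAT; in the proposed layout the /29 is connected on FastEthernet0 and the upstream 150.33.108.5 sits on Serial0.1.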
 
LVL 79

Expert Comment

by:lrmoore
ID: 9687035
Typo..
>no nat inside
>no nat outside

should be
>no ip nat inside
>no ip nat outside
0

 

Author Comment

by:subjasonthomas
ID: 9687060
One quick thing, I just realized I had this info from the ISP:

(Unusable) Network IP: 65.33.108.184

Router Ethernet IP: 65.33.108.185
Your First Usable IP: 65.33.108.186
Your Last Usable IP: 65.33.108.190

(Unusable) Broadcast IP: 65.33.108.191

Subnet Mask for all IPs: 255.255.255.248

What is the story with the router ethernet IP?  Is that what I'm looking for? Is this router configured incorrectly?  Or do I still need a /30 address?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9687318
What some ISPs will do is use "ip unnumbered" on the serial interface, i.e.

Interface Serial 0.1
 ip unnumbered FastEthernet0
!
Interface FastEthernet0
 ip address 65.33.108.185 255.255.255.248
!
!  KEEP the default gateway as is:
ip route 0.0.0.0 0.0.0.0 Serial0.1


This configuration uses the same IP address for both interfaces. Not the most common setup, but it all depends on how the ISP has the routing set up for your subnet.

With this config, you can simply turn off the ip nat inside/outside, and assign the SonicWall 65.33.108.186 netmask 255.255.255.248.

0
 

Author Comment

by:subjasonthomas
ID: 9687992
Ok, I understand, so basically I still need that /30 address to accomplish what I want?  
0
 
LVL 79

Accepted Solution

by:lrmoore (earned 50 total points)
ID: 9688015
Not necessarily, if the ISP is expecting the ip unnumbered config...
It's up to them how they route that subnet to you..
It can't hurt to try the ip unnumbered config. Just don't save the changes and if it doesn't work, just reboot and be back to the existing/working config.
0
