
Disabling NAT on my Cisco 1720

I have a Cisco 1720.  When configured as our border gateway router, it was set up with NAT.  I have since been interested in deploying a Linux-based iptables firewall right behind the router, because I would like to add other services to the network and better protect them.

My thoughts are that I need to disable the NAT on the 1720 router and route our external address on the serial interface to the FastEther0 interface on the router.  From there the firewall will route back and forth directly to the router on one IP address.  The firewall would be configured with masquerading, or, in Linux terms, NAT.

Well, here is my problem.  I'm just playing right now to see if I can figure it out.  When trying to erase the commands in the Router Config regarding the NAT Pool, the router is telling me that I cannot do that because the pool is currently in use.  What gives?

Thanks,

Deeky

Don Johnston (Instructor) commented:
On the interfaces, look for a "ip nat inside" and "ip nat outside". Remove those wherever you find them.

-Don
deeky (Author) commented:
I have been able to successfully remove the ip nat inside and ip nat outside from each interface.  My problem lies at the configure commands:

ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload

I cannot remove these; it tells me that "natpool" (which I guess is the name assigned to the pool of addresses used by NAT) is being used and cannot be removed.

I don't quite have a good grasp of what these three lines are doing; can you explain?

Thanks.  I included the entire configuration for your viewing pleasure.

Deeky


Building configuration...

Current configuration : 1205 bytes
!
! No configuration change since last restart
!
version 12.1
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname YorkCClub
!
enable secret
enable password
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip name-server xxx.xxx.86.20
ip name-server xxx.xxx.64.20
!
!
!
!
interface Serial0
 ip address xxx.xxx.93.78 255.255.255.0
 ip nat outside
 service-module t1 timeslots 1-7
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
ip default-gateway xxx.xxx.93.77
ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.93.77
ip route 192.168.1.0 255.255.255.0 192.168.10.2
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
PennGwyn commented:
> My thoughts are that I need to disable the Nat on the 1720 Router and Route our external address on the serial interface to
> the FastEther0 interface on the router.  From there the Firewall will route back and forth directly to the router on one IP
> address.  The firewall would be configured with Masquarading, or LINUX termed NAT.

I don't like the sound of this -- it seems *very* confused about topology and configuration.

Your NAT configuration means that your public addresses are all on the provider-facing side of the router.  To put them anywhere else, it's not sufficient to remove NAT -- you also need to DO SOMETHING ELSE with them.

On the other hand, the firewall is perfectly capable of filtering traffic without also doing NAT.  So you could achieve what you need without removing NAT from the router.

--

> interface Serial0
>  ip address xxx.xxx.93.78 255.255.255.0

It is HIGHLY UNLIKELY that this is the correct subnet mask for this interface.  Everything else suggests that the mask should be 255.255.255.252, which is more typical of a serial interface.

> ip default-gateway xxx.xxx.93.77

This is consistent with that.

> ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252

So is this.

> ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24

This is not.  This is kind of consistent with the netmask you've got (255.255.255.0 == prefix-length 24), which is probably incorrect.

> ip nat inside source list 1 pool natpool overload

With the more likely netmask and pool, you only have ONE public address, and it's on the serial interface of your router.  All internal addresses will get mapped to this one public address, re-mapping port numbers as necessary.  (This kind of NAT is sometimes called PAT.)  If you take NAT off the router, inbound traffic will reach the router and STOP there.  That's not what you want.

--

Let's fix it:

> interface FastEthernet0
> ip address 192.168.10.1 255.255.255.0
 
Change to

interface FastEthernet0
 ip address 192.168.101.1 255.255.255.0
 
ip route 192.168.10.0 255.255.255.0 192.168.101.2

And then configure the iptables box with two NICs:

eth0:
 192.168.101.2 255.255.255.0

eth1:
 192.168.10.1 255.255.255.0

default gateway:
 192.168.101.1

eth0 plugs, via a crossover cable, into the ethernet port of the 1720.  eth1 plugs into your LAN hub/switch.

Don Johnston (Instructor) commented:
If none of your interfaces have an "ip nat inside" or "ip nat outside" then NAT is disabled. The other commands have no effect even though they're there.

-Don
deeky (Author) commented:
Hi PennGwyn:

First off, thank you for the excellent information.

Basically, when we brought the company up on a network and had a company install our router, the router's only job was to use 1 public address and NAT it with about 25 computers in our building.  All other ports are closed.

Nowadays, we are heading toward hosting a mail server and website within our own building.  We also would like to add a "Public" wireless segment that would only see the internet.  It would also be nice to VPN back in for various tasks and monitoring.

I just want to say something and see if you can agree or disagree and explain.  By the way, points are increasing.

Our current situation with the router sitting between us and the internet would not gain any more benefits by having a firewall.  The firewall comes into play when we need to open ports to the outside world for services inside our network (like pcanywhere, Mail Server, Web Server).  Once those ports are open, this is where somebody could hit us with denial of service and other types of attacks.

Am I in a ballpark with my logic at this point?
JFrederick29 commented:
You need to use the command:

clear ip nat translation *

Then you should be able to remove the NAT pool using the no form of the commands.
brownmetals commented:
Hi there.

As JFrederick suggested, you'll need to use the "clear ip nat translation *" command to clear the IP NAT address table.

To prevent users from establishing a new NAT connection while you're working on this, I'd suggest doing this when the users are not using the internet connection, or possibly disconnecting the ethernet cable the users use to access the router.

Once the NAT Address table is cleared, you can then eliminate the nat config lines (below) using the "no" command in front of them.

ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload

Just a reminder: once you've eliminated these NAT config lines from the router, be sure to copy the running configuration to the startup configuration so that when the router is rebooted, you'll maintain the new settings.

#copy running-config startup-config

Good luck!
Jay
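Pulling the advice from Don, JFrederick29 and brownmetals into one ordered session, as an added example that is not from any of the posters: the "pool is in use" error goes away only once nothing references the pool, so the interface commands and the `ip nat inside source` mapping have to come out before the pools themselves. The addresses are the thread's masked values; `access-list 1` is left in place because nothing else is harmed by it.

```cisco
! Added example, not from the thread: order of removal for the 1720's NAT config.
! Do this while the LAN is idle; the LAN loses internet access until NAT (or a
! firewall doing NAT) replaces what is removed, as PennGwyn points out above.
enable
! 1. Stop new translations being created: take NAT off both interfaces first.
configure terminal
 interface Serial0
  no ip nat outside
 interface FastEthernet0
  no ip nat inside
 exit
end
! 2. Flush the active translation table; IOS reports the pool "in use" while
!    entries exist, even after the interface commands are gone.
clear ip nat translation *
! 3. Remove the mapping that references natpool BEFORE removing the pool itself,
!    then the pools (the unused "ovrd" pool can go at the same time).
configure terminal
 no ip nat inside source list 1 pool natpool overload
 no ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
 no ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
end
! 4. Verify nothing NAT-related is left, then save so it survives a reboot.
show ip nat translations
show running-config | include ip nat
copy running-config startup-config
```

If step 3 still reports the pool as in use, repeat step 2: a host on the LAN has opened a new connection in the meantime, which is why brownmetals suggests unplugging the LAN side while working.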
brownmetals commented:
I'm glad this was helpful!

Thanks for the answer & grade.

Continued luck on the project!
Jay