Solved

Disabling NAT on my Cisco 1720

Posted on 2004-10-20
Last Modified: 2006-11-17
I have a Cisco 1720.  When configured as our border gateway router, it was set up with NAT.  I have since been interested in deploying a Linux-based iptables firewall right behind the router because I would like to add other services to the network and better protect them.

My thoughts are that I need to disable the NAT on the 1720 router and route our external address on the serial interface to the FastEthernet0 interface on the router.  From there the firewall will route back and forth directly to the router on one IP address.  The firewall would be configured with masquerading, or in Linux terms NAT.

Well, here is my problem.  I'm just playing right now to see if I can figure it out.  When trying to erase the commands in the Router Config regarding the NAT Pool, the router is telling me that I cannot do that because the pool is currently in use.  What gives?

Thanks,

Deeky

Question by:deeky

8 Comments
LVL 50

Expert Comment

by:Don Johnston
ID: 12363864
On the interfaces, look for a "ip nat inside" and "ip nat outside". Remove those wherever you find them.

-Don
 

Author Comment

by:deeky
ID: 12364045
I have been able to successfully remove the ip nat inside and ip nat outside from each interface.  My problem lies at the configure commands:

ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload

I cannot remove these, it tells me that "natpool" - which I guess is the name assigned to the pool of addresses used by NAT is being used and cannot be removed.

I don't quite even have a good grasp of what these three lines are doing, can you explain?

Thanks,  I included the entire configuration for your viewing pleasure.

Deeky


Building configuration...

Current configuration : 1205 bytes
!
! No configuration change since last restart
!
version 12.1
service config
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname YorkCClub
!
enable secret
enable password
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
ip name-server xxx.xxx.86.20
ip name-server xxx.xxx.64.20
!
!
!
!
interface Serial0
 ip address xxx.xxx.93.78 255.255.255.0
 ip nat outside
 service-module t1 timeslots 1-7
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 speed auto
 half-duplex
 no cdp enable
!
ip default-gateway xxx.xxx.93.77
ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.xxx.93.77
ip route 192.168.1.0 255.255.255.0 192.168.10.2
no ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
login
!
no scheduler allocate
end
 
LVL 11

Expert Comment

by:PennGwyn
ID: 12364318
> My thoughts are that I need to disable the Nat on the 1720 Router and Route our external address on the serial interface to
> the FastEther0 interface on the router.  From there the Firewall will route back and forth directly to the router on one IP
> address.  The firewall would be configured with Masquarading, or LINUX termed NAT.

I don't like the sound of this -- it seems *very* confused about topology and configuration.

Your NAT configuration means that your public addresses are all on the provider-facing side of the router.  To put them anywhere else, it's not sufficient to remove NAT -- you also need to DO SOMETHING ELSE with them.

On the other hand, the firewall is perfectly capable of filtering traffic without also doing NAT.  So you could achieve what you need without removing NAT from the router.

--

> interface Serial0
>  ip address xxx.xxx.93.78 255.255.255.0

It is HIGHLY UNLIKELY that this is the correct subnet mask for this interface.  Everything else suggests that the mask should be 255.255.255.252, which is more typical of a serial interface.

> ip default-gateway xxx.xxx.93.77

This is consistent with that.

> ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252

So is this.

> ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24

This is not.  This is kind of consistent with the netmask you've got (255.255.255.0 == prefix-length 24), which is probably incorrect.

> ip nat inside source list 1 pool natpool overload

With the more likely netmask and pool, you only have ONE public address, and it's on the serial interface of your router.  All internal addresses will get mapped to this one public address, re-mapping port numbers as necessary.  (This kind of NAT is sometimes called PAT.)  If you take NAT off the router, inbound traffic will reach the router and STOP there.  That's not what you want.

--

Let's fix it:

> interface FastEthernet0
> ip address 192.168.10.1 255.255.255.0
 
Change to

interface FastEthernet0
 ip address 192.168.101.1 255.255.255.0
 
ip route 192.168.10.0 255.255.255.0 192.168.101.2

And then configure the iptables box with two NICs:

eth0:
 192.168.101.2 255.255.255.0

eth1:
 192.168.10.1 255.255.255.0

default gateway:
 192.168.101.1

eth0 plugs, via a crossover cable, into the ethernet port of the 1720.  eth1 plugs into your LAN hub/switch.

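As an added example (not code from the thread or from either poster), the readdressing plan above run through a consistency check with Python's ipaddress module, followed by the firewall-side commands it implies. The interface names eth0/eth1, the sysctl line and the iptables rule set are assumptions of this example; the thread's original addressing (router FastEthernet0 and firewall eth1 both 192.168.10.1/24) is fed through the same check to show why FastEthernet0 gets renumbered.

```python
"""Consistency check for a router -> firewall -> LAN addressing plan, and the
iptables commands the firewall box would need. Added example, not code from the
thread; eth0/eth1 names, the sysctl line and the rule set are assumptions."""
import ipaddress


def check_plan(router_fe0, fw_eth0, fw_eth1, fw_default_gw, router_lan_route):
    """Return a list of problems with the plan; an empty list means it is consistent.

    router_fe0, fw_eth0, fw_eth1: 'address/mask' strings.
    fw_default_gw: the firewall's default gateway address.
    router_lan_route: (prefix, next_hop) the router uses to reach the LAN.
    """
    problems = []
    r_fe0 = ipaddress.ip_interface(router_fe0)
    eth0 = ipaddress.ip_interface(fw_eth0)
    eth1 = ipaddress.ip_interface(fw_eth1)
    gw = ipaddress.ip_address(fw_default_gw)
    lan_prefix, lan_nh = router_lan_route
    lan_nh = ipaddress.ip_address(lan_nh)

    # The transit link between router and firewall is one subnet with distinct addresses.
    if eth0.network != r_fe0.network:
        problems.append(f"firewall eth0 {eth0} is not in router FE0 subnet {r_fe0.network}")
    if r_fe0.ip in (eth0.ip, eth1.ip):
        problems.append(f"router FE0 address {r_fe0.ip} is reused on the firewall")
    # The firewall's default gateway must be the router's address on that link.
    if gw != r_fe0.ip:
        problems.append(f"firewall default gateway {gw} is not the router FE0 address {r_fe0.ip}")
    # Transit and LAN subnets must not overlap, or the firewall cannot route between them.
    if eth0.network.overlaps(eth1.network):
        problems.append(f"transit subnet {eth0.network} overlaps LAN subnet {eth1.network}")
    # The router's LAN route must point at the firewall's transit address, which must be on-link.
    if lan_nh not in r_fe0.network:
        problems.append(f"LAN route next hop {lan_nh} is not on the router's FE0 subnet")
    if ipaddress.ip_network(lan_prefix) != eth1.network or lan_nh != eth0.ip:
        problems.append(f"route {lan_prefix} via {lan_nh} does not match LAN {eth1.network} via {eth0.ip}")
    return problems


def firewall_commands(wan_if, lan_if, lan_net):
    """Shell commands for the firewall box: masquerade the LAN behind wan_if and only
    forward LAN-initiated traffic. Assumed rule set; review before pasting into a root shell."""
    lan_net = str(ipaddress.ip_network(lan_net))
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -s {lan_net} -j MASQUERADE",
        "iptables -P FORWARD DROP",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {lan_net} -j ACCEPT",
        f"iptables -A FORWARD -i {wan_if} -o {lan_if} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]


if __name__ == "__main__":
    proposed = check_plan("192.168.101.1/24", "192.168.101.2/24", "192.168.10.1/24",
                          "192.168.101.1", ("192.168.10.0/24", "192.168.101.2"))
    print("proposed plan:", proposed or "ok")
    # The thread's original addressing: router FE0 and firewall eth1 both 192.168.10.1/24.
    original = check_plan("192.168.10.1/24", "192.168.101.2/24", "192.168.10.1/24",
                          "192.168.101.1", ("192.168.10.0/24", "192.168.101.2"))
    print("original addressing:", original)
    print("\n".join(firewall_commands("eth0", "eth1", "192.168.10.0/24")))
```

The FORWARD policy is DROP with only LAN-initiated and reply traffic allowed, so the box filters as well as masquerades; any service later published from inside (mail, web) needs its own DNAT and FORWARD rules added on top.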
 
LVL 50

Expert Comment

by:Don Johnston
ID: 12364602
If none of your interfaces have an "ip nat inside" or "ip nat outside" then NAT is disabled. The other commands have no effect even though they're there.

-Don

Author Comment

by:deeky
ID: 12364709
Hi PennGwyn:

First off, thank you for the excellent information.

Basically, when we brought the company up on a network and had a company install our router, the router's only job was to use 1 public address and NAT it with about 25 computers in our building.  All other ports are closed.

Nowadays, we are heading toward hosting a mail server and website within our own building.  We also would like to add a "Public" wireless segment that would only see the internet.  It would also be nice to VPN back in for various tasks and monitoring.

I just want to say something and see if you can agree or disagree and explain.  By the way, points are increasing.

Our current situation with the router sitting between us and the internet would not gain any more benefits by having a firewall.  The firewall comes into play when we need to open ports to the outside world for services inside our network (like pcanywhere, Mail Server, Web Server).  Once those ports are open, this is where somebody could hit us with denial of service and other types of attacks.

Am I in a ballpark with my logic at this point?
 
LVL 43

Assisted Solution

by:JFrederick29
JFrederick29 earned 75 total points
ID: 12368565
You need to use the command:

clear ip nat translation *

Then you should be able to remove the NAT pool using the no form of the commands.
 
LVL 4

Accepted Solution

by:brownmetals
brownmetals earned 75 total points
ID: 12371989
Hi there.

As JFrederick suggested, you'll need to use the "clear ip nat translation *" command to clear the IP NAT address table.

To prevent users from establishing a new NAT connection while you're working on this, I'd suggest doing this when the users are not using the internet connection, or possibly disconnecting the ethernet cable the users use to access the router.

Once the NAT Address table is cleared, you can then eliminate the nat config lines (below) using the "no" command in front of them.

ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload

Just a reminder, once you've eliminated these NAT config lines from the router, be sure to copy the running configuration to the startup configuration so that when the router is rebooted, you'll maintain the new settings.

#copy running-config startup-config

Good luck!
Jay
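An added example, not code from the thread, that does mechanically what the last three answers describe: it parses the posted running-config, reports whether NAT is still active (Don Johnston's point that without an inside and an outside interface the pool lines are inert), flags the pool/interface mask disagreement PennGwyn noticed, and prints the removal sequence in order. The sample config is the one posted above with the same sanitised xxx.xxx addresses; the choice to issue "no ip nat inside source ..." before "no ip nat pool ..." and to save with copy running-config startup-config are assumptions of the example, and the command list is meant to be reviewed and pasted into a console session, not executed by the script.

```python
"""Audit a Cisco IOS running-config for NAT and build the removal sequence.
Added example, not from the thread. SAMPLE_CONFIG is the posted config, trimmed,
with its sanitised xxx.xxx addresses; the ordering of the 'no' commands is an
assumption of this example."""
import ipaddress
import re

SAMPLE_CONFIG = """\
hostname YorkCClub
!
interface Serial0
 ip address xxx.xxx.93.78 255.255.255.0
 ip nat outside
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip nat pool ovrd xxx.xxx.93.78 xxx.xxx.93.78 netmask 255.255.255.252
ip nat pool natpool xxx.xxx.93.78 xxx.xxx.93.78 prefix-length 24
ip nat inside source list 1 pool natpool overload
access-list 1 permit 192.168.10.0 0.0.0.255
end
"""


def parse_ios_config(text):
    """Split a running-config into global lines and {interface: [sub-commands]}."""
    global_lines, interfaces, current = [], {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("!") or line == "end":
            current = None  # '!' terminates an interface stanza
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def prefix_len(kind, value):
    """('netmask', '255.255.255.252') -> 30; ('prefix-length', '24') -> 24."""
    return int(value) if kind == "prefix-length" else ipaddress.IPv4Network(f"0.0.0.0/{value}").prefixlen


def nat_state(global_lines, interfaces):
    """Which interfaces carry ip nat inside/outside, plus the pools and source mappings."""
    state = {"inside": [], "outside": [], "pools": {}, "mappings": []}
    for name, subs in interfaces.items():
        if "ip nat inside" in subs:
            state["inside"].append(name)
        if "ip nat outside" in subs:
            state["outside"].append(name)
    for line in global_lines:
        m = re.match(r"ip nat pool (\S+) (\S+) (\S+) (netmask|prefix-length) (\S+)$", line)
        if m:
            state["pools"][m.group(1)] = {"line": line, "start": m.group(2),
                                          "plen": prefix_len(m.group(4), m.group(5))}
        elif re.match(r"ip nat (inside|outside) source ", line):
            state["mappings"].append(line)
    # Without both an inside and an outside interface, the remaining NAT lines do nothing.
    state["active"] = bool(state["inside"] and state["outside"])
    return state


def pool_mask_mismatches(interfaces, state):
    """Pools that reuse an interface's address but declare a different mask."""
    masks = {}
    for name, subs in interfaces.items():
        for sub in subs:
            m = re.match(r"ip address (\S+) (\S+)$", sub)
            if m:
                masks[m.group(1)] = (name, prefix_len("netmask", m.group(2)))
    return [(pool, masks[p["start"]][0], masks[p["start"]][1], p["plen"])
            for pool, p in state["pools"].items()
            if p["start"] in masks and masks[p["start"]][1] != p["plen"]]


def nat_removal_plan(state):
    """IOS commands in order: detach interfaces, clear translations, drop mappings, drop pools, save."""
    cmds = ["configure terminal"]
    for role in ("inside", "outside"):
        for name in state[role]:
            cmds += [f"interface {name}", f" no ip nat {role}", "exit"]
    cmds += ["end", "clear ip nat translation *", "configure terminal"]
    cmds += ["no " + m for m in state["mappings"]]          # mapping before the pool it references
    cmds += ["no " + p["line"] for p in state["pools"].values()]
    return cmds + ["end", "copy running-config startup-config"]


if __name__ == "__main__":
    g, i = parse_ios_config(SAMPLE_CONFIG)
    s = nat_state(g, i)
    print("NAT active:", s["active"], "inside:", s["inside"], "outside:", s["outside"])
    print("pool/interface mask mismatches:", pool_mask_mismatches(i, s))
    print("\n".join(nat_removal_plan(s)))
```

Paste the printed commands while users are off the link, as brownmetals suggests: "clear ip nat translation *" drops every active translation, so any session currently going through the router will reset.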
 
LVL 4

Expert Comment

by:brownmetals
ID: 12372231
I'm glad this was helpful!

Thanks for the answer & grade.

Continued luck on the project!
Jay
