Cisco NAT overloading

I am trying to configure a Cisco 837. I have most of what I want working but I am having some difficulty with the NAT rules.
I have a number of static IP addresses available to me and I would like to NAT groups of inside local IP addresses to single static global IP addresses. e.g:
192.168.0.1-192.168.0.191 nat to 1.1.1.153
192.168.0.192-192.168.0.223 nat to 1.1.1.155

I can get one group natted by applying a static IP to an interface and overloading that interface.
This is an extract of the working config I used:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
----------------------------

I thought if I try to nat to a pool instead of an interface, this would enable me to create multiple single ip address pools and so solve the problem, however I can't get this to work at all. Here is the extract for this config:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 pool pool1
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
---------------------------

It is essentially the same with the exception of the line:
ip nat inside source list 1 pool pool1
replaces:
ip nat inside source list 1 interface Dialer0 overload


Any help would be greatly appreciated. I'm a newbie to IOS so if you spot the problem I'd also be grateful for an explanation too.

Thanks
windylad Asked:
 
rsivanandan Commented:
So with this, it doesn't work? It should.

First do, clear ip nat translations *

Cheers,
Rajesh
0
 
rsivanandan Commented:
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255

ip nat inside source list 1 pool pool1 overload
access-list 1 permit 192.168.0.0 0.0.0.127

ip nat pool pool2 1.1.1.165 1.1.1.165 netmask 255.255.255.255

ip nat inside source list 2 pool pool2 overload
access-list 2 permit 192.168.0.0 0.0.0.63

Try these.

Cheers,
Rajesh

0
 
windylad (Author) Commented:
Thanks Rajesh but no luck with these.
Does anyone know if it is definitely possible to overload external global ip pools instead of overloading an interface?

Using the SDM, I can't see any option which allows an overload on a pool such as the IOS command: ip nat inside source list 1 pool pool1 overload
I could only enter it using the CLI
0
 
rsivanandan Commented:
It is still possible with the same command sets above.

Can you post your configuration here?

Cheers,
Rajesh
0
 
windylad (Author) Commented:
Hi Rajesh,

Thanks for persevering. Here is the config after I added your suggestions:

Building configuration...

Current configuration : 3329 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username x privilege 15 secret 5 y
no aaa new-model
ip subnet-zero
!
!
ip domain name yourdomain.com
ip name-server 1.2.3.4
ip name-server 1.2.3.5
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ETH-LAN$
 ip address 192.168.0.193 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 broadband1
 ppp pap sent-username x password 0 y
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.128 0.0.0.63 log
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
end

0
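Added example, not part of the original thread or either participant's post: a Python check that takes the NAT pool, NAT rule and standard ACL lines from the configuration posted above and reports which global address each inside address falls under, so the wildcard masks can be compared against the ranges stated in the question. The function names (`parse`, `translate`, `coverage`) are illustrative, and the model is a simplification: first matching rule wins, standard ACL permit entries only, single-address pools.

```python
import ipaddress
import re

# NAT and ACL lines copied from the configuration posted in the thread.
CONFIG = """\
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 permit 192.168.0.128 0.0.0.63 log
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
"""
QUAD = r"(\d+\.\d+\.\d+\.\d+)"

def to_int(addr):
    return int(ipaddress.ip_address(addr))

def parse(config):
    """Collect pools, dynamic NAT rules (in order) and standard ACL permit entries."""
    pools, rules, acls = {}, [], {}
    for line in config.splitlines():
        if m := re.match(rf"ip nat pool (\S+) {QUAD} {QUAD} netmask", line):
            pools[m[1]] = m[2]  # assumption: single-address pools, keep the start
        elif m := re.match(r"ip nat inside source list (\d+) pool (\S+)( overload)?", line):
            rules.append((m[1], m[2], bool(m[3])))
        elif m := re.match(rf"access-list (\d+) permit {QUAD} {QUAD}", line):
            acls.setdefault(m[1], []).append((to_int(m[2]), to_int(m[3])))
    return pools, rules, acls

def translate(config, addr):
    """(acl, pool, global address, overload) of the first rule whose ACL permits addr, else None."""
    pools, rules, acls = parse(config)
    a = to_int(addr)
    for acl, pool, overload in rules:
        # Wildcard mask: bits set to 1 are ignored in the comparison.
        if any((a & ~wild) == (base & ~wild) for base, wild in acls.get(acl, [])):
            return acl, pool, pools[pool], overload
    return None

def coverage(config, first, last):
    """Collapse the inside range first..last into runs that share one global address."""
    runs = []
    for n in range(to_int(first), to_int(last) + 1):
        addr = str(ipaddress.ip_address(n))
        hit = translate(config, addr)
        target = hit[2] if hit else None
        if runs and runs[-1][2] == target:
            runs[-1][1] = addr
        else:
            runs.append([addr, addr, target])
    return runs
```

Calling `coverage(CONFIG, "192.168.0.1", "192.168.0.223")` shows three runs: .1-.127 under pool1, .128-.191 under pool2, and .192-.223 matched by neither access-list.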
 
windylad (Author) Commented:
Still nothing!
From the limited knowledge I have I agree it should work with these nat rules. Could there be something elsewhere in the config blocking access?

I don't have full time access to the dsl connection so I am limited to the testing I can do during working hours. I'll try your rules again tomorrow morning when there is less pressure from the users. If you have any other ideas (such as debug logs) I can try them at the same time
0
 
windylad (Author) Commented:
I agree with you rsivanandan, your suggestions should work. The problem must be somewhere else in the configuration. I'm awarding the points to you anyway as you have at least backed up my belief that it should work and at least I can concentrate elsewhere in the configuration.
0
Question has a verified solution.