Solved

Cisco NAT overloading

Posted on 2006-11-03
Last Modified: 2008-02-01
I am trying to configure a Cisco 837. I have most of what I want working but I am having some difficulty with the NAT rules.
I have a number of static IP addresses available to me and I would like to NAT groups of inside local IP addresses to single static global IP addresses. e.g:
192.168.0.1-192.168.0.191 nat to 1.1.1.153
192.168.0.192-192.168.0.223 nat to 1.1.1.155

I can get one group natted by applying a static IP to an interface and overloading that interface.
This is an extract of the working config I used:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
----------------------------

I thought if I try to nat to a pool instead of an interface, this would enable me to create multiple single ip address pools and so solve the problem, however I can't get this to work at all. Here is the extract for this config:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 pool pool1
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
---------------------------

It is essentially the same with the exception of the line:
ip nat inside source list 1 pool pool1
replaces:
ip nat inside source list 1 interface Dialer0 overload


Any help would be greatly appreciated. I'm a newbie to IOS so if you spot the problem I'd also be grateful for an explanation too.

Thanks
Question by:windylad
LVL 32

Expert Comment

by:rsivanandan
ID: 17868565
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255

ip nat inside source list 1 pool pool1 overload
access-list 1 permit 192.168.0.0 0.0.0.127

ip nat pool pool2 1.1.1.165 1.1.1.165 netmask 255.255.255.255

ip nat inside source list 2 pool pool2 overload
access-list 2 permit 192.168.0.0 0.0.0.63

Try these.

Cheers,
Rajesh

Author Comment

by:windylad
ID: 17879999
Thanks Rajesh but no luck with these.
Does anyone know if it is definitely possible to overload external global ip pools instead of overloading an interface?

Using the SDM, I can't see any option which allows an overload on a pool such as the IOS command: ip nat inside source list 1 pool pool1 overload
I could only enter it using the CLI.
LVL 32

Expert Comment

by:rsivanandan
ID: 17880826
It is still possible with the same command sets above.

Can you post your configuration here?

Cheers,
Rajesh

Author Comment

by:windylad
ID: 17880889
Hi Rajesh,

Thanks for persevering. Here is the config after I added your suggestions:

Building configuration...

Current configuration : 3329 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username x privilege 15 secret 5 y
no aaa new-model
ip subnet-zero
!
!
ip domain name yourdomain.com
ip name-server 1.2.3.4
ip name-server 1.2.3.5
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ETH-LAN$
 ip address 192.168.0.193 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 broadband1
 ppp pap sent-username x password 0 y
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.128 0.0.0.63 log
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
end

LVL 32

Accepted Solution

by:
rsivanandan earned 500 total points
ID: 17880903
So with this, it doesn't work? It should.

First do: clear ip nat translations *

Cheers,
Rajesh

Author Comment

by:windylad
ID: 17881257
Still nothing!
From the limited knowledge I have I agree it should work with these nat rules. Could there be something elsewhere in the config blocking access?

I don't have full time access to the dsl connection so I am limited to the testing I can do during working hours. I'll try your rules again tomorrow morning when there is less pressure from the users. If you have any other ideas (such as debug logs) I can try them at the same time.

Author Comment

by:windylad
ID: 18067041
I agree with you rsivanandan, your suggestions should work. The problem must be somewhere else in the configuration. I'm awarding the points to you anyway as you have at least backed up my belief that it should work and at least I can concentrate elsewhere in the configuration.
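Added example (not from the thread or either participant): a small Python checker that reads the NAT pool, dynamic NAT and standard-ACL lines from the asker's final configuration above and reports which global address each inside host would be translated to, and which hosts in the intended 192.168.0.1-223 range match no rule at all. It assumes first-match order across the dynamic rules (the two ACLs do not overlap, so order does not change the result) and ignores the static entry for 192.168.0.230.

```python
import ipaddress
import re

# Constructed from the asker's final configuration in the thread (added example).
CONFIG = """\
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 permit 192.168.0.128 0.0.0.63 log
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+")
NAT_RE = re.compile(r"^ip nat inside source list (\d+) pool (\S+)( overload)?")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)")

def to_int(addr):
    return int(ipaddress.ip_address(addr))

def parse(config):
    """Collect pools, dynamic NAT rules and standard-ACL permit entries."""
    pools, rules, acls = {}, [], {}
    for line in config.splitlines():
        if m := POOL_RE.match(line):
            pools[m[1]] = (m[2], m[3])
        elif m := NAT_RE.match(line):
            rules.append((m[1], m[2], bool(m[3])))
        elif m := ACL_RE.match(line):
            acls.setdefault(m[1], []).append((to_int(m[2]), to_int(m[3])))
    return pools, rules, acls

def acl_permits(entries, host):
    # Wildcard mask: 1 bits are "don't care", so only the 0 bits must match.
    h = to_int(host)
    return any(((h ^ addr) & (wild ^ 0xFFFFFFFF)) == 0 for addr, wild in entries)

def translate(config, host):
    """Return (pool, global start, global end, overload) or None if no rule matches."""
    pools, rules, acls = parse(config)
    for acl_id, pool, overload in rules:  # assumed first-match order (see lead-in)
        if acl_permits(acls.get(acl_id, []), host):
            return (pool, *pools[pool], overload)
    return None

def uncovered(config, first, last):
    """Inside hosts in [first, last] that no dynamic NAT rule translates."""
    hosts = range(to_int(first), to_int(last) + 1)
    return [str(ipaddress.ip_address(h)) for h in hosts if translate(config, h) is None]
```

Run against the config above, uncovered(CONFIG, "192.168.0.1", "192.168.0.223") lists 192.168.0.192 through .223: the ACLs in that configuration cover .0-.127 and .128-.191 only.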