Cisco NAT overloading

windylad (Ireland) asked:

I am trying to configure a Cisco 837. I have most of what I want working but I am having some difficulty with the NAT rules.
I have a number of static IP addresses available to me and I would like to NAT groups of inside local IP addresses to single static global IP addresses, e.g.:
192.168.0.1-192.168.0.191 nat to 1.1.1.153
192.168.0.192-192.168.0.223 nat to 1.1.1.155

I can get one group natted by applying a static IP to an interface and overloading that interface.
This is an extract of the working config I used:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
----------------------------

I thought that if I NAT to a pool instead of an interface, this would enable me to create multiple single-IP-address pools and so solve the problem; however, I can't get this to work at all. Here is the extract for this config:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 pool pool1
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
---------------------------

It is essentially the same with the exception of the line:
ip nat inside source list 1 pool pool1
replaces:
ip nat inside source list 1 interface Dialer0 overload


Any help would be greatly appreciated. I'm a newbie to IOS so if you spot the problem I'd also be grateful for an explanation too.

Thanks
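The mapping the question asks for (two inside ranges, each overloaded onto its own global address) can be generated mechanically, and doing so avoids the two mistakes that are easy to make by hand: a wildcard mask that does not cover the intended range, and two NAT ACLs that overlap. The script below is an added example, not code from the thread. It uses the inside ranges and global addresses stated in the question; 1.1.1.153 is Dialer0's own address, so that group overloads the interface as the working config does, and the second group gets a one-address pool. ACL numbers and pool names are assumptions.

```python
"""Build the IOS lines that overload each inside range onto its own global
address.  Added example, not from the original post: the inside ranges and
global addresses are the ones the question states (1.1.1.153 is Dialer0's
own address, so that group overloads the interface as the working config
did); ACL numbers and pool names are assumptions."""
import ipaddress

# (first inside address, last inside address, global target) -- from the question
GROUPS = [
    ("192.168.0.1", "192.168.0.191", "interface Dialer0"),  # 1.1.1.153 is Dialer0
    ("192.168.0.192", "192.168.0.223", "1.1.1.155"),
]


def range_to_wildcards(first: str, last: str) -> list:
    """Split an inclusive range into the aligned blocks a numbered ACL can
    express as `base wildcard`.  This is CIDR summarisation; the wildcard is
    the inverted netmask (hostmask).  A range starting at .1 rather than .0
    needs many more entries, because .0 cannot be excluded by a mask."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [(str(n.network_address), str(n.hostmask))
            for n in ipaddress.summarize_address_range(lo, hi)]


def check_disjoint(groups: list) -> bool:
    """Reject overlapping inside ranges: an address matched by two NAT
    ACLs would be translated by whichever rule IOS evaluates first."""
    covered = set()
    for first, last, _ in groups:
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
        block = set(range(lo, hi + 1))
        if covered & block:
            return False
        covered |= block
    return True


def nat_overload_config(groups: list, first_acl: int = 1) -> list:
    """One numbered ACL, and either a single-address pool or the outside
    interface, per group; every dynamic rule carries `overload` so many
    inside hosts share one global address (PAT)."""
    if not check_disjoint(groups):
        raise ValueError("inside ranges overlap")
    lines = []
    for n, (first, last, target) in enumerate(groups, start=first_acl):
        for base, wild in range_to_wildcards(first, last):
            lines.append(f"access-list {n} permit {base} {wild}")
        if target.startswith("interface "):
            lines.append(f"ip nat inside source list {n} {target} overload")
        else:
            pool = f"pool{n}"
            lines.append(f"ip nat pool {pool} {target} {target} netmask 255.255.255.255")
            lines.append(f"ip nat inside source list {n} pool {pool} overload")
    return lines


if __name__ == "__main__":
    print("\n".join(nat_overload_config(GROUPS)))
```

Two things to check after pasting the output into the router: the pool address must be one the ISP actually routes to this Dialer0 (1.1.1.155 sits inside the 1.1.1.152/29 on the interface, so it is), and any translations created under the old rules should be flushed with `clear ip nat translation *` before testing, then confirmed with `show ip nat translations`.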
rsivanandan replied:

ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255

ip nat inside source list 1 pool pool1 overload
access-list 1 permit 192.168.0.0 0.0.0.127

ip nat pool pool2 1.1.1.165 1.1.1.165 netmask 255.255.255.255

ip nat inside source list 2 pool pool2 overload
access-list 2 permit 192.168.0.0 0.0.0.63

Try these.

Cheers,
Rajesh

windylad (asker) replied:

Thanks Rajesh, but no luck with these.
Does anyone know if it is definitely possible to overload external global ip pools instead of overloading an interface?

Using the SDM, I can't see any option which allows an overload on a pool such as the IOS command: ip nat inside source list 1 pool pool1 overload
I could only enter it using the CLI.

rsivanandan replied:

It is still possible with the same command sets above.

Can you post your configuration here?

Cheers,
Rajesh
windylad (asker) replied:

Hi Rajesh,

Thanks for persevering. Here is the config after I added your suggestions:

Building configuration...

Current configuration : 3329 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username x privilege 15 secret 5 y
no aaa new-model
ip subnet-zero
!
!
ip domain name yourdomain.com
ip name-server 1.2.3.4
ip name-server 1.2.3.5
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ETH-LAN$
 ip address 192.168.0.193 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 broadband1
 ppp pap sent-username x password 0 y
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.128 0.0.0.63 log
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
end
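Rather than reading the NAT section of a running config by eye, it is worth checking it programmatically against the ranges the question wants translated. The script below is an added example, not code from the thread; the config excerpts are constructed from the NAT-related lines of the running config posted above and from the earlier suggested rules, and the wanted ranges are the ones stated in the question. Run over the posted config it shows that access-list 2 (192.168.0.128 0.0.0.63) covers 192.168.0.128-191, not 192.168.0.192-223, so the second group has no dynamic rule at all; run over the earlier suggestion it shows ACL 1 and ACL 2 overlapping on 192.168.0.1-63. It also lists ACLs carrying the `log` keyword that SDM added, which is worth removing while troubleshooting NAT.

```python
"""Audit the NAT section of an IOS config against the inside ranges that
should be translated.  Added example, not from the thread: the two config
excerpts are constructed from lines in the posts above, the wanted ranges
come from the question."""
import ipaddress
import re

# Constructed excerpt: NAT-related lines of the posted running config.
POSTED_NAT_LINES = """
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.128 0.0.0.63 log
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
"""

# Constructed excerpt: the rules suggested earlier in the thread.
SUGGESTED_NAT_LINES = """
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
access-list 1 permit 192.168.0.0 0.0.0.127
ip nat pool pool2 1.1.1.165 1.1.1.165 netmask 255.255.255.255
ip nat inside source list 2 pool pool2 overload
access-list 2 permit 192.168.0.0 0.0.0.63
"""

# Inside ranges the question wants translated.
WANTED = [("192.168.0.1", "192.168.0.191"), ("192.168.0.192", "192.168.0.223")]

_IP = r"(\d+\.\d+\.\d+\.\d+)"


def wildcard_match(addr: int, base: str, wild: str) -> bool:
    """IOS wildcard semantics: a set bit in the wildcard means 'don't care'."""
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wild))
    return ((addr & ~w) & 0xFFFFFFFF) == ((b & ~w) & 0xFFFFFFFF)


def parse_nat(config: str) -> dict:
    """Collect standard ACL entries, pools, dynamic and static NAT rules."""
    cfg = {"acl": {}, "log_acls": set(), "pool": {}, "dynamic": [], "static": {}}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(rf"access-list (\d+) permit {_IP} {_IP}( log)?$", line):
            cfg["acl"].setdefault(m[1], []).append((m[2], m[3]))
            if m[4]:
                cfg["log_acls"].add(m[1])
        elif m := re.match(rf"ip nat pool (\S+) {_IP} {_IP} netmask", line):
            cfg["pool"][m[1]] = (m[2], m[3])
        elif m := re.match(r"ip nat inside source list (\d+) (pool|interface) (\S+)( overload)?$", line):
            cfg["dynamic"].append({"acl": m[1], "kind": m[2], "target": m[3], "overload": bool(m[4])})
        elif m := re.match(rf"ip nat inside source static {_IP} {_IP}", line):
            cfg["static"][m[1]] = m[2]
    return cfg


def global_for(cfg: dict, inside: str) -> list:
    """Every NAT rule that claims this inside-local address.  More than one
    dynamic hit means the result depends on rule ordering; no hit means the
    packet leaves with its private source address."""
    hits = []
    if inside in cfg["static"]:
        hits.append(f"static -> {cfg['static'][inside]}")
    a = int(ipaddress.IPv4Address(inside))
    for rule in cfg["dynamic"]:
        if not any(wildcard_match(a, b, w) for b, w in cfg["acl"].get(rule["acl"], [])):
            continue
        if rule["kind"] == "interface":
            target = f"interface {rule['target']}"
        else:
            pool = cfg["pool"].get(rule["target"])
            if pool is None:
                target = f"pool {rule['target']} (undefined)"
            elif pool[0] == pool[1]:
                target = pool[0]
            else:
                target = f"{pool[0]}-{pool[1]}"
        hits.append(f"list {rule['acl']} -> {target}{' overload' if rule['overload'] else ''}")
    return hits


def audit(cfg: dict, wanted: list) -> dict:
    """Addresses in the wanted ranges with no dynamic rule, addresses that
    two dynamic rules both match, and ACLs carrying the log keyword."""
    uncovered, ambiguous = [], []
    for first, last in wanted:
        lo, hi = (int(ipaddress.IPv4Address(x)) for x in (first, last))
        for n in range(lo, hi + 1):
            ip = str(ipaddress.IPv4Address(n))
            dyn = [h for h in global_for(cfg, ip) if h.startswith("list ")]
            if not dyn:
                uncovered.append(ip)
            elif len(dyn) > 1:
                ambiguous.append(ip)
    return {"uncovered": uncovered, "ambiguous": ambiguous, "log_acls": sorted(cfg["log_acls"])}


if __name__ == "__main__":
    cfg = parse_nat(POSTED_NAT_LINES)
    for host in ("192.168.0.10", "192.168.0.150", "192.168.0.200", "192.168.0.230"):
        print(host, global_for(cfg, host) or ["NO TRANSLATION"])
    print("posted config:", audit(cfg, WANTED))
    print("suggested rules:", audit(parse_nat(SUGGESTED_NAT_LINES), WANTED))
```

The audit only reasons about the rules as written; on the router itself, `show ip nat translations` and `debug ip nat` show whether translations are actually being created for a test host in each range, and `clear ip nat translation *` removes entries left over from the earlier interface-overload configuration so that a test is not satisfied by a stale mapping.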

ASKER CERTIFIED SOLUTION by rsivanandan

windylad (asker) replied:
Still nothing!
From the limited knowledge I have, I agree it should work with these NAT rules. Could there be something elsewhere in the config blocking access?

I don't have full time access to the dsl connection so I am limited to the testing I can do during working hours. I'll try your rules again tomorrow morning when there is less pressure from the users. If you have any other ideas (such as debug logs) I can try them at the same time
I agree with you, rsivanandan, your suggestions should work. The problem must be somewhere else in the configuration. I'm awarding the points to you anyway, as you have at least backed up my belief that it should work, and at least I can concentrate elsewhere in the configuration.