Solved

Cisco NAT overloading

Posted on 2006-11-03
Last Modified: 2008-02-01
I am trying to configure a Cisco 837. I have most of what I want working but I am having some difficulty with the NAT rules.
I have a number of static IP addresses available to me and I would like to NAT groups of inside local IP addresses to single static global IP addresses, e.g.:
192.168.0.1-192.168.0.191 nat to 1.1.1.153
192.168.0.192-192.168.0.223 nat to 1.1.1.155

I can get one group natted by applying a static IP to an interface and overloading that interface.
This is an extract of the working config I used:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
----------------------------

I thought if I try to NAT to a pool instead of an interface, this would enable me to create multiple single IP address pools and so solve the problem; however, I can't get this to work at all. Here is the extract for this config:
----------------------------
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname eircom
 ppp chap password 0 broadband1
 ppp pap sent-username eircom password 0 broadband1
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat inside source list 1 pool pool1
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127
access-list 1 permit 192.168.0.128 0.0.0.63
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
---------------------------

It is essentially the same with the exception of the line:
ip nat inside source list 1 pool pool1
replaces:
ip nat inside source list 1 interface Dialer0 overload


Any help would be greatly appreciated. I'm a newbie to IOS, so if you spot the problem I'd also be grateful for an explanation.

Thanks
Question by:windylad

Expert Comment

by:rsivanandan
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255

ip nat inside source list 1 pool pool1 overload
access-list 1 permit 192.168.0.0 0.0.0.127

ip nat pool pool2 1.1.1.165 1.1.1.165 netmask 255.255.255.255

ip nat inside source list 2 pool pool2 overload
access-list 2 permit 192.168.0.0 0.0.0.63

Try these.

Cheers,
Rajesh


Author Comment

by:windylad
Thanks Rajesh, but no luck with these.
Does anyone know if it is definitely possible to overload external global ip pools instead of overloading an interface?

Using the SDM, I can't see any option which allows an overload on a pool such as the IOS command: ip nat inside source list 1 pool pool1 overload
I could only enter it using the CLI.

Expert Comment

by:rsivanandan
It is still possible with the same command sets above.

Can you post your configuration here?

Cheers,
Rajesh

Author Comment

by:windylad
Hi Rajesh,

Thanks for persevering. Here is the config after I added your suggestions:

Building configuration...

Current configuration : 3329 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
username x privilege 15 secret 5 y
no aaa new-model
ip subnet-zero
!
!
ip domain name yourdomain.com
ip name-server 1.2.3.4
ip name-server 1.2.3.5
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 description $ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ETH-LAN$
 ip address 192.168.0.193 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 ip address 1.1.1.153 255.255.255.248
 ip mtu 1452
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password 0 broadband1
 ppp pap sent-username x password 0 y
!
ip nat pool pool1 1.1.1.155 1.1.1.155 netmask 255.255.255.255
ip nat pool pool2 1.1.1.156 1.1.1.156 netmask 255.255.255.255
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
ip nat inside source static 192.168.0.230 1.1.1.154 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.127 log
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.128 0.0.0.63 log
access-list 140 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 privilege level 15
 login local
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
!
end

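As an added check that is not part of the thread, the script below expands the standard-ACL wildcard entries from the config posted above and reports which inside addresses each NAT rule would translate, so gaps and overlaps between the ACLs and the ranges requested in the question become visible. It assumes IOS first-match selection of `ip nat inside source` rules and that an address no ACL permits leaves untranslated; all addresses are the thread's own values.

```python
import ipaddress

def ip2int(s):
    return int(ipaddress.IPv4Address(s))

def int2ip(n):
    return str(ipaddress.IPv4Address(n))

def wildcard_range(network, wildcard):
    """Hosts matched by a standard-ACL entry 'permit network wildcard'.
    A 1 bit in the wildcard means 'don't care', so the entry covers
    network with those bits cleared .. network with those bits set."""
    net, wc = ip2int(network), ip2int(wildcard)
    lo = net & ~wc & 0xFFFFFFFF
    return int2ip(lo), int2ip(lo | wc)

def nat_global_for(rules, addr):
    """rules: [(acl_entries, global_ip)] in config order, each ACL a list of
    (network, wildcard). Assumption (IOS behaviour): the first
    'ip nat inside source' rule whose ACL permits the source wins; a source
    no ACL permits is routed with its private address untranslated."""
    a = ip2int(addr)
    for acl, global_ip in rules:
        for network, wildcard in acl:
            lo, hi = wildcard_range(network, wildcard)
            if ip2int(lo) <= a <= ip2int(hi):
                return global_ip
    return None

def coverage(rules, first, last):
    """Walk first..last and collapse consecutive hosts with the same result
    into runs of (first, last, global_ip_or_None)."""
    runs = []
    for a in range(ip2int(first), ip2int(last) + 1):
        got = nat_global_for(rules, int2ip(a))
        if runs and runs[-1][2] == got:
            runs[-1][1] = a
        else:
            runs.append([a, a, got])
    return [(int2ip(lo), int2ip(hi), g) for lo, hi, g in runs]

# NAT rules and ACLs from the final config posted in the thread
THREAD_RULES = [
    ([("192.168.0.0", "0.0.0.127")], "1.1.1.155"),   # list 1 -> pool1
    ([("192.168.0.128", "0.0.0.63")], "1.1.1.156"),  # list 2 -> pool2
]

if __name__ == "__main__":
    for lo, hi, g in coverage(THREAD_RULES, "192.168.0.1", "192.168.0.254"):
        print(f"{lo} - {hi}: {g or 'NOT translated (no ACL match)'}")
```

Run against the posted ACLs it reports 192.168.0.1-127 on 1.1.1.155, 128-191 on 1.1.1.156 and 192-254 matched by neither list, while the question asks for 192-223 to be translated; a quick way to confirm on the router is `show ip nat translations` after generating traffic from a host in each range.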

Accepted Solution

by:rsivanandan (earned 500 total points)
So with this, it doesn't work? It should.

First do, clear ip nat translations *

Cheers,
Rajesh

Author Comment

by:windylad
Still nothing!
From the limited knowledge I have I agree it should work with these nat rules. Could there be something elsewhere in the config blocking access?

I don't have full-time access to the DSL connection, so I am limited in the testing I can do during working hours. I'll try your rules again tomorrow morning when there is less pressure from the users. If you have any other ideas (such as debug logs), I can try them at the same time.

Author Comment

by:windylad
I agree with you rsivanandan, your suggestions should work. The problem must be somewhere else in the configuration. I'm awarding the points to you anyway as you have at least backed up my belief that it should work and at least I can concentrate elsewhere in the configuration.