
Setting up Static NAT and either Dynamic NAT or Overload on Cisco 1721

Asked by adamwitherspoon (United States of America)
Topics: Routers, Network Management, Network Architecture
3 comments, 1 solution, 1388 views
How do I turn on NAT and also have Static NAT?

This may be a "dumb" question...
I am not a Cisco trained professional. So bear with me. If I change the eth0 from 66.x.x.128 /28 and have private addressing, how will packets destined to 66.x.x.128 - 254 know where to go? In other words, right now packets destined for my network 66.x.x.128 come to the serial interface from the T1 and get forwarded via the Eth0 to their destination on the inside network. Outbound traffic goes via the eth0, is forwarded through ser0 to the T1 and is on its way. If I change the eth0 to 172.17.0.1, will those same packets from the ser0 be forwarded to the eth0 interface? If so, and that is how things work, will packets destined to the 66.x.x.128 network, say 66.x.x.139, get forwarded to 172.17.0.139 if that is the way they are statically "mapped" by NAT?

here is what I have got:

Cisco 1721 Router with one Eth, one Ser.
I have a block of public IP addresses. /28
NAT is turned off. Currently the site has about 115 addresses available in the DHCP pool - not enough.
Current eth interface is configured as 66.x.x.128 /28 so the whole pool is public (don't ask me why, I didn't set it up)
I want to turn NAT on and create a private network: 172.17.0.1 255.255.254.0 Broadcast 172.17.1.255 (510 IPs)
I want to enable Static NAT to map a series of public IPs to internal private IPs, i.e. 66.x.x.130-139 to 172.17.0.10-19 (for all ports and protocols). The reason: I have 8 Aironet 1200 Wireless APs that I want to create static NAT entries for so I can access/manage them via the public IPs. I also have a server I want to remotely administer, and I don't want to have to go through a VPN.

I want to also create a DHCP pool on the 1721: 172.17.0.30 - 172.17.1.254 that can operate like normal NAT/PAT
---
If I do this, I do not need to set up a VPN, right? I can just forward the publics to their public counterparts (which will be static IPs as well) and all will be well... I am hoping.

Also, if anyone can give me a better access list configuration, like a standard one that lets most traffic through, I would appreciate it, but that is not needed to get points.

Mainly I just want to know if it is feasible and what the conf would look like.

Thanks.

Here is the router's conf:

router#show run
Building configuration...

Current configuration : 1502 bytes
!
! No configuration change since last restart
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
enable password xxxxxxx
!
clock timezone HST -10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
!
ip dhcp-server 66.x.x.139
no ftp-server write-enable
!
!
!
!
interface FastEthernet0
 ip address 66.x.x.129 255.255.255.128
 speed 100
!
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
 ip address 66.y.y.138 255.255.255.252
 frame-relay interface-dlci 16  
!
ip classless
ip route 0.0.0.0 0.0.0.0 66.y.y.137
no ip http server
!
access-list 115 deny   icmp any any redirect
access-list 115 deny   ip 127.0.0.0 0.255.255.255 any
access-list 115 deny   ip 224.0.0.0 31.255.255.255 any
access-list 115 deny   ip host 0.0.0.0 any
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   tcp any any eq 139
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 593
access-list 115 permit ip any any
!
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxxx
 login
!
!
end
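An added example of what the NAT, DHCP and inbound-filter configuration could look like on this 1721; it is editor-supplied illustration, not the original question or an answer from the thread. It keeps the page's 66.x.x.x / 66.y.y.y placeholders, follows the 255.255.255.128 (/25) mask shown in the running config rather than the /28 mentioned in the text, and uses <ADMIN_IP> and <DNS_SERVER_IP> as placeholders to fill in. It also answers the conceptual question above: a static entry translates the destination 66.x.x.139 to 172.17.0.19 before the packet is routed out FastEthernet0, so the upstream's existing route for the public block keeps working unchanged. Note that access-list 115 in the running config is defined but never applied to an interface; the example applies a filter inbound on the outside interface instead.

```cisco
! Added example, not from the question or its answers. Placeholders:
! 66.x.x.x / 66.y.y.y as on the page, <ADMIN_IP> and <DNS_SERVER_IP> to fill in.
! LAN mask follows the 255.255.255.128 (/25) in the running config.
!
! --- 1. LAN moves to private space; mark which side of NAT each interface is on
interface FastEthernet0
 ip address 172.17.0.1 255.255.254.0
 ip nat inside
!
interface Serial0.1 point-to-point
 ip nat outside
 ip access-group 120 in
!
! --- 2. One-to-one static NAT for the eight APs and the server (all protocols/ports).
!     Inbound packets to 66.x.x.139 are translated to 172.17.0.19 before routing,
!     so the upstream's existing route for 66.x.x.128/25 keeps working unchanged.
!     Static entries take precedence over the dynamic overload rule below.
ip nat inside source static 172.17.0.10 66.x.x.130
ip nat inside source static 172.17.0.11 66.x.x.131
ip nat inside source static 172.17.0.12 66.x.x.132
ip nat inside source static 172.17.0.13 66.x.x.133
ip nat inside source static 172.17.0.14 66.x.x.134
ip nat inside source static 172.17.0.15 66.x.x.135
ip nat inside source static 172.17.0.16 66.x.x.136
ip nat inside source static 172.17.0.17 66.x.x.137
ip nat inside source static 172.17.0.18 66.x.x.138
ip nat inside source static 172.17.0.19 66.x.x.139
!
! --- 3. Everyone else on 172.17.0.0/23 shares the Serial0.1 address (PAT / overload)
access-list 1 permit 172.17.0.0 0.0.1.255
ip nat inside source list 1 interface Serial0.1 overload
!
! --- 4. Public addresses with no translation would otherwise follow the default
!     route back upstream and bounce until TTL expires; discard them locally instead.
!     Translation happens before routing, so the static entries are not affected.
ip route 66.x.x.128 255.255.255.128 Null0
!
! --- 5. DHCP pool on the router: 172.17.0.30 - 172.17.1.254.
!     Router address and the static hosts (.10-.19) are excluded from the pool.
ip dhcp excluded-address 172.17.0.1 172.17.0.29
ip dhcp pool LAN
 network 172.17.0.0 255.255.254.0
 default-router 172.17.0.1
 dns-server <DNS_SERVER_IP>
 lease 1
!
! --- 6. Inbound filter on the outside interface. It is evaluated before NAT, so it
!     matches the public addresses. Keeps the spoofing/Windows-port denies from the
!     page's access-list 115 and adds: management ports of the statically exposed
!     hosts (66.x.x.128/28 covers .128-.143) reachable only from <ADMIN_IP>.
access-list 120 deny   icmp any any redirect
access-list 120 deny   ip 127.0.0.0 0.255.255.255 any
access-list 120 deny   ip 224.0.0.0 31.255.255.255 any
access-list 120 deny   ip host 0.0.0.0 any
access-list 120 deny   ip 172.17.0.0 0.0.1.255 any
access-list 120 deny   tcp any any eq 135
access-list 120 deny   udp any any eq 135
access-list 120 deny   udp any any eq netbios-ns
access-list 120 deny   udp any any eq netbios-dgm
access-list 120 deny   tcp any any eq 139
access-list 120 deny   udp any any eq netbios-ss
access-list 120 deny   tcp any any eq 445
access-list 120 deny   tcp any any eq 593
access-list 120 permit tcp host <ADMIN_IP> 66.x.x.128 0.0.0.15 eq 22
access-list 120 permit tcp host <ADMIN_IP> 66.x.x.128 0.0.0.15 eq 443
access-list 120 deny   tcp any 66.x.x.128 0.0.0.15 eq telnet
access-list 120 deny   tcp any 66.x.x.128 0.0.0.15 eq 22
access-list 120 deny   tcp any 66.x.x.128 0.0.0.15 eq www
access-list 120 deny   tcp any 66.x.x.128 0.0.0.15 eq 443
access-list 120 deny   udp any 66.x.x.128 0.0.0.15 eq snmp
access-list 120 permit ip any any
```

After applying it, `show ip nat translations` should list the ten static entries immediately and add port-level entries as PAT hosts start talking; `show ip nat statistics` confirms which interfaces are inside/outside, and `show access-lists 120` shows hit counts on the management denies. The static entries expose the APs' and server's management interfaces to the whole Internet, which is why the filter limits those ports to one admin address; SSH and HTTPS on the APs are preferable to telnet and HTTP, since the traffic crosses the Internet without the VPN the question hopes to avoid.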
