troubleshooting Question

Setting up Static NAT and either Dynamic NAT or Overload on Cisco 1721

Asked by adamwitherspoon
Topics: Routers, Network Management, Network Architecture
How do I turn on NAT and also have Static NAT?

This may be a "dumb" question...
I am not a Cisco trained professional. So bear with me. If I change the eth 0 from 66.x.x.128 /28 and have private addressing, how will packets destined to 66.x.x.128 - 254 know where to go? In other words, right now packets destined for my network 66.x.x.128 come to the serial interface from the T1 and get forwarded via the Eth0 to their destination on the inside network. Outbound traffic goes via the eth0 forwarded through ser0 to t1 and are on their way. If I change the eth0 to, will those same packets from the ser0 be forwarded to the eth0 interface? If so, and that is how things work, will packets destined to the 66.x.x.128 network, say 66.x.x.139 get forwarded to if that is the way they are statically "mapped" by NAT?

Here is what I have got:

Cisco 1721 Router with one Eth, one Ser.
I have a block of public IP addresses. /28
NAT is turned off. Currently the site has about 115 addresses available in DHCP pool- not enough.
Current eth interface is configured as 66.x.x.128 /28 so the whole pool is public (don't ask me why, I didn't set it up)
I want to turn NAT on and create a private network: Broadcast (510 IPs)
I want to enable Static NAT to map a series of public IPs to internal private IPs, i.e. 66.x.x.130-139 (for all ports, protocols). The reason: I have 8 Aironet 1200 Wireless APs that I want to create static NAT entries for so I can access/manage them via the public IPs. Also, I have a server I want to remotely administer and I don't want to have to go through a VPN.

I want to also create a DHCP pool on the 1721: - that can operate like normal NAT/PAT
If I do this, I do not need to setup a VPN right? I can just forward the publics to their public counterparts (which will be static IPs as well) and all will be well... I am hoping.

Also, if anyone can give me a better access list configuration, like a standard one that lets most traffic through, I would appreciate it, but that is not needed to get points.

Mainly I just want to know if it is feasible and what the conf would look like.


Here is the router's conf:

router#show run
Building configuration...

Current configuration : 1502 bytes
! No configuration change since last restart
version 12.3
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
hostname xxxxxxx
enable password xxxxxxx
clock timezone HST -10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
ip dhcp-server 66.x.x.139
no ftp-server write-enable
interface FastEthernet0
 ip address 66.x.x.129
 speed 100
interface Serial0
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
interface Serial0.1 point-to-point
 ip address 66.y.y.138
 frame-relay interface-dlci 16  
ip classless
ip route 66.y.y.137
no ip http server
access-list 115 deny   icmp any any redirect
access-list 115 deny   ip any
access-list 115 deny   ip any
access-list 115 deny   ip host any
access-list 115 deny   tcp any any eq 135
access-list 115 deny   udp any any eq 135
access-list 115 deny   udp any any eq netbios-ns
access-list 115 deny   udp any any eq netbios-dgm
access-list 115 deny   tcp any any eq 139
access-list 115 deny   udp any any eq netbios-ss
access-list 115 deny   tcp any any eq 445
access-list 115 deny   tcp any any eq 593
access-list 115 permit ip any any
line con 0
line aux 0
line vty 0 4
 password xxxxxxxxxx
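
The setup the question describes (static one-to-one NAT for the managed devices, PAT for every other host, DHCP on the router), written out as an added example that is not part of the original post or of any answer to it. The addresses 203.0.113.128/28 (public block), 10.10.0.0/23 (private LAN), 198.51.100.10 (admin workstation) and 198.51.100.53 (DNS server), the pool name LAN, and ACL numbers 10 and 120 are constructed placeholders.

```cisco
! Added example with constructed addresses (see lead-in); not the poster's config.
interface FastEthernet0
 ip address 10.10.0.1 255.255.254.0
 ip nat inside
!
interface Serial0.1 point-to-point
 ip nat outside
 ip access-group 120 in
!
! Static one-to-one NAT, all ports and protocols: <inside local> <inside global>.
! The ISP already routes the /28 to this router, so no interface needs to hold
! these addresses; outside-to-inside translation happens before routing.
ip nat inside source static 10.10.0.30 203.0.113.130
ip nat inside source static 10.10.0.31 203.0.113.131
! (one line per remaining AP and the server, up to 203.0.113.139)
!
! Every other LAN host shares the serial interface address via PAT.
access-list 10 permit 10.10.0.0 0.0.1.255
ip nat inside source list 10 interface Serial0.1 overload
!
! Unmapped addresses in the public block are dropped instead of being
! bounced back to the ISP by the default route.
ip route 203.0.113.128 255.255.255.240 Null0
!
! DHCP for the private LAN; the statically mapped hosts stay out of the pool.
ip dhcp excluded-address 10.10.0.1 10.10.0.50
ip dhcp pool LAN
 network 10.10.0.0 255.255.254.0
 default-router 10.10.0.1
 dns-server 198.51.100.53
!
! Inbound WAN filter. It is evaluated before NAT, so it matches the public
! (inside global) addresses. Only the admin workstation may open sessions to
! the statically mapped devices; TCP replies to sessions they started pass.
! UDP replies to those devices would need their own permit entries.
access-list 120 permit ip host 198.51.100.10 203.0.113.128 0.0.0.15
access-list 120 permit tcp any 203.0.113.128 0.0.0.15 established
access-list 120 deny   ip any 203.0.113.128 0.0.0.15 log
access-list 120 permit ip any any
```

`show ip nat translations` lists the static entries and the PAT sessions once traffic flows, and `show access-lists 120` shows hit counts for the deny entry.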
