Solved

Need help putting static nat on a router.

Posted on 2010-01-07
Last Modified: 2012-05-08
I have a router in a remote location.  I need to add a NAT to it of the following -

NAT 10.10.14.136 to 10.210.4.67. The 10.10.14.136 is coming from me. Here is the current router config.

no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
class-map match-all voice-priority
 match  dscp ef
!
!
policy-map POLICY1
 class voice-priority
  priority percent 40
  set dscp ef
 class class-default
  fair-queue
!
!
!
interface FastEthernet0/0
 ip address 10.254.1.70 255.255.255.252
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.253.6 255.255.255.252
 service-module t1 fdl ansi
 max-reserved-bandwidth 90
 service-policy output POLICY1
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 10.254.1.68 mask 255.255.255.252
 network 192.168.253.4 mask 255.255.255.252
 redistribute static
 neighbor 192.168.253.5 remote-as 1803
 neighbor 192.168.253.5 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
ip route 64.57.148.10 255.255.255.255 10.254.1.69
ip route 64.57.148.54 255.255.255.255 10.254.1.69
ip route 64.57.148.55 255.255.255.255 10.254.1.69
ip route 64.57.148.99 255.255.255.255 10.254.1.69
ip route 64.57.148.119 255.255.255.255 10.254.1.69
!
!
no ip http server
no ip http secure-server
!
!
!
control-plane
!
!
!
line con 0

 login
line aux 0
 
 login
 modem InOut
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 
 login
!
scheduler allocate 20000 1000
end
Question by:pclark6127
 
LVL 4

Expert Comment

by:JDLoaner
ID: 26201465
What interface will that IP be going out?
0
 
LVL 4

Expert Comment

by:JDLoaner
ID: 26201482
ip nat inside source static IP  IP

with  "ip nat inside" and "ip nat outside" on the corresponding interfaces is one way to do it.
0
 
LVL 1

Author Comment

by:pclark6127
ID: 26201721
So, 10.10.14.136 is coming from me, so that would NAT on their serial. Would that be "Outside"? And then we are going to 10.210.4.67, which is reached through the FastEthernet connection. Would this be the "Inside"?

Thanks
0

 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26201725
What JD said, plus you will at least need to specify "ip nat outside" and "ip nat inside" on your appropriate interfaces. And, if you are planning on NATing any internal hosts, you will need something like this:

ip access-list extended NAT
 permit ip <IP subnet> <wildcard mask> any
!
ip nat inside source list NAT <outside IP or interface> overload
0
 
LVL 1

Author Comment

by:pclark6127
ID: 26201950
Here is now my new config.  Does this look correct?

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname

boot-start-marker
boot-end-marker
!
logging buffered 52400 debugging

!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
!
!
!
!
class-map match-all voice-priority
 match  dscp ef
!
!
policy-map POLICY1
 class voice-priority
  priority percent 40
  set dscp ef
 class class-default
  fair-queue
!
!
!
interface FastEthernet0/0
 ip address 10.254.1.70 255.255.255.252
 ip nat inside
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 192.168.253.6 255.255.255.252
 ip nat outside
 service-module t1 fdl ansi
 max-reserved-bandwidth 90
 service-policy output POLICY1
!
router bgp 65002
 no synchronization
 bgp log-neighbor-changes
 network 10.254.1.68 mask 255.255.255.252
 network 192.168.253.4 mask 255.255.255.252
 redistribute static
 neighbor 192.168.253.5 remote-as 1803
 neighbor 192.168.253.5 soft-reconfiguration inbound
 no auto-summary
!
ip forward-protocol nd
ip route 64.57.148.10 255.255.255.255 10.254.1.69
ip route 64.57.148.54 255.255.255.255 10.254.1.69
ip route 64.57.148.55 255.255.255.255 10.254.1.69
ip route 64.57.148.99 255.255.255.255 10.254.1.69
ip route 64.57.148.119 255.255.255.255 10.254.1.69
!
!
no ip http server
no ip http secure-server
ip nat inside source static 10.10.14.136 10.210.4.67
!
!
!
control-plane
!
!
!
line con 0

 login
line aux 0
 
 login
 modem InOut
 transport input all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 
 login
!
scheduler allocate 20000 1000
end
0
 
LVL 1

Author Comment

by:pclark6127
ID: 26202045
Now I can't get to any host on their side so something is wrong.
0
 
LVL 4

Expert Comment

by:JDLoaner
ID: 26202822
Here is my question: How are you NATing the address of 10.10.14.136 to 10.210.4.67 when neither of those networks even exist on this router?  If you have an address in the 10.10.14.x there is no way it is communicating on either interface of this router with the configuration you have.
0
 
LVL 1

Author Comment

by:pclark6127
ID: 26203399
This was my question to the guy on the other end, their network engineer. I told him I didn't think I could NAT this because they are not in the same ranges, but he said: "Since the 10.10.14.136 is traversing this router, it can be NATed. I think it should just take a static NAT and marking your inside and outside interfaces."

If I do a sh nat statistics, the hit count is 0 for this.

I've never NAT'd anything like this.

I work on our ASA and some of our routers but I have other duties so I am not an expert at any one thing when it comes to routing so I have to defer to anyone that seems to know more than me when it comes to this.

If you don't think I can do it then let me know but he for some reason thinks I can.    
0
 
LVL 9

Expert Comment

by:Vito_Corleone
ID: 26203412
It might work if there's a route pointing that subnet to the interface that's NATing. I've never seen anyone do something like that though.
0
 
LVL 4

Expert Comment

by:JDLoaner
ID: 26203476
I just don't understand how you would be communicating with the Ethernet interface of this router; its network is 10.254.1.70 255.255.255.252, which leaves 2 hosts for the rest of the network. What is the IP address on your computer? Are you able to ping that FE address? How are you connected to the router to configure it?
0
 
LVL 1

Author Comment

by:pclark6127
ID: 26203628
It's an MPLS connection. I have a router I control on our end and then a router at their location. I am very limited on what I can ping because of their security, but I can ping my host at the far end. I will say that they are behind a firewall on their end also, and the router we have at their location is the last hop before their firewall.
0
 
LVL 1

Accepted Solution

by:
pclark6127 earned 0 total points
ID: 26366413
We were able to do this and it ended up working. Basically, since the address I was NATing was passing through the router, even though the router was not directly connected to the network, I was able to NAT the address and force it to connect to a specific address on the other end.

I've never done it like that before either but it fixed our issue.
0
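The point of the accepted answer, as an added example (not code from the thread or from Cisco): a simplified Python model of the posted `ip nat inside source static 10.10.14.136 10.210.4.67` rule, showing that a hit depends on the inside/outside role of the interfaces and on the packet's addresses, not on either address sitting in a connected subnet. The destination 192.0.2.10 and all function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

class Packet(NamedTuple):
    src: str
    dst: str

# ip nat inside source static <inside local> <inside global>, as posted in the thread
INSIDE_LOCAL, INSIDE_GLOBAL = "10.10.14.136", "10.210.4.67"
# Subnets directly connected to the router (FastEthernet0/0 and Serial0/0/0)
CONNECTED = [ipaddress.ip_network("10.254.1.68/30"),
             ipaddress.ip_network("192.168.253.4/30")]
FAR_HOST = "192.0.2.10"  # constructed peer address, not taken from the thread

def is_connected(addr: str) -> bool:
    """True if addr falls inside a subnet configured on one of the interfaces."""
    return any(ipaddress.ip_address(addr) in net for net in CONNECTED)

def static_nat(pkt: Packet, in_role: Optional[str],
               out_role: Optional[str]) -> Tuple[Packet, bool]:
    """Apply the static rule; roles are 'inside', 'outside' or None (unmarked).

    Simplified model: inside-to-outside rewrites the source after routing,
    outside-to-inside rewrites the destination on ingress, before routing.
    Returns the (possibly rewritten) packet and whether the rule was hit.
    """
    if in_role == "inside" and out_role == "outside" and pkt.src == INSIDE_LOCAL:
        return Packet(INSIDE_GLOBAL, pkt.dst), True
    if in_role == "outside" and pkt.dst == INSIDE_GLOBAL:
        return Packet(pkt.src, INSIDE_LOCAL), True
    return pkt, False

def demo():
    """Three constructed flows through the same rule with different interface roles."""
    flows = {
        "enters inside, leaves outside": (Packet(INSIDE_LOCAL, FAR_HOST), "inside", "outside"),
        "reply enters outside": (Packet(FAR_HOST, INSIDE_GLOBAL), "outside", "inside"),
        "enters outside, leaves inside": (Packet(INSIDE_LOCAL, FAR_HOST), "outside", "inside"),
    }
    return {name: static_nat(*args) for name, args in flows.items()}

if __name__ == "__main__":
    print("connected?", is_connected(INSIDE_LOCAL), is_connected(INSIDE_GLOBAL))
    for name, (pkt, hit) in demo().items():
        print(f"{name:32} -> {pkt.src} > {pkt.dst}  hit={hit}")
```

On the router itself, `show ip nat translations` and `show ip nat statistics` report the same information: whether the static entry exists and whether any packets have hit it.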
