Asked by snowdog_2112 (United States of America)
Cisco 1800 NAT using secondary ip

Cisco 1841 router
2 WAN connections (t1, cable)
s0 - t1
fa0/0 - inside (66.x.y.z, 192.168.97.1 secondary)
fa0/1 - cable (24.x.y.z)

I have a secondary ip on fa0/0: 192.168.97.1

On the firewall hanging off the inside, which also has a secondary IP of 192.168.79.2.

I am NAT'ing some traffic from inside the firewall to 192.168.97.2.

I need to NAT that traffic to fa0/1 (cable).

I have:

ip nat inside source list 101 interface fa0/1 overload

access-list 101 permit ip 192.168.79.0 0.0.0.255 any
access-list 101 permit ip any 192.178.79.0 0.0.0.255

I also put an ACL on the fa0/0 interface so I can see hits from 192.168.79.2 coming in. The 101 ACL shows no hits though.

I wonder if it has to do with that secondary IP on fa0/0.

Help?
Istvan Kalmar (Hungary)

Sometimes the secondary IP address does not work; please use the latest IOS. And that is wrong:
access-list 101 permit ip any 192.178.79.0 0.0.0.255

You only need this:
ip nat inside source list 101 interface fa0/1 overload

access-list 101 permit ip 192.168.79.0 0.0.0.255 any

Please show us the whole config.

snowdog_2112 (asker)

IOS is 12.4(15)T3

Is that new enough?

I can ping the 192.168.79.1 address from inside the firewall.


Building configuration...

Current configuration : 3367 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname router
!
boot-start-marker
boot system flash c1841-ipbasek9-mz.124-15.T3.bin
boot-end-marker
!
logging buffered 4096 alerts
!
no aaa new-model
ip cef
!
!
!
!
ip domain name domain.com
multilink bundle-name authenticated
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface Tunnel0
 ip address 209.x.y.z 255.255.255.254
 ip access-group in.outside in
 ip tcp adjust-mss 1436
 keepalive 10 3
 tunnel source FastEthernet0/1
 tunnel destination 209.x.y.z
 tunnel path-mtu-discovery
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 192.168.79.1 255.255.255.0 secondary
 ip address 66.z.y.x 255.255.255.248
 ip access-group 10 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 24.w.x.y 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 ip address 209.n.m.o 255.255.255.254
 ip access-group in.outside in
!
router bgp 64525
 bgp log-neighbor-changes
 neighbor 209.x.y.z remote-as 26785
 neighbor 209.x.y.z description Z via T1
 neighbor 209.x.y.z fall-over
 neighbor 209.x.y.z remote-as 26785
 neighbor 209.x.y.z description Netwurx via Tunnel via Charter
 neighbor 209.x.y.z fall-over
 !
 address-family ipv4
  neighbor 209.x.y.z activate
  neighbor 209.x.y.z prefix-list defaultroute-only in
  neighbor 209.x.y.z route-map prepend-one out
  neighbor 209.x.y.z activate
  neighbor 209.x.y.z prefix-list defaultroute-only in
  no auto-summary
  no synchronization
  network 66.z.y.x mask 255.255.255.248
 exit-address-family
!
ip forward-protocol nd
ip route 209.x.y.z 255.255.255.255 24.w.x.y
!
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool_charter_nat 24.w.x.y 24.w.x.y netmask 255.255.255.252
ip nat inside source list 101 interface FastEthernet0/1 overload
!
ip access-list extended in.outside
 permit ip 66.175.192.0 0.0.0.255 any
 permit ip any any
ip access-list extended nat_charter_acl
 permit ip 192.168.97.0 0.0.0.255 any
!
!
ip prefix-list defaultroute-only seq 1 permit 0.0.0.0/0
access-list 10 permit 192.168.79.0 0.0.0.255 log
access-list 10 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip 192.168.79.0 0.0.0.255 any
route-map prepend-one permit 10
 set as-path prepend 64525
!
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

Please download the latest 12.4.25T.

What do these show?
sh ip nat trans
sh ip route

Nothing in ip nat trans (I had checked that).

Routes - note that the 66.x.y.z block is routed over a tunnel on the cable connection to the same ISP as the s0/0 link, to provide "failover" similar to BGP without having to negotiate BGP with the cable provider. So... 209.w.x.y is the same ISP as 66.x.y.z, but connected in different cities.

Gateway of last resort is 209.w.x.96 to network 0.0.0.0

     209.w.x.0/31 is subnetted, 2 subnets
C       209.w.x.94 is directly connected, Serial0/0/0
C       209.w.x.96 is directly connected, Tunnel0
     209.a.b.0/32 is subnetted, 1 subnets
S       209.a.b.210 [1/0] via 24.z.y.x
     66.0.0.0/29 is subnetted, 1 subnets
C       66.x.y.200 is directly connected, FastEthernet0/0
C    192.168.79.0/24 is directly connected, FastEthernet0/0
     24.0.0.0/30 is subnetted, 1 subnets
C       24.z.y.x is directly connected, FastEthernet0/1
B*   0.0.0.0/0 [20/0] via 209.w.x.96, 15:50:54

Please change the config:

interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
 ip address 66.z.y.x 255.255.255.248 secondary
 ip address 192.168.79.1 255.255.255.0

And use the latest IOS.
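An added check for the condition the reply above points at (this is not code from the thread): a small Python audit that parses the posted FastEthernet0/0 stanza and the NAT ACL, and reports whether the address covering the NAT source network is the inside interface's primary or secondary address. The config excerpt is constructed from the thread, with the obfuscated 66.z.y.x address replaced by an RFC 5737 documentation address.

```python
import ipaddress
import re

# Constructed excerpt of the thread's config; 66.z.y.x replaced with an RFC 5737 address.
CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.79.1 255.255.255.0 secondary
 ip address 198.51.100.2 255.255.255.248
 ip nat inside
!
ip nat inside source list 101 interface FastEthernet0/1 overload
access-list 101 permit ip 192.168.79.0 0.0.0.255 any
"""

def parse_interfaces(config):
    """Map interface name -> {"addresses": [(network, is_secondary)], "nat": role}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"addresses": [], "nat": None})
        elif not line.startswith(" "):
            cur = None  # "!" or a global command ends the stanza
        elif cur is not None:
            if m := re.match(r" ip address (\S+) (\S+)( secondary)?$", line):
                net = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
                cur["addresses"].append((net, m[3] is not None))
            elif m := re.match(r" ip nat (inside|outside)", line):
                cur["nat"] = m[1]
    return ifaces

def nat_acl_sources(config):
    """Source networks permitted by the ACL that 'ip nat inside source list' names."""
    m = re.search(r"ip nat inside source list (\S+) ", config)
    if not m:
        return []
    nets = []
    for src, wild in re.findall(rf"access-list {re.escape(m[1])} permit ip (\S+) (\S+) ", config):
        # IOS wildcard masks are inverted netmasks: 0.0.0.255 -> 255.255.255.0
        mask = ipaddress.ip_address(~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF)
        nets.append(ipaddress.ip_network(f"{src}/{mask}", strict=False))
    return nets

def audit_nat_inside(config):
    """For each NAT-ACL source network: the covering 'ip nat inside' address and whether it is primary or secondary."""
    findings = []
    for src in nat_acl_sources(config):
        for name, data in parse_interfaces(config).items():
            for net, secondary in data["addresses"] if data["nat"] == "inside" else []:
                if net.overlaps(src):
                    findings.append((name, str(src), "secondary" if secondary else "primary"))
    return findings
```

Running `audit_nat_inside(CONFIG)` on the posted stanza reports the NAT source 192.168.79.0/24 as covered by a secondary address on FastEthernet0/0; after swapping the two `ip address` lines as suggested above, the same audit reports it as primary.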
ASKER CERTIFIED SOLUTION
snowdog_2112