MikeG299

Cisco 1841 NAT config - help needed

* see attached network diagram (JPEG) *

Need help with this design!
Take a look at the diagram:
I have two Cisco 2810s that are configured and managed by AT&T (we can't touch or modify their configs), one located at site 1 and the other at site 2. Both are set up for T1 tying into a private network. The private network they tie into is, however, located in another part of the state.

As you can see, site one and site two are also connected via single-mode fiber. The reason for this is that the data logger devices called out need to be on the same network to work in conjunction with each other (and also NAT'd to the private 10. network). This is the reason I think another router that we can control needs to be in place. I have a spare Cisco 1841 that I think can do the job.

What I need help with:
How to set up the 1841 for NAT routing (it has two FE ports).
Do I need to put another router at site two?
Should the two database systems assigned with 10.10 IPs be changed to local 192.168 IPs and also NAT'd?

Thank you thank you thank you for anyone's help in this!

The 10.10 IPs with a full class C are assigned by AT&T and are configured in the 2810s. Plenty of available IPs for NAT.
network.jpg
rfc1180

>How to setup the 1841 for NAT routing (it has two FE ports).

Why do you think you need NAT?
What is it you are trying to accomplish? (This has yet to be explained)
Maybe some clarification on the source and destination communication flow.

Thanks
Billy
MikeG299

ASKER

Hi Billy,

Pardon my lack of explanation; I'm still learning network design and how to configure Cisco routers.

This is all about providing a path for the data loggers from site 1 & 2 called out in attached diagram to see each other. All of the devices will ultimately be polled by a data acquisition server on the private network (yellow cloud in diagram - and it's not our network).

The data loggers need to see each other to execute calculations to provide accurate data prior to being polled by server on private network.

I believe I need NAT because the two 2810s are not managed by us; therefore, we cannot use them to create a local 192.168 network in order for the data loggers called out to see each other. As you can see, there is fiber between sites 1 & 2. So I thought it would be best to create a separate local network that both sites could see (mainly for data loggers to communicate and execute calculations) and then be NAT'd to each respective 2810.

Long story short: if we had control of those two 2810s, then we could configure them to see each other using that fiber run as a path. We have no control over the yellow cloud or the T1 lines.


Does this help? I'm under the gun to make this happen, please let me know if you need further explanation. Thanks!

Each 2810 router (which we can't touch)
Looking at your diagram, I can kinda see what you want to do. I would suggest another 1841 (or even something with less horsepower) at site 2. We're talking T1s, so interface bandwidth on this NAT router shouldn't be a big deal.

Set up static NATs on anything that needs a 10.10 -> 192.168 address, and you could set up a dynamic pool for anything else. Assign gateways appropriately on each host for optimum routing to the private WAN network.

Should work fine.
Thank you very much for the response. I could use some help from the procedural side on how to actually set up static NAT, dynamic pool, gateway... If you could, I'd be really appreciative. Thanks!
ASKER CERTIFIED SOLUTION
gmooney7

Thanks gmooney7, I'll work on this tonight and paste router config if I get stuck. Unfortunately, we can only use one router right now; which means reliability is not there if and when the fiber link goes down.

will report back soon.
Question: is it possible to do this with one router (we don't have another one at the moment)? Can you push NAT thru both FE INT's for both 2810's?

thanks...
Ok, having a problem when trying to input NAT

Here is how I input the commands:
(config)# ip nat inside source static tcp 192.168.0.3 10.10.152.3

Wouldn't take the command, here is my config so far....

Current configuration : 654 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.152.254 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip classless
!
ip http server
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Ok, I figured out why my NAT commands failed, I had to call out the ports (lame, I know). Is there a command to call out to allow all ports instead of an individual one?

As mentioned in prior post, we'll only be able to use one router to handle all NAT routing including NAT for the other cisco 2810 at site 2 (other end of fiber run, a router which we also don't have control over). Original plan was to have an 1841 at both sites to handle NAT.

That said, I have one FE set for traffic to 2810 at site 1 and the other FE set to handle all 192.168.0.0 traffic. Not sure how to proceed, any help would be really great!
thanks!
Latest config:
interface FastEthernet0/0
 ip address 10.10.152.254 255.255.255.0
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip classless
!
ip http server
ip nat inside source static tcp 192.168.0.3 502 10.10.152.3 502 extendable
ip nat inside source static tcp 192.168.0.6 502 10.10.152.4 502 extendable
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

ip nat inside source static <localaddr> <globaladdr> extendable

in your case:

ip nat inside source static 192.168.0.3 10.10.152.3 extendable

Billy
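The forms discussed above differ in how much of the inside host they expose, shown here as an added example that is not part of the original posts. A port-scoped static entry translates one service, while the address-only form translates every port, so the logger becomes reachable on all of them from the 10.10 side. The Python below is a constructed checker covering only the three forms quoted in this thread (real IOS accepts more options); the function names and the sample are assumptions.

```python
import ipaddress

PREFIX = "ip nat inside source static"
# Constructed sample: the three static NAT forms that appear in this thread.
SAMPLE = """\
ip nat inside source static tcp 192.168.0.3 10.10.152.3
ip nat inside source static tcp 192.168.0.3 502 10.10.152.3 502 extendable
ip nat inside source static 192.168.0.3 10.10.152.3 extendable
"""


def parse_static_nat(line):
    """Parse one static NAT line; raise ValueError if the form is incomplete."""
    tokens = line.strip()[len(PREFIX):].split()
    if tokens and tokens[-1] == "extendable":
        tokens.pop()
    proto = tokens.pop(0) if tokens and tokens[0] in ("tcp", "udp") else None
    if proto:
        # Protocol form: local-ip local-port global-ip global-port
        if len(tokens) != 4:
            raise ValueError(proto + " form needs a local and a global port")
        local, lport, glob, gport = tokens
        ports = (int(lport), int(gport))
        if not all(1 <= p <= 65535 for p in ports):
            raise ValueError("port out of range")
    else:
        # Address form: local-ip global-ip, translating every port
        if len(tokens) != 2:
            raise ValueError("address form takes exactly two addresses")
        (local, glob), ports = tokens, None
    for addr in (local, glob):
        ipaddress.IPv4Address(addr)  # raises ValueError on a bad address
    return {"local": local, "global": glob, "proto": proto, "ports": ports}


def audit(config):
    """Classify each static NAT line by how much of the inside host it exposes."""
    results = []
    for line in config.splitlines():
        if not line.strip().startswith(PREFIX):
            continue
        try:
            entry = parse_static_nat(line)
        except ValueError as err:
            results.append(("rejected", line.strip(), str(err)))
            continue
        scope = "one-port" if entry["ports"] else "all-ports"
        results.append((scope, entry["global"], entry["ports"]))
    return results
```

Running `audit` over a saved configuration gives a quick inventory of which global addresses forward a single service and which forward everything.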
Thanks Billy, I assume that's for use on any port. Any idea on how to set up NAT for both 2810s??
Sorry, I thought the configs on the 2810 could not be managed as they were managed by AT&T; did you install additional 2810s?

Billy
No, you are correct, the 2810s cannot be managed by us. The diagram shows two Cisco 1841s to handle NAT for each site; however, we can't supply an 1841 for site two and I need help to configure the 1841 to handle NAT for both sites.
Mike,
Sorry I couldn't get back to you sooner. One router cannot handle NAT for both sites with the need for the data loggers to stay on the same network, unless you want to get really messy.

My suggestion is to buy a cheap Linksys router for site 2, have everything on the same subnet behind site 1 and 2, and configure the gateway for site 1 hosts to the 1841, and the site 2 hosts to the cheap router.

If you don't want to do it this way, configuration and physical layout become ugly.

Your 1841 still needs to be configured to allow all other hosts to NAT out of it dynamically.

access-list 140 permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source list 140 interface fa 0/0 overload
! x being whatever the ip is of the 2810's inside interface
ip route 0.0.0.0 0.0.0.0 10.10.152.x


Sorry I can't put more thought into this, have several broken things to tend to myself :p  

good luck



Hey no worries. I agree about having a second router; we'll proceed with getting a cheap Linksys to handle site 2. Will report back, thanks again!
Thanks for your help!