Solved

Cisco Nat Configurations

Posted on 2011-02-15
14
1,072 Views
Last Modified: 2012-05-11
I have a 2600 Cisco Router attached to a Cisco 871 that belongs to Cable Vision with a block of 5 public static IP addresses. I chose one of the open IP addresses to run my Cisco lab without success. I can ping the public IP address from my laptop cannot get online. I was told that I needed to Nat from private to public but when I do I still cannot get online. I was also told that from my personal 2600 to the 871 I should be going from Nat inside to nat outside. However, this still fails. What am I missing?
0
Comment
Question by:hreyestech
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 7
  • 6
14 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 34902334
Can you ping the public IP of the 2600 from anywhere on the Internet?
0
 
LVL 5

Expert Comment

by:Honez
ID: 34902385
One iP address will be need to terminate the interface, then use a second ip adress for the NAT pool.
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902413
You can use a single IP for the interface and for NAT, but we need to know if the 871 is passing the network through or if we need NAT setup on the 871.

With my home connection, I have a 2621XM with a static IP and a /30 that is a different subnet.  I have to do static NAT mappings to my internal LAN IPs to use the /30.
0
Salesforce Made Easy to Use

On-screen guidance at the moment of need enables you & your employees to focus on the core, you can now boost your adoption rates swiftly and simply with one easy tool.

 

Author Comment

by:hreyestech
ID: 34902501
What would the correct configurations be? Matty I can ping the default gateway without issues. I can also ping the public IP address that I assigned to the iint fastethernet 0/0 with out issues. Honez? Do you mean nat the private?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902531
If you can ping the public IP from another location (across the Internet) then you are all set.

On the 2600 you will need a line similar to:

ip nat inside source list 100 interface fastethernet 0/0 overload

Then define the inside IPs you would like to be nat'd in ACL 100

ip access-list extended 100
permit ip 192.168.0.1 0.0.0.255 any

0
 

Author Comment

by:hreyestech
ID: 34902781
what do I do about outside IP Nat? should I configure the outer interface facing the internet?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902800
What do you mean by outside IP nat?

Those statements tell the router to use the outside IP for all requests heading from the LAN to the Internet.

You will also need to add ip nat inside to the LAN interface and ip nat outside to the Fas0/0 interface.  

Other than that, you can add some ip inspect rules for tcp udp and ftp if your IOS supports it.
0
 

Author Comment

by:hreyestech
ID: 34902853
Matty I am aware of Outside Nat configurations... I was instructed to configure IP Nat outside for my Public and IP Inside for my private. From what I am reading here only inside nat configurations are required with an access list. Is this correct?
0
 
LVL 22

Accepted Solution

by:
Matt V earned 500 total points
ID: 34902906
The only reason to NAT inbound traffic is if you are trying to allow outside access to your internal servers.

Which would be something like this:

ip nat inside source static 192.168.5.15 206.248.x.x extendable
-- maps all inocming traffic on 206.248.x.x (single IP) to 192.168.5.15 inside

ip nat inside source static udp 192.168.5.30 16235 interface Dialer2 16235
-- maps all incoming traffic on the dialer interface (public IP) on port 16235 udp will be routed to 192.168.5.30 on the inside

The configs I already posted will allow you to get out to the Internet from inside.  These last few allow outside traffic in to LAN IPs either with a blanket NAT or one port at a time.

Use ACLs to restrict access beyond the NAT as to what traffic is actually allowed inbound on the outside IP.
0
 

Author Comment

by:hreyestech
ID: 34903020
These are my results..

Enter configuration commands, one per line.  End with CNTL/Z.
internet(config)#ip nat inside source static 192.168.1.1 24.89.180.157 ex
internet(config)#$de source static 192.168.1.1 24.89.180.157 extendable
internet(config)#^Z
internet#
*Mar  1 00:38:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, chan                                                                             ged state to up
*Mar  1 00:38:38.991: %SYS-5-CONFIG_I: Configured from console by console
internet#show ip nat tra
internet#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 24.89.180.157      192.168.1.1        ---                ---
internet
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34903068
That maps outside traffic in, what about allowing LAN traffic out?
0
 

Author Comment

by:hreyestech
ID: 34903114
what would be an example of mapping traffic out?   I have this  ip address 192.168.1.1 255.255.255.0
ip nat outside
I
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34903151
I already posted that part:

ip nat inside source list 100 interface fastethernet 0/0 overload

ip access-list extended 100
permit ip 192.168.1.1 0.0.0.255 any

interface fas0/0
  ip nat outside

interface fas0/1 (interface with 192.168.1.1 on it)
  ip nat inside
0
 

Author Closing Comment

by:hreyestech
ID: 34905708
I reloaded and reset my router . Read online documentation and matched it with the results given to me by this expert. He pointed me in the right direction and will try configuring the environment one more time.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of the companies I’ve worked with have embraced cloud solutions due to their desire to “get out of the datacenter business.” The ability to achieve better security and availability, and the speed with which they are able to deploy, is far grea…
There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Suggested Courses
Course of the Month2 days, 18 hours left to enroll

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question