Solved

Cisco Nat Configurations

Posted on 2011-02-15
Last Modified: 2012-05-11
I have a 2600 Cisco Router attached to a Cisco 871 that belongs to Cable Vision with a block of 5 public static IP addresses. I chose one of the open IP addresses to run my Cisco lab without success. I can ping the public IP address from my laptop but cannot get online. I was told that I needed to NAT from private to public, but when I do I still cannot get online. I was also told that from my personal 2600 to the 871 I should be going from NAT inside to NAT outside. However, this still fails. What am I missing?
Question by:hreyestech
 
LVL 22

Expert Comment

by:Matt V
ID: 34902334
Can you ping the public IP of the 2600 from anywhere on the Internet?
0
 
LVL 5

Expert Comment

by:Honez
ID: 34902385
One IP address will be needed to terminate the interface, then use a second IP address for the NAT pool.
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902413
You can use a single IP for the interface and for NAT, but we need to know if the 871 is passing the network through or if we need NAT setup on the 871.

With my home connection, I have a 2621XM with a static IP and a /30 that is a different subnet.  I have to do static NAT mappings to my internal LAN IPs to use the /30.
0
 

Author Comment

by:hreyestech
ID: 34902501
What would the correct configurations be? Matty, I can ping the default gateway without issues. I can also ping the public IP address that I assigned to the int fastethernet 0/0 without issues. Honez? Do you mean NAT the private?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902531
If you can ping the public IP from another location (across the Internet) then you are all set.

On the 2600 you will need a line similar to:

ip nat inside source list 100 interface fastethernet 0/0 overload

Then define the inside IPs you would like to be nat'd in ACL 100

ip access-list extended 100
permit ip 192.168.0.1 0.0.0.255 any

0
 

Author Comment

by:hreyestech
ID: 34902781
What do I do about outside IP NAT? Should I configure the outer interface facing the internet?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902800
What do you mean by outside IP nat?

Those statements tell the router to use the outside IP for all requests heading from the LAN to the Internet.

You will also need to add ip nat inside to the LAN interface and ip nat outside to the Fas0/0 interface.  

Other than that, you can add some ip inspect rules for tcp udp and ftp if your IOS supports it.
0
 

Author Comment

by:hreyestech
ID: 34902853
Matty I am aware of Outside Nat configurations... I was instructed to configure IP Nat outside for my Public and IP Inside for my private. From what I am reading here only inside nat configurations are required with an access list. Is this correct?
0
 
LVL 22

Accepted Solution

by:
Matt V earned 500 total points
ID: 34902906
The only reason to NAT inbound traffic is if you are trying to allow outside access to your internal servers.

Which would be something like this:

ip nat inside source static 192.168.5.15 206.248.x.x extendable
-- maps all incoming traffic on 206.248.x.x (single IP) to 192.168.5.15 inside

ip nat inside source static udp 192.168.5.30 16235 interface Dialer2 16235
-- maps all incoming UDP traffic on port 16235 of the dialer interface (public IP) to 192.168.5.30 on the inside

The configs I already posted will allow you to get out to the Internet from inside.  These last few allow outside traffic in to LAN IPs either with a blanket NAT or one port at a time.

Use ACLs to restrict access beyond the NAT as to what traffic is actually allowed inbound on the outside IP.
0
 

Author Comment

by:hreyestech
ID: 34903020
These are my results..

Enter configuration commands, one per line.  End with CNTL/Z.
internet(config)#ip nat inside source static 192.168.1.1 24.89.180.157 ex
internet(config)#$de source static 192.168.1.1 24.89.180.157 extendable
internet(config)#^Z
internet#
*Mar  1 00:38:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
*Mar  1 00:38:38.991: %SYS-5-CONFIG_I: Configured from console by console
internet#show ip nat tra
internet#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 24.89.180.157      192.168.1.1        ---                ---
internet
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34903068
That maps outside traffic in, what about allowing LAN traffic out?
0
 

Author Comment

by:hreyestech
ID: 34903114
What would be an example of mapping traffic out? I have this:
ip address 192.168.1.1 255.255.255.0
ip nat outside
I
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34903151
I already posted that part:

ip nat inside source list 100 interface fastethernet 0/0 overload

ip access-list extended 100
permit ip 192.168.1.1 0.0.0.255 any

interface fas0/0
  ip nat outside

! interface with 192.168.1.1 on it
interface fas0/1
  ip nat inside
0
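The pieces from this thread assembled into one 2600 configuration, together with the inbound ACL the accepted solution recommends; this is an added example, not a configuration posted by any participant. Assumptions: 203.0.113.10/29 is a placeholder for the public address, 192.168.1.15 on TCP 443 is a hypothetical published server, the names LAB-FW and OUTSIDE-IN are made up, and the `ip inspect` lines need an IOS image with the firewall feature set.

```cisco
! Added example. Addresses, names and the published service are placeholders.
!
! Outbound: PAT the LAN behind the outside interface address
ip access-list extended 100
 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! Inbound: publish one port rather than a whole host (hypothetical server)
ip nat inside source static tcp 192.168.1.15 443 interface FastEthernet0/0 443
!
! Stateful inspection: replies to LAN-initiated sessions are let back
! through the inbound ACL without a permanent permit
ip inspect name LAB-FW tcp
ip inspect name LAB-FW udp
ip inspect name LAB-FW ftp
!
! Inbound filter. On the outside interface the ACL is evaluated before
! NAT, so it matches the public (inside global) address.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit icmp any host 203.0.113.10 echo-reply
 permit icmp any host 203.0.113.10 unreachable
 permit icmp any host 203.0.113.10 time-exceeded
 deny   ip any any log
!
interface FastEthernet0/0
 description Outside, toward the 871
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect LAB-FW out
!
interface FastEthernet0/1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

After applying it, `show ip nat translations` should list dynamic entries for LAN hosts next to the static one, and `show access-lists OUTSIDE-IN` shows the hit count on the final deny.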
 

Author Closing Comment

by:hreyestech
ID: 34905708
I reloaded and reset my router. Read online documentation and matched it with the results given to me by this expert. He pointed me in the right direction and I will try configuring the environment one more time.
0
