Solved

Cisco Nat Configurations

Posted on 2011-02-15
14
1,030 Views
Last Modified: 2012-05-11
I have a 2600 Cisco Router attached to a Cisco 871 that belongs to Cable Vision with a block of 5 public static IP addresses. I chose one of the open IP addresses to run my Cisco lab without success. I can ping the public IP address from my laptop cannot get online. I was told that I needed to Nat from private to public but when I do I still cannot get online. I was also told that from my personal 2600 to the 871 I should be going from Nat inside to nat outside. However, this still fails. What am I missing?
0
Comment
Question by:hreyestech
  • 7
  • 6
14 Comments
 
LVL 22

Expert Comment

by:Matt V
ID: 34902334
Can you ping the public IP of the 2600 from anywhere on the Internet?
0
 
LVL 5

Expert Comment

by:Honez
ID: 34902385
One iP address will be need to terminate the interface, then use a second ip adress for the NAT pool.
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902413
You can use a single IP for the interface and for NAT, but we need to know if the 871 is passing the network through or if we need NAT setup on the 871.

With my home connection, I have a 2621XM with a static IP and a /30 that is a different subnet.  I have to do static NAT mappings to my internal LAN IPs to use the /30.
0
 

Author Comment

by:hreyestech
ID: 34902501
What would the correct configurations be? Matty I can ping the default gateway without issues. I can also ping the public IP address that I assigned to the iint fastethernet 0/0 with out issues. Honez? Do you mean nat the private?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902531
If you can ping the public IP from another location (across the Internet) then you are all set.

On the 2600 you will need a line similar to:

ip nat inside source list 100 interface fastethernet 0/0 overload

Then define the inside IPs you would like to be nat'd in ACL 100

ip access-list extended 100
permit ip 192.168.0.1 0.0.0.255 any

0
 

Author Comment

by:hreyestech
ID: 34902781
what do I do about outside IP Nat? should I configure the outer interface facing the internet?
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34902800
What do you mean by outside IP nat?

Those statements tell the router to use the outside IP for all requests heading from the LAN to the Internet.

You will also need to add ip nat inside to the LAN interface and ip nat outside to the Fas0/0 interface.  

Other than that, you can add some ip inspect rules for tcp udp and ftp if your IOS supports it.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Author Comment

by:hreyestech
ID: 34902853
Matty I am aware of Outside Nat configurations... I was instructed to configure IP Nat outside for my Public and IP Inside for my private. From what I am reading here only inside nat configurations are required with an access list. Is this correct?
0
 
LVL 22

Accepted Solution

by:
Matt V earned 500 total points
ID: 34902906
The only reason to NAT inbound traffic is if you are trying to allow outside access to your internal servers.

Which would be something like this:

ip nat inside source static 192.168.5.15 206.248.x.x extendable
-- maps all inocming traffic on 206.248.x.x (single IP) to 192.168.5.15 inside

ip nat inside source static udp 192.168.5.30 16235 interface Dialer2 16235
-- maps all incoming traffic on the dialer interface (public IP) on port 16235 udp will be routed to 192.168.5.30 on the inside

The configs I already posted will allow you to get out to the Internet from inside.  These last few allow outside traffic in to LAN IPs either with a blanket NAT or one port at a time.

Use ACLs to restrict access beyond the NAT as to what traffic is actually allowed inbound on the outside IP.
0
 

Author Comment

by:hreyestech
ID: 34903020
These are my results..

Enter configuration commands, one per line.  End with CNTL/Z.
internet(config)#ip nat inside source static 192.168.1.1 24.89.180.157 ex
internet(config)#$de source static 192.168.1.1 24.89.180.157 extendable
internet(config)#^Z
internet#
*Mar  1 00:38:37.915: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, chan                                                                             ged state to up
*Mar  1 00:38:38.991: %SYS-5-CONFIG_I: Configured from console by console
internet#show ip nat tra
internet#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- 24.89.180.157      192.168.1.1        ---                ---
internet
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34903068
That maps outside traffic in, what about allowing LAN traffic out?
0
 

Author Comment

by:hreyestech
ID: 34903114
what would be an example of mapping traffic out?   I have this  ip address 192.168.1.1 255.255.255.0
ip nat outside
I
0
 
LVL 22

Expert Comment

by:Matt V
ID: 34903151
I already posted that part:

ip nat inside source list 100 interface fastethernet 0/0 overload

ip access-list extended 100
permit ip 192.168.1.1 0.0.0.255 any

interface fas0/0
  ip nat outside

interface fas0/1 (interface with 192.168.1.1 on it)
  ip nat inside
0
 

Author Closing Comment

by:hreyestech
ID: 34905708
I reloaded and reset my router . Read online documentation and matched it with the results given to me by this expert. He pointed me in the right direction and will try configuring the environment one more time.
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Even if you have implemented a Mobile Device Management solution company wide, it is a good idea to make sure you are taking into account all of the major risks to your electronic protected health information (ePHI).
When it comes to security, there are always trade-offs between security and convenience/ease of administration. This article examines some of the main pros and cons of using key authentication vs password authentication for hosting an SFTP server.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now