Solved

Urgent Assistance Needed with CISCO 2600 with NAT/DHCP

Posted on 2012-03-31
Last Modified: 2012-06-21
Where do the DHCP and NAT go? Is this considered Double NAT? I just want my LAN to gain access to the Internet.

R1 is able to obtain its IP from ISP via DHCP. R1 is also able to Ping domain names so DNS works great! The problem is - I have R2 connected directly to it - and then the network is attached to R2.

Where do I set up the NAT on this particular network? I have tried many variations, even used static IPs to eliminate LAN DHCP being an issue. Any assistance would be appreciated!

Cable  Modem  | E/0/0
                    (R1)| E0/0 ip add dhcp
R1 (only has 1 ethernet, so connect to another router instead of switch)
  (R1)                 |S0/0 192.168.1.1 ip nat inside
                            R2
  (R2)                 |S0/0 192.168.1.2 ip nat outside
  (R2)                 |E0/0 192.168.2.1
                          Switch
(SW1)                |int vlan 1 192.168.2.2
Switch
 /    |   \
/     |    \
3 laptops of 192.168.2.3 - 5
0
Question by:CiscoNinja
6 Comments
 
LVL 5

Expert Comment

by:andrew1812
ID: 37792251
Perform these tests:

1. From the laptop, ping 192.168.1.2 - Are you receiving a response?

2. From the laptop, ping 192.168.1.1 - Are you receiving a response?

3. Ensure that the laptops are configured for appropriate DNS settings.

Now NAT

Your ip nat outside command should be applied on the interface on which the ISP has provided the public IP - E0.
ip nat inside should be on 192.168.1.1.

Once the NAT is performed, ensure that a default route is configured on the router *R1*: ip route 0.0.0.0 0.0.0.0 "Gateway IP provided by ISP"

Test internet

(Note: If the above NAT config does not work, set up additional NAT on R2, where the 192.168.2.0 network interface is set up as ip nat inside and the 192.168.1.0 interface is set up as ip nat inside. This should be performed without removing the NAT config on R1.)
0
 

Author Comment

by:CiscoNinja
ID: 37792293
Thanks Andrew

If this works I will renew my membership.
I need to confirm the theory is correct before I apply it.

OK, so NAT Outside goes on the interface that received the IP address on R1 from the ISP. OK.
Then the NAT Inside goes onto the serial cable connecting R1 to R2. OK.

1) Now the Ethernet interface on R2, does that need additional NAT settings applied, or will the NAT traverse from 192.168.1.1 all the way to a different network 192.168.2.1 on the LAN?

2) Where does the DHCP for the LAN go in best practice?

As long as the LAN computers can ping R1 and appear in NAT translations, I can easily resolve the rest. Thanks, really appreciate it and looking forward to your reply so I can finally have this resolved.

Can you confirm this is correct in theory before I apply it?

Cable  Modem  | E/0/0
                    (R1)| E0/0 ip add dhcp (Nat Outside)
R1 (only has 1 ethernet, so connect to another router instead of switch)
  (R1)                 |S0/0 192.168.1.1 ip (Nat Inside)
                            R2
  (R2)                 |S0/0 192.168.1.2
  (R2)                 |E0/0 192.168.2.1
                          Switch
(SW1)                |int vlan 1 192.168.2.2
Switch
 /    |   \
/     |    \
3 laptops of 192.168.2.3 - 5
0
 
LVL 5

Accepted Solution

by:
andrew1812 earned 500 total points
ID: 37792304
My understanding of your network:

1. R1 has two interfaces - Ethernet is connected to the cable modem, Serial is connected to R2.

2. R2 has two interfaces - Serial is connected to R1 and Ethernet is connected to the switch to which the laptops are attached.


This is how the traffic would flow when a user on the laptop accesses a server which resides on the internet.

1. The user constructs a packet with the destination IP as that of the server's IP address. The source IP would be the laptop's IP.

2. When the packet reaches R2, it would be routed to 192.168.1.1 (R1), which is the serial IP of R1, from where the packet would be sent to the internet.

Your questions

1) Now the Ethernet interface on R2, does that need additional NAT settings applied, or will the NAT traverse from 192.168.1.1 all the way to a different network 192.168.2.1 on the LAN?

Answer.

We are applying NAT on the serial interface of R1 (ip nat inside). Due to this, all the packets which are inbound to R1 (e.g. packets originating from the laptop) would be inspected by the router for a source IP address that belongs to the 192.168.1.0/24 network. If the router internally is doing this in its design, you would need to apply ip nat inside on the Ethernet interface of R2 and ip nat outside on the serial interface of R1 so that the packets originating from the laptops are NAT translated before they reach R1 and the source IP would be in the 192.168.1.0/24 network (in this case, 192.168.1.2, which is R2's IP address after translation).

Now this is a scenario which you can test after you first enable NAT alone on R1 as I had mentioned in my earlier comment. This is because some routers apply NAT to all packets on the interface where NAT is applied (in your case, ip nat inside on the serial of R1).

2) Where does the DHCP for the LAN go in best practice?

Your DHCP for providing IP addresses for the laptop computers should be set up on R2, or a separate DHCP server can be set up on the switch.
0
LVL 5

Expert Comment

by:andrew1812
ID: 37792321
If the above solution is confusing, try this simpler alternative for achieving the solution.

1. Ensure that you are able to ping the 192.168.2.0 network from R1 (if it is not working, set up a route with the command ip route 192.168.2.0 255.255.255.0 192.168.1.2 on R1).

2. Ensure that NAT is set up on R1 (as in my first comment) and ignore NAT on R2.

3. Ensure that the laptops are able to reach 192.168.1.1. The gateway of the laptops should be 192.168.2.1 and DNS should be an appropriate address.

4. Ensure that a default route is set up on R1 and R2 (on R2, ip route 0.0.0.0 0.0.0.0 192.168.1.1 and on R1, ip route 0.0.0.0 0.0.0.0 "Gateway IP provided by ISP").

5. Once the above steps are ensured, you should be able to access the internet.
0
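The setup this answer describes (NAT only on R1, plain routing on R2, DHCP for the laptops on R2), written out as an added IOS configuration sketch; it is not from the original thread. The ACL number, the DHCP pool name, the /24 masks and the angle-bracket placeholders are assumptions, and the serial link is assumed to be up already.

```cisco
! ===== R1: edge router, the only device doing NAT =====
interface Ethernet0/0
 ! Address comes from the ISP via DHCP
 ip address dhcp
 ip nat outside
!
interface Serial0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! R1 is not directly connected to the laptop LAN, so replies need a route via R2.
ip route 192.168.2.0 255.255.255.0 192.168.1.2
!
! If no default route is learned from the ISP's DHCP lease, add one by hand:
!  ip route 0.0.0.0 0.0.0.0 <ISP-GATEWAY-IP>
!
! ACL 1 (number is an assumption) decides which sources get translated.
! List only the known internal subnets instead of "permit any", so nothing
! unexpected arriving on the inside interface is translated to the public IP.
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0/0 overload
!
! ===== R2: routing only, no "ip nat" statements =====
interface Serial0/0
 ip address 192.168.1.2 255.255.255.0
!
interface Ethernet0/0
 ip address 192.168.2.1 255.255.255.0
!
! Everything that is not local goes to R1.
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! DHCP for the laptops, served from R2 (pool name "LAN" is an assumption).
! Keep the router and switch management addresses out of the pool.
ip dhcp excluded-address 192.168.2.1 192.168.2.2
ip dhcp pool LAN
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 dns-server <DNS-SERVER-IP>
!
! Checks to run on R1 after a laptop has pinged an internet host:
!  show ip route              (192.168.2.0/24 via 192.168.1.2, plus a default route)
!  show ip nat translations   (inside local addresses from 192.168.2.x should appear)
```

Because R2 forwards the laptop packets untranslated, the entries in R1's translation table carry the real 192.168.2.x source addresses, so there is a single translation point to log and audit.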
 

Author Comment

by:CiscoNinja
ID: 37792386
Cheers Andrew

Yes, all up & working.

I just completely underestimated the power of NAT. I can see now it's the access-list source that can open it up to LANs that are not directly connected.

Excellent work. The term 'Double NAT' which I have seen thrown around threw me off.

Thanks again.
0
 
LVL 5

Expert Comment

by:andrew1812
ID: 37792404
You're welcome
0
