NATing in Cisco router

Dear Sir,

I have a leased line for internet access. I configured my Cisco router for DHCP and provide restrictions through OpenDNS and torrent blocking.

Now our management wants to provide a local network of 192.168.9.1 to 192.168.9.254 which has no restrictions, and also a pool of static IPs in the range 115.249.110.64/27. Please tell me how to configure NATing for the local pool and the static pool. I attach my router configuration as an attachment.

Thanks,
Manoj

Attachment: 115.249.110.70A.txt
ManojtanwarAsked:

RafaelCommented:
You would have to set up NAT for multiple pools. The best way is to use a route map. See this link from Cisco, which explains each scenario and gives step-by-step instructions for each: http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13739-nat-routemap.html

HTH
-Rafael
ManojtanwarAuthor Commented:
I am not an expert in this. Can you provide me the commands? If something goes wrong my job will be in danger.

Thanks
JustInCaseCommented:
You can configure the static pool like this:

! one-to-one static NAT: inside local address -> inside global (public) address
ip nat inside source static <inside address> <outside address>

ip nat inside source static 192.168.9.4 115.249.110.64

The dynamic pool is unchanged.

You can be more granular if you need to:
ip nat inside source static tcp 192.168.9.2 3389 115.249.110.64 3389 extendable (if port 3389 on the 115.249.110.64 address is hit, the connection will be forwarded to port 3389 on 192.168.9.2)
ip nat inside source static tcp 192.168.9.4 3389 115.249.110.64 3390 extendable (if port 3390 on the 115.249.110.64 address is hit, the connection will be forwarded to port 3389 on 192.168.9.4)

More about Configuring Static and Dynamic NAT Simultaneously

In this article there is no mention of the extendable keyword (that is why I gave this example); it is needed in case you need to reach two different inside addresses from one WAN address (in case you ever need this).

ManojtanwarAuthor Commented:
Sir,

I applied this command, ip nat source static 192.168.9.4 115.249.110.64, but I cannot access the internet from the 192.168.9.4 host, nor ping host 115.249.110.65 or .64.

Thanks
JustInCaseCommented:
ip nat source static 192.168.9.4 115.249.110.64
It is obviously wrong to configure it like that :)
Since you have the static pool 115.249.110.64/27, that means 115.249.110.64 is the network address and the broadcast address is 115.249.110.95. Host addresses are 115.249.110.65 - 115.249.110.94.
One address should be the ISP's address (usually (not always) it is the first usable host in the range, so probably 115.249.110.65 belongs to the ISP device).
The other addresses should be usable.
ip nat inside source static 192.168.9.4 115.249.110.66
ip nat inside source static 192.168.9.5 115.249.110.67
etc.
ManojtanwarAuthor Commented:
Still not connected to the internet with this command.

I cannot ping 115.249.110.66 from 192.168.9.4. Please also see my access list, already configured, because I am not able to reach the internet with the static IP pool 115.249.110.66 to 115.249.110.94. I applied the static IP 115.249.110.67 to my computer with default gateway 115.249.110.65 and DNS 8.8.8.8; I cannot ping 115.249.110.65 and cannot surf the internet.
ManojtanwarAuthor Commented:
interface FastEthernet0/0
 description WAN port
 ip address 115.249.19.29 255.255.255.252
 ip flow egress
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Internal LAN$ES_LAN$
 ip address 192.168.48.1 255.255.252.0 secondary
 ip address 115.249.110.65 255.255.255.224
 ip access-group 100 in
 ip flow ingress
 ip nat inside
 duplex auto
 speed auto

This is my WAN and LAN port configuration.
JustInCaseCommented:
You need to configure the IP pool on the WAN:

ip nat pool OUT 115.249.110.66 115.249.110.94 netmask 255.255.255.224
ip nat inside source list 2 pool OUT

access-list 2 permit 192.168.9.0 0.0.0.255

I am not sure whether it will work without adding a secondary IP address to the WAN (or some other method). So far I haven't had the need to use 2 IP ranges on a single WAN interface, but that can be tried in GNS3.
ManojtanwarAuthor Commented:
interface FastEthernet0/0
 description WAN port
 ip address 192.168.9.1 255.255.255.0 secondary
 ip address 115.249.19.29 255.255.255.252
 ip flow egress
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Internal LAN$ES_LAN$
 ip address 192.168.48.1 255.255.252.0 secondary
 ip address 115.249.110.65 255.255.255.224
 ip access-group 100 in
 ip flow ingress
 ip nat inside
 duplex auto
 speed auto

I added the secondary IP 192.168.9.1 255.255.255.0 to the WAN port and typed the above commands at the terminal, but I still cannot access the internet from either IP range. But when I get an IP from DHCP in the 192.168.48.0 range I can ping 192.168.9.1.

Thanks
ManojtanwarAuthor Commented:
ip http server
ip http authentication local
ip nat pool OUT 115.249.110.66 115.249.110.94 netmask 255.255.255.224
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list 2 pool OUT
!
access-list 1 permit 192.0.0.0 0.252.255.255
access-list 100 permit tcp 192.168.48.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit udp 192.168.48.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit tcp 192.168.48.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 permit udp 192.168.48.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny   tcp 192.168.48.0 0.0.1.255 any eq domain
access-list 100 deny   udp 192.168.48.0 0.0.1.255 any eq domain
access-list 100 permit ip 192.168.48.0 0.0.1.255 any
access-list 100 permit udp any host 255.255.255.255 eq bootps
access-list 100 permit udp any host 255.255.255.255 eq bootpc
access-list 100 permit tcp 192.168.9.0 0.0.0.255 host 8.8.8.8 eq domain
access-list 100 permit udp 192.168.9.0 0.0.0.255 host 8.8.8.8 eq domain
access-list 100 permit tcp 0.0.0.3 255.255.255.224 host 8.8.8.8 eq domain

This is the access list of my router; it may help you to resolve the problem.
JustInCaseCommented:
You have entered the IP addresses wrong :)

description WAN port
ip address 115.249.19.29 255.255.255.252
ip address 115.249.110.66 255.255.255.224 secondary

ip address 192.168.9.1 255.255.255.0 - I guess this is the address of a VLAN interface for that VLAN (or whatever), and I guess that you already have that address configured somewhere ... Or even if you don't, that is private address space and does not belong on the WAN interface.
JustInCaseCommented:
And if you are worried that the ACL is creating problems...
You can remove the ACL from the interface:

# interface FastEthernet0/1
# no ip access-group 100 in

and if everything is working when the ACL is not on the interface, then you need to modify the ACL.

To restore the ACL to the interface:
# interface FastEthernet0/1
# ip access-group 100 in

You need to make everything work without the ACL. When the basic config is solved, then you reapply the ACL to the interface, and if there are problems with the ACL, then you need to solve the ACL.
ManojtanwarAuthor Commented:
When I try to configure this it gives this message:
115.249.110.64 is assigned to FastEthernet0/1. What do I do?
ManojtanwarAuthor Commented:
Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#int fa0/0
Router(config-if)#ip add 115.249.110.66 255.255.255.224 secondary
% 115.249.110.64 is assigned to FastEthernet0/1
Router(config-if)#
JustInCaseCommented:
The router tells you that % 115.249.110.64 is assigned to FastEthernet0/1

# interface fa0/1
# no ip address 115.249.110.65 255.255.255.224

And I told you that most likely your ISP has IP address 115.249.110.65;
maybe it is better to set IP address 115.249.110.66 on the WAN:
ip address 115.249.110.66 255.255.255.224 on your interface

and also remove 192.168.9.1 from Fa0/0
# interface FastEthernet0/0
# no ip address 192.168.9.1 255.255.255.0 secondary
ManojtanwarAuthor Commented:
You are saying that I remove 115.249.110.65 from fa0/1 and put 115.249.110.66 on fa0/0 as secondary. Then what is the primary IP of fa0/1?
JustInCaseCommented:
I just noticed that this was there from the start:
Interface fa0/1
 ip address 115.249.110.65 255.255.252.0
 ip address 192.168.48.1 255.255.252.0 Secondary

You have a public address configured inside your network. Interesting :)

And why is the mask /22 (255.255.252.0)?

Now I am not sure what your topology looks like.
ManojtanwarAuthor Commented:
Now this is the WAN and LAN configuration as you told me, but it still cannot access the internet from the static IP pool and 192.168.9.1.
interface FastEthernet0/0
 description WAN port
 ip address 115.249.110.66 255.255.255.224 secondary
 ip address 115.249.19.29 255.255.255.252
 ip flow egress
 ip nat outside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Internal LAN$ES_LAN$
 ip address 192.168.48.1 255.255.252.0
 ip flow ingress
 ip nat inside
 duplex auto
 speed auto
 service-policy input drop-bittorrent
ManojtanwarAuthor Commented:
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.48.1
ip dhcp excluded-address 192.168.50.1
ip dhcp excluded-address 192.168.50.2
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.48.0 255.255.252.0
   dns-server 208.67.222.222 208.67.220.220
   default-router 192.168.48.1
   lease infinite
!
!
ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
username manoj privilege 15 password 0 221100
archive

I have a DHCP pool on this router; above is the configuration of this DHCP.
ManojtanwarAuthor Commented:
But when I give 192.168.9.1 to fa0/1 as a secondary IP, internet access from the 192.168.9.0 range starts working, but there is still no internet access from the static IP pool 115.249.110.66 to 115.249.110.94.
ManojtanwarAuthor Commented:
Now I have configured my router to give internet access to DHCP and static IP hosts, but without applying access-group 100. When I apply this group on fa0/1 it stops the internet for the static pool, but DHCP users can access the internet. Please correct this access group so that the static pool 115.249.110.67 to 115.249.110.94 can access the internet using the 8.8.8.8 DNS. DHCP users must not be able to use 8.8.8.8; they are forced to use OpenDNS.
ManojtanwarAuthor Commented:
My access group 100 is:
Router#show access-list
Standard IP access list 1
    10 permit 192.0.0.0, wildcard bits 0.252.255.255 (1084277 matches)
Standard IP access list 2
    10 permit 192.168.9.4
Extended IP access list 100
    10 permit tcp 192.168.48.0 0.0.1.255 host 208.67.222.222 eq domain (102 matches)
    20 permit udp 192.168.48.0 0.0.1.255 host 208.67.222.222 eq domain (340113 matches)
    30 permit tcp 192.168.48.0 0.0.1.255 host 208.67.222.220 eq domain
    40 permit udp 192.168.48.0 0.0.1.255 host 208.67.222.220 eq domain
    50 deny tcp 192.168.48.0 0.0.1.255 any eq domain (40 matches)
    60 deny udp 192.168.48.0 0.0.1.255 any eq domain (7964 matches)
    70 permit ip 192.168.48.0 0.0.1.255 any (45879648 matches)
    80 permit udp any host 255.255.255.255 eq bootps (3363 matches)
    90 permit udp any host 255.255.255.255 eq bootpc
    100 permit tcp 192.168.9.0 0.0.0.255 host 8.8.8.8 eq domain
    110 permit udp 192.168.9.0 0.0.0.255 host 8.8.8.8 eq domain (144 matches)
    120 permit tcp 0.0.0.3 255.255.255.224 host 8.8.8.8 eq domain
JustInCaseCommented:
access-list 100 permit tcp 192.168.48.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit udp 192.168.48.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit tcp 192.168.48.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 permit udp 192.168.48.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny   tcp 192.168.48.0 0.0.1.255 any eq domain
access-list 100 deny   udp 192.168.48.0 0.0.1.255 any eq domain
access-list 100 permit ip 192.168.9.0 0.0.0.255 any
access-list 100 permit ip 192.168.48.0 0.0.1.255 any
access-list 100 permit udp any host 255.255.255.255 eq bootps
access-list 100 permit udp any host 255.255.255.255 eq bootpc

That change should be enough.
You can be more granular, but you need to know exactly what you want to achieve.
JustInCaseCommented:
And also... you need to change access-list 1.
It is too wide and covers too much ground.

access-list 1 permit 192.0.0.0 0.252.255.255
change it to:
access-list 1 permit 192.168.48.0 0.0.3.255

Also:
access-list 2 permit 192.168.9.0 0.0.0.255

Standard IP access list 2
    10 permit 192.168.9.4
In case this does not work (although it should work), try to create just one ACL for NAT and create static mappings for the 192.168.9.x hosts
(but then you need to leave the static pool as is, which means access-list 2 should stay the same as it is):
access-list 1 permit 192.168.48.0 0.0.1.255
access-list 1 permit 192.168.9.0 0.0.0.255

ip nat inside source static 192.168.9.4 115.249.110.67
ip nat inside source static 192.168.9.5 115.249.110.68

ManojtanwarAuthor Commented:
Great, it works. One more thing: what is the access list for 115.249.110.67 to 115.249.110.94 with mask 255.255.255.224?

I tried, but I cannot calculate it right.

access-list 3 permit 115.249.110.0 255.255.255.224

What is the right format for this?
JustInCaseCommented:
access-list 3 permit 115.249.110.64 255.255.255.224
ManojtanwarAuthor Commented:
Is it possible to give 2 secondary IPs to fa0/1?

I gave two secondary IPs to fa0/1:

one is 192.168.9.1
the second is 115.249.110.65

then

access-list 3 permit 115.249.110.64 255.255.255.224
access-list 100 permit ip 0.0.0.0 255.255.255.224 any

but it does not work. Why? Am I doing something wrong? Please tell me.
ManojtanwarAuthor Commented:
I found my fault:

access-list 100 permit ip 0.0.0.0 224.255.255.255 any

Thanks for your help.

Can you tell me, do they work in reverse?

I want to remove some entries in access-group 100,
like
access-list 100 permit tcp 0.0.0.0 255.255.255.224 any
access-list 100 permit tcp 0.0.0.0 255.255.255.224 any

and
why does access-list 100 permit ip 0.0.0.0 224.255.255.255 any get converted into access-list 100 permit ip 19.0.0.0 224.255.255.255 any?
JustInCaseCommented:
Usually when an ACL is more than a few lines this is the fastest way.

#show run | inc access-list 100                    (or start)
! mark result
! control + c
! paste ACL into txt file
!
# config t
# no access-list 100

Correct the access list in the txt file, copy it, then enter config terminal on the router, right click and...
press enter.
That's it...
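As an added example (not from the original thread), a small Python check of the wildcard-mask and first-match ACL logic discussed in the posts above: it computes the wildcard for the /27 pool, shows how IOS normalizes an entry's address (which is where a 19.0.0.0 in `show access-list` output comes from), and evaluates sample flows against ACL 100 as proposed, with one assumed extra line for the public pool.

```python
"""Wildcard-mask and first-match ACL checks for the setup discussed in this thread.
Added example, not from the original thread. IOS wildcard bits: 1 = don't care,
0 = must match; IOS stores an entry's address with the don't-care bits cleared,
which is why a typed address can show up changed in `show access-list`."""
import ipaddress

def ip_to_int(a):
    return int(ipaddress.IPv4Address(a))

def int_to_ip(n):
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))

def wildcard_for_prefix(prefix_len):
    """Wildcard for a CIDR length: /27 -> 0.0.0.31 (inverse of 255.255.255.224)."""
    return int_to_ip(~((0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF))

def normalize(addr, wildcard):
    """What IOS keeps: address bits under wildcard 1s are cleared."""
    return int_to_ip(ip_to_int(addr) & ~ip_to_int(wildcard))

def wildcard_match(addr, entry_addr, wildcard):
    return normalize(addr, wildcard) == normalize(entry_addr, wildcard)

def evaluate(acl, proto, src, dst, dport=None):
    """First-match evaluation of an extended ACL; implicit deny at the end.
    Entry: (action, proto, src, src_wc, dst, dst_wc, dst_port or None)."""
    for action, p, s, swc, d, dwc, port in acl:
        if (p in ("ip", proto) and wildcard_match(src, s, swc)
                and wildcard_match(dst, d, dwc) and port in (None, dport)):
            return action
    return "deny"

ANY = ("0.0.0.0", "255.255.255.255")
# ACL 100 as proposed in the thread, plus one added line (an assumption) for the
# public /27 pool, with its wildcard computed rather than typed by hand.
ACL_100 = [
    ("permit", "tcp", "192.168.48.0", "0.0.1.255", "208.67.222.222", "0.0.0.0", 53),
    ("permit", "udp", "192.168.48.0", "0.0.1.255", "208.67.222.222", "0.0.0.0", 53),
    ("permit", "tcp", "192.168.48.0", "0.0.1.255", "208.67.222.220", "0.0.0.0", 53),
    ("permit", "udp", "192.168.48.0", "0.0.1.255", "208.67.222.220", "0.0.0.0", 53),
    ("deny", "tcp", "192.168.48.0", "0.0.1.255", *ANY, 53),
    ("deny", "udp", "192.168.48.0", "0.0.1.255", *ANY, 53),
    ("permit", "ip", "192.168.9.0", "0.0.0.255", *ANY, None),
    ("permit", "ip", "192.168.48.0", "0.0.1.255", *ANY, None),
    ("permit", "ip", "115.249.110.64", wildcard_for_prefix(27), *ANY, None),
]
```

Running `evaluate(ACL_100, "udp", "192.168.49.10", "8.8.8.8", 53)` returns "deny" while the same query to 208.67.222.222 returns "permit", which is exactly the OpenDNS-only policy for DHCP users; `normalize("115.249.110.64", "224.255.255.255")` returns "19.0.0.0", showing how broad a wildcard of 224.255.255.255 really is.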