Solved

configure 2 NAT pool in a router

Posted on 2016-08-10
Last Modified: 2016-08-15
I have a Cisco router that connects to broadband internet, and the ISP provided 30 public IPs (255.255.255.224).
Initially NAT was configured with only one NAT pool and used 4. Since another tech team would like to have another NAT pool with 2 additional public IPs,
I have the following configuration, by adding the following to the router. Does it make sense?
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

Below is the whole configuration.

ip name-server 8.8.8.8
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9
!
!
username monitor secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Wan Connect ABCDE-1-01 port GI1/0/2
 ip address 203.176.236.170 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
!
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 203.98.129.70
end
Question by: techy98

13 Comments

Expert Comment by: Predrag Jovic (ID: 41752050)
It will not work as you want the way it is written. Simply put, you use the same ACL for both NAT translations.
ip nat inside source list 1 pool NATPOOL overload

ip nat inside source list 1 pool NATPOOL1 overload
access-list 1 permit 192.168.0.0 0.0.255.255
In this case, what would be the criteria for the router when to prefer one NAT configuration over the other?
However, it is typical to use route-maps (each route-map should still have its own ACL so you can specify which users use a specific pool). Do not forget to schedule downtime for this, since all active sessions will be broken.
Example:
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
!
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
!
! write ACLs according to your needs, this is just example
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any 
access-list 110 permit ip 192.168.1.0 0.0.0.255 any 
!
route-map NAT1 permit 10 
 match ip address 100 
!
route-map NAT2 permit 10 
 match ip address 110 
!

Author Comment by: techy98 (ID: 41752085)
That will be very helpful. One question... since the router 1921 has only 2 Ethernet interfaces, one connected to the ISP modem and another connected to a Catalyst 2960, would the NAT route-map you suggested also work to have 2 subnets? Thanks!
Assisted Solution by: Predrag Jovic (ID: 41752109)
Sure it will work. I created it above with two subnets.
192.168.0.0
192.168.1.0
 :)
You can create ACL however you want.

If you try to delete the current NAT statements you will most likely get the message
no ip nat inside source list 1 pool NATPOOL overload
%Pool NATPOOL in use, cannot destroy

So you will need to clear nat translations first
Just paste:

clear ip nat translation
conf t
no ip nat inside source list 1 pool NATPOOL1 overload
no ip nat inside source list 1 pool NATPOOL overload
no ip nat inside source static 192.168.100.100 203.176.231.80
no ip nat inside source static 192.168.100.20 203.176.231.90

and create new nat statements
Author Comment by: techy98 (ID: 41752307)
Based on your comment, I rewrote it as follows. Is there anything I missed?

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Wan Connect ABCDE-1-01 port GI1/0/2
 ip address 203.176.236.170 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
!
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
!
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT1 permit 10
 match ip address 100
!
route-map NAT2 permit 10
 match ip address 110

ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 203.98.129.70
end
Expert Comment by: Predrag Jovic (ID: 41752338)
If the switch is configured properly, that's it (at least for the router part, for the subnets defined in ACLs 100 & 101).

What happened to your static assignments? You don't need them, or did you forget them?
:)
Author Comment by: techy98 (ID: 41753800)
Sorry, it's my bad for confusing you.
Actually the original should be just the NATPOOL dynamic NAT, and it was working fine. But then another guy asked me to add another one, as he would need 2 public IP addresses with internal IP 192.168.x.y, and that's why I needed to come up with NATPOOL1.
Today he provided the IP 192.168.254.131 and just needs one public IP.
In this case, could I just add a static NAT as below and keep the original NATPOOL? Would it work?
ip nat inside source static 192.168.254.131 203.176.231.89
Assisted Solution by: Predrag Jovic (ID: 41753823)
ip nat inside source static 192.168.254.131 203.176.231.89
Static NAT should work as it is written.
But since it overlaps with the NAT range, maybe it would be the best idea to use the last IP address from the NAT pool for static NAT, and remove that address from the pool.
Author Comment by: techy98 (ID: 41754049)
Here is what I did. Do you mean the public IP 203.176.231.89 overlapped?

no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
ip nat inside source static 192.168.254.131 203.176.231.89

ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

access-list 1 permit 192.168.0.0 0.0.255.255
!
Assisted Solution by: Predrag Jovic (ID: 41754260)
Do you mean the public IP 203.176.231.89 overlapped?
Yes.
When traffic is coming from the WAN to the router, a statically assigned NAT will be properly forwarded. But a few years back, if I remember the whole configuration correctly, I had a situation where the first IP address from the range had a static NAT, and the pool started with the same address (the same address was also the IP address assigned to the interface), and NAT started dynamic assignment from that address. So I never overlap a static assignment with a pool for dynamic assignment if I don't have to.

There is no need to issue the routes twice (although it can't hurt); it will just overwrite the commands. :)
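The two problems raised in this thread (one ACL driving two dynamic pools, which gives IOS no criterion to choose between them, and a static inside-global address that sits inside a dynamic pool's range) are easy to miss when a running config is edited by hand. The linter below is an added example, not code from the original post or from Cisco: it parses the IOS `ip nat` and `route-map` commands in the form shown above and reports a shared ACL, a pool bound that is the subnet's network or broadcast address, a static address inside a pool, and repeated global commands. The two config strings are constructed from the addresses in the thread; the static mapping to 203.176.231.92 is invented so that the overlap check has something to report. Route-map selection is resolved through the route-map's `match ip address` clauses, so two route-maps that match the same ACL are reported as well.

```python
"""Lint Cisco IOS 'ip nat' commands for the pitfalls discussed in this thread.
Added example, not code from the original post; the config strings are constructed
from the thread's addresses (the 203.176.231.92 static entry is invented)."""
import ipaddress
import re
from collections import Counter, defaultdict

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")
LIST_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)(?: overload)?$")
RMAP_RE = re.compile(r"^ip nat inside source route-map (\S+) pool (\S+)(?: overload)?$")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
RMAP_HDR_RE = re.compile(r"^route-map (\S+) (?:permit|deny) \d+$")
RMAP_MATCH_RE = re.compile(r"^match ip address (.+)$")


def parse_nat(config):
    """Collect pools, dynamic NAT selectors (as sets of ACLs) and static entries."""
    pools, dynamic, static = {}, [], []
    route_maps = defaultdict(set)  # route-map name -> ACLs it matches
    current_rmap = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            current_rmap = None
        elif m := POOL_RE.match(line):
            name, first, last, mask = m.groups()
            pools[name] = (ipaddress.ip_address(first), ipaddress.ip_address(last), mask)
        elif m := LIST_RE.match(line):
            dynamic.append(({m.group(1)}, m.group(2)))
        elif m := RMAP_RE.match(line):
            # Keep the route-map's ACL set by reference so it fills in even if the
            # route-map is defined later in the config.
            dynamic.append((route_maps[m.group(1)], m.group(2)))
        elif m := STATIC_RE.match(line):
            static.append((ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))))
        elif m := RMAP_HDR_RE.match(line):
            current_rmap = m.group(1)
        elif (m := RMAP_MATCH_RE.match(line)) and current_rmap:
            route_maps[current_rmap].update(m.group(1).split())
    return pools, dynamic, static


def lint_nat(config):
    """Return findings as strings; an empty list means every check passed."""
    pools, dynamic, static = parse_nat(config)
    findings = []
    # One ACL feeding several pools: IOS has no rule for choosing between them.
    pools_by_acl = defaultdict(list)
    for acls, pool in dynamic:
        for acl in acls:
            pools_by_acl[acl].append(pool)
    for acl, names in sorted(pools_by_acl.items()):
        if len(names) > 1:
            findings.append(f"shared-acl: ACL {acl} selects pools {', '.join(names)}")
    # Pool bounds must be usable hosts in the netmask's subnet (not network/broadcast).
    for name, (first, last, mask) in pools.items():
        net = ipaddress.ip_network(f"{first}/{mask}", strict=False)
        for addr in (first, last):
            if addr not in net or addr in (net.network_address, net.broadcast_address):
                findings.append(f"bad-pool-bound: {name} uses {addr}, not a host address in {net}")
    # A static inside-global address that a dynamic pool may also hand out.
    for inside, outside in static:
        for name, (first, last, _) in pools.items():
            if first <= outside <= last:
                findings.append(
                    f"static-overlap: {inside} -> {outside} lies in pool {name} ({first}-{last})")
    # Repeated global commands are harmless (the second copy re-issues the first) but noisy.
    counts = Counter(l.strip() for l in config.splitlines() if l.strip() not in ("", "!"))
    findings.extend(f"duplicate: '{cmd}' appears {n} times" for cmd, n in counts.items() if n > 1)
    return findings


# Constructed: the thread's first attempt, two 'list 1' statements plus an
# invented static entry that lands inside NATPOOL and a route issued twice.
BROKEN_CONFIG = """\
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip nat inside source static 192.168.254.131 203.176.231.92
ip route 0.0.0.0 0.0.0.0 203.176.236.169
access-list 1 permit 192.168.0.0 0.0.255.255
"""

# Constructed: the route-map form suggested in the thread, static address kept
# outside both pool ranges.
FIXED_CONFIG = """\
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
ip nat inside source static 192.168.254.131 203.176.231.89
ip route 0.0.0.0 0.0.0.0 203.176.236.169
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT1 permit 10
 match ip address 100
!
route-map NAT2 permit 10
 match ip address 110
"""
```

Run `lint_nat(BROKEN_CONFIG)` to see the three findings (shared ACL 1, the static address inside NATPOOL, the duplicated default route) and `lint_nat(FIXED_CONFIG)` to confirm the route-map version comes back clean; feeding it a pool that ends on .95 of a /27 reports the broadcast address as an unusable bound. The parser only understands the global-command forms used on this page, so interface-level or VRF-qualified NAT statements would need extra patterns.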
Author Comment by: techy98 (ID: 41754875)
Sorry Jovic... I still don't get it. Since the subnet is 255.255.255.224, I believe we have 30 public IP addresses from 203.176.231.65 to 203.176.231.95. If NATPOOL already has 91 to 94 assigned, I can use 89 for static NAT, correct?
Accepted Solution by: Predrag Jovic (ID: 41754881)
You can use whatever address you want from your IP range, but exclude that address from the NAT range. :)
Author Closing Comment by: techy98 (ID: 41757198)
Many thanks for being so helpful!!
Expert Comment by: Predrag Jovic (ID: 41757319)
You are welcome.