Solved

configure 2 NAT pool in a router

Posted on 2016-08-10
Last Modified: 2016-08-15
I have a Cisco router that connects to broadband internet, and the ISP provided 30 public IPs (255.255.255.224).
Initially NAT was configured with only one NAT pool and used 4. Since another tech team would like to have another NAT pool with 2 additional public IPs,
I came up with the following configuration by adding the lines below to the router. Does it make sense?
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

Below is the whole configuration.

ip name-server 8.8.8.8
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9
!
!
username monitor secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Wan Connect ABCDE-1-01 port GI1/0/2
 ip address 203.176.236.170 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
!
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 203.98.129.70
end
Question by:techy98

Expert Comment

by:Predrag Jovic
ID: 41752050
It will not work as you want the way it is written. Simply, you use the same ACL for both NAT translations:
ip nat inside source list 1 pool NATPOOL overload

ip nat inside source list 1 pool NATPOOL1 overload
access-list 1 permit 192.168.0.0 0.0.255.255
In this case, what would be the criterion for the router to prefer one NAT configuration over the other?
However, it is typical to use route-maps (each route-map should still have its own ACL so you can specify which users use a specific pool). Do not forget to schedule downtime for this, since all active sessions will be broken.
Example:
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
!
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
!
! write ACLs according to your needs, this is just example
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any 
access-list 110 permit ip 192.168.1.0 0.0.0.255 any 
!
route-map NAT1 permit 10 
 match ip address 100 
!
route-map NAT2 permit 10 
 match ip address 110 
!


Author Comment

by:techy98
ID: 41752085
That will be very helpful. One question... since the 1921 router has only 2 Ethernet interfaces, one connected to the ISP modem and the other connected to a Catalyst 2960, would the NAT route-map you suggested also work to have 2 subnets? Thanks!

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41752109
Sure it will work. I created it above with two subnets.
192.168.0.0
192.168.1.0
 :)
You can create ACL however you want.

If you try to delete the current NAT statements you will most likely get the message:
no ip nat inside source list 1 pool NATPOOL overload
%Pool NATPOOL in use, cannot destroy

So you will need to clear the NAT translations first.
Just paste:

clear ip nat translation
conf t
no ip nat inside source list 1 pool NATPOOL1 overload
no ip nat inside source list 1 pool NATPOOL overload
no ip nat inside source static 192.168.100.100 203.176.231.80
no ip nat inside source static 192.168.100.20 203.176.231.90

and then create the new NAT statements.

Author Comment

by:techy98
ID: 41752307
Based on your comment, I rewrote it as follows. Is there anything I missed?

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Wan Connect ABCDE-1-01 port GI1/0/2
 ip address 203.176.236.170 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
!
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
!
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT1 permit 10
 match ip address 100
!
route-map NAT2 permit 10
 match ip address 110

ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 203.98.129.70
end

Expert Comment

by:Predrag Jovic
ID: 41752338
If the switch is configured properly, that's it (at least for the router part - for the subnets defined in ACLs 100 & 101).

What happened to your static assignments? Do you not need them, or did you forget them?
:)

Author Comment

by:techy98
ID: 41753800
Sorry, it's my bad for confusing you.
Actually the original should be just the NATPOOL dynamic NAT, and it was working fine. But then another guy asked me to add another one, as he would need 2 public IP addresses with internal IPs 192.168.x.y, and that's why I needed to come up with NATPOOL1.
Today he provided the IP 192.168.254.131 and just needs one public IP.
In this case, could I just add the static NAT below and keep the original NATPOOL? Would it work?
ip nat inside source static 192.168.254.131 203.176.231.89

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41753823
ip nat inside source static 192.168.254.131 203.176.231.89
Static NAT should work as it is written.
But since it overlaps with the NAT range, maybe the best idea would be to use the last IP address from the NAT pool for the static NAT and remove that address from the pool.

Author Comment

by:techy98
ID: 41754049
Here is what I have. Do you mean the public IP 203.176.231.89 overlaps?

no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
ip nat inside source static 192.168.254.131 203.176.231.89

ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

access-list 1 permit 192.168.0.0 0.0.255.255
!

Assisted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41754260
Do you mean the public IP 203.176.231.89 overlaps?
Yes.
When traffic comes from the WAN to the router, a statically assigned NAT will be forwarded properly. But I remember, a few years back (if I remember the whole configuration correctly), I had a situation where the first IP address from the range had a static NAT, and the pool started with the same address (the same address was also the IP address assigned to the interface), and NAT started dynamic assignment from that address. So I never overlap a static assignment with a pool for dynamic assignment if I don't have to.

There is no need to enter the routes twice (although it can't hurt); it will just overwrite the commands. :)

Author Comment

by:techy98
ID: 41754875
Sorry Jovic... I still don't get it. Since the subnet is 255.255.255.224, I believe we have 30 public IP addresses, from 203.176.231.65 to 203.176.231.95. If NATPOOL already has 91 to 94 assigned, I can use 89 for the static NAT, correct?

Accepted Solution

by:Predrag Jovic
Predrag Jovic earned 500 total points
ID: 41754881
You can use whatever address you want from your IP range, but exclude that address from the NAT range. :)
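As an added example that is not part of the original thread: a small Python checker that parses the NAT-related lines of an IOS config fragment and flags the problems raised in the answers above, namely the same ACL feeding two dynamic pools (first answer), a static global address that sits inside a dynamic pool or outside the usable host range of the ISP block (the overlap discussion and the accepted answer), and route lines pasted twice. The ISP block 203.176.231.64/27 is an assumption inferred from the 255.255.255.224 mask and the .80-.94 addresses used in the thread; the config samples are built from the thread's own statements plus one constructed overlap case.

```python
"""Sanity checker for the IOS NAT statements discussed in this thread.

Constructed example, not code from the original page. It parses the
'ip nat pool', 'ip nat inside source' and 'ip route' lines of a config
fragment and reports the pitfalls raised in the answers.
"""
import ipaddress
import re
from collections import defaultdict

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)")
DYNAMIC_RE = re.compile(r"^ip nat inside source (list|route-map) (\S+) pool (\S+)")
STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route ")

# Assumption: the ISP block is 203.176.231.64/27, inferred from the
# 255.255.255.224 mask and the .80-.94 addresses used in the thread.
ISP_BLOCK = "203.176.231.64/27"


def parse_nat(config):
    """Return (pools, dynamic, statics, routes) from an IOS config fragment."""
    pools, dynamic, statics, routes = {}, [], [], []
    for raw in config.splitlines():
        line = raw.strip()
        if m := POOL_RE.match(line):
            name, start, end, mask = m.groups()
            pools[name] = (ipaddress.ip_address(start), ipaddress.ip_address(end), mask)
        elif m := DYNAMIC_RE.match(line):
            dynamic.append(m.groups())  # (kind, selector, pool name)
        elif m := STATIC_RE.match(line):
            inside, outside = m.groups()
            statics.append((ipaddress.ip_address(inside), ipaddress.ip_address(outside)))
        elif ROUTE_RE.match(line):
            routes.append(line)
    return pools, dynamic, statics, routes


def check_nat(config, isp_block=ISP_BLOCK):
    """Return a list of human-readable findings; an empty list means clean."""
    net = ipaddress.ip_network(isp_block, strict=False)
    usable = set(net.hosts())  # excludes the network and broadcast addresses
    pools, dynamic, statics, routes = parse_nat(config)
    findings = []

    # 1. Two dynamic NAT statements keyed on the same ACL or route-map:
    #    the router has no criterion for choosing between the pools.
    by_selector = defaultdict(list)
    for kind, selector, pool in dynamic:
        by_selector[(kind, selector)].append(pool)
    for (kind, selector), names in by_selector.items():
        if len(names) > 1:
            findings.append(f"{kind} {selector} feeds pools {', '.join(names)}: "
                            "no criterion to choose between them")

    # 2. Every pool address must be a usable host in the ISP block.
    pool_addrs = {}
    for name, (start, end, _mask) in pools.items():
        addrs = [ipaddress.ip_address(i) for i in range(int(start), int(end) + 1)]
        pool_addrs[name] = set(addrs)
        bad = [str(a) for a in addrs if a not in usable]
        if bad:
            findings.append(f"pool {name} contains non-host addresses {bad} for {net}")

    # 3. Static translations: inside the block, and not inside a dynamic pool.
    for inside, outside in statics:
        if outside not in usable:
            findings.append(f"static {inside} -> {outside}: not a usable host in {net}")
        for name, addrs in pool_addrs.items():
            if outside in addrs:
                findings.append(f"static {inside} -> {outside} overlaps dynamic pool {name}")

    # 4. Routes pasted twice are harmless (IOS just re-applies them) but noisy.
    seen = set()
    for route in routes:
        if route in seen:
            findings.append(f"duplicate route: {route}")
        seen.add(route)
    return findings


# The first configuration posted in the question (ACL 1 feeds both pools).
ORIGINAL_CONFIG = """
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
"""

# Constructed variant: one static host mapped onto the last pool address,
# another onto the /27 broadcast address.
OVERLAP_CONFIG = """
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.254.131 203.176.231.94
ip nat inside source static 192.168.254.132 203.176.231.95
"""

# The route-map version from the answers plus the static at .89.
FINAL_CONFIG = """
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip nat inside source static 192.168.254.131 203.176.231.89
"""

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CONFIG), ("overlap", OVERLAP_CONFIG), ("final", FINAL_CONFIG)):
        print(f"== {label} ==", *(check_nat(cfg) or ["clean"]), sep="\n  ")
```

Run it against a pasted config before committing the change on the router: the checker reads only the NAT and route lines, so the rest of the running config can be included as-is. It does not parse the ACLs or route-maps themselves, so two route-maps matching overlapping source ranges still have to be reviewed by hand.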

Author Closing Comment

by:techy98
ID: 41757198
many thanks for being so helpful!!

Expert Comment

by:Predrag Jovic
ID: 41757319
You are welcome.