• Status: Solved

Configure 2 NAT pools in a router

I have a Cisco router that connects to broadband internet, and the ISP provided 30 public IPs (255.255.255.224).
Initially NAT was configured with only one NAT pool and used 4. Now another tech team would like to have another NAT pool with 2 additional public IPs.
I added the following to the router configuration. Does it make sense?
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

Below is the whole configuration.

ip name-server 8.8.8.8
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9
!
!
username monitor secret 4 g1rTD89b38NIXbGJse.zLc7Cega1TBTlKQNvYDh9Qo6
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Wan Connect ABCDE-1-01 port GI1/0/2
 ip address 203.176.236.170 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
!
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

access-list 1 permit 192.168.0.0 0.0.255.255
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 203.98.129.70
end
Asked by: techy98
4 Solutions
JustInCase (Network Engineer) commented:
It will not work as you want the way it is written. Simply put, you use the same ACL for both NAT translations.
ip nat inside source list 1 pool NATPOOL overload

ip nat inside source list 1 pool NATPOOL1 overload
access-list 1 permit 192.168.0.0 0.0.255.255
In this case, what would be the criteria for the router to prefer one NAT configuration over the other?
However, it is typical to use route-maps (each route-map should still have its own ACL so you can specify which users use a specific pool). Do not forget to schedule downtime for this, since all active sessions will be broken.
Example:
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
!
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
!
! write ACLs according to your needs, this is just example
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any 
access-list 110 permit ip 192.168.1.0 0.0.0.255 any 
!
route-map NAT1 permit 10 
 match ip address 100 
!
route-map NAT2 permit 10 
 match ip address 110 
!

techy98 (Author) commented:
That will be very helpful. One question... since the 1921 router has only 2 Ethernet interfaces, one connected to the ISP modem and the other connected to a Catalyst 2960, would the NAT route-map you suggested also work to have 2 subnets? Thanks!
JustInCase (Network Engineer) commented:
Sure, it will work. I created it above with two subnets.
192.168.0.0
192.168.1.0
 :)
You can create ACL however you want.

If you try to delete the current NAT statements you will most likely get the message
no ip nat inside source list 1 pool NATPOOL overload
%Pool NATPOOL in use, cannot destroy

So you will need to clear the NAT translations first.
Just paste:

clear ip nat translation
conf t
no ip nat inside source list 1 pool NATPOOL1 overload
no ip nat inside source list 1 pool NATPOOL overload
no ip nat inside source static 192.168.100.100 203.176.231.80
no ip nat inside source static 192.168.100.20 203.176.231.90

and create the new NAT statements.
techy98 (Author) commented:
Based on your comment, I rewrote it as follows. Is there anything I missed?

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Wan Connect ABCDE-1-01 port GI1/0/2
 ip address 203.176.236.170 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
!
interface GigabitEthernet0/1
 description lan
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
!
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
!
!
!
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT1 permit 10
 match ip address 100
!
route-map NAT2 permit 10
 match ip address 110

ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
 length 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
 length 0
 transport input ssh
!
scheduler allocate 20000 1000
ntp server 203.98.129.70
end
JustInCase (Network Engineer) commented:
If the switch is configured properly, that's it (at least for the router part - for the subnets defined in ACLs 100 & 101).

What happened to your static assignments? You don't need them, or did you forget them?
:)
techy98 (Author) commented:
Sorry, it's my bad for confusing you.
Actually, the original should be just the NATPOOL dynamic NAT, and it was working fine. But then another guy asked me to add another one, as he would need 2 public IP addresses with internal IPs 192.168.x.y, and that's why I needed to come up with NATPOOL1.
Today he provided the IP 192.168.254.131 and just needs one public IP.
In this case, could I just add the static NAT below and keep the original NATPOOL? Would it work?
ip nat inside source static 192.168.254.131 203.176.231.89
JustInCase (Network Engineer) commented:
ip nat inside source static 192.168.254.131 203.176.231.89
Static NAT should work as it is written.
But since it overlaps with the NAT range, maybe it would be the best idea to use the last IP address from the NAT pool for the static NAT, and remove that address from the pool.
techy98 (Author) commented:
Here is what I did. Do you mean the public IP 203.176.231.89 overlaps?

no ip http server
no ip http secure-server
!
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240
ip nat inside source static 192.168.254.131 203.176.231.89

ip route 0.0.0.0 0.0.0.0 203.176.236.169
ip route 192.168.0.0 255.255.0.0 GigabitEthernet0/1 192.168.254.240

access-list 1 permit 192.168.0.0 0.0.255.255
!
JustInCase (Network Engineer) commented:
> Do you mean the public IP 203.176.231.89 overlaps?
Yes.
When traffic is coming from the WAN to the router, a statically assigned NAT will be properly forwarded. But I remember, a few years back (if I remember the whole configuration correctly), I had a situation where the first IP address in the range had a static NAT, the pool started with the same address (which was also the IP address assigned to the interface), and NAT started dynamic assignment from that address. So I never overlap a static assignment with the pool for dynamic assignment if I don't have to.

There is no need to issue the routes twice (although it can't hurt); it will just overwrite the commands. :)
techy98 (Author) commented:
Sorry Jovic... I still don't get it. Since the subnet is 255.255.255.224, I believe we have 30 public IP addresses from 203.176.231.65 to 203.176.231.95. If NATPOOL is already assigned 91 to 94, I can use 89 for static NAT, correct?
JustInCase (Network Engineer) commented:
You can use whatever address you want from your IP range, but exclude that address from the NAT range. :)
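As an added example, not part of this thread and not Cisco's or the poster's configuration: a small Python checker that parses the NAT-related IOS lines discussed above (pools, dynamic source statements, statics, access-lists, route-maps) and performs the two checks the thread turns on: whether two dynamic NAT statements select on the same ACL (the first objection in the accepted answer), and whether a static NAT address sits inside a dynamic pool's range (the overlap advice at the end). It also resolves which pool a given inside host would be translated through. The parser is a simplification: it assumes contiguous wildcard masks, handles only `permit` entries, and walks dynamic statements in configuration order, which is an assumption made for illustration and exactly the ambiguity the answer warns against relying on, not documented IOS behaviour. Both sample configs are constructed from the thread's addresses; the static mapping to 203.176.231.92 is a deliberately bad entry added so the overlap check has something to report.

```python
"""Offline sanity check for the two NAT pitfalls raised in this thread.

Added example (not the router's running-config and not Cisco code).  It parses
NAT-related IOS lines and reports (1) two dynamic NAT statements keyed on the
same ACL and (2) a static NAT address that falls inside a dynamic pool, and it
resolves which pool an inside host would use.  Sample configs are constructed.
"""
import ipaddress
import re


def _wildcard_to_network(net: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn an IOS 'network wildcard' pair into a network (contiguous wildcards only)."""
    host_bits = bin(int(ipaddress.ip_address(wildcard))).count("1")
    return ipaddress.ip_network(f"{net}/{32 - host_bits}", strict=False)


def parse_nat(config: str) -> dict:
    """Collect the NAT-relevant statements from an IOS running-config excerpt."""
    nat = {"pools": {}, "dynamics": [], "statics": [], "acls": {}, "route_maps": {}}
    current_rm = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip nat pool (\S+) (\S+) (\S+) netmask", line):
            nat["pools"][m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
        elif m := re.match(r"ip nat inside source (list|route-map) (\S+) pool (\S+)", line):
            nat["dynamics"].append({"selector": m[1], "name": m[2], "pool": m[3]})
        elif m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            nat["statics"].append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(r"access-list (\d+) permit (?:ip )?(\S+) (\S+)", line):
            # standard ACL: "permit 192.168.0.0 0.0.255.255"
            # extended ACL: "permit ip 192.168.0.0 0.0.0.255 any" (destination ignored)
            nat["acls"].setdefault(m[1], []).append(_wildcard_to_network(m[2], m[3]))
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            current_rm = m[1]
            nat["route_maps"].setdefault(current_rm, [])
        elif (m := re.match(r"match ip address (\d+)", line)) and current_rm:
            nat["route_maps"][current_rm].append(m[1])
    return nat


def check_ambiguous_selectors(nat: dict) -> list:
    """Two dynamic statements keyed on the same ACL/route-map give the router
    no admin-controlled rule for choosing a pool (the thread's first objection)."""
    seen, problems = {}, []
    for d in nat["dynamics"]:
        key = (d["selector"], d["name"])
        if key in seen:
            problems.append(f"{d['selector']} {d['name']} selects both pool "
                            f"{seen[key]} and pool {d['pool']}")
        else:
            seen[key] = d["pool"]
    return problems


def check_static_overlap(nat: dict) -> list:
    """A static NAT outside address must not fall inside a dynamic pool's range."""
    problems = []
    for inside, outside in nat["statics"]:
        for name, (start, end) in nat["pools"].items():
            if start <= outside <= end:
                problems.append(f"static {inside}->{outside} lies inside pool "
                                f"{name} ({start}-{end})")
    return problems


def pool_for_host(nat: dict, host: str):
    """Pool an inside host would use.  ASSUMPTION: dynamic statements are tried
    in configuration order, first match wins; do not rely on this on real IOS."""
    addr = ipaddress.ip_address(host)
    for d in nat["dynamics"]:
        acl_ids = [d["name"]] if d["selector"] == "list" \
            else nat["route_maps"].get(d["name"], [])
        for acl_id in acl_ids:
            if any(addr in net for net in nat["acls"].get(acl_id, [])):
                return d["pool"]
    return None


# Constructed from the thread: the original post's two statements on the same ACL.
BEFORE = """
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static 192.168.100.20 203.176.231.90
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source list 1 pool NATPOOL1 overload
ip nat inside source static 192.168.100.100 203.176.231.80
access-list 1 permit 192.168.0.0 0.0.255.255
"""

# Constructed: the route-map rewrite from the accepted answer, the later static
# for 192.168.254.131, plus one deliberately bad static (.92) sitting inside NATPOOL.
AFTER = """
ip nat pool NATPOOL 203.176.231.91 203.176.231.94 netmask 255.255.255.224
ip nat pool NATPOOL1 203.176.231.81 203.176.231.82 netmask 255.255.255.224
ip nat inside source route-map NAT1 pool NATPOOL overload
ip nat inside source route-map NAT2 pool NATPOOL1 overload
ip nat inside source static 192.168.254.131 203.176.231.89
ip nat inside source static 192.168.254.132 203.176.231.92
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT1 permit 10
 match ip address 100
route-map NAT2 permit 10
 match ip address 110
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        nat = parse_nat(cfg)
        print(label, check_ambiguous_selectors(nat) + check_static_overlap(nat))
    print("192.168.1.25 ->", pool_for_host(parse_nat(AFTER), "192.168.1.25"))
```

Running it reports the duplicated `list 1` selector for the original config and the .92 overlap for the constructed rewrite. It also makes the "write ACLs according to your needs" caveat visible: the accepted answer's ACLs 100 and 110 cover 192.168.0.0/24 and 192.168.1.0/24 only, so a host on the poster's 192.168.254.0/24 LAN resolves to no pool at all until an ACL for that subnet is added.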
techy98 (Author) commented:
Many thanks for being so helpful!!
JustInCase (Network Engineer) commented:
You are welcome.