02-17-2005 09:00 PM - edited 03-09-2019 10:23 AM
I have spent a few hours trying to NAT out a few internal 192.168.x.x hosts through both my ethernet1/0 interface and also tried using another IP from the range. Any help GREATLY appreciated. Thanks! (Config below)
Building configuration...
Current configuration : 1021 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2621
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
enable password xxxx
!
no aaa new-model
ip subnet-zero
!
!
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
!
ip audit po max-events 100
!
interface FastEthernet0/0
ip address 65.126.x.x.x.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
half-duplex
!
interface Ethernet1/0
ip address 65.126.x.x.x.255.240
ip nat outside
half-duplex
!
ip nat inside source list 7 interface Ethernet1/0 overload
no ip http server
no ip http secure-server
ip classless
no ip route static inter-vrf
ip route 0.0.0.0 0.0.x.x.x.121.117
!
line con 0
line aux 0
line vty 0 4
password xxx
login
!
!
!
end
02-17-2005 09:25 PM
At first glance I think you may have to check or define access list 7 (see this line ip nat inside source list 7 interface Ethernet1/0 overload) that will state what traffic can proceed to e1/0.
Otherwise exactly what do you want NAT to do?
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093fca.shtml has a very good piece on how NAT uses ACLs and http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml covers commonly used IP ACLs.
Cheers,
Josef.
02-17-2005 09:35 PM
Thanks Joe, since I posted I caught that and have this in there
access-list 7 permit 192.168.1.0 0.0.0.250
It still does not work. I am really at a loss here sitting in the datacenter at 9:30pm. Do I need to route the 192.x.x.x somewhere (tried all options)? Thanks for any more advice.
05-26-2012 01:18 PM
This is a 7-year-old post, but I have the CCNA Composite exam in 36 hours so I'll ignore that and answer.
I'm assuming a basic setup (like the one in the question) with PAT and many-to-one source translation.
The steps to properly configure NAT are:
1) list all your interfaces and track which ones are your *internal* interfaces and which one is your *external* one. In the configuration given by OP, the "inside" interface is Fastethernet 0/1. The "outside" interface is Ethernet 1/0.
2) Declare the interfaces one by one, this is done in the interface configuration dialog with the statement "ip nat inside" and "ip nat outside" for the respective interfaces.
3) Gather your traffic with an ACL. This step is necessary to teach the router which traffic it should consider for Network Address Translation. It is achieved by an ACL that permits traffic coming from the subnets configured on our "inside" interfaces. In this case, 192.168.1.0/24.
segillett wrote:
Thanks Joe, since I posted I caught that and have this in there
access-list 7 permit 192.168.1.0 0.0.0.250
It still does not work. I am really at a loss here sitting in the datacenter at 9:30pm. Do I need to route the 192.x.x.x somewhere (tried all options)? Thanks for any more advice.
The reason OP can't get NAT to work is because his ACL was at first absent, and subsequently mistyped.
It should be
ip access-list standard 7
permit 192.168.1.0 0.0.0.255
deny any
The deny statement is implied but explicitly adding it simplifies troubleshooting as every packet matching it will show up in
# show access-lists
ACLs use a "wildcard" mask notation for defining groups of addresses. For all intents and purposes at this level, they are just another format for the subnet masks but they can be used in other ways.
You obtain your wildcard mask by subtracting the subnet mask bits (in decimal) from 255.255.255.255. In this case: 255.255.255.255 - 255.255.255.0 (the subnet mask for a /24 network) = 0.0.0.255. Therefore, the mistake lies in the ACL statement.
4) Activate NAT with the general configuration dialog statement "ip nat inside source list LISTNAME interface INTERFACEID overload".
5) Troubleshoot if needed by using show access-lists, show ip nat translations, debug ip nat. It only works when you see relevant data in the output of those commands.
You do *not* have to route anything, as that would defy the entire purpose of NAT.
If I made any mistake in my post please point it out. I think I have got my head around NAT pretty OK, but you never know.
Any feedback is welcome.
G.
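A worked illustration of step 3 and the wildcard-mask arithmetic above, added here as example code (it is not from any post in this thread): it derives the wildcard mask for a prefix length and shows which hosts the OP's mistyped entry 0.0.0.250 actually selects for translation compared with the correct 0.0.0.255.

```python
import ipaddress

# Cisco standard ACLs use a wildcard mask: a 0 bit must match the ACL address,
# a 1 bit is "don't care". The mask need not be contiguous, which is why a typo
# such as 0.0.0.250 silently selects only part of the subnet instead of failing.

def wildcard_from_prefix(prefix_len: int) -> str:
    """Wildcard mask for a /prefix_len network: 255.255.255.255 minus the subnet mask."""
    net = ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}")
    return str(net.hostmask)  # ipaddress calls the inverted subnet mask the hostmask

def acl_matches(address: str, acl_address: str, wildcard: str) -> bool:
    """True if `address` is selected by the entry `permit acl_address wildcard`."""
    a = int(ipaddress.IPv4Address(address))
    base = int(ipaddress.IPv4Address(acl_address))
    w = int(ipaddress.IPv4Address(wildcard))
    care = (~w) & 0xFFFFFFFF          # bits that must agree with the ACL address
    return (a & care) == (base & care)

def matched_hosts(acl_address: str, wildcard: str, subnet: str) -> list:
    """Hosts of `subnet` (excluding network and broadcast) the ACL entry selects."""
    return [str(h) for h in ipaddress.IPv4Network(subnet).hosts()
            if acl_matches(str(h), acl_address, wildcard)]

if __name__ == "__main__":
    # Constructed sample: the OP's inside subnet and the two ACL variants from the thread.
    subnet = "192.168.1.0/24"
    print("wildcard for /24:", wildcard_from_prefix(24))
    for wc in ("0.0.0.250", "0.0.0.255"):
        hosts = matched_hosts("192.168.1.0", wc, subnet)
        print(f"permit 192.168.1.0 {wc}: {len(hosts)} of 254 hosts translated; "
              f"192.168.1.1 matched={acl_matches('192.168.1.1', '192.168.1.0', wc)}")
```

With the typo, 192.168.1.1 (and every host whose last octet has bit 0 or bit 2 set) is never translated, which matches the "it still does not work" symptom.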
05-28-2012 04:19 AM
I think Giulio's answer is quite good.
I'd only add one thing:
I would change
ip route 0.0.0.0 0.0.x.x.x.121.117
for this other line:
ip route 0.0.0.0 0.0.0.0 Ethernet1/0
The router will not have to make another search and it should be faster.
You can view if NAT is the problem using
show ip nat translations
You should see if NAT is working fine.
Can you ping the next hop interface eth1/0?
Is your Eth1/0 up up?
05-28-2012 04:33 AM
Hi,
If you can't ping the other interface, make sure the IP address of your Eth1/0 is an IP address between 65.126.121.112/28 and 65.126.121.127/28 (except the next hop 65.126.121.117),
and eth1/0 should be up up, of course.
I hope this helps