Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
599
Views
0
Helpful
3
Replies

NAT/PAT on a 1720 Router

cisco515
Level 1
Level 1

‎12-20-2001 09:37 PM - edited ‎03-08-2019 09:27 PM

Hello all,

Was hoping to get some "basic" help with NAT, in this case running on a 1720 router. This is an Internet router, running Frame Relay to the provider. The Ethernet side is a /29 network. Since they want more than 5 users, and do not have a firewall, NAT/PAT is obviously needed.

The router has one serial interface, and one fastethernet interface. The basic configuration is as follows (abbreviated for brevity):

int serial 0

encap frame-relay IETF

frame-relay lmi-type ansi

no ip address

int serial 0.1

ip address 192.168.1.2/30

frame-relay interface-dlci 250

ip nat outside

int fastethernet 0

ip address 192.168.2.1/29

ip nat inside

ip nat pool TEST 192.168.2.2 192.168.2.2 prefix-length 29

ip nat inside source list 99 pool TEST overload

access-list 99 permit 172.16.15.0 0.0.0.255

OK, I believe I already realize some of my mistakes. As an Internet router, the router's current two interfaces are BOTH "outside interfaces." So, questions are:

1). I believe I have to have a second Fastethernet interface, configured with e.g. RFC 1918 address, reflecing inside network. This will be the NAT INSIDE interface. The original Fastethernet interface will be the NAT OUTSIDE interface. Is this correct?

2). Is there any way to avoid a second fastethernet interface, and use just the two interfaces-the LAN and WAN interfaces-and have NAT/PAT work properly? I don't believe so, but I would like to have a definitive answer before having this client spring for another interface.

So this is how I feel it will look afterwards:

int fastethernet 0

ip address 192.168.2.1/29

ip nat outside

int fastethernet 1

ip address 172.16.15.0/24

ip nat inside

ip nat pool TEST 192.168.2.2 192.168.2.2 prefix-length 29

ip nat inside source list 99 pool TEST overload

access-list 99 permit 172.16.15.0 0.0.0.255

(Or I could tell them to buy a firewall ;)

Thanks in advance!

Sean Geist, Network Engineer

SEALI.com

Labels:
0 Helpful
3 Replies 3

cisco515
Level 1
Level 1

‎12-22-2001 10:36 AM

Ok, this went over well ;)

I'll abbreviate it:

Can I use a LOOPBACK interface as the 'ip nat inside' interface (I know the commands are there), and have the internal structure use this loopback as their Default Gateway. I could then call the Ethernet interface (with globally routed IPs, or "Inside Global addresses" the "ip nat outside' Is this doable?

Thanks in advance!

Sean G.

SEALI.com

0 Helpful

ross.filipek
Level 1
Level 1
In response to cisco515

‎12-26-2001 06:29 AM

You could use the loopback, but you really don't need to. You also don't need multiple LAN interfaces. I'm assuming you've got a public IP on your serial interface, so you could just PAT your internal users to that. So if your serial IP is 200.200.200.200/30 (for example), and your internal network is 172.16.15.0/24, your config would look like this:

int serial 0

enc frame IETF

int serial 0.250 point

ip add 200.200.200.200 255.255.255.252

frame interface-dlci 250

no ip route-cache

ip nat out

int fast 0

ip add 172.16.15.0 255.255.255.0

ip nat in

access-list 99 permit 172.16.15.0 0.0.0.255

ip nat inside source list 99 int s0.250 over

Make sure that you disable fast switching (i.e., 'no ip route-cache') on your outside interface. Otherwise, the PAT won't work properly.

0 Helpful

cisco515
Level 1
Level 1
In response to ross.filipek

‎12-27-2001 09:17 PM

Ross,

Thanks for the info and reply! Much appreciated.

Have a happy new year all,

Sean Geist, CCNP

Network Engineer

SEALI.com

0 Helpful
Customers Also Viewed These Support Documents