08-29-2020 03:51 PM
DEAR ALL
I have a Cisco C887VA router. I need to configure the NAT pool on it with the secondary public IP from my ISP.
Here is the configuration, please advise.
----------------------------
Building configuration...
Current configuration : 5866 bytes
!
! Last configuration change at 21:42:04 Cairo Sat Aug 29 2020 by SAMEHELSAMMAK
! NVRAM config last updated at 20:56:33 Cairo Sat Aug 29 2020 by SAMEHELSAMMAK
!
version 15.8
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname C887VA-K9
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.158-3.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 10240
logging console critical
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
!
aaa session-id common
clock timezone Cairo 2 0
!
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcppool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 1.1.1.2 8.8.8.8
!
!
!
no ip bootp server
no ip domain lookup
ip domain name WORKGROUP
ip host CISCO887VA 192.168.1.1 196.*.*.1
ip name-server 208.67.222.222
ip name-server 1.1.1.2
ip name-server 8.8.8.8
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip cef
login block-for 120 attempts 5 within 60
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license feature MEM-8XX-512U1GB
license accept end user agreement
license boot module c800 level advipservices
!
!
archive
path flash:config
write-memory
redundancy
!
!
!
controller VDSL 0
operating mode vdsl2
sync mode itu
sra
no cdp run
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 10
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 196.*.*.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp pap sent-username *@tedata.net.eg password 7 *
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
ip http server
ip http access-class 4
ip http authentication local
no ip http secure-server
!
!
no ip ftp passive
ip nat inside source list 1 interface Dialer0 overload ( this is normal nat working now )
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
These don't work:
The gateway is: 196.*.*.1
The public IP is: 196.*.*.129
ip nat pool NAT-POOL 196.*.*.1 196.*.*.129 netmask 255.255.255.0
ip nat inside source list 1 pool NAT-POOL overload
ip nat pool NAT-POOL 196.*.*.1 196.*.*.255 prefix-length 24
ip nat inside source static 192.168.1.1 196.*.*.1 no-payload
!
ip access-list standard SSH_MGMT
permit 192.168.1.10
!
ip access-list extended STOP_PING
deny icmp any any
permit ip any any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 1 permit 196.*.*.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 196.*.*.0 0.0.0.255
access-list 4 remark HTTP Access-class list
access-list 4 remark CCP_ACL Category=1
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 deny any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 196.*.*.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
telephony-service
max-ephones 1
max-dn 5
max-conferences 4 gain -6
transfer-system full-consult
!
!
line con 0
exec-timeout 0 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 2 in
exec-timeout 0 0
authorization exec local_author
login authentication local_authen
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 132.163.97.3
!
!
!
!
!
!
!
end
Here is the routing data:
Gateway of last resort is 10.*.*.65 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.*.*.65
is directly connected, Dialer0
10.0.0.0/32 is subnetted, 1 subnets
C 10.*.*.65 is directly connected, Dialer0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.1/32 is directly connected, Vlan1
196.*.*.0/24 is variably subnetted, 2 subnets, 2 masks
C 196.*.*.0/24 is directly connected, Vlan1
L 196.*.*.1/32 is directly connected, Vlan1
196.*.*.0/32 is subnetted, 1 subnets
C 196.*.*.238 is directly connected, Dialer0 ( wan ip )
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
Dialer0 196.*.*.238 YES IPCP up up
Ethernet0 unassigned YES NVRAM up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
NVI0 unassigned YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 192.168.1.1 YES NVRAM up up
Please advise what to do to make it work and to make the gateway (196.*.*.1) the external IP for the router.
08-29-2020 11:33 PM
Hello,
Your NAT pool is specifying a complete Class C subnet, is that right?
Either way, the access list (1) does not look right. Try the simplified configuration below:
ip nat pool NAT-POOL 196.*.*.1 196.*.*.129 netmask 255.255.255.0
ip nat inside source list 1 pool NAT-POOL overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
08-30-2020 12:26 AM
Tried it, didn't work.
No browsing on the clients' PCs.
08-30-2020 02:06 AM
What is your WAN IP address range? You cannot use the LAN subnet for the NAT pool.
08-30-2020 02:17 AM
THE GATEWAY IS 196.218.46.1 255.255.255.0
08-30-2020 02:05 AM - edited 08-30-2020 02:06 AM
Hello
I need to configure the NAT pool on it with the secondary public IP from my ISP.
Interface Vlan1
description $FW_INSIDE$
ip address 196.*.*.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
The above doesn't really make sense. Why do you have ISP-assigned public addressing applied to the LAN interface of your router? I would have thought this secondary addressing would be assigned to the WAN interface.
Would I be correct in saying you wish to NAT your internal subnet 192.168.1.0/24 to 196.*.*.0/24?
08-30-2020 02:15 AM
YES SIR I WOULD LIKE THAT
DUE TO LACK OF AN IPV4 SEGMENT THEY GAVE US THIS SHARED SEGMENT FOR THE CLIENTS, AND THEY MANAGE IT
THE GATEWAY IS 196.218.46.1. I NEED ALL TRAFFIC COMING OUT OF THE ROUTER TO GET OUT THROUGH IT,
NOT THROUGH THE WAN IP *.*.*.238
ip http client source-interface Dialer0
ip nat pool KARIM-IP 196.218.46.1 196.218.46.254 netmask 255.255.255.0
ip nat inside source list 1 pool KARIM-IP overload
ip access-list standard 1
10 remark The local LAN.
10 permit 192.168.1.0 0.0.0.255
20 permit 192.0.0.0 0.255.255.255
30 permit 0.0.0.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
WILL THESE MODIFICATIONS WORK, OR DO I NEED TO CHANGE THEM?
08-30-2020 07:56 AM
Hello,
It is still unclear what you are trying to accomplish. Do you want all traffic to be NATted to 196.218.46.1? In your pool, you have specified a Class C subnet mask, is that what you really have?
You also need to remove the secondary IP address starting with 196 from your Vlan 1 interface.
Your access list 1 looks weird. Try the config below:
ip nat pool KARIM-IP 196.218.46.1 196.218.46.1 netmask 255.255.255.0
ip nat inside source list 1 pool KARIM-IP overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
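Both replies above say access-list 1 "does not look right" / "looks weird"; the reason is easiest to see with Cisco's wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored). The following is an added example, not code from this thread or from Cisco: it evaluates the posted ACL 1 and the suggested one-line replacement against a few constructed source addresses, and checks whether the first NAT pool overlaps the addresses configured on Vlan1. The 196.218.46.x values are the ones the original poster gave later in the thread; the other sample addresses and all function names are constructed for this example.

```python
"""Cisco standard-ACL (wildcard mask) evaluation and NAT-pool overlap check.

Added example for the thread above; not from the thread or from Cisco.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_lookup(entries, addr: str):
    """First-match evaluation of a standard ACL with the implicit deny at the end.

    Returns (action, matching-entry-text); ('deny', 'implicit') when nothing matched.
    """
    for action, base, wildcard in entries:
        if wildcard_match(addr, base, wildcard):
            return action, f"{base} {wildcard}"
    return "deny", "implicit"


def pool_overlaps(pool_start: str, pool_end: str, addresses):
    """Return the given addresses that fall inside an inclusive NAT pool range."""
    lo = int(ipaddress.IPv4Address(pool_start))
    hi = int(ipaddress.IPv4Address(pool_end))
    return [a for a in addresses if lo <= int(ipaddress.IPv4Address(a)) <= hi]


# access-list 1 as posted in the original running-config (196.218.46.0 taken
# from the poster's later message, where the range was given unmasked).
ACL1_POSTED = [
    ("permit", "0.0.0.0", "255.255.255.0"),      # any host whose last octet is 0
    ("permit", "192.168.1.0", "0.0.0.255"),      # the LAN, the only entry needed
    ("permit", "192.0.0.0", "0.255.255.255"),    # all of 192.0.0.0/8
    ("permit", "0.0.0.1", "255.255.255.0"),      # any host whose last octet is 1
    ("permit", "196.218.46.0", "0.0.0.255"),     # the ISP's public range itself
]

# The one-line replacement suggested in the replies.
ACL1_SUGGESTED = [("permit", "192.168.1.0", "0.0.0.255")]

# Addresses configured on Vlan1 in the posted config (primary and secondary).
VLAN1_ADDRESSES = ["192.168.1.1", "196.218.46.1"]

# Constructed sample sources: a LAN host, two hosts from unrelated ranges whose
# last octet happens to be 0 or 1, and one from another 192.x network.
SAMPLE_SOURCES = ["192.168.1.10", "172.16.5.0", "10.99.7.1", "192.0.2.77"]


def audit() -> dict:
    """Compare what each ACL permits and report pool/interface overlap."""
    return {
        "posted": {src: acl_lookup(ACL1_POSTED, src) for src in SAMPLE_SOURCES},
        "suggested": {src: acl_lookup(ACL1_SUGGESTED, src) for src in SAMPLE_SOURCES},
        # first pool the poster tried: 196.218.46.1 - 196.218.46.129
        "pool_overlap": pool_overlaps("196.218.46.1", "196.218.46.129", VLAN1_ADDRESSES),
    }


if __name__ == "__main__":
    result = audit()
    for name in ("posted", "suggested"):
        print(f"ACL 1 ({name}):")
        for src, (action, entry) in result[name].items():
            print(f"  {src:14} -> {action:6} via {entry}")
    print("pool overlaps Vlan1 addresses:", result["pool_overlap"])
```

Run as a script, the posted ACL permits every sample source (each matched by a different odd entry), while the suggested ACL permits only the LAN host and implicitly denies the rest; the overlap check shows the first pool contains 196.218.46.1, the address the router already has on Vlan1.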
08-30-2020 01:17 PM
DEAR SIR
YES I want all traffic to be natted to 196.218.46.1.
IF I REMOVE THE secondary IP address starting with 196 from your Vlan 1 interface,
WHERE DO I PUT IT? IN A SEPARATE VLAN (VLAN2), OR?
08-31-2020 12:53 AM - edited 08-31-2020 12:54 AM
Hello
As your WAN interface is dynamically learning its addressing, can you first test if you can ping that new gateway address? Because you have a connected dialer interface of 196.218.16.238, having a next-hop of 196.218.16.1 seems such a large IP range to be provided.
Once you've confirmed that the next-hop is valid, remove all the NAT pool configuration and append a simple policy route to point to your new next-hop address, and see if that works.