C887VA secondary IP NAT pool

SAMEHELSAMMAK (Beginner)

Dear all,

I have a Cisco C887VA router. I need to configure the NAT pool on it with the secondary public IP from my ISP.

Here is the configuration, please advise:

----------------------------

Building configuration...

Current configuration : 5866 bytes
!
! Last configuration change at 21:42:04 Cairo Sat Aug 29 2020 by SAMEHELSAMMAK
! NVRAM config last updated at 20:56:33 Cairo Sat Aug 29 2020 by SAMEHELSAMMAK
!
version 15.8
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname C887VA-K9
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.158-3.M2.bin
boot-end-marker
!
!
security authentication failure rate 3 log
logging buffered 10240
logging console critical
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
!
!
!
!
!
aaa session-id common
clock timezone Cairo 2 0
!
!
!
!
!
!
!
no ip source-route
!
!
!
!
!
!
!
!
!
!


!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool dhcppool
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 1.1.1.2 8.8.8.8
!
!
!
no ip bootp server
no ip domain lookup
ip domain name WORKGROUP
ip host CISCO887VA 192.168.1.1 196.*.*.1
ip name-server 208.67.222.222
ip name-server 1.1.1.2
ip name-server 8.8.8.8
ip inspect tcp max-incomplete host 1000 block-time 0
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 60
ip inspect tcp reassembly memory limit 256000
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip cef
login block-for 120 attempts 5 within 60
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license feature MEM-8XX-512U1GB
license accept end user agreement
license boot module c800 level advipservices
!
!
archive
path flash:config
write-memory
redundancy
!
!
!
controller VDSL 0
operating mode vdsl2
sync mode itu
sra
no cdp run
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 10
!
!
!
!
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no atm ilmi-keepalive
!
interface Ethernet0
description $ETH-WAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address

!
interface FastEthernet3
no ip address

!
interface Vlan1
description $FW_INSIDE$
ip address 196.*.*.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp pap sent-username *@tedata.net.eg password 7 *
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip forward-protocol nd
ip http server
ip http access-class 4
ip http authentication local
no ip http secure-server
!
!
no ip ftp passive
ip nat inside source list 1 interface Dialer0 overload   (this is the normal NAT, working now)
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

 

These don't work:

The gateway is: 196.*.*.1
The public IP is: 196.*.*.129

ip nat pool NAT-POOL 196.*.*.1 196.*.*.129 netmask 255.255.255.0
ip nat inside source list 1 pool NAT-POOL overload

ip nat pool NAT-POOL 196.*.*.1 196.*.*.255 prefix-length 24
ip nat inside source static 192.168.1.1 196.*.*.1 no-payload

!
ip access-list standard SSH_MGMT
permit 192.168.1.10
!
ip access-list extended STOP_PING
deny icmp any any
permit ip any any
!
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipv6 permit
ipv6 ioam timestamp
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 1 permit 0.0.0.1 255.255.255.0
access-list 1 permit 196.*.*.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 196.*.*.0 0.0.0.255
access-list 4 remark HTTP Access-class list
access-list 4 remark CCP_ACL Category=1
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 deny any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 196.*.*.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
telephony-service
max-ephones 1
max-dn 5
max-conferences 4 gain -6
transfer-system full-consult
!
!
line con 0
exec-timeout 0 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 2 in
exec-timeout 0 0
authorization exec local_author
login authentication local_authen
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
ntp master
ntp update-calendar
ntp server 132.163.97.3
!
!
!
!
!
!
!
end

 

Here is the routing data:

 

Gateway of last resort is 10.*.*.65 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.*.*.65
is directly connected, Dialer0
10.0.0.0/32 is subnetted, 1 subnets
C 10.*.*.65 is directly connected, Dialer0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, Vlan1
L 192.168.1.1/32 is directly connected, Vlan1
196.*.*.0/24 is variably subnetted, 2 subnets, 2 masks
C 196.*.*.0/24 is directly connected, Vlan1
L 196.*.*.1/32 is directly connected, Vlan1
196.*.*.0/32 is subnetted, 1 subnets
C 196.*.*.238 is directly connected, Dialer0 (WAN IP)


Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
Dialer0 196.*.*.238 YES IPCP up up
Ethernet0 unassigned YES NVRAM up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
NVI0 unassigned YES unset up up
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Vlan1 192.168.1.1 YES NVRAM up up

 

Please advise what to do to make it work and make the gateway (196.*.*.1) the external IP of the router.

9 Replies

Georg Pauwen (VIP Master)

Hello,

your NAT pool is specifying a complete Class C subnet, is that right?

Either way, the access list (1) does not look right. Try the simplified configuration below:

ip nat pool NAT-POOL 196.*.*.1 196.*.*.129 netmask 255.255.255.0
ip nat inside source list 1 pool NAT-POOL overload
!
access-list 1 permit 192.168.1.0 0.0.0.255

Tried it, didn't work.

No browsing on the clients' PCs.

What is your WAN IP address range? You cannot use the LAN subnet for the NAT pool.

The gateway is 196.218.46.1 255.255.255.0

paul driver (VIP Expert)

Hello

"i need to configure the nat pool on it with the secondary public ip from my isb"

Interface Vlan1
description $FW_INSIDE$
ip address 196.*.*.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0

The above doesn't really make sense. Why do you have ISP-assigned public addressing applied to the LAN interface of your router? I would have thought this secondary addressing would be assigned to the WAN interface.

Would I be correct in saying you wish to NAT your internal subnet 192.168.1.0/24 to 196.*.*.0/24?

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Yes sir, I would like that.

Due to a lack of IPv4 segments they gave us this shared segment for the clients, and they manage it.

The gateway is 196.218.46.1; I need all traffic coming out of the router to get out through it, not through the WAN IP *.*.*.238.

ip http client source-interface Dialer0

ip nat pool KARIM-IP 196.218.46.1 196.218.46.254 netmask 255.255.255.0
ip nat inside source list 1 pool KARIM-IP overload

ip access-list standard 1
 10 remark The local LAN.
 10 permit 192.168.1.0 0.0.0.255
 20 permit 192.0.0.0 0.255.255.255
 30 permit 0.0.0.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 Dialer0 permanent

Will these modifications work, or do I need to change them?

 

Hello,

it is still unclear what you are trying to accomplish. Do you want all traffic to be NATted to 196.218.46.1? In your pool, you have specified a class C subnet mask, is that what you really have?

You also need to remove the secondary IP address starting with 196 from your Vlan 1 interface.

Your access list 1 looks weird. Try the config below:

ip nat pool KARIM-IP 196.218.46.1 196.218.46.1 netmask 255.255.255.0
ip nat inside source list 1 pool KARIM-IP overload
!
access-list 1 permit 192.168.1.0 0.0.0.255
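To make the two objections raised in this thread concrete (the pool spans a whole class C that includes the ISP's gateway, and list 1 matches far more than the LAN), here is an added example that is not part of the thread and not Cisco code: a small Python script that evaluates IOS standard-ACL wildcard entries the way the router does (a 1 bit in the wildcard means "don't care", first match wins, implicit deny at the end) and runs sanity checks on an `ip nat pool` range. The ACL lines are copied from the posted configuration; 196.218.46.0/24 with .1 as the ISP gateway and .129 as the customer's public IP are the values the poster gives, the sample source addresses are constructed for illustration, and the function names (`parse_ace`, `acl_action`, `check_nat_pool`) are this example's own.

```python
from ipaddress import IPv4Address, IPv4Network

# Constructed sample input, copied from the thread. 196.218.46.0/24 is the block the
# poster names as the ISP-assigned segment (masked as 196.*.*.* elsewhere in the post).
ORIGINAL_ACL = [
    "access-list 1 permit 0.0.0.0 255.255.255.0",
    "access-list 1 permit 192.168.1.0 0.0.0.255",
    "access-list 1 permit 192.0.0.0 0.255.255.255",
    "access-list 1 permit 0.0.0.1 255.255.255.0",
    "access-list 1 permit 196.218.46.0 0.0.0.255",
]
FIXED_ACL = ["access-list 1 permit 192.168.1.0 0.0.0.255"]


def parse_ace(line):
    """Parse one numbered standard ACL entry into (action, base, wildcard).

    Syntax: access-list <n> {permit|deny} {any | host <addr> | <addr> [<wildcard>]}.
    In an IOS wildcard a 1 bit means "don't care" and a 0 bit means "must match";
    an omitted wildcard is 0.0.0.0 (exact host).
    """
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]                      # drop "access-list <n>"
    action, src = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"not a standard ACE: {line}")
    if src == "any":
        return action, IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255")
    if src == "host":
        return action, IPv4Address(tokens[2]), IPv4Address("0.0.0.0")
    wildcard = IPv4Address(tokens[2]) if len(tokens) > 2 else IPv4Address("0.0.0.0")
    return action, IPv4Address(src), wildcard


def ace_matches(ace, addr):
    """True when addr equals base on every bit the wildcard leaves as 0."""
    _, base, wildcard = ace
    care = 0xFFFFFFFF ^ int(wildcard)
    return (int(IPv4Address(addr)) & care) == (int(base) & care)


def ace_size(ace):
    """How many addresses one entry covers: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(int(ace[2])).count("1")


def acl_action(acl_lines, addr):
    """First-match evaluation, with the implicit 'deny' IOS appends to every ACL."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, addr):
            return ace[0]
    return "deny"


def check_nat_pool(start, end, netmask, gateway=None):
    """Sanity-check 'ip nat pool <name> <start> <end> netmask <mask>'.

    Returns a list of problems; an empty list means the range is self-consistent.
    'gateway' is the ISP's own address, which must not be handed out as a
    translation address.
    """
    problems = []
    net = IPv4Network(f"{start}/{netmask}", strict=False)
    first, last = IPv4Address(start), IPv4Address(end)
    if last < first:
        problems.append("end address is lower than start address")
    if last not in net:
        problems.append(f"end {end} lies outside {net}")
    if first == net.network_address or last == net.broadcast_address:
        problems.append(f"range includes the network or broadcast address of {net}")
    if gateway is not None and first <= IPv4Address(gateway) <= last:
        problems.append(f"range includes the ISP gateway {gateway}")
    return problems


if __name__ == "__main__":
    # Sources that the original list 1 (the NAT "inside source" selector) quietly matches.
    for addr in ("192.168.1.10", "192.55.1.77", "10.200.7.0", "10.200.7.1", "10.200.7.5"):
        print(f"{addr:>14}: original={acl_action(ORIGINAL_ACL, addr):6} "
              f"fixed={acl_action(FIXED_ACL, addr)}")
    for line in ORIGINAL_ACL:
        print(f"{ace_size(parse_ace(line)):>10} addresses <- {line}")
    # The pool ranges tried in the thread, checked against the ISP gateway .1.
    for pool in (("196.218.46.1", "196.218.46.129"), ("196.218.46.1", "196.218.46.255"),
                 ("196.218.46.129", "196.218.46.129")):
        print(pool, check_nat_pool(*pool, "255.255.255.0", gateway="196.218.46.1") or "ok")
```

Running it shows that the original list 1 also selects every 192.0.0.0/8 source and any address whose last octet is 0 or 1 for translation, and that both pool ranges the poster tried include 196.218.46.1, the address the thread says belongs to the ISP (the second range also ends on the /24 broadcast address). A pool consisting of the single address the ISP actually assigned to the customer (.129 in the thread) passes; the single-address form with .1 is flagged for the same gateway reason. Separately, the posted running-config applies `ip access-group 102 in` on Dialer0 and `access-class 2 in` on the VTY lines but defines no access-list 2 or 102; in IOS an access-group or access-class that references an undefined ACL filters nothing, so the WAN inbound filter and the VTY restriction are currently no-ops and should be defined before the router sits on a public segment.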

Dear Sir,

Yes, I want all traffic to be NATted to 196.218.46.1.

If I remove the secondary IP address starting with 196 from the Vlan 1 interface, where do I put it? In a separate VLAN (VLAN 2), or ...?

Hello

As your WAN interface is dynamically learning its addressing, can you first test whether you can ping that new gateway address? Because you have a connected dialer interface of 196.218.16.238, having a next hop of 196.218.16.1 seems such a large IP range to be provided.

Once you've confirmed that next hop is valid, remove all the NAT pool configuration and append a simple policy route to point to your new next-hop address, and see if that works.

Kind Regards
Paul