Cisco 4431 public IPs static NAT

isquare (Level 1)

The ISP, from the fiber terminal (a Cisco ASR), gave me an ethernet cable on the WAN subnet 1.1.1.170/31.
The IP 1.1.1.170 is the ISP's gateway.
On the ethernet port 'eth0' of the 4431 I set the IP to 1.1.1.171.

Now, on the other ethernet port 'eth1' of the 4431 lies my LAN at 10.0.0.0/24 and 'eth1' holds the address 10.0.0.1.

The ISP has provided a set of 8 public IPs, 2.2.2.120/29, which routes to my WAN IP 1.1.1.171.

I cannot use any of the other ethernet ports of the 4431. I also do not want to assign public IPs to my LAN.

Can I use static NAT to forward the 8 public IPs to machines on my LAN (10.0.0.0/24)?
That is without assigning these public IPs to any port on the 4431.

If the WAN port of the 4431 is set to overload NAT outside for other LAN machines to access the Internet, will this affect the static NAT machines which correspond to the translated public IPs and are used as servers?

Any reply would be greatly appreciated.

[I have used 1.1.1.1 and 2.2.2.2 for the public IPs as I cannot reveal the real ones. Beg your patience and understanding.]

7 Replies

Sure you can.
Public IP 1.1.1.171: use it for the WAN interface.
Public IP 1.1.1.172: use it for static NAT: "ip nat inside source static <LAN workstation> 1.1.1.172"
etc.

MHM

Well, the IP 1.1.1.172 is not available; it's a /31 subnet. Just my 4431 on 1.1.1.171 and the ISP's gateway on 1.1.1.170 on the other side of the fiber.

I guess you meant one of the public IPs that the ISP has provided, let's say 2.2.2.122 for example.

So the static NAT command becomes "ip nat inside source static <LAN workstation> 2.2.2.122".

That is my question really. If the 4431 does not have any of its interfaces on the 2.2.2.120/29 subnet, how does it 'know' that it can route this subnet and not send the packets back to its gateway? Is the above NAT inside command enough to make 2.2.2.120/29 a known subnet? Or do I need to add a route command sending any packet destined to 2.2.2.120/29 and arriving on the WAN to the LAN interface?

As it is now, the 4431 does not know anything about the 2.2.2.120/29 subnet except for the NAT inside directive.

The ISP provides IPs in the same subnet. I don't think these IPs are from the same ISP.

If it is from the ISP, then you can add one of the public IPs you get under the WAN interface connected to the ISP, not as primary but as secondary.

And use it with NAT.

MHM

Hello


@isquare wrote:
Can I use static NAT to forward the 8 public IPs to machines on my LAN (10.0.0.0/24)?
That is without assigning these public IPs to any port on the 4431.


Yes you can, without assigning any secondary addressing to eth0.
The ISP will probably have a static route towards your rtr for this subnet and be advertising 2.2.2.120/29 for you, so all you need to do is NAT on those PIPs and you will be fine.

example: - your rtr
! WAN side of the /31: the router holds .171, the ISP gateway is .170
int eth0
 description WAN
 ip address 1.1.1.171 255.255.255.254
 ip nat outside
!
int xx
 description LAN
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
! default route towards the ISP gateway
ip route 0.0.0.0 0.0.0.0 eth0 1.1.1.170
! hosts with a static translation are kept out of the dynamic (PAT) rule
access-list 100 deny ip host 10.0.0.10 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
! PIPs used for PAT; .126 is reserved below for the static entry
ip nat pool PUBIP 2.2.2.121 2.2.2.125 prefix-length 29
ip nat inside source static 10.0.0.10 2.2.2.126
ip nat inside source list 100 pool PUBIP overload
! edited - apologies, I missed this!


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you so much for the reply.

The only blurred thing is the NAT pool PUBIP at the end of your code excerpt. I understand that access-list 100 excludes 2.2.2.126, which receives a static NAT. But what about the rest of the public IPs? Being part of the NAT pool, what happens to packets destined to one of those? Do you have to explicitly include them in the NAT pool even if you might not use them?

Hello
It's a pool of addresses that the rtr will use to provide dynamic port address translation for your LAN hosts. It will choose the first available PIP in the pool, look up a relevant source port to use for a LAN host and translate; if no port is available from that first IP it will use the next PIP in the pool and again try to perform PAT.

Note: you do not need to have all your PIPs in the pool; you can use a single address if applicable.



Kind Regards
Paul

Excellent! Perfectly understood.

Couldn’t I use the WAN interface IP 1.1.1.171 to overload? So that I could use all 6 PIPs for static NAT?
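The setup the thread converges on, written out as an added example (not any poster's configuration): the routed 2.2.2.120/29 is never configured on an interface, each of its six host addresses is handed to a LAN machine by a static translation, and the rest of the LAN is overloaded behind the WAN address itself so that no pool is needed. Interface names GigabitEthernet0/0/0 (the thread's "eth0") and GigabitEthernet0/0/1 ("eth1"), the LAN hosts 10.0.0.10 to 10.0.0.15, and the service ports in the inbound filter are assumptions; 1.1.1.x and 2.2.2.x are the thread's placeholder addresses.

```cisco
! Added example, not from the thread. Assumed: ISR 4431 ports
! GigabitEthernet0/0/0 = WAN ("eth0"), GigabitEthernet0/0/1 = LAN ("eth1").
interface GigabitEthernet0/0/0
 description WAN to ISP (1.1.1.170/31, gateway 1.1.1.170)
 ip address 1.1.1.171 255.255.255.254
 ip access-group WAN-IN in
 ip nat outside
 no shutdown
!
interface GigabitEthernet0/0/1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 1.1.1.170
!
! Static one-to-one translations. 2.2.2.120/29 is not on any interface; the
! ISP routes it to 1.1.1.171 and the NAT table answers for each address.
! Only the six host addresses .121-.126 are used, as in the thread.
ip nat inside source static 10.0.0.10 2.2.2.121
ip nat inside source static 10.0.0.11 2.2.2.122
ip nat inside source static 10.0.0.12 2.2.2.123
ip nat inside source static 10.0.0.13 2.2.2.124
ip nat inside source static 10.0.0.14 2.2.2.125
ip nat inside source static 10.0.0.15 2.2.2.126
!
! Everything else is PAT'ed behind the WAN address (no pool), which leaves all
! six PIPs free for static entries. Statically mapped hosts are kept out of
! the dynamic rule, following Paul's approach in the thread.
ip access-list extended NAT-DYNAMIC
 deny   ip host 10.0.0.10 any
 deny   ip host 10.0.0.11 any
 deny   ip host 10.0.0.12 any
 deny   ip host 10.0.0.13 any
 deny   ip host 10.0.0.14 any
 deny   ip host 10.0.0.15 any
 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list NAT-DYNAMIC interface GigabitEthernet0/0/0 overload
!
! A static translation exposes the whole mapped host, so limit what the
! Internet can reach. An inbound ACL on the outside interface is evaluated
! before outside-to-inside translation, so it matches the public addresses.
! Service ports below are assumed examples.
ip access-list extended WAN-IN
 remark published services on the static PIPs (assumed: HTTPS on .121, SMTP on .122)
 permit tcp any host 2.2.2.121 eq 443
 permit tcp any host 2.2.2.122 eq 25
 remark return traffic for sessions opened from the LAN
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
```

Verify with "show ip nat translations" (the six static entries appear immediately, the overload entries only once LAN hosts open sessions) and "show ip nat statistics". The WAN-IN filter is stateless: "established" only admits TCP segments with ACK or RST set and the UDP line only admits DNS replies, so on an ISR 4431 the zone-based firewall (zone-pair with inspect) is the fuller replacement when other UDP services from the LAN are in use.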
