12-20-2018 01:02 PM
Hi,
I'm looking for some help in configuring NAT on my Cisco 891F router.
I have a pool of five public ip addresses provided by my ISP and would like to configure my router so that the router itself uses one of them as its WAN interface and for the remaining addresses to be mapped to the 192.168.1.x addresses on my inside private network.
I found an example, which I’ve listed below, on the forum that I think goes some way towards the configuration I'm looking for (except that I'm not looking to restrict bandwidth for the purpose of voice traffic as required in the example).
I have some questions about access lists and I would like to know if I need to configure an access list entry for each of the public to private address mappings and, if so, how do I go about it?
Example
interface Gi0/0
 description ### WAN interface ###
 ip address 21.20.20.2 255.255.255.248
 bandwidth 20000
!
ip route 0.0.0.0 0.0.0.0 21.20.20.1
interface Gi0/1
 description ### LAN interface ###
 ip address 192.168.1.1 255.255.255.0
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT interface Gi0/0 overload
!
interface Gi0/1
 ip nat inside
!
interface Gi0/0
 ip nat outside
ip nat inside source static 192.168.1.10 21.20.20.3
! Classify voice RTP traffic
access-list 100 permit udp any any range 16384 32767
class-map voip
 match access-group 100
! Classify traffic incoming to your email server
access-list 110 permit ip any host 21.20.20.3
class-map email
 match access-group 110
! Configuration of outbound policy-map (from internal to internet)
policy-map PMAP-OUT
 class voip
  priority 5000
 class class-default
! Configuration of outbound policy-map (from internet to internal)
policy-map PMAP-IN
 class email
  bandwidth 5000
 class class-default
! Apply policy-map to your WAN interface
interface Gi0/0
 service-policy output PMAP-OUT
 service-policy input PMAP-IN
12-20-2018 01:09 PM
Hello,
do you want static NAT mappings for the remaining four public IP addresses, or can they be randomly used by any of your inside hosts?
If you have static mappings you don't need matching access lists...
Post the running configuration as you have it now (show run)...
12-20-2018 01:25 PM
Hi and thank you for your reply.
The mappings will be static, for example one being used for a mail server and the others for web servers with fixed 192.168.x addresses.
12-20-2018 01:28 PM
I forgot to add, I don't currently have a running configuration as it's a new router I'm about to configure.
12-20-2018 01:47 PM
Hello,
in that case, what you posted looks perfect. Just add a static entry for each of the four servers and leave the rest as is.
The entire config would look like this (I added 'fair-queue' to the default classes):
interface Gi0/0
 description ### WAN interface ###
 ip address 21.20.20.2 255.255.255.248
 service-policy output PMAP-OUT
 service-policy input PMAP-IN
 ip nat outside
 bandwidth 20000
!
interface Gi0/1
 description ### LAN interface ###
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT interface Gi0/0 overload
ip nat inside source static 192.168.1.10 21.20.20.3
ip nat inside source static 192.168.1.11 21.20.20.4
ip nat inside source static 192.168.1.12 21.20.20.5
ip nat inside source static 192.168.1.13 21.20.20.6
!
ip route 0.0.0.0 0.0.0.0 21.20.20.1
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit udp any any range 16384 32767
access-list 110 permit ip any host 21.20.20.3
!
class-map voip
 match access-group 100
!
class-map email
 match access-group 110
!
policy-map PMAP-OUT
 class voip
  priority 5000
 class class-default
  fair-queue
!
policy-map PMAP-IN
 class email
  bandwidth 5000
 class class-default
  fair-queue
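Added example, not part of the original thread or of any poster's configuration: a one-to-one static NAT entry needs no matching access list to work, but it also translates every protocol and port, and the NAT access list in this thread only selects traffic for overload, it filters nothing. The Python sketch below audits a pasted configuration for that exposure; `audit_nat` and `SAMPLE_CONFIG` are hypothetical names, and the sample is constructed from the thread's NAT lines.

```python
import re

# Constructed sample: the thread's NAT lines, third static entry made port-specific.
SAMPLE_CONFIG = """\
interface Gi0/0
 ip nat outside
!
interface Gi0/1
 ip nat inside
!
ip nat inside source list NAT interface Gi0/0 overload
ip nat inside source static 192.168.1.10 21.20.20.3
ip nat inside source static 192.168.1.11 21.20.20.4
ip nat inside source static tcp 192.168.1.12 443 21.20.20.5 443
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"
FULL_STATIC = re.compile(rf"^ip nat inside source static {IP} {IP}(?:\s|$)")
PORT_STATIC = re.compile(rf"^ip nat inside source static (tcp|udp) {IP} (\d+) {IP} (\d+)")
ACL_IN = re.compile(r"^ip access-group (\S+) in$")

def audit_nat(config):
    """Report static NAT mappings and outside interfaces with no inbound ACL."""
    ifaces, current = {}, None
    one_to_one, port_limited = [], []
    for raw in config.splitlines():
        line = raw.strip()  # forum pastes often lose IOS indentation
        if line.startswith("interface "):
            current = line.split()[1]
            ifaces[current] = {"outside": False, "acl_in": None}
        elif line == "ip nat outside" and current:
            ifaces[current]["outside"] = True
        elif current and (m := ACL_IN.match(line)):
            ifaces[current]["acl_in"] = m.group(1)
        elif m := PORT_STATIC.match(line):
            proto, local, lport, glob, gport = m.groups()
            port_limited.append((proto, local, int(lport), glob, int(gport)))
        elif m := FULL_STATIC.match(line):
            one_to_one.append(m.groups())
    unfiltered = [n for n, i in ifaces.items() if i["outside"] and not i["acl_in"]]
    return {
        "unfiltered_outside": unfiltered,
        # One-to-one entries are reachable on all ports when nothing filters inbound.
        "exposed_all_ports": one_to_one if unfiltered else [],
        "port_limited": port_limited,
    }

if __name__ == "__main__":
    print(audit_nat(SAMPLE_CONFIG))
```

The check only establishes that an inbound access list is applied to the outside interface; whether that list actually restricts the mapped servers to their service ports still has to be reviewed by hand.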
12-20-2018 02:04 PM
That’s excellent, thank you very much for clarifying this.
Much appreciated.