Help in configuring NAT on a Cisco 891F router.

GCannell
Level 1

Hi,

I'm looking for some help in configuring NAT on my Cisco 891F router.

I have a pool of five public IP addresses provided by my ISP and would like to configure my router so that the router itself uses one of them as its WAN interface and for the remaining addresses to be mapped to the 192.168.1.x addresses on my inside private network.

I found an example, which I’ve listed below, on the forum that I think goes some way towards the configuration I'm looking for (except that I'm not looking to restrict bandwidth for the purpose of voice traffic as required in the example).

I have some questions about access lists and I would like to know if I need to configure an access list entry for each of the public to private address mappings and, if so, how do I go about it?

https://community.cisco.com/t5/other-service-provider-subjects/how-to-route-public-ip-and-assign-particulr-speed-on-same-routed/td-p/3064360

Example

interface Gi0/0
 description ### WAN interface ###
 ip address 21.20.20.2 255.255.255.248
 bandwidth 20000
!
ip route 0.0.0.0 0.0.0.0 21.20.20.1

LAN interface configuration

interface Gi0/1
 description ### LAN interface ###
 ip address 192.168.1.1 255.255.255.0

NAT Configuration (dynamic NAT to allow all internal hosts to access internet)

ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
ip nat inside source list NAT interface Gi0/0 overload
!
interface Gi0/1
 ip nat inside
!
interface Gi0/0
 ip nat outside

NAT configuration (static NAT) for your email server

ip nat inside source static 192.168.1.10 21.20.20.3

QoS configuration

==> Classify voice RTP traffic

access-list 100 permit udp any any range 16384 32767
class-map voip
 match access-group 100

==> Classify traffic incoming to your email server

access-list 110 permit ip any host 21.20.20.3
class-map email
 match access-group 110

==> Configuration of outbound policy-map (from internal to internet)

policy-map PMAP-OUT
 class voip
  priority 5000
 class class-default

==> Configuration of outbound policy-map (from internet to internal)

policy-map PMAP-IN
 class email
  bandwidth 5000
 class class-default

==> Apply policy-map to your WAN interface

interface Gi0/0
 service-policy output PMAP-OUT
 service-policy input PMAP-IN

5 Replies

Hello,

Do you want static NAT mappings for the remaining four public IP addresses, or can they be randomly used by any of your inside hosts?

If you have static mappings you don't need matching access lists...

Post the running configuration as you have it now (show run)...

Hi and thank you for your reply.

The mappings will be static, for example one being used for a mail server and the others for web servers with fixed 192.168.x addresses.

I forgot to add, I don't currently have a running configuration as it's a new router I'm about to configure.

Hello,

In that case, what you posted looks perfect. Just add a static entry for each of the four servers and leave the rest as is.

The entire config would look like this (I added 'fair-queue' to the default classes):

interface Gi0/0
 description ### WAN interface ###
 ip address 21.20.20.2 255.255.255.248
 service-policy output PMAP-OUT
 service-policy input PMAP-IN
 ip nat outside
 bandwidth 20000
!
interface Gi0/1
 description ### LAN interface ###
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Dynamic PAT on the WAN address for all inside hosts matched by ACL "NAT"
ip nat inside source list NAT interface Gi0/0 overload
! One static one-to-one mapping per server (no ACL needed for these)
ip nat inside source static 192.168.1.10 21.20.20.3
ip nat inside source static 192.168.1.11 21.20.20.4
ip nat inside source static 192.168.1.12 21.20.20.5
ip nat inside source static 192.168.1.13 21.20.20.6
!
ip route 0.0.0.0 0.0.0.0 21.20.20.1
!
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit udp any any range 16384 32767
access-list 110 permit ip any host 21.20.20.3
!
class-map voip
 match access-group 100
!
class-map email
 match access-group 110
!
policy-map PMAP-OUT
 class voip
  priority 5000
 class class-default
  fair-queue
!
policy-map PMAP-IN
 class email
  bandwidth 5000
 class class-default
  fair-queue

That’s excellent, thank you very much for clarifying this.

Much appreciated.
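
An added example, not part of the original thread or any poster's configuration: a one-to-one `ip nat inside source static` entry maps every port of the inside host to its public address, so what the servers expose is decided by an inbound ACL on the outside interface, not by the NAT statements. The ACL name `WAN-IN`, the service ports (SMTP for the mail server, HTTP/HTTPS for the three web servers) and the DNS and ICMP reply entries are assumptions; addresses and interface names are the ones used in the thread.

```cisco
! Constructed example: inbound filter for the thread's static NAT mappings.
! An inbound ACL on the "ip nat outside" interface is evaluated before the
! destination is translated, so entries match the public 21.20.20.x
! addresses, not the 192.168.1.x addresses.
ip access-list extended WAN-IN
 remark Mail server 192.168.1.10 = 21.20.20.3 (SMTP only, assumed)
 permit tcp any host 21.20.20.3 eq smtp
 remark Web servers 192.168.1.11-13 = 21.20.20.4-6 (HTTP/HTTPS, assumed)
 permit tcp any host 21.20.20.4 eq www
 permit tcp any host 21.20.20.4 eq 443
 permit tcp any host 21.20.20.5 eq www
 permit tcp any host 21.20.20.5 eq 443
 permit tcp any host 21.20.20.6 eq www
 permit tcp any host 21.20.20.6 eq 443
 remark Replies to connections opened from the inside (PAT and servers)
 permit tcp any any established
 permit udp any eq domain 21.20.20.0 0.0.0.7
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 remark All other inbound traffic, including other server ports, is dropped
 deny ip any any log
!
interface Gi0/0
 ip access-group WAN-IN in
```

This filter is stateless: `established` only checks TCP flags and any other UDP reply traffic needs its own entry, so a zone-based firewall on the router is the stateful alternative. Check hit counts with `show ip access-lists WAN-IN` after applying it.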
