How to properly configure NAT

Islam Nadim
Level 1

Hello All,

I have this topology below:

(attached topology diagram: topo.png)

When I use the VPN router to ping any IP Address on the WAN side, it works since I have a default route

IslamVPN#sh run | i ip route

ip route 0.0.0.0 0.0.0.0 192.168.1.1

On the LAN router, I can only ping the 192.168.1.0/24 subnet.

IslamLAN#ping 192.168.1.250

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.250, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/24/40 ms

IslamLAN#ping 192.168.1.6

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.6, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/41/84 ms

Other than that, I can't ping anything:

IslamLAN#ping 4.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 4.2.2.2, timeout is 2 seconds:

.....

Success rate is 0 percent (0/5)

I tried to apply NAT on the VPN router, but I can't figure out the correct way to achieve this.

The VPN router will connect to a remote VPN router on a different REAL network, on a PC that belongs to a friend of mine, where we have already enabled ports 50 and 500 on our routers (LinkSys and DLink, if this helps).

All I need for now is to create a NAT Rule that translates anything, except the VPN traffic, from the LAN Router going through the VPN router to the Internet. How can I achieve this?

NOTE: I already tried ip nat inside and ip nat outside on the LAN/WAN interfaces of the VPN router and used ip nat overload, but it didn't work! The NAT table is always empty!

9 Replies

Jon Marshall
Hall of Fame

What is your local subnet, is it 10.10.2.0/24 ?

Could you post the NAT configuration that didn't work ?

Jon

Unfortunately I have removed all the NAT configuration. My Local Subnet is 10.10.2.0/24

Try this -

access-list 101 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 10.10.2.0 0.0.0.255 any

ip nat inside source list 101 interface <outside-interface> overload

you will also need "ip nat inside" and "ip nat outside" on the relevant interfaces.

Jon

So my config should look like this?

conf t

interface FastEthernet0/1

ip address 192.168.1.250 255.255.255.0

description -- WAN INTERFACE --

ip nat outside

exit

interface FastEthernet0/0

ip address 10.10.2.1 255.255.255.0

description -- LAN INTERFACE --

ip nat inside

exit

access-list 101 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 10.10.2.0 0.0.0.255 any

ip nat inside source list 101 interface FastEthernet0/1 overload

And if I add other networks behind 10.10.2.0/24, should I add them to ACL 101?

CSCO11508096
Level 1

Dear Islam,

It seems your NAT configuration is not working because a public IP is not configured on the WAN interface of your IslamVPN router.

Configure the public IP on the WAN interface.

Add the interface commands on IslamVPN:

"ip nat outside" on the WAN interface

"ip nat inside" on the LAN interfaces

Create an ACL for the LAN pool.

Add this command in global configuration mode:

ip nat inside source list "ACL" interface <WAN interface> overload

Thanks

Shashi

But I don't understand why you are adding a deny ACL entry.

access-list 101 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255

Yes, if you add any network in the LAN you need to permit it in ACL 101.

Shashi

The deny line is needed so that traffic from 10.10.2.0 0.0.0.255 going down the VPN is not subjected to NAT.

If you just used a permit line then VPN traffic would also be subjected to NAT and the OP does not want that.

Jon

And if I add other networks behind 10.10.2.0/24, should I add them to ACL 101?

Yes. If you want to add a new network and this network should also be able to use the VPN you need to -

1) add a deny line before the permit lines

2) add a permit line for the new network

Jon
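As an added illustration that is not part of the thread: a small Python model of how IOS walks ACL 101 as the NAT inside source list (first matching entry wins, implicit deny at the end). It applies Jon's two steps for an assumed second LAN network 10.10.3.0/24 and shows why a permit placed before the deny would NAT the VPN-bound traffic.

```python
import ipaddress


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', so only 0 bits are compared."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def parse_acl(lines):
    """Parse 'access-list <n> deny|permit ip <src> <wc> (<dst> <wc>|any)' lines."""
    entries = []
    for line in lines:
        tok = line.split()
        action, src, swc = tok[2], tok[4], tok[5]
        if tok[6] == "any":
            dst, dwc = "0.0.0.0", "255.255.255.255"  # 'any' = all bits don't care
        else:
            dst, dwc = tok[6], tok[7]
        entries.append((action, src, swc, dst, dwc))
    return entries


def nat_decision(acl, src: str, dst: str, outside_ip: str = "192.168.1.250") -> str:
    """Return the source address a packet leaves with: the WAN interface address
    (Fa0/1 = 192.168.1.250 in the thread) if the first matching entry is a permit,
    otherwise the original source (deny, or the implicit deny at the end)."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return outside_ip if action == "permit" else src
    return src


# ACL 101 as posted, extended per Jon's steps for an assumed extra LAN 10.10.3.0/24:
# the deny lines come first, then one permit per inside network.
ACL_101 = parse_acl([
    "access-list 101 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 10.10.3.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 10.10.2.0 0.0.0.255 any",
    "access-list 101 permit ip 10.10.3.0 0.0.0.255 any",
])

# Same entries with the permit first: the VPN-bound flow now hits the permit.
ACL_WRONG_ORDER = parse_acl([
    "access-list 101 permit ip 10.10.2.0 0.0.0.255 any",
    "access-list 101 deny ip 10.10.2.0 0.0.0.255 192.168.1.0 0.0.0.255",
])
```

A source not covered by any permit (say 10.10.4.1) is left untranslated, so a network forgotten in the ACL shows up as flows that never enter the NAT table.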
