I have more than one free public IP address and need to know how to configure NAT and a site-to-site VPN

amralrazzaz
Level 5

I have the gateway 196.204.80.240/29 (I have 6 free IPs; I use .241 for the GW and the others are free).

I can use .241, for example, as the gateway and any other one as the real IP.

My question is whether it is better to make the Internet pool like this:

ip nat pool PUBLIC_POOL 196.204.80.241 196.204.80.241 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC_POOL overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1.328 172.19.138.89

or

ip nat pool PUBLIC_POOL 196.204.80.241 196.204.80.246 netmask 255.255.255.248
ip nat inside source list 1 pool PUBLIC_POOL overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1.328 172.19.138.89


access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.7.0 0.0.0.255
access-list 1 permit 192.168.8.0 0.0.0.255
access-list 1 permit 192.168.9.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit 192.168.12.0 0.0.0.255
access-list 1 permit 192.168.13.0 0.0.0.255

interface GigabitEthernet0/1
description connected to WAN
no ip address
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled

interface GigabitEthernet0/1.328
description connected to PRIMARY_ISP
encapsulation dot1Q 328
ip address 196.204.80.241 255.255.255.248 secondary
ip address 172.19.138.90 255.255.255.252
ip nat outside
ip virtual-reassembly in
ip flow ingress
ip flow egress


ip dhcp pool VodaFone gateway
network 196.204.80.240 255.255.255.248
default-router 196.204.80.241
dns-server 8.8.8.8 8.8.4.4

 

NOTE: I don't have any server in my network, so my question is:

- I have 6 free real IPs and I use only one for PAT (NAT overload), so can I use this same IP for the site-to-site VPN?

Or shall I use another one of the free IP addresses for the site-to-site VPN? So the other free IP addresses are useless?!

What is the good option for that?

- Or shall I go with option 2 and use all the free public IPs for translation, and then I can assign one for the site-to-site VPN?

amr alrazzaz

Cristian Matei
VIP Alumni

Hi,

 

I would use 1 or 2 IP addresses for the PAT/overload configuration; however, note that there is no round-robin option: the second IP from the pool will be used for PAT only after the first IP has been fully used (all port services allocated). I would make the following changes to your config:

 

1. Swap your primary and secondary IP addresses on the WAN link, ensure the primary address is the public one. For example, in case you want to terminate a VPN tunnel on this device using crypto-map, the crypto-map unconditionally uses the primary IP address of the link, and this is not configurable. And if the primary IP address is private, your VPN will not get established.

interface GigabitEthernet0/1.328
no ip address 196.204.80.241 255.255.255.248 secondary
no ip address 172.19.138.90 255.255.255.252

ip address 196.204.80.241 255.255.255.248
ip address 172.19.138.90 255.255.255.252 secondary

 

2. There is no need to enable NAT on the main physical interface which is not used:

interface GigabitEthernet0/1
no ip nat outside

 

3. For your Internet access PAT configuration, I would use a different configuration, which gives me options for possible future needs, like a VPN tunnel: you would have to exclude the VPN traffic from being NAT'ed, and you can't do that if you use a standard ACL for your PAT config. For the PAT config, use either of the last two options, depending on whether you want one or more IPs in the PAT pool.

no access-list 1
!
ip access-list extended INTERNET_PAT
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.13.0 0.0.0.255 any
!
route-map INTERNET_TRAFFIC permit 10
 match ip address INTERNET_PAT
 match interface GigabitEthernet0/1.328
!
ip nat inside source route-map INTERNET_TRAFFIC interface GigabitEthernet0/1.328 overload (use this or the below NAT config, not both)
!
ip nat pool PUBLIC_POOL 196.204.80.242 196.204.80.243 netmask 255.255.255.248
ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload

 

Regards,

Cristian Matei.
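As an added example (not part of Cristian's reply or the thread's own configuration), here is the route-map based PAT from item 3 with the VPN exclusion actually in place, which is the reason an extended ACL was recommended over `access-list 1`. The local subnets, pool, route-map and interface names are the ones from the thread; the remote site's LAN 10.99.0.0/16 is an assumed placeholder, and the example assumes `ip nat inside` is already configured on the LAN interfaces (not shown in the thread). The `show` commands at the end are standard IOS verification commands.

```cisco
! Added example: route-map PAT with site-to-site VPN traffic excluded from translation.
! 10.99.0.0/16 is an ASSUMED placeholder for the remote site's LAN; replace with the real prefix.
!
ip access-list extended INTERNET_PAT
 remark --- VPN traffic must NOT be translated: deny it before the permits ---
 deny   ip 192.168.0.0 0.0.255.255 10.99.0.0 0.0.255.255
 remark --- everything else from the LANs reaches the Internet via PAT ---
 permit ip 192.168.2.0 0.0.0.255 any
 permit ip 192.168.3.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.5.0 0.0.0.255 any
 permit ip 192.168.6.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 192.168.9.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.11.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
 permit ip 192.168.13.0 0.0.0.255 any
!
route-map INTERNET_TRAFFIC permit 10
 match ip address INTERNET_PAT
 match interface GigabitEthernet0/1.328
!
! Pool option: two public IPs for PAT, the primary .241 stays free for the VPN tunnel.
ip nat pool PUBLIC_POOL 196.204.80.242 196.204.80.243 netmask 255.255.255.248
ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload
!
! Verification from exec mode after the change:
!   show ip access-lists INTERNET_PAT   - the deny line's match counter rises when VPN traffic flows
!   show ip nat translations            - inside global addresses are only .242/.243, never for 10.99.x destinations
!   show ip nat statistics              - pool usage; .243 stays unused until .241's replacement .242 is exhausted
!   show route-map INTERNET_TRAFFIC     - confirms the match clauses are applied
```

The deny line must describe exactly the same traffic as the crypto ACL that later defines the VPN's interesting traffic (local LANs to the remote LAN); if the two disagree, packets meant for the tunnel get translated to a pool address, no longer match the crypto ACL, and the VPN appears to "not pass traffic" even though the tunnel comes up.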

Many thanks for your great support :)

 

I need to confirm the below to understand :)

 

1. Swap your primary and secondary IP addresses on the WAN link, ensure the primary address is the public one. For example, in case you want to terminate a VPN tunnel on this device using crypto-map, the crypto-map unconditionally uses the primary IP address of the link, and this is not configurable. And if the primary IP address is private, your VPN will not get established.

So the public IP that I will use for the site-to-site VPN will be .241? Am I correct?
And what about .242 and .243, which are not configured on the interface? Is it okay and not needed, but once the ports are full it will switch to .242? Am I understanding correctly?

Or is what I'm understanding that .241 is for the site-to-site VPN, and you used .242 and .243 for PAT?
So you excluded the PAT traffic with 2 public IPs, and the VPN config will use .241 for the VPN traffic?

 

ip nat inside source route-map INTERNET_TRAFFIC interface GigabitEthernet0/1.328 overload (use this or the below NAT config, not both)

 

So with this, I will use one public IP (.241) for PAT and also use it for the site-to-site VPN?

 

ip nat pool PUBLIC_POOL 196.204.80.242 196.204.80.243 netmask 255.255.255.248

ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload 

 

And with this I will use 2 public IPs for PAT and .241 only for the site-to-site VPN?

amr alrazzaz

Hi,

 

That is all correct. Since you have public IPs, I would do NAT using the pool (2 public IPs would be way more than you need, but I just put it here since you have the IPs) and leave the public IP on the router for the VPN.

 

Regards,

Cristian Matei.

Dear sir,

I really appreciate your great support, and the last thing to make sure of is whether the below is fine to paste directly on my router:

So the final configuration will be like the below, just to copy-paste directly to my router :) :

interface GigabitEthernet0/1.328
ip address 196.204.80.241 255.255.255.248
ip address 172.19.138.90 255.255.255.252 secondary

interface GigabitEthernet0/1
no ip nat outside

ip access-list extended INTERNET_PAT
permit ip 192.168.2.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.6.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit ip 192.168.9.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 192.168.13.0 0.0.0.255 any


route-map INTERNET_TRAFFIC permit 10
match ip address INTERNET_PAT
match interface GigabitEthernet0/1.328

 

ip nat pool PUBLIC_POOL 196.204.80.242 196.204.80.243 netmask 255.255.255.248
ip nat inside source route-map INTERNET_TRAFFIC pool PUBLIC_POOL overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1.328 172.19.138.89

 

 

amr alrazzaz

That is correct.

Many thanks, sir.

I would like to thank you; you are really super and helpful :)

amr alrazzaz