NAT for WAN IP address

VincentLong
Level 1

Hi there,

My ISP provided me a set of IPs as below:

Serial IP     : 210.187.x.x 255.255.255.252


WAN IP     : 58.27.x.x 255.255.255.224

I have set up a WAN router as below:

Router#sh run
Building configuration...

Current configuration : 2606 bytes
!
! Last configuration change at 15:51:21 MAL Thu Dec 9 2010 by admin
!
version 15.0
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 < >
!
no aaa new-model
clock timezone MAL 8
ip source-route
!
!
ip dhcp excluded-address 10.3.18.0 10.3.18.1
ip dhcp excluded-address 10.3.18.51 10.3.18.254
!        
ip dhcp pool Penang_Internal
   network 10.3.18.0 255.255.255.0
   default-router 10.3.18.1
   dns-server 202.188.0.136 202.188.0.133
   lease 2
!
!
ip cef
ip domain name tm.net.my
ip name-server 202.188.0.136
ip name-server 202.188.0.133
multilink bundle-name authenticated
!
!
license udi pid CISCO1841 sn < >
username admin privilege 15 password 7 < >
!
!
!
!
!
!
interface FastEthernet0/0
description Connected to Internal
ip address 10.3.18.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial0/0/0
description Connected to TMNet Direct Link 1
bandwidth 2048
ip address 210.187.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
no fair-queue
invert txclock
no cdp enable
!        
ip forward-protocol nd
!
!
no ip http server
ip nat inside source list 1 interface Serial0/0/0 overload
ip route 0.0.0.0 0.0.0.0 210.187.x.x
!
access-list 1 permit 10.3.18.0 0.0.0.255
!
!
control-plane
!
banner motd ^C

*****************************************************************
*                          Warning                              *
*           THIS DEVICE IS PART OF A PRIVATE NETWORK            *
*                                                               *
*  DISCONNECT IMMEDIATELY IF YOU ARE NOT AN AUTHORISED USER     *
*                                                               *
*             UNAUTHORISED ACCESS IS PROHIBITED                 *
*                AND MAY BE PUNISHABLE BY LAW                   *
*                                                               *
*      THIS DEVICE IS MONITORED FOR UNAUTHORISED ACCESS         *
*                                                               *
*****************************************************************
^C
!
line con 0
exec-timeout 5 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 5 0
logging synchronous
login local
!
scheduler allocate 20000 1000
end

My question: is it possible, instead of NATing to the Serial0/0/0 interface IP, to NAT to the WAN IP provided by my ISP, and how do I do it?

10 Replies

Richard Burts
Hall of Fame

Vincent

To give you the best answers we would need more information about the network topology that you are using. At this point you have told us only that you have a router with a serial interface connected to the ISP and with an inside interface. You have not told us whether your network devices really connect to the inside interface of your router or whether there is some kind of firewall connected to the inside and your network devices are connected through the firewall.

From the lack of access list filtering on the router I wonder if it is reasonable to assume that there is some kind of firewall connected inside of your router to protect your network devices.

If there is some firewall connected inside of your router, then it would be logical to use the block of addresses given by the provider to do address translation on the firewall using that address block on the firewall.

If there is not an inside firewall, then it is possible to configure on the router an address pool, using the address block assigned by the provider, and to configure address translation using the address pool and not using address translate overload on the serial interface.

HTH

Rick

Hi there,

My layout is very easy.

      PC --------> Router ----------------------------------------> Internet

(private ip)       (NAT to public IP provided by ISP)         (Serial)

Don't worry about the firewall and all the other things. That is not needed in this setup. Anyway, thanks for your advice. I really appreciate it.

My question is very simple. I just want to know how I can NAT to the public IP given by the ISP, as in the layout above.

I believe this is what you are looking for:


interface FastEthernet0/1
ip address 58.27.x.x 255.255.255.224
ip nat outside

duplex auto
speed auto


interface FastEthernet0/0
description Connected to Internal
ip address 10.3.18.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto


interface Serial0/0/0
description Connected to TMNet Direct Link 1
bandwidth 2048
ip address 210.187.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
no fair-queue
invert txclock
no cdp enable

ip nat inside source list 1 interface FastEthernet0/1 overload

!--OR

ip nat pool WAN 58.27.x.1 58.27.x.28 netmask 255.255.255.224

ip nat inside source list 1 pool WAN overload

ip route 0.0.0.0 0.0.0.0 210.187.x.x

!--OR


ip route 0.0.0.0 0.0.0.0 Serial0/0/0:0
!
access-list 1 permit 10.3.18.0 0.0.0.255

Hopefully, this helps.

Reference:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic4

Hi

If I configure as below, it will only NAT the traffic if it uses fa0/1 to go out, right?

interface FastEthernet0/1
ip address 58.27.x.x 255.255.255.224
ip nat outside

duplex auto
speed auto


interface FastEthernet0/0
description Connected to Internal
ip address 10.3.18.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto


interface Serial0/0/0
description Connected to TMNet Direct Link 1
bandwidth 2048
ip address 210.187.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
no fair-queue
invert txclock
no cdp enable

ip nat inside source list 1 interface FastEthernet0/1 overload

But I need to use s0/0/0 to go out to the Internet.

t_mcwilliams
Level 1

Set up the routed subnet on a loopback and then NAT using that interface. Or set up a NAT pool.

Sent from Cisco Technical Support iPhone App

Hi william,

Do you mean like this?

interface FastEthernet0/0
description Connected to Internal
ip address 10.3.18.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto


interface Serial0/0/0
description Connected to TMNet Direct Link 1
bandwidth 2048
ip address 210.187.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
no fair-queue
invert txclock
no cdp enable

interface loopback0
ip address 58.27.x.x 255.255.255.224

ip nat pool MYPOOLEXAMPLE 58.27.x.x 58.27.x.x netmask 255.255.255.224
ip nat inside source list 1 pool MYPOOLEXAMPLE overload

Vincent

You do not need to configure a loopback and to put the address pool on the interface. It is enough to configure the address pool and to configure the ip nat inside to use the pool - as you have configured.

HTH

Rick
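
A pre-deployment check for the pool-based NAT discussed in this thread, as an added example that is not part of any reply: it confirms that the `ip nat pool` range stays inside the ISP-assigned block and that the NAT rule references a pool and access list that exist. The helper name `check_nat_pool` is hypothetical, and the sample addresses are constructed documentation ranges standing in for the masked ones above.

```python
import ipaddress
import re

# Constructed sample: 198.51.100.32/27 and 203.0.113.0/30 are documentation
# ranges standing in for the masked 58.27.x.x and 210.187.x.x in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.3.18.1 255.255.255.0
 ip nat inside
interface Serial0/0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
ip nat pool WAN 198.51.100.33 198.51.100.62 netmask 255.255.255.224
ip nat inside source list 1 pool WAN overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
access-list 1 permit 10.3.18.0 0.0.0.255
"""

POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$", re.M)
RULE_RE = re.compile(r"^ip nat inside source list (\S+) pool (\S+)", re.M)
ACL_RE = re.compile(r"^access-list (\d+) (?:permit|deny) ", re.M)

def check_nat_pool(config, isp_block):
    """Hypothetical helper: return findings; an empty list means consistent."""
    block = ipaddress.ip_network(isp_block)
    findings, pools = [], set()
    for name, start, end, mask in POOL_RE.findall(config):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        pools.add(name)
        if lo > hi:
            findings.append(f"pool {name}: start {lo} is above end {hi}")
        if lo not in block or hi not in block:
            findings.append(f"pool {name}: range leaves ISP block {block}")
        if mask != str(block.netmask):
            findings.append(f"pool {name}: netmask {mask} differs from {block.netmask}")
        if block.network_address in (lo, hi) or block.broadcast_address in (lo, hi):
            findings.append(f"pool {name}: includes network or broadcast address")
    acls = set(ACL_RE.findall(config))  # numbered ACLs only
    for acl, pool in RULE_RE.findall(config):
        if pool not in pools:
            findings.append(f"NAT rule references undefined pool {pool}")
        if acl not in acls:
            findings.append(f"NAT rule references undefined access-list {acl}")
    if not re.search(r"^ *ip nat outside *$", config, re.M):
        findings.append("no interface is marked 'ip nat outside'")
    return findings

if __name__ == "__main__":
    print(check_nat_pool(SAMPLE_CONFIG, "198.51.100.32/27") or "pool NAT config is consistent")
```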

Hi Richard,

I had tried that before but it didn't work. It seems that if the IP address is not known by the router, it doesn't work.

Vincent

Can you help us understand what did not work when you tried it before?

- are you saying that the translations did not take place?

- are you saying that the address block was not reachable?

If you need to advertise the address block into your network, I can see why it might be better to have the block configured on an interface. But why would you need to advertise the block?

On the other hand - if you put the block on a loopback interface and it does work for you, then go for it.

HTH

Rick

Hi Richard,

I will try and update you. Thanks.

Regards,

Hing
