12-15-2015 04:42 AM - edited 03-05-2019 02:56 AM
Hi everyone...
I need some help please.
I have a site with a router and all of its ports are already taken except one.
The thing is I need 2 interfaces for a customer that wants a separate connection to the internet with NAT. Of course they will have their own IP address and their own internal IP address.
The external ip address would be 77.77.77.1 (for example) and the inside 10.204.0.0 255.255.0.0
The problem is that I have only 1 interface. Can I somehow NAT over subinterfaces or a virtual interface?
As far as I have seen in the documentation it is not possible, but perhaps one of you guys has an idea?
Thanks in advance...
12-15-2015 05:30 AM
Hello,
yes, you can NAT over subinterface. Can you make the interface between your router and your customer router trunk?
You have probably one interface connected to external network which configured with IP nat outside.
interface fa0/0
des external network
ip nat outside
You can create two subinterfaces.
interface fast0/1.10
encapsulation dot1q 10
ip nat inside
interface fast0/1.20
encapsulation dot1q 20
ip nat inside
access-list 50 permit 10.204.0.0 0.0.255.255
ip nat pool Public-IP 77.77.77.1 77.77.77.1 prefix 24
ip nat inside source list 50 pool Public-IP overload
Please explain more if you have a different situation.
Masoud
12-15-2015 05:40 AM
Hello Masoud,
I have an interface Gig0/1 which is the only free interface.
This will be connected to a watchguard router on a subnet like 10.204.0.0 0.0.255.255
On the Gig0/0 Interface is where the ISP router is connected to my router (gateway).
So yes the Gig0/0 interface is already configured for NAT directly connected to my gateway.
So I need to configure Gig0/1 for NAT with a different set of IP addresses like 77.77.77.1 and route this over my gateway on the interface Gig0/0.
12-15-2015 05:46 AM
77.77.77.1 is your public IP address connected to G0/0?
12-15-2015 05:52 AM
12-15-2015 05:59 AM
Your public address is 77.77.78.254.
I am still unclear about 77.77.77.1. Is it some portion of your public IP?
Did you set any IP on the link between the two 2811s now, or can it be anything?
Masoud
12-15-2015 06:09 AM
12-15-2015 06:16 AM
Configure a private subnet on the link between two 2811s.
Suppose 10.10.10.0/30
Your router 10.10.10.1
your customer router 10.10.10.2
Your router configuration
interface G0/1
description connected-to-customer
IP address 10.10.10.1 255.255.255.252
IP nat inside
***
int G0/0
ip nat outside (which is already set)
access-list 50 permit 10.204.0.0 0.0.255.255
ip nat pool Public-IP 77.77.77.1 77.77.77.1 prefix 24
ip nat inside source list 50 pool Public-IP overload
***
Ip route 10.204.0.0 255.255.0.0 10.10.10.2
****
To say it simply, you can use one ip nat outside for several ip nat inside.
The access-list and pool in the NAT configuration determine how your router translates IP addresses.
You do not have to set 77.77.77.1 on your router as long as your ISP has configured it correctly. So you will not see 77.77.77.1 under any interfaces.
ON your customer router
IP route 0.0.0.0 0.0.0.0 10.10.10.1
Feel free to ask more questions,
Masoud
12-15-2015 06:37 AM
Thank you very much Masoud, I cannot believe I struggled with something so simple :D
12-15-2015 06:41 AM
I'm sorry, I overlooked something. The interface Gig0/0 already has an ip nat pool configured and an ACL assigned for another network. That is the problem...
like this
interface GigabitEthernet0/0
description ISP-Connection
ip address 77.77.78.1 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
So it already has an ip nat statement and already has an IP address assigned.
12-15-2015 06:46 AM
It does not matter.
You are configuring pool with different name and access-list with different number.
If you share your NAT statement with corresponding access-list, I can take a look.
Masoud
12-16-2015 12:14 AM
Hello Masoud,
The loopback interface with the new IP is OK and I can ping the Google DNS.
I have done what you suggested but I get this error:
% Invalid source address- IP address not on any of our up interfaces
12-16-2015 02:37 AM
Here is my configuration; the xxxxxxxx are the public IP addresses, I just hid them like this...
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.202.255.254 255.255.0.0
ip access-group from-inside-Ga0 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 10.10.200.17 255.255.255.252
ip nat inside
no ip virtual-reassembly in
!
interface GigabitEthernet0/0.60
encapsulation dot1Q 60
ip address 192.168.60.1 255.255.255.0
!
interface GigabitEthernet0/1
description DIGEL-LAN
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description $ES_LAN$
ip address xxxxxxxx 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/2
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoVPN
!
ip local pool localpool 10.10.200.96 10.10.200.102
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool PUBLIC-IP xxxxxxxx xxxxxxxx prefix-length 29
ip nat inside source list 50 pool PUBLIC-IP overload
ip nat inside source list VLAN1-NAT-ACL interface GigabitEthernet0/2 overload
ip nat inside source list VLAN50-NAT-ACL interface GigabitEthernet0/2 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.10.200.18 2014 xxxxxxxx 2014 extendable
ip nat inside source static udp 10.10.200.18 5060 xxxxxxxx 5060 extendable
ip nat inside source static tcp 10.10.200.18 8015 xxxxxxxx 8015 extendable
ip route 0.0.0.0 0.0.0.0 xxxxxxxx
!
ip access-list extended EX-NA-AC
deny ip 10.202.0.0 0.0.255.255 192.168.20.0 0.0.3.255
deny ip 10.202.0.0 0.0.255.255 10.0.0.0 0.0.255.255
deny ip 10.202.0.0 0.0.255.255 192.168.109.0 0.0.0.255
deny ip 10.202.0.0 0.0.255.255 192.168.101.0 0.0.0.255
deny ip 10.202.0.0 0.0.255.255 10.10.16.0 0.0.15.255
deny ip 10.202.0.0 0.0.255.255 192.168.103.0 0.0.0.255
deny ip 10.202.0.0 0.0.255.255 192.168.104.0 0.0.0.255
deny ip 10.202.0.0 0.0.255.255 10.10.0.0 0.0.15.255
deny ip 10.202.0.0 0.0.255.255 192.168.1.0 0.0.0.255
permit ip 10.202.0.0 0.0.255.255 any
ip access-list extended VLAN50-NAT-ACL
deny ip 10.10.200.16 0.0.0.3 10.202.0.0 0.0.255.255
deny ip 10.10.200.96 0.0.0.7 10.202.0.0 0.0.255.255
permit ip 10.10.200.16 0.0.0.3 any
ip access-list extended from-inside-Ga0
permit ip any host 192.168.104.22
permit ip any 192.168.20.0 0.0.3.255
permit ip 10.202.0.0 0.0.255.255 10.202.0.0 0.0.255.255
permit ip 10.202.0.0 0.0.255.255 10.10.200.16 0.0.0.3
permit ip 10.202.0.0 0.0.255.255 192.168.103.0 0.0.0.255
permit ip 10.202.0.0 0.0.255.255 192.168.104.0 0.0.0.255
permit ip 10.202.0.0 0.0.255.255 10.10.0.0 0.0.15.255
permit ip 10.202.0.0 0.0.255.255 192.168.20.0 0.0.3.255
permit ip 10.202.0.0 0.0.255.255 10.0.0.0 0.0.255.255
permit ip 10.202.0.0 0.0.255.255 192.168.1.0 0.0.0.255
permit ip 10.202.0.0 0.0.255.255 192.168.101.0 0.0.0.255
permit ip 10.202.0.0 0.0.0.255 any
permit ip any host xxxxxxxx
permit ip any host xxxxxxxx
permit ip any host xxxxxxxx
permit ip any host xxxxxxxx
permit ip host 10.202.5.1 any
permit ip host 10.202.5.2 any
permit ip host 10.202.5.3 any
permit ip host 10.202.5.4 any
permit ip host 10.202.5.5 any
permit ip host 10.202.5.6 any
permit ip host 10.202.5.7 any
permit ip host 10.202.5.8 any
permit ip host 10.202.5.9 any
permit ip host 10.202.5.10 any
permit ip host 10.202.5.11 any
permit ip host 10.202.5.12 any
permit ip host 10.202.5.13 any
permit ip host 10.202.5.14 any
permit ip host 10.202.5.15 any
permit ip host 10.202.5.16 any
permit ip host 10.202.5.17 any
permit ip host 10.202.5.18 any
permit ip host 10.202.5.19 any
permit ip host 10.202.5.20 any
permit tcp any any eq pop3
permit tcp any any eq 143
permit tcp any any eq 993
permit tcp any any eq 995
deny ip any any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 permit ip 10.202.0.0 0.0.255.255 192.168.103.0 0.0.0.255
access-list 100 permit ip 10.202.0.0 0.0.255.255 192.168.104.0 0.0.0.255
access-list 100 permit ip 10.202.0.0 0.0.255.255 10.10.0.0 0.0.15.255
access-list 101 permit ip 10.202.0.0 0.0.255.255 192.168.20.0 0.0.3.255
access-list 101 permit ip 10.202.0.0 0.0.255.255 10.0.0.0 0.0.255.255
access-list 102 permit ip 10.202.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.202.0.0 0.0.255.255 192.168.101.0 0.0.0.255
access-list 103 permit ip 10.202.0.0 0.0.255.255 10.10.16.0 0.0.15.255
!
12-16-2015 04:28 AM
Hello,
I do not see access-list 50. Please add it.
For test
Int g0/0
Ip address 10.204.0.1 255.255.0.0
Ip nat inside
No shut.
Connect a PC directly to g0/0 with the IP 10.204.0.2 and gateway 10.204.0.1 and ping the Google DNS.
Let me know the result.
Masoud
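Masoud's point that the access-list and pool decide what gets translated, and his later catch that the posted config references access-list 50 without defining it, can both be checked mechanically. The following Python script is an added example, not part of this thread or of IOS; it parses a constructed excerpt of the thread's config (public addresses replaced with documentation-range placeholders) and reports NAT statements whose ACL, pool or interface is not defined, and a config with no `ip nat outside` interface.

```python
import re

# Constructed excerpt of the router config from this thread (public addresses replaced
# with placeholders) plus the customer's NAT statement, which names access-list 50.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/2
 ip nat outside
ip nat pool PUBLIC-IP 203.0.113.9 203.0.113.9 prefix-length 29
ip nat inside source list 50 pool PUBLIC-IP overload
ip nat inside source list VLAN50-NAT-ACL interface GigabitEthernet0/2 overload
ip access-list extended VLAN50-NAT-ACL
 permit ip 10.10.200.16 0.0.0.3 any
access-list 23 permit 10.10.10.0 0.0.0.7
"""

def parse_config(text):
    """Collect defined ACL names, NAT pool names and per-interface NAT roles."""
    acls, pools, interfaces, current = set(), set(), {}, None
    for line in text.splitlines():
        if not line.startswith(" "):  # a top-level command ends any interface block
            current = None
        if m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            interfaces[current] = set()
        elif m := re.match(r"access-list (\S+) ", line):          # numbered ACL
            acls.add(m.group(1))
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            acls.add(m.group(1))                                   # named ACL
        elif m := re.match(r"ip nat pool (\S+)", line):
            pools.add(m.group(1))
        elif current and line.strip() in ("ip nat inside", "ip nat outside"):
            interfaces[current].add(line.split()[-1])
    return acls, pools, interfaces

def check_nat_references(text):
    """Return the dangling references a NAT config contains, as Masoud's review found."""
    acls, pools, interfaces = parse_config(text)
    problems = []
    pattern = r"^ip nat inside source list (\S+) (pool|interface) (\S+)"
    for acl, kind, target in re.findall(pattern, text, re.M):
        if acl not in acls:
            problems.append(f"access-list {acl} is referenced but not defined")
        defined = pools if kind == "pool" else interfaces
        if target not in defined:
            problems.append(f"{kind} {target} is referenced but not defined")
    if not any("outside" in roles for roles in interfaces.values()):
        problems.append("no interface is marked ip nat outside")
    return problems
```

Running `check_nat_references(SAMPLE_CONFIG)` reports only the missing access-list 50; adding `access-list 50 permit 10.204.0.0 0.0.255.255` clears it.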
12-16-2015 05:15 AM
Same again
% Invalid source address- IP address not on any of our up interfaces