03-10-2011 04:22 PM - edited 03-04-2019 11:42 AM
Could someone help me please with NAT?
I have a C licence (195.100.190.0/24).
An ISP WAN that connects to the customer site uses network address 199.1.1.36/30
and Loopback 126.0.0.1/8.
I have on ISP:
ISP#show run
Building configuration...
Current configuration : 956 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
!
!
!
!
interface Loopback0
ip address 126.0.0.1 255.0.0.0
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 199.1.1.37 255.255.255.252
clock rate 64000
!
interface Serial0/0/1
no ip address
shutdown
!
interface Vlan1
no ip address
shutdown
!
ip classless
ip route 195.199.190.0 255.255.255.0 Serial0/0/0
ip route 195.100.190.0 255.255.255.0 Serial0/0/0
!
!
!
banner motd ^C
ONLY STAFF WITH PASS KEY ^C
!
!
!
!
line con 0
exec-timeout 0 0
password cisco
logging synchronous
login
line vty 0 4
password cisco
login
line vty 5 15
password cisco
login
!
!
!
end
ISP#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
ISP#
ISP#
ISP#
ISP#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
on R1
%SYS-5-CONFIG_I: Configured from console by console
R1#show run
Building configuration...
Current configuration : 1303 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
username R1 password 0 cisco
username R2 password 0 cisco
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
no ip address
duplex auto
speed auto
shutdown
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
shutdown
!
interface Serial0/0/0
ip address 199.1.1.38 255.255.255.252
ip nat inside
!
interface Serial0/0/1
ip address 172.190.0.14 255.255.255.252
ip nat inside
!
interface Serial0/1/0
ip address 172.190.0.1 255.255.255.252
encapsulation ppp
ppp authentication chap
ip nat inside
!
interface Serial0/1/1
ip address 172.190.0.5 255.255.255.252
ip nat inside
clock rate 64000
!
interface Vlan1
no ip address
shutdown
!
router ospf 1
log-adjacency-changes
network 172.190.0.0 0.0.0.3 area 0
network 172.190.0.4 0.0.0.3 area 0
network 172.190.0.12 0.0.0.3 area 0
default-information originate
!
ip nat pool MY-NAT-POOL 195.100.190.241 195.100.190.246 netmask 255.255.255.248
ip nat inside source list NAT pool MY-NAT-POOL
ip nat inside source static 172.190.0.254 195.1.1.254
ip classless
ip route 0.0.0.0 0.0.0.0 199.1.1.37
!
!
!
!
!
!
!
line con 0
line vty 0 4
login
line vty 5 15
login
!
!
!
end
How can I allow the rest of the network to ping the ISP? R1 can ping the Loopback 0 address, but I want the rest of the network to ping it.
03-10-2011 11:33 PM
Hi David,
Looking at the configs on R1, I'm a bit confused: all interfaces are configured as "ip nat inside". To NAT the traffic outside Serial0/0/0 you need to configure "ip nat outside" on that interface.
Regards,
Sujit
03-10-2011 11:47 PM
Dear ,
It seems that S0/0/0 is your outside interface. If so, you have to put ip nat outside on that interface as given below:
interface Serial0/0/0
ip address 199.1.1.38 255.255.255.252
ip nat outside
Secondly, you didn't define the ACL or source list NAT. You can define it as given below. Add all of your networks in that NAT access-list:
ip access-list extended NAT
permit ip 172.90.0.0 0.0.0.255 any
Regards
haris
03-11-2011 12:01 AM
Missed the ACL part, thanks for pointing it out Haris :-)
Regards,
Sujit
03-11-2011 09:56 AM
I set up the NAT and changed S0/0/0 to NAT outside.
With the access-list, I set it on S0/0/0 as
ip access-group NAT IN
Still not able to ping.
03-11-2011 11:56 PM
Dear ,
There is no need to set the ACL on the interface like "ip access-group NAT IN". This is needed only when you want to block or allow certain things in your network.
I was saying to create an access-list for the NAT. You have defined the NAT statement as given below, in which your source-list name is NAT:
ip nat inside source list NAT pool MY-NAT-POOL
So just define your source list NAT as given below. You have given the name NAT to your access-list, and maybe you are confused by this. Just add an ACL as given below. Add all your local networks in the access-list named NAT.
ip access-list extended NAT
permit ip 172.90.0.0 0.0.0.255 any
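An offline lint for the two problems the replies identify (no "ip nat outside" interface, and a NAT source list naming an ACL that is never defined), plus a check that each inside interface address is matched by that ACL's wildcard. This is an added example, not code from the thread; lint_nat, to_int and R1_BEFORE are hypothetical names, and the sample is constructed from R1 lines posted above.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of R1 as first posted in the thread.
R1_BEFORE = """\
interface Serial0/0/0
 ip address 199.1.1.38 255.255.255.252
 ip nat inside
interface Serial0/1/0
 ip address 172.190.0.1 255.255.255.252
 ip nat inside
ip nat inside source list NAT pool MY-NAT-POOL
"""

def to_int(addr):
    return int(ipaddress.ip_address(addr))

def lint_nat(config):
    """Return a list of findings for an IOS-style NAT configuration."""
    roles, addrs, acls, refs, ctx = {}, {}, {}, [], (None, None)
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            ctx = ("if", m[1])
        elif m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            ctx = ("acl", m[1])
            acls[m[1]] = []
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            refs.append(m[1])
        elif ctx[0] == "if" and (m := re.match(r"ip nat (inside|outside)$", line)):
            roles[ctx[1]] = m[1]
        elif ctx[0] == "if" and (m := re.match(r"ip address (\S+) \S+", line)):
            addrs[ctx[1]] = m[1]
        elif ctx[0] == "acl" and (m := re.match(r"permit ip ([\d.]+) ([\d.]+) any", line)):
            acls[ctx[1]].append((to_int(m[1]), to_int(m[2])))
    findings = []
    if "outside" not in roles.values():
        findings.append("no interface is marked 'ip nat outside'")
    for name in refs:
        if name not in acls:
            findings.append(f"ACL {name} is referenced by NAT but not defined")
            continue
        for ifname, role in roles.items():
            if role != "inside" or ifname not in addrs:
                continue
            # Wildcard mask: 0 bits must match, 1 bits are ignored. The interface
            # address stands in for hosts on that subnet (an assumption).
            ip = to_int(addrs[ifname])
            if not any(((ip ^ net) & ~wc & 0xFFFFFFFF) == 0 for net, wc in acls[name]):
                findings.append(f"{ifname} ({addrs[ifname]}) is inside but not matched by ACL {name}")
    return findings
```

Run against R1_BEFORE it returns the two findings the replies call out. The ACL check only parses permit lines of the form "permit ip network wildcard any".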
03-12-2011 02:12 PM
Thanks man,
The ACL did the trick.