NAT Pool Help

mstaffeld
Level 1

Sorry, being very noobish. I can't figure out the NAT pool.

Trying to get public ip to static nat to internal...

Hopefully a simple fix.

My Config:

//////////
Current configuration : 1185 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname CABLE
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
ip name-server 24.aaa.bb.53
ip name-server 24.aaa.bb.53
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool client
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 24.aaa.bb.53 24.aaa.bb.53
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
 ip address 71.aa.bb.114 255.255.255.240
 ip nat outside
 half-duplex
!
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 speed auto
!
////////////////////////////NEED Guidance HERE/////
ip nat pool net71 71.bb.cc.114 71.bb.cc.126 netmask 255.255.255.240 //Multiple public IPS
ip nat outside source list 1 pool net71 add-route
//////////How to make those publics NAT to inside///////
ip nat inside source list 102 interface Ethernet0 overload///can be deleted if need be
no ip nat inside source static tcp 10.10.10.30 5900 71.aa.bb.120 5900 extendable//Would like publics to nat to inside
no ip nat inside source static tcp 10.10.10.31 5900 71.aa.bb.121 5900 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 71.aa.bb.113 //For cable modem/gateway
no ip http server
ip pim bidir-enable
!
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end
CABLE#

Accepted Solution

tdrais
Level 7

It is mostly correct.

Other than the NO, the static entries will work as you have configured.

For the nat overload you sorta have to make a selection.

Without this statement you will be able to get 12 nat entries from your other pool. It will assign the users 1 from the pool, up to 12 at the same time. It can reuse them when the nat entries time out. If you only have a small number of users then this will work. This allows users to use any source port since they are not translated. Most applications nowadays tolerate translation of the source port.

To use the overload you have a couple of ways to do this. You must overload an outside interface, so you have the wrong interface in your configuration.

Your problem is that both nat statements point to the same addresses, so you have to have a method of selecting them. You can put a route-map in to select between them on both nat statements, but this can get complex.

The more common solution is to overload the nat pool statement you currently have. What it will do is overload the first address from the pool until it runs out of ports; it will then use the next and the next. Commonly it will never use more than the first address unless you have a very large network. You can start assigning static nats from the top end of the pool, and since these are static they will always be used rather than generating a new entry. The only issue I have seen with this is if there is a lot of activity and a user gets his ports translated to 2 different ip addresses you may get application problems. For example, if a user's web browser opens 4 sessions at the same time, it could appear to the far server that these came from 2 different IPs and it could decide that was a security issue. This is unlikely but you need to know it can happen.


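The reply describes three behaviours of a NAT pool: without overload each inside host takes a whole public address until the pool is exhausted and addresses are reused only after an entry times out; with overload the first pool address is filled with port translations before the next is touched; and static entries are always honoured instead of generating a dynamic entry, with the side effect that a busy host can end up appearing as two different public IPs. The model below is an added example, not IOS code and not the responder's configuration. It assumes a per-address translated-port range (a tiny one in the demo so exhaustion is visible), uses constructed RFC 5737 addresses 203.0.113.114-126 in place of the anonymised 71.bb.cc.114-126 pool, and models only the allocation logic the reply talks about, not IOS's real port selection.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed public pool (RFC 5737 TEST-NET-3), standing in for the
# anonymised 71.bb.cc.114-126 range in the post.
POOL = [f"203.0.113.{h}" for h in range(114, 127)]


@dataclass
class NatPool:
    """Toy model of an IOS-style NAT pool: ordered public addresses used either
    one-to-one (no overload) or with port translation (overload)."""
    addresses: List[str]
    overload: bool
    port_lo: int = 1024      # assumed translated-port range per public address
    port_hi: int = 65535
    statics: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    dynamic: Dict[Endpoint, Endpoint] = field(default_factory=dict)
    used_ports: Dict[str, Set[int]] = field(default_factory=dict)
    one_to_one: Dict[str, str] = field(default_factory=dict)   # inside ip -> public ip

    def add_static(self, inside: Endpoint, outside: Endpoint) -> None:
        """A static entry is permanent and reserves its public port for good."""
        self.statics[inside] = outside
        self.used_ports.setdefault(outside[0], set()).add(outside[1])

    def translate(self, inside: Endpoint) -> Optional[Endpoint]:
        """Return the public (ip, port) for an inside flow, creating an entry if needed."""
        if inside in self.statics:      # statics always win; no dynamic entry is made
            return self.statics[inside]
        if inside in self.dynamic:      # an existing flow keeps its translation
            return self.dynamic[inside]
        return self._pat(inside) if self.overload else self._one_to_one(inside)

    def _one_to_one(self, inside: Endpoint) -> Optional[Endpoint]:
        ip, port = inside
        if ip not in self.one_to_one:
            taken = set(self.one_to_one.values()) | {o[0] for o in self.statics.values()}
            free = [a for a in self.addresses if a not in taken]
            if not free:
                return None             # pool exhausted: the next host waits for a timeout
            self.one_to_one[ip] = free[0]
        out = (self.one_to_one[ip], port)  # source port is not translated
        self.dynamic[inside] = out
        return out

    def _pat(self, inside: Endpoint) -> Optional[Endpoint]:
        _ip, port = inside
        for addr in self.addresses:     # fill the first address before touching the next
            used = self.used_ports.setdefault(addr, set())
            cand = port if self.port_lo <= port <= self.port_hi and port not in used else None
            if cand is None:            # original port unusable: take the lowest free one
                cand = next((p for p in range(self.port_lo, self.port_hi + 1) if p not in used), None)
            if cand is not None:
                used.add(cand)
                self.dynamic[inside] = (addr, cand)
                return (addr, cand)
        return None                     # every address is out of ports

    def expire(self, inside: Endpoint) -> None:
        """Idle timeout of a dynamic entry frees its port, or its one-to-one address."""
        out = self.dynamic.pop(inside, None)
        if out is None:
            return
        if self.overload:
            self.used_ports[out[0]].discard(out[1])
        elif not any(k[0] == inside[0] for k in self.dynamic):
            self.one_to_one.pop(inside[0], None)

    def public_ips_for(self, inside_ip: str) -> Set[str]:
        """Public addresses a single inside host is currently seen as."""
        return {out[0] for k, out in self.dynamic.items() if k[0] == inside_ip}


def scenario_overload() -> dict:
    """Overload with a deliberately tiny port range so the edge case in the reply
    shows up: one host's fourth session spills onto a second public address."""
    pool = NatPool(POOL[:2], overload=True, port_lo=5900, port_hi=5902)
    pool.add_static(("10.10.10.30", 5900), (POOL[1], 5900))   # static at the top of the pool
    sessions = [pool.translate(("10.10.10.50", 50000 + i)) for i in range(4)]
    return {
        "sessions": sessions,
        "public_ips": pool.public_ips_for("10.10.10.50"),
        "static": pool.translate(("10.10.10.30", 5900)),
    }


def scenario_one_to_one() -> dict:
    """No overload: each host takes a whole address; the pool runs dry, then an
    entry times out and its address is reused."""
    pool = NatPool(POOL[:3], overload=False)
    first_three = [pool.translate((f"10.10.10.{h}", 40000))[0] for h in (10, 11, 12)]
    fourth_before = pool.translate(("10.10.10.13", 40000))
    pool.expire(("10.10.10.10", 40000))
    fourth_after = pool.translate(("10.10.10.13", 40000))
    return {"first_three": first_three, "fourth_before_timeout": fourth_before,
            "fourth_after_timeout": fourth_after}
```

Running `scenario_overload()` shows the first three sessions of host 10.10.10.50 all translated to 203.0.113.114, the fourth landing on 203.0.113.115 because the first address has no ports left, and the static entry on the top address keeping its port 5900 out of the dynamic allocator's reach; `public_ips_for` returning two addresses is exactly the condition the reply warns a far-end server may treat as suspicious. `scenario_one_to_one()` shows the non-overload case: three hosts consume the three-address pool, a fourth gets nothing until an entry expires, and the source port is carried through untranslated.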