I have a little problem configuring NAT on an 1841 router. This is the topology:
  WAN (PUBLIC ADDRESS)              fast0/0      fast0/0/0      PUBLIC ADDRESS              INSIDE (192.168.1.0/24)
ROUTER ====== X.X.X.X/30 ====== ROUTER ======== Z.Z.Z.Z/29 ======== SW 3560 ==============
(ISP)    .253              .254 (CLIENT)  .47               .48
The connection with the ISP or extranet is a metro ethernet, so the ISP gave the client two IP ranges:
a LAN (/29), which are the public addresses to be used by the client if they need to publish any server on the network (like www). They do not have any device that could do the NAT, like an ASA or a Linux server, so the router has to do the NAT, because the SW 3560 does not support this feature.
So... I did the following:
On router 1841:
interface FastEthernet0/0
!
interface FastEthernet0/0.316
 encapsulation dot1Q 316
 ip address x.x.x.254 255.255.255.252
!
interface Vlan448
 ip address Z.Z.Z.47 255.255.255.248
 ip nat outside
!
interface FastEthernet0/0/0
 switchport mode access
 switchport access vlan 448
I created a loopback interface to simulate the LAN connection (192.168.1.0/24):
interface Loopback0
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip access-list extended nat
 permit ip 192.168.0.0 255.255.0.0 any
 deny ip any any
!
ip nat inside source list nat interface Vlan448 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.253
On the SW 3560:
interface Vlan448
 ip address Z.Z.Z.48 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.47
But if I try to ping from a 192.168.1.0/24 address to any server on the internet, the ping fails, whereas if I ping from vlan 228 the ping succeeds. I think a route map could solve the problem.
With a setup like this, you will be living dangerously.
You will make life both easier and safer when you add a firewall (ASA 5505) between the router and the switch.
The public IP subnet can be on the router's inside interface. The ASA can do the NAT and secure your network.
Of course marwanshawi,
This is the topology; the public addresses are masked with placeholders for safety.
Like I said before, the client has a metro ethernet that connects them to the internet, but they do not have any firewall that can do the NAT, so the internet router has to do it, because the core switch does not have the feature. The problem is that the router has two public IP addresses, so the config I posted before does not work; I think a route map could solve this problem.
What do you think??
You are using a network mask instead of a wildcard mask in your access list.
And the subnet is not right.
It should be:
permit ip 192.168.1.0 0.0.0.255 any
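To make the wildcard-mask point concrete, here is an added Python example (not from the thread and not Cisco code) that evaluates ACL entries the way IOS does: a 0 bit in the wildcard must match the network, a 1 bit is ignored. Read as a wildcard, the posted entry "permit ip 192.168.0.0 255.255.0.0 any" only matches addresses whose last two octets are 0.0, so every 192.168.1.x host falls through to the deny and is never translated, while a constructed address like 10.0.0.0 would be. The corrected entry matches the whole 192.168.1.0/24 and nothing else. On a router that is doing NAT with no firewall in front of the LAN, this ACL is the only thing deciding which inside sources get a public address, so it is worth generating the wildcard from the prefix instead of typing it by hand. The host addresses other than 192.168.1.254 are constructed for the demonstration.

```python
"""Added example (not from the thread): evaluate NAT ACL entries with
Cisco IOS wildcard-mask semantics to see which inside sources get NATed."""
from typing import List, Tuple
import ipaddress

Entry = Tuple[str, str, str]  # (action, source network, wildcard)


def parse_entry(line: str) -> Entry:
    """Parse an extended ACL entry of the form
    '<permit|deny> ip <source> <wildcard>|any|host <addr> any'.
    Only the source side is evaluated, because 'ip nat inside source list'
    matches on the inside source address."""
    tokens = line.split()
    action, proto, src = tokens[0], tokens[1], tokens[2]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported entry: {line!r}")
    if src == "any":
        return action, "0.0.0.0", "255.255.255.255"
    if src == "host":
        return action, tokens[3], "0.0.0.0"
    return action, src, tokens[3]


def matches(address: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard must match the
    network, a 1 bit is 'don't care' (the inverse of a subnet mask)."""
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def nat_eligible(address: str, acl: List[str]) -> bool:
    """Walk the ACL top-down; the first matching entry decides, and an
    address that matches nothing hits the implicit deny at the end."""
    for line in acl:
        action, network, wildcard = parse_entry(line)
        if matches(address, network, wildcard):
            return action == "permit"
    return False


def wildcard_from_prefix(prefix: str) -> Tuple[str, str]:
    """Turn a CIDR prefix into the (network, wildcard) pair an IOS ACL wants,
    so the mask is never typed by hand."""
    net = ipaddress.IPv4Network(prefix, strict=False)
    return str(net.network_address), str(net.hostmask)


# The ACL as posted: a subnet mask where IOS expects a wildcard.
ORIGINAL_ACL = [
    "permit ip 192.168.0.0 255.255.0.0 any",
    "deny ip any any",
]
# The corrected entry from the reply above.
CORRECTED_ACL = ["permit ip 192.168.1.0 0.0.0.255 any"]


if __name__ == "__main__":
    # 192.168.1.254 is the LAN gateway from the posted config; the others are
    # constructed addresses that show what the mis-typed mask really permits.
    for host in ("192.168.1.254", "192.168.1.10", "192.168.0.0", "10.0.0.0"):
        print(host, "original:", nat_eligible(host, ORIGINAL_ACL),
              "corrected:", nat_eligible(host, CORRECTED_ACL))
    print(wildcard_from_prefix("192.168.1.0/24"))
```

Run it and the original ACL reports False for 192.168.1.254 and True for 10.0.0.0, which is the opposite of what was intended; the corrected ACL gives True only for the /24. Note that even "192.168.0.0 0.0.255.255" (the wildcard the poster probably meant) would permit all of 192.168.0.0/16, which is wider than the one subnet in use.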
You should perform NAT overload/PAT on the WAN interface and use the "ip address ... secondary" command instead of creating a loopback interface.
interface FastEthernet0/0
 ip address 188.8.131.52 255.255.255.252
 ip nat outside
!
! on the LAN-facing interface
 ip address 184.108.40.206 255.255.255.248
 ip address 192.168.1.254 255.255.255.0 secondary
 ip nat inside
!
ip nat inside source list nat interface FastEthernet0/0 overload
For the 3560, you need to decide whether it will be an L2 or an L3 switch. Having a point-to-point link to your 1841 using .48 would waste public IP space.
If you choose L2, you would do router-on-a-stick with the 1841; if it is L3, you would use static and dynamic routing.
Can you please confirm the below first:
The ISP/internet will send any traffic destined for 220.127.116.11/30 and 18.104.22.168/29 to the ISP router and over to the client router, where you want to perform the NAT?
And you want to NAT some private server IPs to the IP range 22.214.171.124/29 from the LAN 192.168.1.0/25?
If this is right, can you change the IP addressing of the link between the core switch and the client router to something private?
Once you confirm the above, we can work out a solution for your case.