09-05-2011 07:58 PM - edited 03-04-2019 01:30 PM
Hello Everyone!!!
I have a little problem configuring NAT on a router 1841. This is the topology:
WAN (PUBLIC ADDRESS) fast0/0 fast0/0/0 PUBLIC ADDRESS INSIDE (192.168.1.0/24)
ROUTER ====== X.X.X.X/30============= ROUTER ======== Z.Z.Z.Z/29 ============ SW 3560==============
(ISP) .253 .254 CLIENT . 47 .48
The connection with the ISP or Extranet is a metro ethernet, so the ISP gave two IP addresses to the client:
WAN (/30)
LAN (/29), which are the public addresses to be used by the client if they need to publish any server on the network (like www). They do not have any device that could do the NAT, like an ASA or Linux server, so the router has to do the NAT, because the SW 3560 does not support this feature.
So... I did the following:
On router 1841:
inter fast 0/0
description WAN
no shut
inter fast 0/0.316
encapsulation dot1Q 316
ip address x.x.x.254 255.255.255.252
interface vlan 448
description LAN-ME
ip address Z.Z.Z.47 255.255.255.248
ip nat outside
no shut
inter fast 0/0/0
switchport mode access
switchport access vlan 448
no shut
I created a loopback interface to simulate the LAN connection (192.168.1.0/24):
inter loopb 0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip access-list extended nat
permit ip 192.168.0.0 255.255.0.0 any
deny ip any any
ip nat inside source list nat interface vlan 448 overload
ip route 0.0.0.0 0.0.0.0 x.x.x.253
ON SWITCH:
interface vlan 448
description LAN-ME
ip address Z.Z.Z.48 255.255.255.248
no shut
ip route 0.0.0.0 0.0.0.0 Z.Z.Z.47
But if I try to ping from an address in 192.168.1.0/24 to any server on the Internet the ping fails, but if I ping from vlan 228 the ping is successful. I think a route map could solve the problem.
Any idea???
KC
09-06-2011 12:06 AM
With a setup like this, you will be living dangerously.
You will make life both easier and safer when you add a firewall (ASA 5505) between the router and the switch.
The public IP subnet can be on the router's inside interface. The ASA can do the NAT and secure your network.
regards,
Leo
09-06-2011 07:30 PM
Thanks lgijssel,
Unfortunately the customer does not have enough money to buy an ASA or any firewall.
Regards,
KC
09-06-2011 02:08 AM
Can you post a sample topology of what you are trying to do so we might help you here?
09-06-2011 07:40 PM
Of course marwanshawi,
This is the topology; the public addresses do not match the real ones, for safety.
Like I said before, the client has a metro ethernet that communicates with the Internet, but they do not have any firewall that can do the NAT, so the Internet router has to do it, because the core switch does not have the feature. The problem is that the router has two public IP addresses, so the config I posted before does not work. I think a route map could solve this problem.
What do you think??
KC
09-06-2011 08:45 PM
Hi Katherine,
You are using a network mask instead of wildcard mask for your access list.
And the subnet is not right.
It should be:
permit ip 192.168.1.0 0.0.0.255 any
T.
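As an added illustration (not part of any post in this thread), the following Python snippet models how IOS evaluates an access list with wildcard masks and runs the two ACLs quoted above against hosts in 192.168.1.0/24. The ACL contents come from the posts; the host addresses are constructed samples.

```python
import ipaddress

def subnet_to_wildcard(mask: str) -> str:
    """Invert a dotted subnet mask into the wildcard mask an IOS ACL expects."""
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(m ^ 0xFFFFFFFF))

def acl_entry_matches(entry_addr: str, wildcard: str, host: str) -> bool:
    """IOS semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    care = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    entry = int(ipaddress.IPv4Address(entry_addr))
    return (entry & care) == (int(ipaddress.IPv4Address(host)) & care)

def nat_decision(acl, host: str) -> str:
    """Walk the ACL top-down like the router does; unmatched traffic hits the
    implicit deny and is therefore never translated."""
    for action, addr, wildcard in acl:
        if acl_entry_matches(addr, wildcard, host):
            return action
    return "deny"

# ACL as posted in the first message: a subnet mask used where a wildcard belongs.
ORIGINAL_ACL = [("permit", "192.168.0.0", "255.255.0.0"),
                ("deny", "0.0.0.0", "255.255.255.255")]
# ACL as corrected in the reply above.
FIXED_ACL = [("permit", "192.168.1.0", "0.0.0.255")]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        # Constructed sample hosts: one inside the LAN, one unrelated.
        for host in ("192.168.1.10", "10.20.0.0"):
            print(f"{name:8s} {host:13s} -> {nat_decision(acl, host)}")
```

With the original list, 192.168.1.10 falls through to the deny (so it is never translated), while 10.20.0.0 is permitted, because the inverted bits make the first two octets the ignored ones.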
09-06-2011 09:01 PM
Hi KC,
You should perform NAT overload/PAT on the WAN and use the ip address secondary command instead of creating a loopback interface.
1841:
int f0/0
ip address 200.200.200.254 255.255.255.252
ip nat out
int f0/1
ip add 192.168.1.254 255.255.255.0 secondary
ip add 220.220.220.47 255.255.255.248
ip nat in
ip nat inside source list nat int f0/0 over
For the 3560, you need to consider whether this will be an L2 or L3 switch. Having a point-to-point IP of .48 with your 1841 would waste IP space.
If you choose L2, you would perform router-on-a-stick with the 1841. On the other hand, if it's L3, you would perform static and dynamic routing.
09-06-2011 09:21 PM
Can you please confirm the below first:
The ISP/Internet will send any traffic destined for 200.200.200.252/30 and 220.220.220.96/29 to the ISP router and over to the client router where you want to perform the NAT?
And you want to NAT some private server IPs to the IP range 220.220.220.96/29 from the LAN 192.168.1.0/25?
If this is right, can you change the IP address of the interface between the core switch and the client router to anything private?
Once you confirm the above we can work out a solution for your case.