07-21-2011 12:10 PM - edited 03-07-2019 01:20 AM
Hi,
Currently my NAT configuration is like this :
interface FastEthernet1/0
description ISP
ip address 172.16.10.2 255.255.255.0
ip nat outside
interface FastEthernet2/0
description Lan
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip nat inside source list 10 interface FastEthernet1/0 overload
access-list 10 permit 10.10.10.0 0.0.0.255
That works, but I don't understand why the default route is required. Without it, it doesn't work. Why?
I want to add another ISP to be used with IP addresses below 10.10.10.51. So I try to use an access-list to capture the traffic and change the route like this:
interface FastEthernet1/0
description ISP1
ip address 172.16.10.2 255.255.255.0
ip nat outside
interface FastEthernet2/0
description Lan
ip address 10.10.10.1 255.255.255.0
ip nat inside
interface FastEthernet3/0
description ISP2
ip address 172.16.20.2 255.255.255.0
ip nat outside
ip route 0.0.0.0 0.0.0.0 172.16.10.1
ip nat inside source list 10 interface FastEthernet1/0 overload
ip nat inside source list 20 interface FastEthernet3/0 overload
access-list 10 permit 10.10.10.0 0.0.0.50
access-list 20 permit 10.10.10.51 0.0.0.204
But with this configuration it's impossible for an IP address (like 10.10.10.20 or 10.10.10.100) to reach the outside.
Why doesn't that work? I don't understand.
Is it possible to use NAT like this?
Must I use an ACL or a route-map?
Is it possible to use each ISP as a backup for the other?
Thanks for your help
Jerome
07-21-2011 12:20 PM
That works, but I don't understand why the default route is required. Without it, it doesn't work. Why?
The default route tells your traffic what the next hop is when it is destined for a network that your router does not have a route to.
Must I use an ACL or a route-map?
You could use that or you could use IP SLA to track a primary route and switch to a secondary route should it fail (sub 4.2.2.2 with your default next hop): http://www.inacom-sby.net/Shawn/post/2007/11/Cisco-IP-SLA-for-failover.aspx
Message was edited by: Antonio Knox
07-21-2011 02:35 PM
Ok, thanks Antonio.
But there is still one thing I don't understand. I want routing like this:
10.10.10.0 to 50 use Fa1/0 as route
10.10.10.51 to 254 use Fa2/0 as route
I have tried to set two route-maps for this:
ip nat inside source route-map NAT-ADSL interface FastEthernet1/0 overload
ip nat inside source route-map NAT-SDSL interface FastEthernet3/0 overload
ip access-list extended ADSL
permit ip 10.10.10.0 0.0.0.50 any
ip access-list extended SDSL
permit ip 10.10.10.51 0.0.0.204 any
route-map NAT-ADSL permit 10
match ip address ADSL
route-map NAT-SDSL permit 10
match ip address SDSL
But I can't reach any destination with this config. Why? I don't see any problem in my config...
Jerome
07-21-2011 02:52 PM
Your ACLs won't work because you are using incorrect wildcard masks. Also you need to apply the route-map. I'm assuming you meant to use fa1/0 and fa3/0 to route traffic out to your ISPs. Use the below config -
access-list 101 permit ip 10.10.10.0 0.0.0.31 any
access-list 101 permit ip 10.10.10.32 0.0.0.15 any
access-list 101 permit ip host 10.10.10.48 any
access-list 101 permit ip host 10.10.10.49 any
access-list 101 permit ip host 10.10.10.50 any
access-list 102 permit ip host 10.10.10.51 any
access-list 102 permit ip 10.10.10.52 0.0.0.3 any
access-list 102 permit ip 10.10.10.56 0.0.0.7 any
access-list 102 permit ip 10.10.10.64 0.0.0.63 any
access-list 102 permit ip 10.10.10.128 0.0.0.127 any
ip nat inside source list 101 interface fa1/0 overload
ip nat inside source list 102 interface fa3/0 overload
route-map PBR permit 10
match ip address 101
set ip next-hop 172.16.10.1
route-map PBR permit 20
match ip address 102
set ip next-hop 172.16.20.1
int fa2/0
ip policy route-map PBR
07-21-2011 02:58 PM
Ok Jon.
But why:
access-list 102 permit ip host 10.10.10.51 any
access-list 102 permit ip 10.10.10.52 0.0.0.3 any
access-list 102 permit ip 10.10.10.56 0.0.0.7 any
access-list 102 permit ip 10.10.10.64 0.0.0.63 any
access-list 102 permit ip 10.10.10.128 0.0.0.127 any
And not simply:
access-list 102 permit ip 10.10.10.51 0.0.0.203 any
51+203=254
07-21-2011 03:00 PM
Because wildcard masks just don't work like that, unfortunately. It would be very handy if they did.
07-21-2011 03:15 PM
Do you know where I can find a correct explanation of how to use wildcard masks?
07-21-2011 03:34 PM
Have a look at this link which covers subnetting and wildcards -
http://www.rhyshaden.com/ipadd.htm
if you have further questions then come back for clarification.
Jon
07-22-2011 04:41 PM
Jon,
If I understand, you split the wanted size into multiple wildcards. So if I want to capture packets from 192.168.0.1 to 192.168.0.24 you don't use 0.0.0.24 as the wildcard but, with the help of this magic table:
Cidr  Addr  Mask  Wildcard
24    256   0     255
25    128   128   127
26    64    192   63
27    32    224   31
28    16    240   15
29    8     248   7
30    4     252   3
31    2     254   1
access-list 101 permit ip 192.168.0.1 0.0.0.15 any
access-list 101 permit ip 192.168.0.16 0.0.0.7 any
access-list 101 permit ip host 192.168.0.24 any
Is this correct? So for 192.168.0.51 to 192.168.0.254 (203 addresses) I suppose these wildcards are correct:
access-list 101 permit ip 192.168.0.51 0.0.0.127 any
access-list 101 permit ip 192.168.0.179 0.0.0.31 any
access-list 101 permit ip 192.168.0.211 0.0.0.31 any
access-list 101 permit ip 192.168.0.243 0.0.0.7 any
access-list 101 permit ip 192.168.0.250 0.0.0.3 any
access-list 101 permit ip host 192.168.0.254 any
Is it correct?
07-22-2011 05:07 PM
Just to add to the discussion, have a look at the below document, which I posted before in CSC, that addresses requirements similar to yours.
By the way, you do not need PBR or IP SLA unless you want to.
https://supportforums.cisco.com/docs/DOC-8313
HTH
if helpful Rate
07-23-2011 03:37 AM
Thanks for this perfect article!
07-24-2011 02:17 AM
Jon,
Is my reply about wildcards correct or not?
Do you know a tool for doing this calculation?
07-24-2011 04:22 AM
access-list 101 permit ip 192.168.0.51 0.0.0.127 any
access-list 101 permit ip 192.168.0.179 0.0.0.31 any
access-list 101 permit ip 192.168.0.211 0.0.0.31 any
access-list 101 permit ip 192.168.0.243 0.0.0.7 any
access-list 101 permit ip 192.168.0.250 0.0.0.3 any
access-list 101 permit ip host 192.168.0.254 any
No, the above is not correct. See my previous post for the correct answer.
You cannot simply use the first address and apply a wildcard mask to it. You have to work out where the subnet would begin. So if you type
access-list 101 permit ip 192.168.0.51 0.0.0.127 any
the router will actually change that to
access-list 101 permit ip 192.168.0.0 0.0.0.127 any
which would include hosts 192.168.0.1 -> 126 with a broadcast of 192.168.0.127, which is not what you want. So what you need to do is look at that table you posted and see where the subnet would start.
So a class C address could be subnetted as follows:
255.255.255.128  0.0.0.127  gives 126 hosts + broadcast
255.255.255.192  0.0.0.63   gives 62 hosts + b
255.255.255.224  0.0.0.31   gives 30 + b
255.255.255.240  0.0.0.15   gives 14 + b
255.255.255.248  0.0.0.7    gives 6 + b
255.255.255.252  0.0.0.3    gives 2 + b
So you need to understand that with a 0.0.0.127 you can have 2 subnets -
192.168.0.0 0.0.0.127 which is 192.168.0.1 -> 126 + b
192.168.0.128 0.0.0.127 which is 192.168.0.129 -> 254 + b
With 0.0.0.63 you can have 4 subnets -
192.168.0.0 0.0.0.63 -> 192.168.0.1 -> 62 + b
192.168.0.64 0.0.0.63 -> 192.168.0.65 -> 126 + b
192.168.0.128 0.0.0.63 -> 192.168.0.129 -> 190 + b
192.168.0.192 0.0.0.63 -> 192.168.0.193 -> 254 + b
so the key is to understand that -
0.0.0.127 = subnets go up in 128
0.0.0.63 = subnets go up in 64
0.0.0.31 = subnets go up in 32
0.0.0.15 = subnets go up in 16
0.0.0.7 = subnets go up in 8
0.0.0.3 = subnets go up in 4
So for your ACL you need to work out where to start. 192.168.0.51 does not fall into any subnet without including hosts that you don't want, i.e. hosts less than .51, so you include it as a host, i.e.
access-list 101 permit ip host 192.168.0.51 any
then 52 onwards. If you look at the above examples you will see that
0.0.0.127 would be 192.168.0.1 -> 127 which is too many hosts.
0.0.0.63 would be 192.168.0.1 -> 63 which is again too many hosts
0.0.0.31 would be 192.168.0.1 -> 31 which doesn't cover .52
192.168.0.32 -> 63 does cover .52 but again this is too many hosts
0.0.0.15 would be 192.168.0.1 -> 192.168.0.15
192.168.0.16 -> 192.168.0.31
192.168.0.32 -> 192.168.0.47
192.168.0.48 -> 63 - this covers .52 but is still too many hosts
0.0.0.7 would be 192.168.0.1 -> 192.168.0.7
192.168.0.8 -> 192.168.0.15
192.168.0.16 -> 192.168.0.23
192.168.0.24 -> 192.168.0.31
192.168.0.32 -> 192.168.0.39
192.168.0.40 -> 192.168.0.47
192.168.0.48 -> 55 - this covers .52 but too many hosts
0.0.0.3 would be 192.168.0.1 -> 192.168.0.3
192.168.0.4 -> 192.168.0.7
192.168.0.8 -> 192.168.0.11
etc...
192.168.0.48 -> 192.168.0.51
192.168.0.52 -> 55 which would work so next line of acl is
access-list 101 permit ip 192.168.0.52 0.0.0.3 any
that gets you to 192.168.0.56
we do the same thing again but this time we stop at -
0.0.0.7 which is 192.168.0.56 -> 63
etc.. for the rest of the acl.
So to work it out you have to break it down into the available subnets and then see where your hosts fit into that.
I appreciate this is a long explanation, but it's worth understanding both for subnetting and for wildcard masks. Have a read of it and perhaps try writing it out if it helps to make more sense, and if you have further questions or need clarification then come back.
Jon
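The procedure Jon walks through by hand (start at the first address, take the largest power-of-two block that is aligned to it and does not overshoot the range, then repeat from the next address) as an added Python example; this is not code from the thread or from Cisco. It also reproduces the rewrite the router applies to an unaligned entry such as 192.168.0.51 0.0.0.127, so a candidate ACL can be checked for what it will really match before it goes into a config.

```python
import ipaddress

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _str(n: int) -> str:
    return str(ipaddress.IPv4Address(n))

def range_to_wildcards(first: str, last: str):
    """Split an inclusive address range into the fewest aligned (address, wildcard)
    pairs: every block is a power of two in size and starts on a multiple of that size,
    which is exactly the rule Jon applies when he picks 52/0.0.0.3, 56/0.0.0.7, ..."""
    lo, hi = _ip(first), _ip(last)
    pairs = []
    while lo <= hi:
        size = 1
        # Double the block while its start stays aligned and it still fits under 'hi'.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((_str(lo), _str(size - 1)))
        lo += size
    return pairs

def acl_line(number: int, address: str, wildcard: str) -> str:
    """Render one pair in IOS syntax; a single address uses the 'host' keyword."""
    if wildcard == "0.0.0.0":
        return f"access-list {number} permit ip host {address} any"
    return f"access-list {number} permit ip {address} {wildcard} any"

def normalize(address: str, wildcard: str) -> str:
    """What IOS stores for an unaligned entry: the bits covered by the wildcard are cleared."""
    return _str(_ip(address) & ~_ip(wildcard) & 0xFFFFFFFF)

def matched(pairs):
    """Every address a list of (address, wildcard) entries matches, using the normalized
    start so an unaligned entry is evaluated the way the router evaluates it
    (assumes wildcards with contiguous low-order bits, as in the thread)."""
    addrs = set()
    for address, wildcard in pairs:
        start = _ip(normalize(address, wildcard))
        addrs.update(range(start, start + _ip(wildcard) + 1))
    return addrs

if __name__ == "__main__":
    # Jerome's 10.10.10.51-254 half of the LAN. .255 is the broadcast and never a source,
    # so including it lets the last block collapse to 10.10.10.128 0.0.0.127 as in ACL 102.
    for address, wildcard in range_to_wildcards("10.10.10.51", "10.10.10.255"):
        print(acl_line(102, address, wildcard))
    # An unaligned entry silently widens to the whole aligned block.
    print(normalize("192.168.0.51", "0.0.0.127"))
```

Stopping exactly at .254 instead of .255 needs eleven entries rather than five, which is why Jerome's six-line attempt cannot be right regardless of its start addresses.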
07-24-2011 03:10 PM
Also, for quick subnetting you can use the below link:
http://www.subnet-calculator.com/
Jon, 5+ very nice and thorough explanation
Plz rate the helpful posts
HTH
Sent from Cisco Technical Support iPhone App
07-24-2011 03:34 PM
Marwan
Thanks, it was one of those where, as I was writing it, I was wondering whether it would create more confusion rather than simplify things.
Jon