Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1296
Views
0
Helpful
5
Replies

NAT Help

Go to solution
gdrandles
Level 1
Level 1

‎05-02-2011 12:48 PM - edited ‎03-06-2019 04:52 PM

Scenario:  We are using HSRP both ways between our core switches and the ISP redundant routers.  We were originally give a subnet of X.X.X.16 /28 to use for the connection between our core and the ISP.  Since we only needed 6 IP's, I borrowed a host bit in order to get two networks that have 6 available public IP's.  I assigned the X.X.X.16 /29 for the HSRP.  I want to use the other network X.X.X.24 /29 to do one to one NAT.  We host websites and want to hide the actual IP of the server from the public.  Since we have 6 available IP and 6 web servers it works out even.  The idea is to map the following public IP's to our private IP's:

X.X.X.25 /29 to 10.1.1.2 /25

X.X.X.26 /29 to 10.1.1.3 /25

X.X.X.27 /29 to 10.1.1.4 /25....and so on

Question:  I guess my concern is how does the routing and NAT work if the X.X.X.24 /29 subnet isn't actually assigned to anything other than the NAT configuration?  Any examples or articles you can suggest is much appreciated.

Thanks in advance,

Labels:
Preview file
1994 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni
In response to gdrandles

‎05-03-2011 06:49 AM

Hi,

YES, you need to configure "ip nat outside" on each vlan5 interface on the both 6506.

Please see the below example config.

ACTIVE:
interface Vlan5
description *******
ip address 10.10.10.20 255.255.255.0
ip helper-address 10.xx.xx.xx
ip nat outside
standby 99 ip 10.10.10.22
standby 99 priority 150
standby 99 preempt delay minimum 600
standby 99 authentication vlan500


STANDBY:
interface Vlan5
description *******
ip address 10.10.10.21 255.255.255.0
ip helper-address 10.xx.xx.xx
ip nat outside
standby 99 ip 10.10.10.22
standby 99 preempt delay minimum 600
standby 99 authentication vlan500


Hope the above will help you.

please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni

‎05-02-2011 11:25 PM

Hi,

The public IP which you want to NAT with the private IP is not need to assign any interface.
You can directly use the free IP's for NAT.
The only thing is that the public IP should able to communicate outside through the ISP that is it.
And I hope you have valid public IP's from your ISP.

Please click on the correct answer if this answered your question.
Regards,
Naidu.

0 Helpful

Go to solution
gdrandles
Level 1
Level 1
In response to Latchum Naidu

‎05-03-2011 06:03 AM

Naidu,

  The X.X.X.16 /29 network and X.X.X.24 /29 networks are public subnets assigned by our ISP.  What you are saying is that I can create a one-to-one NAT mapping for each of my webservers to a public IP on the X.X.X.24 /29 subnet and don't have to have an interface (including a loopback) with a public IP in that range.  I plan on using PAT with the X.X.X.22 /29 IP for our internal users Internet traffic as well.  Currently our ISP has static routes which point both of those subnets to our core switches.  I do have another question:

Since I am running HSRP, where do the "IP NAT Outside" statements go?

0 Helpful

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni
In response to gdrandles

‎05-03-2011 06:11 AM

Hi,

If you have HSRP for redundancy then you need to configure the "ip nat outside" on the both routers WAN interfaces (which connected to your PE). The config looks like below...

Please click on the correct answer if this answered your question.
Regards,
Naidu.

0 Helpful

Go to solution
gdrandles
Level 1
Level 1
In response to Latchum Naidu

‎05-03-2011 06:41 AM

Hi Naidu,

  There was no config example attached to your post.  On each of the 6506 switches I will have VLAN 5 configured for the HSRP to our ISP routers.  VLAN 5 IP of the first switch will be X.X.X.20 255.255.255.248 and VLAN 5 IP of the second switch will be X.X.X.21 255.255.255.248.  The VIP will be X.X.X.22 255.255.255.248.  All of the inside VLAN's (i.e. user PC's) will also point to a VIP for their Gateway.  I assume you are saying that I would put the ip nat outside statement on each of the VLAN 5 interfaces?

Thanks

0 Helpful

Go to solution
Latchum Naidu
VIP Alumni
VIP Alumni
In response to gdrandles

‎05-03-2011 06:49 AM

Hi,

YES, you need to configure "ip nat outside" on each vlan5 interface on the both 6506.

Please see the below example config.

ACTIVE:
interface Vlan5
description *******
ip address 10.10.10.20 255.255.255.0
ip helper-address 10.xx.xx.xx
ip nat outside
standby 99 ip 10.10.10.22
standby 99 priority 150
standby 99 preempt delay minimum 600
standby 99 authentication vlan500


STANDBY:
interface Vlan5
description *******
ip address 10.10.10.21 255.255.255.0
ip helper-address 10.xx.xx.xx
ip nat outside
standby 99 ip 10.10.10.22
standby 99 preempt delay minimum 600
standby 99 authentication vlan500


Hope the above will help you.

please click on the correct answer on all posts if they answered your question.
Regards,
Naidu.

0 Helpful
Customers Also Viewed These Support Documents