NAT in Transition

lnatschke
Level 1

3640 router version 12.3

We have most of our machines on a class C network. We have a DMZ setup with static NAT addresses. We are running low on the class C network IP addresses so would like to transition to NAT overload (PAT).

The commands I am using are:

ip nat pool ptinat 198.17.220.118 198.17.220.118 netmask 255.255.255.0
ip nat inside source list 20 pool ptinat overload
access-list 20 permit 172.28.0.0 0.0.255.255

I also put the following on the interface FastEthernet0/0

ip address 198.17.220.118 255.255.255.0 secondary

Once I have done this the 198.17.220.0 and the 172.28.0.0 networks cannot talk to each other.

Any ideas?

6 Replies

a.alekseev
Level 7

The 198.17.220.0 and the 172.28.0.0 networks cannot talk to each other because you did PAT.

Only hosts from 172.28.0.0 can have access to hosts in 198.17.220.0.

I am logged into the 172.28.0.0 host.

If I ping 198.17.220.0 host it is successful

If I traceroute 198.17.220.0 host it is successful

If I ssh to 198.17.220.0 host, it comes back with:

debug1: Connecting to 198.17.220.131 [198.17.220.131] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: read: Connection reset by peer

If I turn NAT off, this same ssh will be successful.

I am grateful for any help you can give me.

Thank you.

Could you show all parts of your config related to NAT/PAT?

I am a bit nervous about putting too much of the config out on the network. Does this help at all?

interface FastEthernet0/0
 ip address 198.17.220.118 255.255.255.0 secondary
 ip address 198.17.x.x 255.255.255.0
 ip broadcast-address 198.17.220.255
 ip nat outside
!
interface FastEthernet3/1
 description PTI TESTING NAT
 ip address 172.28.0.100 255.255.0.0
 ip broadcast-address 172.28.0.255
 ip nat inside
!
ip nat pool ptinat 198.17.220.118 198.17.220.118 netmask 255.255.255.0
ip nat inside source list 20 pool ptinat overload
access-list 20 permit 172.28.0.0 0.0.255.255

Remove this line from the config

ip address 198.17.220.118 255.255.255.0 secondary

and try again

Sorry to say it did not make any difference to have the secondary interface removed.
