
NAT my private network internal IPs toward the Public IP configured on loopback

ledaouk
Level 1

Hi, 

I have a router C881-k9 connected on WAN port fastethernet4 to the ISP modem, which provides internet with 1 public IP address, and I've been asked to configure the following to get the internet working from my LAN:

Wanip2 is assigned on fastethernet4 and wanip1 is assigned on ISP modem

A default route is set to wanip1

A loopback is created and a public ip is assigned

VLAN1 is configured with a dhcp

The loopback has to ping the wanip1 on ISP modem and it is

A NAT was set, the client PCs can ping the loopback (public ip), the WANIP1 and the WANIP2 but not the google DNS 8.8.8.8

I can ping the public IP from anywhere as well

My problem is that I cannot get internet on the internal network

Here is the configuration and I appreciate some help.

 

 

!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$b.pC$wkyOJBKtya.BkiDwOAMG0/
enable password nopassword
!
no aaa new-model
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool vlan1pool
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 8.8.4.4
!
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
cts logging verbose
license udi pid C881-K9 sn xxxxxxxxxx
!
interface Loopback0
 ip address xxx.yyyy.zzz.sss 255.255.255.255
 ip nat outside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool PUBLIC-POOL xxx.yyyy.zzz.sss xxx.yyyy.zzz.sss netmask 255.255.255.255
ip nat inside source list 1 pool PUBLIC-POOL overload
ip route 0.0.0.0 0.0.0.0 172.16.0.1
!
snmp-server community public RO
access-list 1 permit 192.168.1.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password cisco
 login
 transport input none
!
scheduler allocate 20000 1000
!
end

  

  

Thank you

 

14 Replies

Hi

I assume it is a lab (because it could involve other steps in the real world). Now, if you are going to NAT the private networks using a loopback, the ip nat outside command is not required under the interface loopback; it is required under the interfaces where the packets will be routed, so your configuration should be:

 

 

interface Loopback0
 ip address xxx.yyyy.zzz.sss 255.255.255.255
!
interface FastEthernet4
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 1 interface loopback0 overload
ip route 0.0.0.0 0.0.0.0 172.16.0.1
access-list 1 permit 192.168.1.0 0.0.0.255

 

 

Now, the steps I mentioned above (real world) are: if you are using a loopback IP to translate the traffic, the ISP device must know that loopback IP, so you should have a static route on the ISP device. If your loopback is related to a public IP address, it might not be required.

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<
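
The reply above places ip nat outside on the routed interface rather than the loopback, and ties the NAT rule to access-list 1 and the default route. The Python check below is an added example, not part of the thread, that applies those points to a configuration; the names check_nat and parse_interfaces and the address 203.0.113.25 are assumptions made for illustration.

```python
import re

# Constructed sample: NAT-relevant lines of the thread's configuration, with
# 203.0.113.25 (a documentation address) standing in for the masked public IP.
SAMPLE = """\
interface Loopback0
 ip address 203.0.113.25 255.255.255.255
 ip nat outside
interface FastEthernet4
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface Loopback0 overload
ip route 0.0.0.0 0.0.0.0 172.16.0.1
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def parse_interfaces(config):
    """Map each interface name to the list of its indented sub-commands."""
    blocks = re.findall(r"^interface (\S+)[ \t]*\n((?: .*\n?)*)", config, re.M)
    return {name: [c.strip() for c in body.splitlines()] for name, body in blocks}

def check_nat(config):
    """Return a list of findings; an empty list means every check passed."""
    findings, ifaces = [], parse_interfaces(config)
    for role in ("inside", "outside"):
        marked = [n for n, cmds in ifaces.items() if f"ip nat {role}" in cmds]
        if not marked:
            findings.append(f"no interface marked 'ip nat {role}'")
        findings += [f"{n}: 'ip nat {role}' is not required on a loopback"
                     for n in marked if n.lower().startswith("loopback")]
    # Only numbered ACLs (access-list N permit ...) are recognised here.
    rule = re.search(r"^ip nat inside source list (\S+) (pool|interface) (\S+)", config, re.M)
    if not rule:
        findings.append("no 'ip nat inside source list' rule")
    else:
        acl, kind, target = rule.groups()
        if not re.search(rf"^access-list {re.escape(acl)} permit ", config, re.M):
            findings.append(f"access-list {acl} used by NAT is not defined")
        if kind == "pool" and not re.search(rf"^ip nat pool {re.escape(target)} ", config, re.M):
            findings.append(f"NAT pool {target} is not defined")
        if kind == "interface" and target.lower() not in map(str.lower, ifaces):
            findings.append(f"NAT source interface {target} is not configured")
    if not re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 \S+", config, re.M):
        findings.append("no default route")
    return findings
```

A clean result only shows the router side is consistent; whether the ISP device routes the loopback address back to the router still has to be checked there.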

Thank you for your reply, btw it is not a lab

and I already removed the ip nat outside

and as you can see there is a default route 0.0.0.0 to the ISP gateway, which is his wanip1

but still not working, do you think any additional config is needed?

at the end it was an ISP issue and they had to fix it.

thank you all for your help.

ledaouk
Level 1

The loopback ip is not able to ping the 8.8.8.8 as well, could it be a misconfiguration from the isp side?

But what makes it weird is that this public IP is reachable for ping once configured on the loopback interface.

OK, the question here is: the IP address to create the NAT is a loopback and it is a public IP? Or do you want to translate the loopback IP and private network through a public IP?

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

the ip address to create the NAT is a loopback and it is a public IP

Ok,

So the configuration should be, imagining the IP is 111.0.0.25:

 

interface Loopback0
 ip address 111.0.0.25 255.255.255.255
!
interface FastEthernet4
 ip address 172.16.0.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip nat inside source list 1 interface loopback0 overload
ip route 0.0.0.0 0.0.0.0 172.16.0.1
access-list 1 permit 192.168.1.0 0.0.0.255

 

 

 

ISP DEVICE

 

ip route 111.0.0.25 255.255.255.255 172.16.0.2  (it will be known via the client router)

 

The ISP usually provides public IP addresses also for the point-to-point between the client router and the ISP device; they could also provide different public network segments, but everything is handled on the ISP side.

 




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

The configuration is already the same as what you wrote, and not working.

And do you think there is any way to test that the connection is reaching the internet other than pinging from the loopback id to another public IP like the Google DNS?

Keeping in mind that I can ping the public IP from everywhere.

Was the loopback IP provided by the ISP? And is the /30 used between the router and modem 172.16.0.0/30?




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Have you tried to configure the public IP under the FastEthernet 4 interface?




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other community members. <<

Yes, even if it is not a logical test, I already tested it and it is not working.

 

Yes

Hi ledaouk!

 

Could you run commands: "show ip nat translations" and "show ip route"?

 

Maybe you are missing routes to the outside NAT address. It just looks like everything is going via "ip route 0.0.0.0 0.0.0.0 172.16.0.1", without any NATs.

Traffic from your local subnet "192.168.1.0/24" has to know where the network "xxx.yyyy.zzz.sss xxx.yyyy.zzz.sss/Y" is; this loopback interface is your outside global. I am afraid that you are missing routes to your loopback address!!!

Please post the "show ip route" and "show ip nat translations" outputs to figure out what is going on. 

 

/Mohammed 
