NAT overloading issue in my 2811

vinuqueta
Level 1

Hi All,
I know I am lacking a lot in the config given below. Can someone please help me align it with industry standard?

I am using a C2811 router running 12.4(13r)T.

My problems are:
1. Need industry standard config.
2. PATing happens only on the first IP address of the ISP1 pool. It does not translate to the next available public IP from the pool.
3. Route failover to ISP2 does not happen whenever ISP1 fails.
4. I need to avoid giving "ip nat inside" for all of my VLANs, still allowing them for NAT translations.
5. I need to avoid configuring secondary IP addresses on my VLAN interfaces.
6. How can I avoid VLANs on the router? (FastEthernet0/3/0-3 is an HWIC4ESW card. How effectively can I use it for 4 VLAN creation?)

My config looks like below:


interface FastEthernet0/0
 description ***ISP2***
 ip address 10.x.x.x 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 description ***ISP1***
 ip address 115.x.x.x 255.255.255.252
 no ip redirects
 no ip proxy-arp
 ip accounting output-packets
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 100
 no mop enabled
!
interface FastEthernet0/3/0
 description *VLAN 10*
 switchport access vlan 10
!
interface FastEthernet0/3/1
 description *VLAN 3*
 switchport access vlan 3
!
interface FastEthernet0/3/2
 description *VLAN 17*
 switchport access vlan 17
!
interface FastEthernet0/3/3
 description *VLAN 8*
 switchport access vlan 8
!
interface Vlan1
 no ip address
!
interface Vlan3
 description ***MAIN LAN***
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan8
 description ***VOICE LAN***
 ip address 192.168.8.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan10
 description ***SECOND LAN***
 ! First IP of ISP2 public IP range
 ip address 110.x.x.x 255.255.255.248 secondary
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan17
 description ***Server LAN***
 ! First IP of ISP1 public IP range
 ip address 115.y.y.y 255.255.255.240 secondary
 ip address 172.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
no ip classless
ip route 0.0.0.0 0.0.0.0 ISP1
ip route 0.0.0.0 0.0.0.0 ISP2 10
!
ip nat pool ISP1 115.y.y.y 115.y.y.y netmask 255.255.255.240
ip nat pool ISP2 110.x.x.x 110.x.x.x netmask 255.255.255.248
ip nat inside source route-map ISP1 pool ISP1 overload
ip nat inside source route-map ISP2 pool ISP2 overload
!
access-list 100 permit ip 192.168.0.0 0.0.15.255 any
access-list 100 permit ip 172.168.3.0 0.0.0.255 any
!
route-map ISP1 permit 10
 match ip address 100
 match interface FastEthernet0/1
!
route-map ISP2 permit 10
 match ip address 100
 match interface FastEthernet0/0
!
!
!
!
control-plane

5 Replies

Ganesh Hariharan
VIP Alumni


Hi,

The standard configuration for NAT is that the LAN interface needs to be configured with ip nat inside and the ISP-side interface with ip nat outside, and PAT always works with a single IP address.

For link redundancy you need to configure IP SLA on your routers; check out the link below for more details:

http://docwiki.cisco.com/wiki/IP_SLA_Tracking_with_Configuration_Example

Hope to Help !!

Ganesh.H

Remember to rate the helpful post

Hi,

Thanks very much..

In my scenario I have an HWIC4ESW card configured for VLANs. I have enabled ip nat inside on all VLAN ports, i.e. I have 4 LAN ports indeed. How can I avoid giving nat inside to all VLAN ports? How can I avoid assigning secondary IP addresses to those VLAN ports?

Secondly, PATing happens only for a single IP? What about the other IP addresses available in the pool?

Thanks for redundancy part.

Vinayak.M

Hi Vinayak,

PAT can work with multiple IP addresses based upon the following conditions:

PAT with One IP Address

1. NAT/PAT inspects traffic and matches it to a translation rule.
2. Rule matches to a PAT configuration.
3. If PAT knows about the traffic type and if that traffic type has "a set of specific ports or ports it negotiates" that it will use, PAT sets them aside and does not allocate them as unique identifiers.
4. If a session with no special port requirements attempts to connect out, PAT translates the IP source address and checks availability of the originated source port (433, for example).

Note: For Transmission Control Protocol (TCP) and User Datagram Protocol (UDP), the ranges are: 1-511, 512-1023, 1024-65535. For Internet Control Message Protocol (ICMP), the first group starts at 0.

5. If the requested source port is available, PAT assigns the source port, and the session continues.
6. If the requested source port is not available, PAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).
7. If a port is available, it is assigned, and the session continues.
8. If no ports are available, the packet is dropped.

PAT with Multiple IP Addresses

The first seven conditions are the same as with a single IP address.

8. If no ports are available in the relevant group on the first IP address, NAT moves on to the next IP address in the pool and tries to allocate the original source port requested.
9. If the requested source port is available, NAT assigns the source port and the session continues.
10. If the requested source port is not available, NAT starts searching from the beginning of the relevant group (starting at 1 for TCP or UDP applications, and from 0 for ICMP).
11. If a port is available, it is assigned and the session continues.
12. If no ports are available, the packet is dropped, unless another IP address is available in the pool.

For VLAN assignment on the Cisco 2811, just configure and assign the ports to the same VLAN and configure ip nat inside on the SVI of the VLAN:

interface FastEthernet0/1/0
 description LAN 1
!
interface FastEthernet0/1/1
 description LAN 2
 switchport access vlan 2
!
interface FastEthernet0/1/2
 description LAN 3
 switchport access vlan 3
!

interface Vlan 1
 ip nat inside
 description LAN 1
 ip address 192.168.0.1 255.255.255.0
!
interface Vlan 2
 description LAN 2
 ip address 192.168.1.1 255.255.255.0

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
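
The allocation order described in the reply above, as a simplified model added here for illustration (it is not part of the thread and not Cisco's implementation). It assumes a single protocol, ignores the reserved ports of step 3, and uses constructed documentation addresses; it shows why translations stay on the first pool address until a port group there is exhausted.

```python
# Added illustration, not Cisco code: simplified model of the PAT port
# selection order described in the post above (one protocol, no reserved ports).
GROUPS = [(1, 511), (512, 1023), (1024, 65535)]  # TCP/UDP port groups from the post

def group_of(port):
    """Return the (low, high) bounds of the group the source port falls in."""
    for lo, hi in GROUPS:
        if lo <= port <= hi:
            return lo, hi
    raise ValueError(f"port {port} is outside the TCP/UDP groups")

class PatPool:
    def __init__(self, addresses):
        self.addresses = list(addresses)            # pool order matters
        self.in_use = {ip: set() for ip in self.addresses}

    def allocate(self, src_port):
        """Return (pool_ip, translated_port), or None when the packet is dropped."""
        lo, hi = group_of(src_port)
        for ip in self.addresses:                   # first pool address is tried first
            used = self.in_use[ip]
            if src_port not in used:                # original source port is free: keep it
                used.add(src_port)
                return ip, src_port
            for port in range(lo, hi + 1):          # else search the group from its start
                if port not in used:
                    used.add(port)
                    return ip, port
            # group exhausted on this address: fall through to the next one
        return None                                 # no ports on any pool address

def demo():
    """512 hosts all using source port 600, then one more (constructed scenario)."""
    pool = PatPool(["203.0.113.1", "203.0.113.2"])  # constructed documentation addresses
    first = [pool.allocate(600) for _ in range(512)]
    overflow = pool.allocate(600)                   # group 512-1023 on .1 is now full
    other_group = pool.allocate(40000)              # different group still fits on .1
    return first, overflow, other_group

if __name__ == "__main__":
    first, overflow, other_group = demo()
    print(first[0], first[1], first[-1], overflow, other_group)
```

Only the 513th session in the 512-1023 group lands on the second address, while a session in another group still fits on the first.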

Thanks very much...... It helped me understand.

Does PAT with multiple IP addresses require additional config?

Hi Vinayak,

No special configuration is required for multiple-IP PAT; just overload with the pool you have created. Check out the link below, which has good examples on NAT and PAT.

http://articles.techrepublic.com.com/5100-10878_11-1053789.html

Hope to Help !!

Ganesh.H

Remember to rate the helpful post
