NAT & routed at the same time, on an 837

 
 
Richard Antony Burton
12-01-2004
I have a block of 8 IPs from my ISP, but I want to use NAT for most of the
devices. How can I do that?

I have to use IP unnumbered on the Dialer interface, to share the IP with
the Ethernet interface. How do I add a 192.168.0.x address to the ethernet
interface when it already has a real ip assigned? And what is going to be
nat inside & nat outside?

Anyone done this?

Richard.

The config I need for routing is something like this, just need to add nat,
somehow:

interface Ethernet0
ip address 82.70.xxx.yyy 255.255.255.248
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
dsl power-cutback 0
!
interface Dialer0
bandwidth 256
ip unnumbered Ethernet0
no ip redirects
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname
ppp chap password 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
dialer-list 1 protocol ip permit


 
Erik Freitag
12-01-2004
On Wed, 01 Dec 2004 11:29:19 +0000, Richard Antony Burton wrote:

> I have a block of 8 IPs from my ISP, but I want to use NAT for most of the
> devices. How can I do that?
>
> I have to use IP unnumbered on the Dialer interface, to share the IP with
> the Ethernet interface. How do I add a 192.168.0.x address to the ethernet
> interface when it already has a real ip assigned? And what is going to be
> nat inside & nat outside?
>
> Anyone done this?
>
> Richard.
>
> The config I need for routing is something like this, just need to add nat,
> somehow:
>
> interface Ethernet0
> ip address 82.70.xxx.yyy 255.255.255.248
> no cdp enable
> hold-queue 100 out
> !
> interface ATM0
> no ip address
> no atm ilmi-keepalive
> pvc 0/38
> encapsulation aal5mux ppp dialer
> dialer pool-member 1
> !
> dsl operating-mode auto
> dsl power-cutback 0
> !
> interface Dialer0
> bandwidth 256
> ip unnumbered Ethernet0
> no ip redirects
> encapsulation ppp
> dialer pool 1
> dialer-group 1
> ppp authentication chap callin
> ppp chap hostname
> ppp chap password 0
> !
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer0
> dialer-list 1 protocol ip permit


I don't see why you can't move the ip address from the Ethernet to
Dialer0, and put the 192.168.xxx.yyy address on the Ethernet. Can you
explain?

I'm thinking of something like this:

interface Ethernet0
ip address 192.168.xxx.yyy 255.255.255.255
ip nat inside

interface Dialer0
ip address 82.70.xxx.yyy 255.255.255.248
ip nat outside

access-list 1 permit 192.168.xxx.yyy 0.0.0.255

ip nat inside source list 1 interface Dialer0

 
Richard Antony Burton
12-01-2004

"Erik Freitag" wrote in message:

> I don't see why you can't move the ip address from the Ethernet to
> Dialer0, and put the 192.168.xxx.yyy address on the Ethernet. Can you
> explain?


That is basically what I currently have, and NAT works fine. The problem is
that none of my real IPs are then usable on the lan. The external router
address isn't reachable from a machine on the lan that has another ip from
the block. And so without being able to reach the router machines on the
lan with real addresses do not have access to the net, only the nat clients
have access (via the 192.168.0.x ethernet interface). This seems reasonable
to me because the real ips are not in the same subnet as the ethernet
interface (192.168.0.x) to which they connect over the lan.

Richard.

> I'm thinking of something like this:
>
> interface Ethernet0
> ip address 192.168.xxx.yyy 255.255.255.255
> ip nat inside
>
> interface Dialer0
> ip address 82.70.xxx.yyy 255.255.255.248
> ip nat outside
>
> access-list 1 permit 192.168.xxx.yyy 0.0.0.255
>
> ip nat inside source list 1 interface Dialer0




 
Martin Gallagher
12-02-2004
On Wed, 01 Dec 2004 11:29:19 +0000, Richard Antony Burton wrote:

> I have to use IP unnumbered on the Dialer interface, to share the IP with
> the Ethernet interface. How do I add a 192.168.0.x address to the
> ethernet interface when it already has a real ip assigned? And what is
> going to be nat inside & nat outside?
>


This might get you started.

interface Ethernet0
ip address 192.168.1.1 255.255.255.0 secondary
ip address 82.70.xxx.yyy 255.255.255.248
ip route-cache same-interface
ip nat inside
!
interface Dialer0
ip nat outside
!
ip nat inside source list 10 interface Dialer0 overload
!
access-list 10 permit 192.168.1.0 0.0.0.255
!

--
Rgds,
Martin
 
Richard Antony Burton
12-02-2004

"Martin Gallagher" wrote in message:
> On Wed, 01 Dec 2004 11:29:19 +0000, Richard Antony Burton wrote:
>
>> I have to use IP unnumbered on the Dialer interface, to share the IP with
>> the Ethernet interface. How do I add a 192.168.0.x address to the
>> ethernet interface when it already has a real ip assigned? And what is
>> going to be nat inside & nat outside?
>>

>
> This might get you started.


Thanks, but that didn't do the job. Routed IPs work fine with my config
listed below (based on your post), but anything from 192.168.7.xxx that
should be natted fails with:
Dec 2 20:02:55 raburton.---.com 1644: 001635: Dec 2 20:02:54.050 GMT: NAT:
translation failed (A), dropping packet s=192.168.7.138 d=217.160.216.102

Feels so close, but that error doesn't really explain why it is failing. Any
ideas?

Richard.

interface Ethernet0
ip address 192.168.7.1 255.255.255.0 secondary
ip address 84.92.27.9 255.255.255.248
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip route-cache same-interface
no ip route-cache cef
no cdp enable
hold-queue 100 out
!
interface Dialer0
ip unnumbered Ethernet0
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname (E-Mail Removed)
ppp chap password 0 passw0rd
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 permit 192.168.7.0 0.0.0.255


 
Martin Gallagher
12-03-2004
On Thu, 02 Dec 2004 20:16:58 +0000, Richard Antony Burton wrote:


> Thanks, but that didn't do the job. Routed IPs work fine with my config
> listed below (based on your post), but anything from 192.168.7.xxx that
> should be natted fails with:


> Dec 2 20:02:55 raburton.---.com 1644: 001635: Dec 2 20:02:54.050 GMT:
> NAT: translation failed (A), dropping packet s=192.168.7.138
> d=217.160.216.102
>
>


Maybe it doesn't like dialer0 being an unnumbered interface so try

!
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source list 1 interface Ethernet0 overload
!

If it's still flaky, and you have a spare address out of your /29, maybe
this

!
no ip nat inside source list 1 interface Ethernet0 overload
ip nat pool heres-hoping 84.92.27.13 84.92.27.13 prefix-length 29
ip nat inside source list 1 pool heres-hoping overload
!

--
Rgds,
Martin
 
Richard Antony Burton
12-03-2004

"Martin Gallagher" wrote in message:
> On Thu, 02 Dec 2004 20:16:58 +0000, Richard Antony Burton wrote:


> If it's still flaky, and you have a spare address out of your /29, maybe
> this
>
> !
> no ip nat inside source list 1 interface Ethernet0 overload
> ip nat pool heres-hoping 84.92.27.13 84.92.27.13 prefix-length 29
> ip nat inside source list 1 pool heres-hoping overload
> !


I got this one to work, but even better I told it to use the IP that is
currently assigned to the ethernet (and dialer, via ip unnumbered), so I
haven't lost another IP.
I'm not entirely sure how this pool thing works, but the main thing is
that it does.

Once I have chance to trim down and censor my config I'll post it, for the
benefit of anyone else looking to do the same.

Thanks for your help,
Richard.


 
Richard Antony Burton
12-03-2004

"Richard Antony Burton" wrote in message:

> Once I have chance to trim down and censor my config I'll post it, for the
> benefit of anyone else looking to do the same.


Ok, here is a basic config that should work in the uk for plusnet, zen
(untested), and probably many others where you get 8 ips (rather than 8+1).

This has nat and routing, dhcp server (192.168.7.129-254 (use 2-128 for
statics)), dns server. There is an example dhcp reservation, and nat port
forwarding rule for a webserver. This example uses 84.xxx.xxx.8/29, with
84.xxx.xxx.9 as the router.

Richard.

!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname router
!
!
username root privilege 15 password 0 passw0rd
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 192.168.0.1 192.168.0.128
!
ip dhcp pool Lan-pool
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
domain-name lan
!
ip dhcp pool webserver
host 192.168.0.2 255.255.255.0
client-identifier 0100.50da.000d.1f
client-name www
!
!
ip domain name lan
ip host www.lan 192.168.0.2
!
ip name-server 212.159.13.49
ip name-server 212.159.13.50
ip name-server 212.159.6.9
!
!
interface Ethernet0
description Lan
ip address 192.168.0.1 255.255.255.0 secondary
ip address 84.xxx.xxx.9 255.255.255.248
ip directed-broadcast
ip nat inside
ip virtual-reassembly
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
ip route-cache flow
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
!
interface Dialer0
ip unnumbered Ethernet0
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 2
no cdp enable
ppp authentication chap callin
ppp chap hostname (E-Mail Removed)
ppp chap password 0 passw0rd
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip dns server
ip dns primary lan soa router.lan mail.router.lan 600 600 600 600
!
ip nat pool nat-pool 84.xxx.xxx.9 84.xxx.xxx.9 netmask 255.255.255.248
ip nat inside source list 1 pool nat-pool overload
!
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
!
!
access-list 1 remark SDM_ACL Category=2
access-list 1 remark Permit any lan IP
access-list 1 permit 192.168.0.0 0.0.0.255
dialer-list 2 protocol ip permit
!
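
Added example, not part of the original post or of anyone's config in this thread: a small Python model of how the final config splits LAN traffic, where sources permitted by access-list 1 are overloaded onto the pool address and everything else on Ethernet0 is routed with its own address. The 198.51.100.8/29 block is a constructed stand-in for the masked 84.xxx.xxx.8/29, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample: NAT-relevant lines of the posted config, with the masked
# 84.xxx.xxx.8/29 block replaced by the documentation range 198.51.100.8/29.
CONFIG = """\
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0 secondary
 ip address 198.51.100.9 255.255.255.248
 ip nat inside
interface Dialer0
 ip unnumbered Ethernet0
 ip nat outside
ip nat pool nat-pool 198.51.100.9 198.51.100.9 netmask 255.255.255.248
ip nat inside source list 1 pool nat-pool overload
access-list 1 remark Permit any lan IP
access-list 1 permit 192.168.0.0 0.0.0.255
"""

def parse(config):
    """Collect standard-ACL permit entries, NAT pools and dynamic NAT rules.
    Only the statement forms used in the posted config are recognised."""
    acls, pools, rules = {}, {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["access-list"] and len(w) == 5 and w[2] == "permit":
            base, wild = (int(ipaddress.IPv4Address(x)) for x in w[3:5])
            acls.setdefault(w[1], []).append((base, wild))
        elif w[:3] == ["ip", "nat", "pool"] and len(w) >= 6:
            pools[w[3]] = w[4]  # first address of the pool
        elif (w[:5] == ["ip", "nat", "inside", "source", "list"]
              and len(w) >= 8 and w[6] == "pool"):
            rules.append((w[5], w[7]))  # (ACL number, pool name)
    return acls, pools, rules

def acl_permits(entries, addr):
    """Wildcard match: bits set in the wildcard mask are ignored."""
    a = int(ipaddress.IPv4Address(addr))
    return any(((a ^ base) & ~wild & 0xFFFFFFFF) == 0 for base, wild in entries)

def nat_decision(config, src):
    """Return ("translated", pool_address) or ("routed", src) for an inside source."""
    acls, pools, rules = parse(config)
    for acl, pool in rules:
        if acl_permits(acls.get(acl, []), src):
            return ("translated", pools[pool])
    return ("routed", src)

if __name__ == "__main__":
    for host in ("192.168.0.138", "198.51.100.10", "192.168.7.138"):
        print(host, *nat_decision(CONFIG, host))
```

A source reported as routed leaves Dialer0 with its own address, so a host in the /29 is directly reachable from outside and a private source that access-list 1 does not cover (192.168.7.138 here) goes out untranslated. The posted config shows no access-group on Dialer0, so the routed hosts depend on their own filtering.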



 