NAT & routed at the same time, on an 837

Discussion in 'Cisco' started by Richard Antony Burton, Dec 1, 2004.

  1. I have a block of 8 IPs from my ISP, but I want to use NAT for most of the
    devices. How can I do that?

    I have to use IP unnumbered on the Dialer interface, to share the IP with
    the Ethernet interface. How do I add a 192.168.0.x address to the ethernet
    interface when it already has a real ip assigned? And what is going to be
    nat inside & nat outside?

    Anyone done this?

    Richard.

    The config I need for routing is something like this, just need to add nat,
    somehow:

    interface Ethernet0
    ip address 82.70.xxx.yyy 255.255.255.248
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    dsl power-cutback 0
    !
    interface Dialer0
    bandwidth 256
    ip unnumbered Ethernet0
    no ip redirects
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    dialer-list 1 protocol ip permit
     
    Richard Antony Burton, Dec 1, 2004
    #1

  2. Richard Antony Burton

    Erik Freitag Guest

    On Wed, 01 Dec 2004 11:29:19 +0000, Richard Antony Burton wrote:

    > I have a block of 8 IPs from my ISP, but I want to use NAT for most of the
    > devices. How can I do that?
    >
    > I have to use IP unnumbered on the Dialer interface, to share the IP with
    > the Ethernet interface. How do I add a 192.168.0.x address to the ethernet
    > interface when it already has a real ip assigned? And what is going to be
    > nat inside & nat outside?
    >
    > Anyone done this?
    >
    > Richard.
    >
    > The config I need for routing is something like this, just need to add nat,
    > somehow:
    >
    > interface Ethernet0
    > ip address 82.70.xxx.yyy 255.255.255.248
    > no cdp enable
    > hold-queue 100 out
    > !
    > interface ATM0
    > no ip address
    > no atm ilmi-keepalive
    > pvc 0/38
    > encapsulation aal5mux ppp dialer
    > dialer pool-member 1
    > !
    > dsl operating-mode auto
    > dsl power-cutback 0
    > !
    > interface Dialer0
    > bandwidth 256
    > ip unnumbered Ethernet0
    > no ip redirects
    > encapsulation ppp
    > dialer pool 1
    > dialer-group 1
    > ppp authentication chap callin
    > ppp chap hostname
    > ppp chap password 0
    > !
    > ip classless
    > ip route 0.0.0.0 0.0.0.0 Dialer0
    > dialer-list 1 protocol ip permit


    I don't see why you can't move the ip address from the Ethernet to
    Dialer0, and put the 192.168.xxx.yyy address on the Ethernet. Can you
    explain?

    I'm thinking of something like this:

    interface Ethernet0
    ip address 192.168.xxx.yyy 255.255.255.255
    ip nat inside

    interface Dialer0
    ip address 82.70.xxx.yyy 255.255.255.248
    ip nat outside

    access-list 1 permit 192.168.xxx.yyy 0.0.0.255

    ip nat inside source list 1 interface Dialer0
     
    Erik Freitag, Dec 1, 2004
    #2

  3. "Erik Freitag" <> wrote in message
    news:p...

    > I don't see why you can't move the ip address from the Ethernet to
    > Dialer0, and put the 192.168.xxx.yyy address on the Ethernet. Can you
    > explain?


    That is basically what I currently have, and NAT works fine. The problem is
    that none of my real IPs are then usable on the lan. The external router
    address isn't reachable from a machine on the lan that has another ip from
    the block. And so, without being able to reach the router, machines on the
    lan with real addresses do not have access to the net, only the nat clients
    have access (via the 192.168.0.x ethernet interface). This seems reasonable
    to me because the real ips are not in the same subnet as the ethernet
    interface (192.168.0.x) to which they connect over the lan.

    Richard.

    > I'm thinking of something like this:
    >
    > interface Ethernet0
    > ip address 192.168.xxx.yyy 255.255.255.255
    > ip nat inside
    >
    > interface Dialer0
    > ip address 82.70.xxx.yyy 255.255.255.248
    > ip nat outside
    >
    > access-list 1 permit 192.168.xxx.yyy 0.0.0.255
    >
    > ip nat inside source list 1 interface Dialer0
     
    Richard Antony Burton, Dec 1, 2004
    #3
  4. On Wed, 01 Dec 2004 11:29:19 +0000, Richard Antony Burton wrote:

    > I have to use IP unnumbered on the Dialer interface, to share the IP with
    > the Ethernet interface. How do I add a 192.168.0.x address to the
    > ethernet interface when it already has a real ip assigned? And what is
    > going to be nat inside & nat outside?
    >


    This might get you started.

    interface Ethernet0
    ip address 192.168.1.1 255.255.255.0 secondary
    ip address 82.70.xxx.yyy 255.255.255.248
    ip route-cache same-interface
    ip nat inside
    !
    interface Dialer0
    ip nat outside
    !
    ip nat inside source list 10 interface Dialer0 overload
    !
    access-list 10 permit 192.168.1.0 0.0.0.255
    !

    --
    Rgds,
    Martin
     
    Martin Gallagher, Dec 2, 2004
    #4
  5. "Martin Gallagher" <> wrote in message
    news:p...
    > On Wed, 01 Dec 2004 11:29:19 +0000, Richard Antony Burton wrote:
    >
    >> I have to use IP unnumbered on the Dialer interface, to share the IP with
    >> the Ethernet interface. How do I add a 192.168.0.x address to the
    >> ethernet interface when it already has a real ip assigned? And what is
    >> going to be nat inside & nat outside?
    >>

    >
    > This might get you started.


    Thanks, but that didn't do the job. Routed IPs work fine with my config
    listed below (based on your post), but anything from 192.168.7.xxx that
    should be natted fails with:
    Dec 2 20:02:55 raburton.---.com 1644: 001635: Dec 2 20:02:54.050 GMT: NAT:
    translation failed (A), dropping packet s=192.168.7.138 d=217.160.216.102

    Feels so close, but that error doesn't really explain why it is failing. Any
    ideas?

    Richard.

    interface Ethernet0
    ip address 192.168.7.1 255.255.255.0 secondary
    ip address 84.92.27.9 255.255.255.248
    ip directed-broadcast
    ip nat inside
    ip virtual-reassembly
    ip route-cache same-interface
    no ip route-cache cef
    no cdp enable
    hold-queue 100 out
    !
    interface Dialer0
    ip unnumbered Ethernet0
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 2
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 0 passw0rd
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip nat inside source list 1 interface Dialer0 overload
    !
    access-list 1 permit 192.168.7.0 0.0.0.255
     
    Richard Antony Burton, Dec 2, 2004
    #5
  6. On Thu, 02 Dec 2004 20:16:58 +0000, Richard Antony Burton wrote:


    > Thanks, but that didn't do the job. Routed IPs work fine with my config
    > listed below (based on your post), but anything from 192.168.7.xxx that
    > should be natted fails with:


    > Dec 2 20:02:55 raburton.---.com 1644: 001635: Dec 2 20:02:54.050 GMT:
    > NAT: translation failed (A), dropping packet s=192.168.7.138
    > d=217.160.216.102
    >
    >


    Maybe it doesn't like dialer0 being an unnumbered interface so try

    !
    no ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source list 1 interface Ethernet0 overload
    !

    If it's still flaky, and you have a spare address out of your /29, maybe
    this

    !
    no ip nat inside source list 1 interface Ethernet0 overload
    ip nat pool heres-hoping 84.92.27.13 84.92.27.13 prefix-length 29
    ip nat inside source list 1 pool heres-hoping overload
    !

    --
    Rgds,
    Martin
     
    Martin Gallagher, Dec 3, 2004
    #6
  7. "Martin Gallagher" <> wrote in message
    news:p...
    > On Thu, 02 Dec 2004 20:16:58 +0000, Richard Antony Burton wrote:


    > If it's still flaky, and you have a spare address out of your /29, maybe
    > this
    >
    > !
    > no ip nat inside source list 1 interface Ethernet0 overload
    > ip nat pool heres-hoping 84.92.27.13 84.92.27.13 prefix-length 29
    > ip nat inside source list 1 pool heres-hoping overload
    > !


    I got this one to work, but even better I told it to use the IP that is
    currently assigned to the ethernet (and dialer, via ip unnumbered), so I
    haven't lost another IP.
    I'm not entirely sure how this pool thing works, but the main thing is
    that it does.

    Once I have chance to trim down and censor my config I'll post it, for the
    benefit of anyone else looking to do the same.

    Thanks for your help,
    Richard.
     
    Richard Antony Burton, Dec 3, 2004
    #7
  8. "Richard Antony Burton" <> wrote in
    message news:01%rd.189279$...

    > Once I have chance to trim down and censor my config I'll post it, for the
    > benefit of anyone else looking to do the same.


    Ok, here is a basic config that should work in the uk for plusnet, zen
    (untested), and probably many others where you get 8 ips (rather than 8+1).

    This has nat and routing, dhcp server (192.168.7.129-254 (use 2-128 for
    statics)), dns server. There is an example dhcp reservation, and nat port
    forwarding rule for a webserver. This example uses 84.xxx.xxx.8/29, with
    84.xxx.xxx.9 as the router.

    Richard.

    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    no service password-encryption
    service sequence-numbers
    !
    hostname router
    !
    !
    username root privilege 15 password 0 passw0rd
    !
    no aaa new-model
    ip subnet-zero
    ip dhcp excluded-address 192.168.0.1 192.168.0.128
    !
    ip dhcp pool Lan-pool
    network 192.168.0.0 255.255.255.0
    default-router 192.168.0.1
    dns-server 192.168.0.1
    domain-name lan
    !
    ip dhcp pool webserver
    host 192.168.0.2 255.255.255.0
    client-identifier 0100.50da.000d.1f
    client-name www
    !
    !
    ip domain name lan
    ip host www.lan 192.168.0.2
    !
    ip name-server 212.159.13.49
    ip name-server 212.159.13.50
    ip name-server 212.159.6.9
    !
    !
    interface Ethernet0
    description Lan
    ip address 192.168.0.1 255.255.255.0 secondary
    ip address 84.xxx.xxx.9 255.255.255.248
    ip directed-broadcast
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    no cdp enable
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    ip route-cache flow
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    !
    interface Dialer0
    ip unnumbered Ethernet0
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 2
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 0 passw0rd
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
    ip dns server
    ip dns primary lan soa router.lan mail.router.lan 600 600 600 600
    !
    ip nat pool nat-pool 84.xxx.xxx.9 84.xxx.xxx.9 netmask 255.255.255.248
    ip nat inside source list 1 pool nat-pool overload
    !
    ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
    !
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 remark Permit any lan IP
    access-list 1 permit 192.168.0.0 0.0.0.255
    dialer-list 2 protocol ip permit
    !
     
    Richard Antony Burton, Dec 3, 2004
    #8
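
In the final config above, hosts on the routed /29 are forwarded without translation, so NAT gives them no incidental filtering, and the config keeps cleartext credentials and directed broadcasts enabled. As an added example (not code from the thread or from Cisco), this Python sketch audits a config in the thread's unindented, "!"-separated layout for those settings; the sample text, the 203.0.113.9 address and the finding names are constructed for illustration.

```python
import re

# Constructed excerpt in the thread's layout; 203.0.113.9 stands in for the censored /29.
SAMPLE = """\
no service password-encryption
username root privilege 15 password 0 passw0rd
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0 secondary
ip address 203.0.113.9 255.255.255.248
ip directed-broadcast
ip nat inside
!
interface Dialer0
ip unnumbered Ethernet0
ip nat outside
ppp chap password 0 passw0rd
!
"""

def audit(config):
    """Return sorted (scope, finding) pairs; scope is 'global' or an interface name."""
    findings, stanzas, iface = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
            continue
        if line == "!" or not line:
            iface = None  # "!" closes the current interface stanza
            continue
        scope = iface or "global"
        stanzas.setdefault(scope, []).append(line)
        if line == "no service password-encryption":
            findings.add((scope, "password-encryption-disabled"))
        if re.search(r"\bpassword 0\b", line):  # type 0 = stored in cleartext
            findings.add((scope, "cleartext-type0-password"))
        if line == "ip directed-broadcast":
            findings.add((scope, "directed-broadcast-enabled"))
    for name, lines in stanzas.items():
        # Routed (un-NATed) hosts are reachable from the WAN unless an ACL filters inbound.
        outside = "ip nat outside" in lines
        filtered = any(re.fullmatch(r"ip access-group \S+ in", l) for l in lines)
        if outside and not filtered:
            findings.add((name, "no-inbound-acl-on-nat-outside"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```
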