question on NAT configuration

Discussion in 'Cisco' started by Steve Wolfe, Jan 5, 2004.

  1. Steve Wolfe

    Steve Wolfe Guest

    On a Cisco 1720 with 12.2(15)T9, I'm trying to set up NAT, and I seem
    *almost* there, but not quite. I did:

    ip nat inside source static 10.0.0.254 A.B.C.D
    interface ethernet0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    interface serial0
    ip nat outside

    From the router, I can ping an outside machine with ethernet0 as the
    source interface, and it works just fine, leading me to believe I'm
    *almost* there.

    However, machines connected in the 10.0.0.0 network with 10.0.0.254 as
    their default gateway cannot reach the outside world. I imagine there's
    something very small I overlooked - anybody want to offer advice?

    steve
    Steve Wolfe, Jan 5, 2004
    #1

  2. Hi Steve.

    At present the only translation you have in place is a static
    translation for the router's ethernet interface so only packets
    sourced from that will be natted.

    What I think you need is PAT where all inside addresses use one
    registered IP address? If so then this is the setup you need.


    interface ethernet0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    !
    interface serial0
    ip address x.x.x.x 255.255.255.x
    ip nat outside
    !
    ip nat inside source list 3 interface serial 0 overload
    !
    access-list 3 permit 10.0.0.0 0.0.0.255

    Basically this will translate anything in the 10.0.0.x subnet to the
    outside interface.

    Simon
    Simon Tibbitts, Jan 5, 2004
    #2

  3. Steve Wolfe

    Steve Wolfe Guest

    > At present the only translation you have in place is a static
    > translation for the router's ethernet interface so only packets
    > sourced from that will be natted.


    Yes, you're correct - it being 2 a.m., I was pretty tired. On the way
    home, I realized what I'd done. : ) I did learn quite a bit last night.
    For example, the xmodem in my rommon does *not* have the ability to change
    speeds of the console port, so I would have had to upload the image onto
    the new flash card at 9600 bps, so I wouldn't have been leaving until at
    least 4:30 a.m. However, I also learned that, contrary to what the Cisco
    rep told me, my rommon *did* support a tftp download of the image. THAT
    sure cut off a lot of time!

    > What I think you need is PAT where all inside addresses use one
    > registered IP address? If so then this is the setup you need.


    Thanks a million for the help with PAT, it works like a charm!

    steve
    Steve Wolfe, Jan 5, 2004
    #3
  4. Steve Wolfe

    Steve Wolfe Guest

    > Thanks a million for the help with PAT, it works like a charm!

    Actually, again, I spoke too soon. I implemented the changes that you
    mentioned, but it's still not working:

    Trying to do a traceroute out from one of the machines in the 10.0.0.0
    network still gives:

    1 <1 ms <1ms <1ms 10.0.0.254
    2 * 10.0.0.254 reports: Destination net unreachable

    Trying 'ping yahoo.com source ethernet 0' on the router does, however,
    work successfully. Any more tips?

    Sh running-config reports:

    interface Ethernet0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    full-duplex

    interface Serial0
    ip address a.b.c.d 255.255.255.252
    ip access-group 101 in
    ip access-group 102 out
    ip nat outside

    ip nat inside source list 3 interface Serial0 overload

    I've entertained the idea of one of the access lists being the culprit,
    but (a) they shouldn't, from my limited understanding, and (b) wouldn't
    that result in a different error message?

    steve
    Steve Wolfe, Jan 5, 2004
    #4
  5. mikester

    mikester Guest

    (Simon Tibbitts) wrote in message news:<>...
    > Hi Steve.
    >
    > At present the only translation you have in place is a static
    > translation for the router's ethernet interface so only packets
    > sourced from that will be natted.
    >
    > What I think you need is PAT where all inside addresses use one
    > registered IP address? If so then this is the setup you need.
    >
    >
    > interface ethernet0
    > ip address 10.0.0.254 255.255.255.0
    > ip nat inside
    > !
    > interface serial0
    > ip address x.x.x.x 255.255.255.x
    > ip nat outside
    > !
    > ip nat inside source list 3 interface serial 0 overload
    > !
    > access-list 3 permit 10.0.0.0 0.0.0.255
    >
    > Basically this will translate anything in the 10.0.0.x subnet to the
    > outside interface.
    >
    > Simon



    little bit of reading...
    http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
    mikester, Jan 6, 2004
    #5
  6. Hi Steve.

    Try removing the inbound and outbound access-lists briefly and see if
    you have the same problem. If you don't then you know the problem to
    be the access-lists.

    If you need help then paste the access-lists.

    Some traceroutes will use ICMP echo and some traceroutes will use
    unknown UDP ports. If you want traceroute to work then you will have
    to allow whichever your device is using through the ACL and back
    again.

    Do you have IOS Firewall Feature set? It might be something you'd like
    to read up on. It'll give you stateful packet inspection on your
    router.

    Simon
    Simon Tibbitts, Jan 6, 2004
    #6
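    As an added illustration (not code from the thread, and not Cisco code), here is a small Python model of the behaviour Simon describes in posts #2 and #6: a static translation only covers the one inside address it names, the overload rule translates every source that access-list 3 permits to the serial0 address, and an outbound access-group on serial0 is evaluated after translation, so it can pass ICMP echo while silently discarding the UDP probes a traceroute sends. The outside address 198.51.100.2 and the contents of access-list 102 are constructed, since the thread never shows them.

```python
import ipaddress
# Constructed model of the thread's NAT/ACL discussion; not IOS code.
OUTSIDE_IP = "198.51.100.2"  # stands in for the serial0 address a.b.c.d

def wild_match(ip, net, wild):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    i, n, w = (int(ipaddress.ip_address(x)) for x in (ip, net, wild))
    return (i & ~w) == (n & ~w)

def std_acl_permits(acl, src):
    """Standard ACL (like access-list 3): first match wins, implicit deny."""
    for action, net, wild in acl:
        if wild_match(src, net, wild):
            return action == "permit"
    return False

class Nat:
    """inside->outside translation: static entries first, then the overload list."""
    def __init__(self, static=None, overload_acl=None):
        self.static, self.overload_acl = static or {}, overload_acl
        self.table, self.used = {}, set()   # (inside ip, port) -> global port
    def translate(self, src, sport):
        if src in self.static:                       # ip nat inside source static
            return self.static[src], sport
        if self.overload_acl and std_acl_permits(self.overload_acl, src):
            if (src, sport) not in self.table:       # PAT keeps the port when free
                port = sport if sport not in self.used else max(self.used) + 1
                self.table[(src, sport)] = port
                self.used.add(port)
            return OUTSIDE_IP, self.table[(src, sport)]
        return src, sport                            # no rule: leaves untranslated

def ext_acl_permits(acl, proto, dport):
    """Simplified extended ACL: (action, proto, port range or None); implicit deny."""
    for action, p, ports in acl:
        if p in (proto, "ip") and (ports is None or ports[0] <= dport <= ports[1]):
            return action == "permit"
    return False

def forward(nat, acl_out, proto, src, sport, dport):
    """Outbound path e0 -> s0: translate first, then apply 'ip access-group 102 out'."""
    gsrc, gport = nat.translate(src, sport)
    return ("sent" if ext_acl_permits(acl_out, proto, dport) else "dropped", gsrc, gport)

ACL3 = [("permit", "10.0.0.0", "0.0.0.255")]
STATIC_ONLY = Nat(static={"10.0.0.254": OUTSIDE_IP})      # Steve's first config
PAT = Nat(overload_acl=ACL3)                              # Simon's overload config
# Constructed outbound list: passes ping and web, but not UDP traceroute probes
ACL102 = [("permit", "icmp", None), ("permit", "tcp", (80, 443)), ("deny", "ip", None)]
```

With STATIC_ONLY, a LAN host such as 10.0.0.7 leaves the router with its private source untouched, which is why only router-sourced pings worked; with PAT it gets the serial0 address, and a UDP traceroute probe then fails only if the outbound list drops it.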
  7. Steve Wolfe

    Steve Wolfe Guest

    > Try removing the inbound and outbound access-lists briefly and see if
    > you have the same problem. If you don't then you know the problem to
    > be the access-lists.
    >
    > If you need help then paste the access-lists.


    It was, indeed, caused by the access-lists. There were a few subtle
    "gotchas" in them that... well, they got me. : ) Everything's up and
    running now. Thanks again to all involved!

    > Do you have IOS Firewall Feature set? It might be something you'd like
    > to read up on. It'll give you stateful packet inspection on your
    > router.


    All of the major filtering is done upstream, the access lists on this
    router are mostly simple fire-breaks, such as containing netbios to the
    local ethernet, preventing outbound IP-spoofing, etc. I do, however,
    appreciate the suggestion!

    steve
    Steve Wolfe, Jan 6, 2004
    #7
