NAT'ing config - quick sanity check please

Apr 24th, 2007

Hello. I was just wondering if someone with natting knowledge can give this a quick sanity check for me, before I implement it this weekend.

______________________________

interface FastEthernet0/0
 ip address 199.x.x.2 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Serial0/0
 bandwidth 256
 ip address 199.x.x.13 255.255.255.252
 ! forwards directed broadcasts on this link (smurf-style amplification exposure); IOS 12.0+ defaults to "no ip directed-broadcast"
 ip directed-broadcast
 ip nat outside
 encapsulation frame-relay
 no ip mroute-cache
 no fair-queue
!
interface Ethernet1/0
 description GDO Connection
 ip address 192.x.x.1 255.255.255.0
 ip nat outside
 full-duplex
!
interface Ethernet1/1
 description MDRAS Connection
 ip address 192.168.209.1 255.255.255.0
 ip nat inside
 full-duplex
!
ip nat pool ras 199.x.x.208 199.43.3.208 prefix-length 24
ip nat pool gdo 192.168.166.10 192.168.166.10 prefix-length 24
ip nat pool gdoace 192.168.166.201 192.168.166.201 prefix-length 24
ip nat inside source list 101 pool ras overload
ip nat inside source list 102 pool gdoace overload
ip nat inside source list 103 pool gdo overload
ip nat inside source static tcp 199.43.3.201 21 192.168.166.201 21 extendable
no ip classless
!
ip route 0.0.0.0 0.0.0.0 199.43.3.1
ip route 142.x.x.6 255.255.255.255 192.168.166.2
ip route 142.x.x.71 255.255.255.255 192.168.166.2
ip route 198.x.x.121 255.255.255.255 199.43.120.14
!
! ACL 101 as first posted read "... 0.0.0.255 eq telnet host 198.x.x.121": an "eq" placed right after
! the source matches the SOURCE port, so it would never match a normal telnet session. To match
! telnet TO the host, "eq telnet" has to follow the destination.
access-list 101 permit tcp 192.168.209.0 0.0.0.255 host 198.x.x.121 eq telnet log
access-list 102 permit ip any host 142.225.137.71 log
access-list 103 permit ip any host 142.x.x.5 log
!
end

________________________________

Here is what is supposed to happen:

- Anything originating from the 192.168.209.x subnet, and going to the host 198.20.10.121, should show up as 199.43.3.208
- Anything going to 142.225.137.71 should show up as 192.168.166.201
- Anything going to 142.225.34.5 should show up as 192.168.166.10
- Anything inbound looking for ftp on 192.168.166.201 should be sent to 199.43.3.201 (arp on our firewall, which nats through to a host)

Anybody see anything that might bite me?

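As an added check (editor's example, not part of the original post or the replies), the following Python models the NAT decision the posted config makes for the cases in the wish list: it parses the three extended ACLs, evaluates them first-match, and returns the inside global address a flow would be translated to. It assumes the un-obfuscated addresses given in the description (198.20.10.121, 142.225.137.71, 142.225.34.5), made-up ephemeral source ports, and a simplified model in which the `ip nat inside source list` statements are tried in listed order (the three ACLs are disjoint, so order does not matter here). What it surfaces is the point the first reply passes over: in ACL 101 as originally written, `eq telnet` sits directly after the source wildcard, so it matches a source port of 23, and an ordinary telnet session from an ephemeral port is never translated.

```python
import ipaddress

# Port keywords used in the posted ACLs, resolved the way IOS does.
WELL_KNOWN_PORTS = {"telnet": 23, "ftp": 21}


def _parse_target(tok, i):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    addr = int(ipaddress.IPv4Address(tok[i]))
    wildcard = int(ipaddress.IPv4Address(tok[i + 1]))
    mask = wildcard ^ 0xFFFFFFFF           # wildcard bits are the inverse of the subnet mask
    prefixlen = bin(mask).count("1")       # assumes a contiguous mask, as in all the posted ACLs
    return ipaddress.ip_network(f"{ipaddress.IPv4Address(addr & mask)}/{prefixlen}"), i + 2


def _parse_port(tok, i):
    """Parse an optional 'eq PORT'. IOS binds it to the address that immediately precedes it."""
    if i < len(tok) and tok[i] == "eq":
        name = tok[i + 1]
        return (int(name) if name.isdigit() else WELL_KNOWN_PORTS[name]), i + 2
    return None, i


def parse_ace(line):
    """One 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [log]' entry as a dict."""
    tok = line.split()
    number, action, proto = int(tok[1]), tok[2], tok[3]
    src, i = _parse_target(tok, 4)
    sport, i = _parse_port(tok, i)
    dst, i = _parse_target(tok, i)
    dport, i = _parse_port(tok, i)
    return {"acl": number, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def _ace_matches(ace, proto, src, sport, dst, dport):
    if ace["proto"] not in ("ip", proto):
        return False
    if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    return ace["dport"] is None or ace["dport"] == dport


def acl_permits(aces, number, flow):
    """First-match evaluation of one numbered ACL, with the implicit deny at the end."""
    for ace in aces:
        if ace["acl"] == number and _ace_matches(ace, *flow):
            return ace["action"] == "permit"
    return False


def nat_inside_global(acl_lines, nat_rules, pools, flow):
    """Inside-global address an inside->outside flow is translated to, or None (sent untranslated).

    Simplification: the 'ip nat inside source list' statements are tried in the order listed.
    The three ACLs here are disjoint, so the order does not affect the result."""
    aces = [parse_ace(line) for line in acl_lines]
    for number, pool in nat_rules:
        if acl_permits(aces, number, flow):
            return pools[pool]
    return None


# Pools and NAT statements as posted (a single-address pool with 'overload' is PAT).
POOLS = {"ras": "199.43.3.208", "gdoace": "192.168.166.201", "gdo": "192.168.166.10"}
NAT_RULES = [(101, "ras"), (102, "gdoace"), (103, "gdo")]

# ACL 101 as originally written: 'eq telnet' directly after the source wildcard = SOURCE port 23.
ACLS_AS_POSTED = [
    "access-list 101 permit tcp 192.168.209.0 0.0.0.255 eq telnet host 198.20.10.121 log",
    "access-list 102 permit ip any host 142.225.137.71 log",
    "access-list 103 permit ip any host 142.225.34.5 log",
]
# Corrected ACL 101: the port qualifier follows the destination host.
ACLS_CORRECTED = [
    "access-list 101 permit tcp 192.168.209.0 0.0.0.255 host 198.20.10.121 eq telnet log",
] + ACLS_AS_POSTED[1:]

# Constructed flows: (proto, src, sport, dst, dport). Ephemeral source ports are made up.
TELNET_TO_RAS = ("tcp", "192.168.209.10", 51234, "198.20.10.121", 23)
SSH_TO_RAS = ("tcp", "192.168.209.10", 51235, "198.20.10.121", 22)
HTTP_TO_ACE = ("tcp", "192.168.209.10", 51236, "142.225.137.71", 80)
PING_TO_GDO = ("icmp", "10.50.1.1", None, "142.225.34.5", None)


def check(acl_lines, flow):
    return nat_inside_global(acl_lines, NAT_RULES, POOLS, flow)


if __name__ == "__main__":
    print("telnet, ACL 101 as posted :", check(ACLS_AS_POSTED, TELNET_TO_RAS))   # None
    print("telnet, ACL 101 corrected :", check(ACLS_CORRECTED, TELNET_TO_RAS))   # 199.43.3.208
    print("ssh, ACL 101 corrected    :", check(ACLS_CORRECTED, SSH_TO_RAS))      # None (telnet only)
    print("http to 142.225.137.71    :", check(ACLS_AS_POSTED, HTTP_TO_ACE))     # 192.168.166.201
    print("ping to 142.225.34.5      :", check(ACLS_AS_POSTED, PING_TO_GDO))     # 192.168.166.10
```

On the router itself the equivalent check is `show access-lists` after a test session (the per-entry match counter for a mis-ordered entry stays at zero) together with `show ip nat translations` to confirm which pool address the session actually received.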
leighharrison Tue, 04/24/2007 - 04:49

Hi there,

This looks fine to me. The only thing that I would point out is:

Here is what is supposed to happen:

- Anything originating from the 192.168.209.x subnet, and going to the host 198.20.10.121 should show up as 199.43.3.208

The acl 101 will only permit tcp telnet, rather than anything.

Apart from that - it's looking good.

You should check out Dynagen. This is a router emulator and would let you put this config in and test it before you put it into production - the poor man's lab ;-)

Check it out:- http://dynagen.org/

Let me know how it goes!

Best regards,

LH

** Please rate all posts **

poulid Tue, 04/24/2007 - 04:55

I forgot to say telnet instead of anything.

I've got a router that I tested some of the stuff on, but I don't have enough interfaces to make it all work at once.

Thanks a lot for confirming, you have been extremely helpful.

poulid Mon, 04/30/2007 - 04:29

Just thought I'd let everybody know that this went OK on the weekend. The only thing that almost killed me was the "no ip classless" setting that was enabled on the router.

We have several classless addresses that are being natted through (10.50.x.x/16 and 10.100.x.x/16 for example), and only one of these subnets was able to go through the router at once. Does anyone know of a good way to explain why this happened in English?
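The question the last post leaves open has a standard answer, added here by the editor rather than by anyone in the thread. With `no ip classless`, the router reasons in terms of classful major networks: once its table holds any route inside the destination's major network (10.0.0.0/8 for the poster's 10.50.x.x and 10.100.x.x), it will only use routes inside that major network for such destinations. A packet for a subnet of that major network with no matching route is dropped; the default route is not consulted. Only destinations whose entire major network is absent from the table fall through to the default. So with a route for one 10.x/16 in place, traffic to the other /16 hit the classful wall even though a default route existed. `ip classless` (the default on current IOS) removes the wall; so does an explicit route for every subnet in use. The Python below is an added example, not from the thread, that models both lookup modes over a constructed table: the posted default route plus a made-up 10.50.0.0/16 route standing in for one of the poster's networks (its next hop is an assumption).

```python
import ipaddress


def classful_major(addr):
    """Classful major network of an address (A=/8, B=/16, C=/24), the unit 'no ip classless' keys on."""
    addr = ipaddress.ip_address(addr)
    first_octet = int(addr) >> 24
    prefixlen = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)


def lookup(routes, dst, ip_classless):
    """Route lookup as IOS does it with 'ip classless' (True) or 'no ip classless' (False).

    routes: list of (IPv4Network, next_hop). Returns the next hop, or None when the packet is dropped.
    """
    dst = ipaddress.ip_address(dst)
    matching = [(net, nh) for net, nh in routes if dst in net]
    if not ip_classless:
        major = classful_major(dst)
        # Classful rule: once the table holds any route inside the destination's major network,
        # only routes inside that major network may be used. A default or supernet route is not
        # a fallback, so an unknown subnet of a known major network is dropped.
        if any(net.subnet_of(major) for net, _ in routes):
            matching = [(net, nh) for net, nh in matching if net.subnet_of(major)]
    if not matching:
        return None
    return max(matching, key=lambda r: r[0].prefixlen)[1]   # longest prefix wins


def route(prefix, next_hop):
    return ipaddress.ip_network(prefix), next_hop


# Constructed table: the posted default route plus ONE of the two 10.x/16 networks the poster
# mentions. Its next hop (the GDO-side router from the posted host routes) is an assumption.
TABLE_ONE_SUBNET = [route("0.0.0.0/0", "199.43.3.1"), route("10.50.0.0/16", "192.168.166.2")]
# The same table with an explicit route for the second /16 as well.
TABLE_BOTH_SUBNETS = TABLE_ONE_SUBNET + [route("10.100.0.0/16", "192.168.166.2")]


def compare(routes, dst):
    """Next hop for one destination under both settings."""
    return {"no ip classless": lookup(routes, dst, False), "ip classless": lookup(routes, dst, True)}


if __name__ == "__main__":
    for dst in ("10.50.7.7", "10.100.7.7", "198.20.10.121"):
        print(dst, compare(TABLE_ONE_SUBNET, dst))
    # 10.50.7.7      -> both settings: 192.168.166.2
    # 10.100.7.7     -> no ip classless: None (dropped); ip classless: 199.43.3.1
    # 198.20.10.121  -> both settings: 199.43.3.1 (no route inside 198.20.10.0/24, so default applies)
    print("10.100.7.7 with both /16 routes:", compare(TABLE_BOTH_SUBNETS, "10.100.7.7"))
```

The same effect can be watched on the router with `show ip route 10.100.7.7` (which reports the subnet as not in table) and, under `no ip classless`, a failing ping from the other /16, then repeated after `ip classless`.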
