04-24-2007 03:59 AM - edited 03-05-2019 03:38 PM
Hello. I was just wondering if someone with natting knowledge can give this a quick sanity check for me, before I implement it this weekend.
______________________________
interface FastEthernet0/0
ip address 199.x.x.2 255.255.255.0
ip nat inside
speed 100
full-duplex
!
interface Serial0/0
bandwidth 256
ip address 199.x.x.13 255.255.255.252
ip directed-broadcast
ip nat outside
encapsulation frame-relay
no ip mroute-cache
no fair-queue
!
interface Ethernet1/0
description GDO Connection
ip address 192.x.x.1 255.255.255.0
ip nat outside
full-duplex
!
interface Ethernet1/1
description MDRAS Connection
ip address 192.168.209.1 255.255.255.0
ip nat inside
full-duplex
!
ip nat pool ras 199.x.x.208 199.43.3.208 prefix-length 24
ip nat pool gdo 192.168.166.10 192.168.166.10 prefix-length 24
ip nat pool gdoace 192.168.166.201 192.168.166.201 prefix-length 24
ip nat inside source list 101 pool ras overload
ip nat inside source list 102 pool gdoace overload
ip nat inside source list 103 pool gdo overload
ip nat inside source static tcp 199.43.3.201 21 192.168.166.201 21 extendable
no ip classless
!
ip route 0.0.0.0 0.0.0.0 199.43.3.1
ip route 142.x.x.6 255.255.255.255 192.168.166.2
ip route 142.x.x.71 255.255.255.255 192.168.166.2
ip route 198.x.x.121 255.255.255.255 199.43.120.14
!
access-list 101 permit tcp 192.168.209.0 0.0.0.255 eq telnet host 198.x.x.121 log
access-list 102 permit ip any host 142.225.137.71 log
access-list 103 permit ip any host 142.x.x.5 log
!
end
________________________________
Here is what is supposed to happen:
- Anything originating from the 192.168.209.x subnet and going to the host 198.20.10.121 should show up as 199.43.3.208
- Anything going to 142.225.137.71 should show up as 192.168.166.201
- Anything going to 142.225.34.5 should show up as 192.168.166.10
- Anything inbound looking for FTP on 192.168.166.201 should be sent to 199.43.3.201 (ARP on our firewall, which NATs through to a host)
Anybody see anything that might bite me?
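An offline way to sanity-check which NAT pool a given flow would select, added here as an example and not part of the original post. It parses the posted numbered extended ACLs and the `ip nat inside source list ... pool` bindings and evaluates them against constructed sample flows; the obfuscated octets are filled in from the poster's own prose (198.20.10.121, 142.225.137.71, 142.225.34.5), and the flow addresses and ports are made up. One thing worth seeing in the output: in IOS extended ACL syntax a port operator placed directly after the source address/wildcard tests the *source* port, so `access-list 101 permit tcp 192.168.209.0 0.0.0.255 eq telnet host 198.x.x.121` matches TCP leaving from port 23, not a telnet session from an ephemeral port to 198.20.10.121:23. The example shows both the ACL as posted and the same entry with `eq telnet` after the destination.

```python
"""Offline check of which NAT pool a flow selects, given IOS numbered extended
ACLs and the `ip nat inside source list ... pool ...` bindings referencing them."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"telnet": 23, "ftp": 21, "ftp-data": 20, "www": 80}

@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class AclEntry:
    proto: str                      # "ip" matches every protocol
    src: ipaddress.IPv4Network
    sport: Optional[int]            # None = any source port
    dst: ipaddress.IPv4Network
    dport: Optional[int]            # None = any destination port

def _parse_addr(t: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD' (contiguous)."""
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.IPv4Network(t[i + 1] + "/32"), i + 2
    # A wildcard mask is the bitwise inverse of the subnet mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1]))
    net = ipaddress.IPv4Network((t[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2

def _parse_port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq PORT' operator; PORT may be a name or a number."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(line: str) -> Tuple[str, AclEntry]:
    """Parse 'access-list N permit PROTO SRC [eq P] DST [eq P] [log]'."""
    t = line.split()
    if t[0] != "access-list" or t[2] != "permit":
        raise ValueError(f"only 'access-list N permit ...' is modelled: {line}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)    # an operator HERE tests the source port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)    # an operator here tests the destination port
    return t[1], AclEntry(t[3], src, sport, dst, dport)

def acl_matches(e: AclEntry, f: Flow) -> bool:
    return (e.proto in ("ip", f.proto)
            and ipaddress.IPv4Address(f.src) in e.src
            and ipaddress.IPv4Address(f.dst) in e.dst
            and (e.sport is None or e.sport == f.sport)
            and (e.dport is None or e.dport == f.dport))

def select_pools(config_lines: List[str], flow: Flow) -> List[str]:
    """Names of every NAT pool whose source list permits the flow, in config order."""
    acls, bindings = {}, []
    for line in config_lines:
        t = line.split()
        if t[:1] == ["access-list"]:
            number, entry = parse_acl(line)
            acls.setdefault(number, []).append(entry)
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            bindings.append((t[5], t[7]))           # (ACL number, pool name)
    return [pool for number, pool in bindings
            if any(acl_matches(e, flow) for e in acls.get(number, []))]

# Constructed from the posted config; obfuscated octets are filled in from the
# poster's own prose (198.20.10.121, 142.225.137.71, 142.225.34.5).
AS_POSTED = [
    "access-list 101 permit tcp 192.168.209.0 0.0.0.255 eq telnet host 198.20.10.121 log",
    "access-list 102 permit ip any host 142.225.137.71 log",
    "access-list 103 permit ip any host 142.225.34.5 log",
    "ip nat inside source list 101 pool ras overload",
    "ip nat inside source list 102 pool gdoace overload",
    "ip nat inside source list 103 pool gdo overload",
]
# Same policy with the port operator moved after the destination, so that ACL 101
# tests the destination port (a telnet server) rather than the source port.
CORRECTED = [l.replace("eq telnet host 198.20.10.121", "host 198.20.10.121 eq telnet")
             for l in AS_POSTED]

# Constructed sample flow: an outbound telnet session from an ephemeral port.
TELNET_OUT = Flow("tcp", "192.168.209.10", "198.20.10.121", sport=51234, dport=23)

if __name__ == "__main__":
    for name, cfg in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(f"{name:10s} telnet -> 198.20.10.121: {select_pools(cfg, TELNET_OUT)}")
```

Run as-is it reports an empty pool list for the outbound telnet flow under the posted ACL and `['ras']` under the corrected one; flows to 142.225.137.71 and 142.225.34.5 select `gdoace` and `gdo` as intended. The model handles only `permit` entries with contiguous wildcards and `eq` operators, which is all the posted policy uses. Separately, a reviewer of this config would also note `ip directed-broadcast` on Serial0/0: it enables forwarding of directed broadcasts onto that link and is off by default on IOS 12.0 and later because of smurf-style amplification.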
04-24-2007 04:49 AM
Hi there,
This looks fine to me. The only 1 thing that I would point out is:-
Here is what is supposed to happen:
- Anything originating from the 192.168.209.x subnet, and going to the host 198.20.10.121 should show up as 199.43.3.208
The acl 101 will only permit tcp telnet, rather than anything.
Apart from that - it's looking good.
You should check out Dynagen. This is a router emulator and would let you put this config in and test it before you put it to production - the poor mans lab ;-)
Check it out:- http://dynagen.org/
Let me know how it goes!
Best regards,
LH
** Please rate all posts **
04-24-2007 04:55 AM
I forgot to say telnet instead of anything.
I've got a router that I tested some of the stuff on, but I don't have enough interfaces to make it all work at once.
Thanks a lot for confirming, you have been extremely helpful.
04-30-2007 04:29 AM
Just thought I'd let everybody know that this went OK on the weekend. The only thing that almost killed me was the "no ip classless" setting that was enabled on the router.
We have several classless addresses that are being natted through (10.50.x.x/16 and 10.100.x.x/16 for example), and only one of these subnets was able to go through the router at once. Does anyone know of a good way to define why this happened in English?
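The rule behind the `no ip classless` behaviour in the last post, modelled as an added example (not part of the thread). With `ip classless` disabled, IOS forwards classfully: when the routing table holds the destination's classful major network or any subnet of it, only those entries are eligible for destinations inside that major network, and the default route is never consulted. 10.50.0.0/16 and 10.100.0.0/16 are both subnets of the class A major network 10.0.0.0/8, so once the router knows a route to one of them, packets for the other (reachable only via the default route) are dropped. The routes below take the default route and the two fully-visible host routes from the posted config; the 10.50.0.0/16 route and its next hop are hypothetical stand-ins for whatever route the poster's router held. The fix is `ip classless`, which is the default on IOS 11.3 and later.

```python
"""Model of IOS route selection with `ip classless` on and off."""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (prefix, next hop)

def classful_major_network(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Network:
    """The class A/B/C network a classful router assumes for an address."""
    first = int(addr) >> 24
    if first < 128:          # class A: /8
        prefix = 8
    elif first < 192:        # class B: /16
        prefix = 16
    elif first < 224:        # class C: /24
        prefix = 24
    else:
        raise ValueError(f"{addr}: class D/E address has no major network")
    return ipaddress.IPv4Network((int(addr), prefix), strict=False)

def lookup(routes: List[Route], dest: str, ip_classless: bool = True) -> Optional[str]:
    """Longest-prefix match; returns the next hop, or None when the packet is dropped."""
    d = ipaddress.IPv4Address(dest)
    candidates = [(net, nh) for net, nh in routes if d in net]
    if not ip_classless:
        major = classful_major_network(d)
        # Classful forwarding: if the table holds the major network or any subnet
        # of it, only those entries may be used; the default route is ignored.
        if any(net.subnet_of(major) for net, _ in routes):
            candidates = [(net, nh) for net, nh in candidates if net.subnet_of(major)]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r[0].prefixlen)[1]

def compare(routes: List[Route], dests: List[str]) -> dict:
    """Next hop per destination as (ip classless, no ip classless)."""
    return {d: (lookup(routes, d, True), lookup(routes, d, False)) for d in dests}

ROUTES: List[Route] = [
    # From the posted config (obfuscated octets filled from the poster's prose).
    (ipaddress.IPv4Network("0.0.0.0/0"), "199.43.3.1"),
    (ipaddress.IPv4Network("142.225.137.71/32"), "192.168.166.2"),
    (ipaddress.IPv4Network("198.20.10.121/32"), "199.43.120.14"),
    # Hypothetical: a route to one of the 10/8 subnets mentioned in the last post.
    (ipaddress.IPv4Network("10.50.0.0/16"), "192.168.209.2"),
]

if __name__ == "__main__":
    for dest, (classless, classful) in compare(
            ROUTES, ["10.50.7.7", "10.100.7.7", "142.225.34.5", "8.8.8.8"]).items():
        print(f"{dest:15s} ip classless -> {classless!s:14s} no ip classless -> {classful}")
```

The same rule applies to the class B network 142.225.0.0/16: with only the visible routes, the /32 for 142.225.137.71 makes that major network "known", so under `no ip classless` a packet for 142.225.34.5 would also be dropped instead of taking the default route. The posted routes are incomplete (octets are obfuscated and the 10/8 routes are not shown), so this illustrates the mechanism rather than diagnosing the actual deployment.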