help with NAT config


Hi All,

I got some help the other day with a slight NAT config, but now that I have implemented it, I need a bit more. This is my config:

```
!
interface FastEthernet0/0
 ip address <public ip1> 255.255.255.248
 ip nat inside
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1/0
 spanning-tree portfast
!
interface FastEthernet0/1/1
 spanning-tree portfast
!
interface FastEthernet0/1/2
 spanning-tree portfast
!
interface FastEthernet0/1/3
 spanning-tree portfast
!
interface Serial0/0/0:1
 no ip address
 ip nat outside
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:1.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 500 IETF
!
interface Serial0/0/1:1
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1.1
!
ip nat inside source static 192.168.1.91 <public ip2>
ip nat inside source static 192.168.1.92 <public ip3>
ip nat inside source static 192.168.1.5 <public ip3>
```

I cannot get out to the internet from the devices that are being natted. I can ping the public address from outside and get a reply, but cannot access any services on the boxes. When I jump on the box and try to browse the net or ping external addresses, I cannot do so either. I can ping the router and vice versa. Should I not be able to go both ways with this config? Also, I realize this is a bit risky, but I am just working from the ground up... access lists later.

TIA,

R

Edison Ortiz Tue, 07/17/2007 - 18:21

1) When configuring NAT, you need to enter "ip nat outside" on the egress interface and "ip nat inside" on the ingress interface. Looking at your config again, it looks like the egress interface is interface Serial0/0/0:1.1 - I didn't catch it before - the nat out should be moved there instead of f0/0.

You should also insert the IP address on s0/0/0:1.1 from f0/0 and allow f0/0 to be part of Vlan1.

2) If you shut down one of those devices with the static NAT, are you still able to ping them? If so, it seems another device on the internet is already using that IP.

3) Can you post the show ip nat translation?
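The interface-role check from point 1 above, as an added example (not code from the thread or from Cisco): a small Python linter that parses an IOS config and reports when the default-route egress interface lacks `ip nat outside`, or when a static NAT inside-local host sits behind an interface without `ip nat inside`. The 203.0.113.x addresses are constructed stand-ins for the redacted public IPs, the names `parse` and `lint` are hypothetical, and it assumes the default route names an interface.

```python
import ipaddress

# Constructed sample modelled on the posted config; 203.0.113.x (documentation
# range) stands in for the redacted public addresses.
SAMPLE = """\
interface FastEthernet0/0
 ip address 203.0.113.1 255.255.255.248
 ip nat inside
interface Serial0/0/0:1
 no ip address
 ip nat outside
interface Serial0/0/0:1.1 point-to-point
 ip unnumbered FastEthernet0/0
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1.1
ip nat inside source static 192.168.1.91 203.0.113.2
ip nat inside source static 192.168.1.92 203.0.113.3
"""

def parse(config):
    """Return (interfaces, default-route egress name, static inside-local IPs)."""
    ifaces, egress, statics, cur = {}, None, [], None
    for line in config.splitlines():
        w = line.split()
        if w[:1] == ["interface"]:
            cur = ifaces.setdefault(w[1], {"net": None, "nat": None})
        elif w[:2] == ["ip", "address"] and len(w) >= 4 and cur is not None:
            cur["net"] = ipaddress.ip_interface(f"{w[2]}/{w[3]}").network
        elif w[:2] == ["ip", "nat"] and len(w) == 3 and cur is not None:
            cur["nat"] = w[2]  # "inside" or "outside" role of this interface
        elif w[:3] == ["ip", "route", "0.0.0.0"] and len(w) >= 5:
            egress = w[4]  # assumption: default route names an interface
        elif w[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics.append(ipaddress.ip_address(w[5]))
    return ifaces, egress, statics

def lint(config):
    """List NAT role problems: unmarked egress, hosts behind a non-inside port."""
    ifaces, egress, statics = parse(config)
    findings = []
    if egress and ifaces.get(egress, {}).get("nat") != "outside":
        findings.append(f"egress {egress} lacks 'ip nat outside'")
    for local in statics:
        owner = next((n for n, i in ifaces.items()
                      if i["net"] and local in i["net"]), None)
        if owner is None or ifaces[owner]["nat"] != "inside":
            findings.append(f"{local} is behind {owner}, which lacks 'ip nat inside'")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run against the constructed sample, it reports the unmarked Serial0/0/0:1.1 subinterface and both static hosts behind Vlan1.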

Thank you for your reply.

1) I changed the ip nat outside to the ser0/0/0:1.1 interface; unfortunately, this cut my communication to the router via telnet. On the upside, I can get to the device I was trying... but not telnet. Why would this kill telnet?

Also, I cannot move the IP address because I am using the ip unnumbered command, as I do not have a /30 serial address from my ISP.

I will try to post the show ip nat when I get into the office and restore connection.

Thanks

Edison Ortiz Wed, 07/18/2007 - 07:07

It killed telnet because the egress interface doesn't have an IP address, so the packet is being processed by the NAT. I don't see any PAT configuration in your config. Can you post your entire config? I can't give a firm suggestion without it; of course, you can hide your public addressing.

You can use any IP subnet under a subinterface; just because it says point-to-point doesn't mean the subnet must be /30.

Having the ip address under f0/0 provides no benefit to your config.

Thanks again for your reply. I was under the impression I must put the address on my fa0/0 because my ISP sent me a snippet stating so.

Also, I am not running any PAT; there are only two clients on the LAN and both are being statically addressed via NAT.

I will change the IP info and see if that helps my situation.

Thanks

I think I know now why I did the config as I did. I have a host that needs to have a public IP address but cannot be behind NAT, so with the config I had in place I could use a crossover cable to go to that host and assign it a public IP from the range I was given. Is there another way I could do this?

If not, what are my options to use telnet from the outside?

Thanks

Correct Answer
Edison Ortiz Wed, 07/18/2007 - 12:09

Can I see the new config along with show ip nat translation output?
