03-26-2009 01:39 AM - edited 03-04-2019 04:06 AM
There are two clients in our network who are connected to the ISP via a POP Router. There is something wrong in the config which is why only client1 is able to access the internet and not client 02.
Configs:
Client1 Router:
interface FastEthernet0/0
ip address 192.168.0.1 255.255.255.0
ip nat inside
interface Serial0/0/0
ip address 10.20.0.2 255.255.255.252
ip nat outside
ip nat pool client01 10.30.0.6 10.30.0.14 netmask 255.255.255.240
ip nat inside source list natpool pool client01
ip classless
ip route 0.0.0.0 0.0.0.0 10.20.0.1
ip access-list extended natpool
permit ip any any
!
!
ip dhcp pool client01
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 10.10.0.10
Client2 Router:
interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface Serial0/0/0
ip address 10.20.0.6 255.255.255.252
ip nat outside
ip nat pool client02 10.30.0.20 10.30.0.30 netmask 255.255.255.240
ip nat inside source list natpool pool client02
ip classless
ip route 0.0.0.0 0.0.0.0 10.20.0.5
ip access-list extended natpool
permit ip any any
!
!
ip dhcp pool client02
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 10.10.0.10
ISP Router:
interface FastEthernet0/0
ip address 204.60.0.1 255.255.255.0
ip nat outside
interface Serial0/0/0
ip address 10.11.0.18 255.255.255.252
ip nat inside
router ospf 10
log-adjacency-changes
redistribute static subnets
network 10.11.0.16 0.0.0.3 area 0
default-information originate
ip nat pool natclient01 204.60.0.9 204.60.0.14 netmask 255.255.255.0
ip nat inside source list natclient01 pool natclient01 overload
ip classless
ip route 0.0.0.0 0.0.0.0 204.60.0.254
!
!
ip access-list extended natclient01
permit ip 10.30.0.0 0.0.0.15 any
Please assist.
Regards,
03-26-2009 03:36 AM
Hello Faizan,
on last router:
ip access-list extended natclient01
permit ip 10.30.0.0 0.0.0.15 any
this doesn't match ip addresses of client2 that are in range 10.30.0.20 10.30.0.30
use
ip access-list extended natclient012
permit ip 10.30.0.0 0.0.0.31 any
but what is the interface of client2 to isp router ?
it needs ip nat inside too
or there is another router in the middle collecting both access links ? I guess it is so.
Hope to help
Giuseppe
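The wildcard mismatch pointed out in the reply above can be checked mechanically. This is an added example, not part of the original thread: it applies IOS wildcard-mask matching to the two first-stage NAT pools posted earlier; the function names are hypothetical.

```python
import ipaddress

def _u32(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: bits set to 1 in the wildcard are ignored."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(base) & care)

def unmatched(pool, base, wildcard):
    """Pool addresses that the ACL entry would NOT select for translation."""
    first, last = pool
    addrs = (str(ipaddress.IPv4Address(i))
             for i in range(_u32(first), _u32(last) + 1))
    return [a for a in addrs if not wildcard_match(a, base, wildcard)]

# First-stage NAT pools as posted for the two client routers.
POOLS = {
    "client01": ("10.30.0.6", "10.30.0.14"),
    "client02": ("10.30.0.20", "10.30.0.30"),
}

def audit(base, wildcard, pools=POOLS):
    """Map each pool name to the addresses the ACL entry fails to match."""
    return {name: unmatched(pool, base, wildcard)
            for name, pool in pools.items()}

if __name__ == "__main__":
    for wc in ("0.0.0.15", "0.0.0.31"):
        for name, missing in audit("10.30.0.0", wc).items():
            if missing:
                status = f"{len(missing)} unmatched ({missing[0]} .. {missing[-1]})"
            else:
                status = "all matched"
            print(f"permit ip 10.30.0.0 {wc} any -> {name}: {status}")
```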
03-26-2009 04:26 AM
Giuseppe,
Thanx for your support :)
I've got it.
Client 01 also has an internal server that they would like internet users to be able to reach.
The public IP address to use for this is 204.60.0.3. What would be the command for it?
The server has been assigned the IP address 192.168.0.254
The public DNS has already been put in place for this on public DNS server 4.2.2.2 as www.client01.com
I've to make DNS entries so that internal users can reach it.
I've Use first available NAT in the reserved section of the NAT pool.
Kindly assist.
Regards.
03-26-2009 10:48 AM
A layer 3 switch connects the border router, DNS server (4.2.2.2) and a host.
The vlans on L3 switch are as follows:
interface Vlan1
ip address 204.10.0.254 255.255.255.0
!
interface Vlan2
ip address 4.2.2.254 255.255.255.0
!
interface Vlan60
ip address 204.60.0.254 255.255.255.0
!
interface Vlan70
ip address 204.70.0.1 255.255.255.0
Regards.
03-26-2009 01:15 PM
Hello ,
>>The public IP address to use for this is 204.60.0.3. What would be the command for it?
>>The server has been assigned the IP address 192.168.0.254
you are doing NAT at two different sections of the network.
So you need to do two static NATs
one for client1 to
one on the border router.
to work well you need to use a dedicated address that is not in the pools to avoid competition with dynamic NAT
the basic command is
ip nat inside source static local-addr global-addr
r1client1:
ip nat inside source static 192.168.0.254 10.30.0.5
isp router
ip nat inside source static 10.30.0.5 204.60.0.3
remember also to exclude ip address 192.68.0.254 from dhcp pool
use from global config:
r1client1:
ip dhcp excluded-address 192.198.0.1 192.168.0.254
Hope to help
Giuseppe
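The two-stage static mapping described in the reply above can be traced in both directions and checked against the dynamic pools. This is an added example, not part of the original thread: the data is constructed from the commands and pools posted here, and the function names are hypothetical.

```python
import ipaddress

# Constructed from the commands posted in this thread, inside -> outside order.
ROUTERS = [
    {"name": "r1client1", "static": {"192.168.0.254": "10.30.0.5"},
     "pool": ("10.30.0.6", "10.30.0.14")},
    {"name": "isp", "static": {"10.30.0.5": "204.60.0.3"},
     "pool": ("204.60.0.9", "204.60.0.14")},
]

def in_pool(addr, pool):
    lo, hi = (ipaddress.IPv4Address(p) for p in pool)
    return lo <= ipaddress.IPv4Address(addr) <= hi

def trace_outbound(addr, routers=ROUTERS):
    """Follow the static entries from the server towards the Internet."""
    path = [addr]
    for r in routers:
        if path[-1] not in r["static"]:
            return None  # chain broken: no static entry at this hop
        path.append(r["static"][path[-1]])
    return path

def trace_inbound(addr, routers=ROUTERS):
    """Follow the same entries in reverse, as an Internet-initiated packet would."""
    path = [addr]
    for r in reversed(routers):
        reverse = {glob: loc for loc, glob in r["static"].items()}
        if path[-1] not in reverse:
            return None
        path.append(reverse[path[-1]])
    return path

def collisions(routers=ROUTERS):
    """Static global addresses that also sit inside that router's dynamic pool."""
    return [(r["name"], glob) for r in routers
            for glob in r["static"].values() if in_pool(glob, r["pool"])]

if __name__ == "__main__":
    print("outbound:", " -> ".join(trace_outbound("192.168.0.254")))
    print("inbound: ", " -> ".join(trace_inbound("204.60.0.3")))
    print("pool collisions:", collisions() or "none")
```

A plain static entry like these translates every protocol and port, so the server behind 204.60.0.3 is reachable on whatever it listens on unless an ACL in the path restricts it.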
03-26-2009 09:59 PM
Thanx for your support. I have made all the above changes.
I am still not able to ping the internal server from Internet user.
I am confused because the ISP router has a range of 204.60.0.0/24. I want to assign public IP 204.60.0.3 to the internal server connected to client01 router. How can I assign a public IP to the internal server from a pool of private IPs which have already been assigned to ISP router.
Please reply.
Regards.
03-27-2009 01:32 AM
Hello Faizan,
add the option reversible to both nat commands
because:
An initial session from inside-to-outside is required to trigger a NAT. New translation sessions can then be initiated from outside-to-inside to the inside host that triggered the initial translation.
see
Hope to help
Giuseppe
03-27-2009 02:58 AM
03-27-2009 07:24 AM
Hello Faizan,
let's try to add two lines like
ip nat outside source static global-ip local-ip
to create the entries from the outside interface.
Use the same addresses used before but in reverse order in the two commands.
Hope to help
Giuseppe
03-27-2009 12:13 PM
None of the routers are accepting the
ip nat outside source static global-ip local-ip command.
03-27-2009 01:30 PM
Hey Giuseppe,
Thank you very much for your help.
I have made all the changes successfully.
You have been really very helpful.
Best regards.
03-27-2009 01:40 PM
Hello Faizan,
nice news it is working, by the way, what is the combination of commands that is working ?
just to indicate the right solution.
Hope to help
Giuseppe
03-28-2009 02:49 PM
Hi Giuseppe,
The commands which you gave me were the ones which were required to make the change. It was simple yet tricky.
r1client1:
ip nat inside source static 192.168.0.254 10.30.0.5
isp router
ip nat inside source static 10.30.0.5 204.60.0.3
There was no need to put
ip dhcp excluded-address 192.198.0.1 192.168.0.254
Everything is working fine now and the user can now connect to server.
Thank you very much for your assistance!
The issue is completely resolved.
Regards.