NAT Configuration with ip routing (2811 <---> AS5300)

hirmoge123_2 · ‎09-22-2009

Hello, I need to interconnect two Cisco routers (2811 and A5300) through IP, and my purpose is to use 2811 as NAT service provider to translate between Private and Public, so that office LAN can use Private IP to access the internet.

AS5300 is working as our internet gateway provider and we use static public IP addresses, for security we need to use NAT.

As shown in the attached diagram, 2811 has 2 FE, I used FE0/0 to connect to the public switch and FE0/1 is connected to private switch to provide private IP and internet accessibility.

My problem is that how to make routing between AS5300 and 2811, and also to check with me if the NAT configuration is correct.

Attached are:

2811 sh config

AS5300 sh config

Diagram

platinum_jem · ‎09-22-2009

Hi,

What is your "Public IP Address" Range ?

Assuming it is 196.201.205.0 255.255.255.128 ,

Your NAT config in 2811 looks good.

In your AS5300 , there's no need to put in route for 10.10.0.0 since you are doing NAT instead of routing.

Everything goes thru AS5300 without the 10.10.x.x IP.

Your Office should be able to use the internet now with this config.

What else do you need to do ?

hirmoge123_2 · ‎09-22-2009

Thanks for your response, yes my public ip range is 196.201.205.0/24, but still i can not use the internet from private IPs, and the issue is routing problem, between the two routers its by though.

the interface loopback0 of AS5300 is connected to public router IP.

interface Loopback0

ip address 192.168.79.1 255.255.255.0

but i don't know what to do about interface Loopback0 of Cisco 2811 router.

Thanks

attached is the client computer which i connected to private LAN and configured to use the private IP 10.10.0.4 and gateway 10.10.0.1

hirmoge123_2 · ‎09-22-2009

who can help me this issue?

platinum_jem · ‎09-22-2009

Let me understand here more.

You are having some weird configuration for the AS5300.

1) Why do you have a loopback interface on the AS5300 ?

2) Why did you set your default route to the loopback interface subnet ?

3) Who is holding 192.168.79.1 ?

4) Are you able to ping to the internet from the AS5300 ?

hirmoge123_2 · ‎09-23-2009

1) Loopback interface of the AS5300 (Gateway1) is connected another AS5300 (Gateway2) loopback through E1, these two AS5300 are our internet backbone from neighbor country via transmission channel.

2) This loopback interface is connected to next router loopback interface that is why we used it as our default router.

3) 192.168.79.1 is holding by AS5300 of AS5300 (Gateway2)

4) By using public IP addresses (196.201.205/24) I can ping and use the internet from any client connected to Catalyst 2950 24 port.

i have also again attached the network diagram to understand the physical connection between routers.

platinum_jem · ‎09-23-2009

Your NAT config looks good.

Can you post the test for below

1) Ping from 2811 F0/0 to www.yahoo.com

2) Ping from 2811 F0/1 to www.yahoo.com

hirmoge123_2 · ‎09-23-2009

below is the result of ping command, inside the router which means i am using F0/0, is there any other way to ping www.yahoo.com using F0/1 or F0/0?

2800#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (255.255.255.255) [OK]

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 168/175/192 ms

platinum_jem · ‎09-23-2009

the command is

ping www.yahoo.com source f0/1

if you dont have the above command, try

ping ip

then go into extended command.

hirmoge123_2 · ‎09-23-2009

this is the result of commands using F0/1 and F0/0.

2800#ping http://www.yahoo.com source f0/1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 164/190/264 ms

Telcom2800#ping http://www.yahoo.com source f0/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

Packet sent with a source address of 196.201.205.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 172/201/276 ms

2800#

Now both can ping the internet. how can clients users access the internet using private ip range 10.10.0.0/16.

Also during assigning private ip to clients do we need to add gateway ip, which is 10.10.0.1?

Jerry Ye · ‎09-22-2009

You NAT is fine, but I see two issues with your config (assuming your Public IP's are correct, and the routing from the SP to you are correct)

1) On 2811, loopback 0, the IP address is overlapping with your F0/1. You should change the IP or remove loopback 0.

2) On AS5300, you don't need the static route ip route 10.10.0.0 255.255.0.0 196.201.205.3, the NAT on the 2811 will take care of it.

HTH,

jerry

hirmoge123_2 · ‎09-23-2009

We can not change the configuration of AS5300Gateway1 and AS5300Gateway2, since the internet is working, we need only to configure 2811 as NAT,and provide internet to offices.

i have attached the current configuration of AS5300Gateway1 and AS5300Gateway2 and 2811.

Thanks

yagnesh_tel · ‎09-23-2009

Although it is not mandatory but to be on safer side I would use extended ACL to match interesting traffic for NAT. Also to troubleshoot this issue further, first check hits on your NAT ACL and if possible use NAT debugging in controlled manner(using ACL) to verify NAT operation.

Jerry Ye · ‎09-23-2009

Your routing looks fine. I will suggest you to follow other posters' comment to troubleshoot it (to determine where the traffic stop).

Regards,

jerry

hirmoge123_2 · ‎09-23-2009

Thanks,

Now i can ping the internet using the private ip.

2800#ping www.yahoo.com source f0/1

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 164/190/264 ms

But the problem is that when assigning private IP to clients, i can't reach the internet.