
NAT Pool Question

sadik.bash

Hi all,

I have a new dual T1 circuit ordered from AT&T and I was provided with the IP addresses for the WAN and the LAN. I am unclear on which IP address to use for the NAT pool. Here is a clarification:

Existing router configuration:

Existing Circuit- DSL

G0/0: 98.173.157.108

G1/0: 10.10.3.0/24

G1/0.1: 10.10.0.1/24

G1/0.2: 10.10.2.1/24

ip nat pool mynetwork 98.173.157.108 98.173.157.108 netmask 255.255.255.248

New IP addresses:

S0/0: 12.90.58.66

LAN info:

IP address: 12.100.140.191/26

LAN/Ethernet/Gateway IP address: 12.100.140.192

Subnet mask: 255.255.255.192

======================================

My question:

- Do I replace the ip nat pool with WAN ip address (12.90.58.66) or the LAN IP address (12.100.14.191)?

I hope I was clear in stating my question and thanks in advance for any assistance.

SK


Giuseppe Larosa

Hello Sadik,

>> Do I replace the ip nat pool with WAN ip address (12.90.58.66) or the LAN IP address (12.100.14.191)?

Actually, both solutions are possible; however, you have received a valuable public IP address block.

This can be used to create your DMZ where you can put servers that should be visible on the internet.

Or also for security reasons you may want to keep all servers private but you may like to have static ip addresses reserved to servers.

Solution 1 sees three L3 interfaces WAN, LAN and DMZ.

Solution 2 has two L3 interfaces: WAN and LAN.

The LAN public block can be associated in this case (solution 2) to a loopback interface that represents the pool.

This is the way I usually do.

So, there is no single answer to your question and all these possibilities can work even using single ip addresses in public block of DMZ interface for NATTING internal hosts.

Ask yourself what are your needs?

Have you got servers to be exposed to the internet that could benefit from static NAT entries?

A DMZ LAN can be useful ?

Hope to help

Giuseppe

Thank you Giuseppe!

I don't have a DMZ yet, so solution 2 is what I have in my environment.

So, I could do this, and please feel free to provide feedback:

S0/0: 12.90.58.66

G0/0: 12.100.14.191

ip nat pool mycompany 12.100.14.191 12.100.14.191 netmask 255.255.255.192

ip nat inside source list 199 interface g0/0 overload

Thanks in advance,

sK

Hello Sadik,

this can work if G0/0 is NOT your internal interface.

if it is your internal interface you should use

S0/0: 12.90.58.66

Loopback0: 12.100.14.191/26

G0/0: private ip address here

ip nat pool mycompany 12.100.14.192 12.100.14.2xy netmask 255.255.255.192

ip nat inside source list 199 pool mycompany overload

Otherwise, if g0/0 is your internal interface and you give it a public IP address, well, you wouldn't need NAT for users in the LAN (not recommended for security reasons).

Hope to help

Giuseppe
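
An added example, not part of any post in this thread: a Python check that derives the subnet implied by an `ip nat pool ... netmask ...` statement and reports whether the pool's start or end address is that subnet's network or broadcast address. The function name `check_nat_pool` is hypothetical; the first two sample statements are quoted from the thread and the third is constructed.

```python
import ipaddress
import re

# Statement form used in this thread:
#   ip nat pool <name> <start-ip> <end-ip> netmask <mask>
POOL_RE = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask (\S+)$")

# The first two lines are quoted from the thread; the third is constructed.
SAMPLE_CONFIG = [
    "ip nat pool mynetwork 98.173.157.108 98.173.157.108 netmask 255.255.255.248",
    "ip nat pool mycompany 12.100.14.191 12.100.14.191 netmask 255.255.255.192",
    "ip nat pool example 12.100.14.193 12.100.14.254 netmask 255.255.255.192",
]


def check_nat_pool(line):
    """Return (name, subnet, address_count, problems) for one pool statement."""
    match = POOL_RE.match(line.strip())
    if match is None:
        raise ValueError(f"not an 'ip nat pool' statement: {line!r}")
    name, start_text, end_text, mask = match.groups()
    start = ipaddress.IPv4Address(start_text)
    end = ipaddress.IPv4Address(end_text)
    # strict=False derives the enclosing subnet from a host address and mask.
    subnet = ipaddress.IPv4Network(f"{start}/{mask}", strict=False)
    problems = []
    if end < start:
        problems.append("end address is lower than start address")
    if end not in subnet:
        problems.append(f"{end} is outside {subnet}")
    # A set avoids reporting the same address twice when start == end.
    for addr in sorted({start, end}):
        if addr == subnet.network_address:
            problems.append(f"{addr} is the network address of {subnet}")
        elif addr == subnet.broadcast_address:
            problems.append(f"{addr} is the broadcast address of {subnet}")
    count = max(int(end) - int(start) + 1, 0)
    return name, subnet, count, problems


if __name__ == "__main__":
    for statement in SAMPLE_CONFIG:
        name, subnet, count, problems = check_nat_pool(statement)
        print(f"{name}: {subnet}, {count} address(es), {problems or 'ok'}")
```
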

Thanks Giuseppe.

One last question; should this statement include the loopback or (G0/1) physical address after the source list number:

ip nat inside source list 199 pool mycompany overload

Thanks,

sK

Hi again.

As I was trying to implement this, I realized that if the S0/0 is my outbound connection to the Internet, G0/1 is my inbound connection to the switch, why would I configure G0/0 if it isn't going to be plugged into anything?

I am unclear about where I need to configure 12.100.14.191/26 if I already have a connection to the carrier through the outbound (S0/0) interface!

Thanks in advance,

sK

Sadik,

You've purchased a new wan interface and they provided you a new public ip block. Am I right?

- Wan is s0/0 configured with the new public IP address.

- Public IP block you got is 12.100.14.191/26.

- You also have a lan IP network (Private IPs).

As per your question, it depends on what you want to do. If you want to use a new IP block as a NAT pool, you can do it. You can use it for inbound connections by configuring static NAT for a new public IP block. In case you only do dynamic NAT for outbound connection, you can do nothing about it as well. (grin)

HTH,

Toshi

Thanks Toshi.

Yes, you are correct.

So, in that case, I could simply use the G0/1 or my inbound connection (Private), assign static NAT beginning with the first Public IP block address (12.100.14.191), and disable G0/0. Would this be correct?

Thanks,

SK

Sadik,

G0/0 is not used anymore, right? If yes, just disable it.

You can use the new public IP block to do static NATs. It depends on what you design. (grin)

Keep in mind, using a pool to do dynamic NAT is limited to the number of IPs you got. If it's not enough for your active hosts inside the network, you'd better use PAT to do so.

HTH,

Toshi

Thanks Toshi!

sK

Toshi,

How would you subnet this ip address to 7 subnets: 10.199.223.0/25?

Thanks in advance,

sK

Sadik,

Is this a trick question? (J/K)

10.199.223.0/28

10.199.223.16/28

10.199.223.32/28

10.199.223.48/28

10.199.223.64/28

10.199.223.80/28

10.199.223.96/28

10.199.223.112/28

Sorry for my math. (grin)

What about the rating system. hehehe..

Toshi
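
An added example, not part of any post in this thread: a Python planner that splits a parent block into the fewest equal-size subnets covering a requested count, generalized to any IPv4 parent and an optional minimum host count per subnet. The function name `plan_subnets` and the `min_hosts` parameter are hypothetical.

```python
import ipaddress


def plan_subnets(parent, count, min_hosts=0):
    """Split `parent` into equal subnets; return (subnets, usable_hosts_each).

    Borrows the fewest host bits that give at least `count` subnets, so a
    request for 7 yields 8. Raises ValueError when the parent is too small
    or each resulting subnet would hold fewer than `min_hosts` hosts.
    """
    if count < 1:
        raise ValueError("count must be at least 1")
    net = ipaddress.IPv4Network(parent)
    # (count - 1).bit_length() is the number of bits needed to index
    # `count` subnets: 7 -> 3 bits, 8 -> 3 bits, 9 -> 4 bits.
    borrowed = (count - 1).bit_length()
    new_prefix = net.prefixlen + borrowed
    if new_prefix > net.max_prefixlen:
        raise ValueError(f"{net} cannot be split into {count} subnets")
    subnets = list(net.subnets(new_prefix=new_prefix))
    # Usable hosts exclude the network and broadcast addresses; /31 and /32
    # are reported as 0 here (point-to-point /31 use is not modelled).
    usable = max(subnets[0].num_addresses - 2, 0)
    if usable < min_hosts:
        raise ValueError(
            f"/{new_prefix} subnets hold {usable} hosts, fewer than {min_hosts}"
        )
    return subnets, usable


if __name__ == "__main__":
    # The question asked in the thread: 7 subnets out of 10.199.223.0/25.
    subnets, usable = plan_subnets("10.199.223.0/25", 7)
    for subnet in subnets:
        print(subnet, f"({usable} usable hosts)")
```
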

Thanks again, Toshi!

No, it wasn't a trick question.. lol. I just wanted to verify my subnetting skills!

Thanks again,

sK
