NAT translations and IP secondary Addresses

Answered Question
Apr 16th, 2004

I am running out of IP addresses on the outside interface and want to configure a secondary IP address range. I am using a few IP addresses for NAT translations from the outside interface, but wanted the NAT pool to use the secondary IP address range from the outside interface instead of the primary IP address range. I have configured the outside interface with the secondary IP address range and changed the IP address range of the NAT pool to the secondary IP address range. I also configured the router to route the secondary IP address range, but it did not work for me. Any suggestions would be greatly appreciated.


Georg Pauwen Fri, 04/16/2004 - 12:53
Hello,

can you post your configuration? Here is what I have configured:

interface Ethernet0
 ip address 135.13.20.1 255.255.255.252
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface Serial0
 ip address 172.16.1.1 255.255.0.0 secondary
 ip address 192.168.1.1 255.255.255.252
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation frame-relay
 frame-relay map ip 192.168.1.2 102 broadcast
 no frame-relay inverse-arp
!
ip nat pool HOME 172.16.1.1 172.16.1.1 netmask 255.255.0.0
ip nat inside source list 1 pool HOME overload
ip route 0.0.0.0 0.0.0.0 192.168.1.2

Do you at least get your inside addresses translated?

Regards,

Georg

Anonymous (not verified) Fri, 04/16/2004 - 13:56

Yes, the inside addresses are being translated. I see the route in the table, but hosts can't access the Internet. Below is the configuration:

interface Vlan416
 description Outside Interface
 ip address 165.95.250.65 255.255.255.192 secondary
 ip address 165.95.241.35 255.255.255.224
 ip broadcast-address 165.95.241.63
 ip access-group 121 in
 ip access-group 120 out
 no ip redirects
 no ip unreachables
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 service-policy output llq
 standby 7 ip 165.95.241.33
 standby 7 priority 40
 standby 7 preempt
!
interface Vlan50
 description Inside Interface
 ip address 192.168.2.2 255.255.255.0
 ip broadcast-address 192.168.2.255
 ip access-group 102 in
 ip helper-address 165.95.240.51
 no ip redirects
 no ip unreachables
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 standby 2 ip 192.168.2.1
 standby 2 priority 40
 standby 2 preempt
!
router ospf area 10
 network 165.95.241.32 0.0.0.31 area 10
 network 165.95.250.64 0.0.0.63 area 10
!
ip nat pool Outsideovrld 165.95.250.66 165.95.250.126 prefix-length 26
ip nat inside source list 21 pool Outsideovrld overload
!
ip route 0.0.0.0 0.0.0.0 165.95.241.38
!
access-list 21 deny 192.168.2.2
access-list 21 permit 192.168.2.0 0.0.0.255 log

Note: Vlan416 connects via a fiber link to the PIX firewall and then to the Internet. This is the only path out to the Internet. IP address 165.95.241.38 is the next-hop address.

Correct Answer
Georg Pauwen Fri, 04/16/2004 - 22:29

Hello,

stupid question maybe, but can you check if your PIX allows the translated range (165.95.250.66 165.95.250.126 prefix-length 26) through? Are the translated addresses arriving at the PIX?

By the way, NAT and HSRP do not work well together. The standby router does not have the NAT translation table, so when the cutover from the active to the standby router occurs, your connections will time out.

Regards,

Georg



Anonymous (not verified) Mon, 04/19/2004 - 06:03

Hello Pauwen, I really appreciate your help. This is NOT a stupid question. I actually did forget to configure the route in the PIX firewall. Once I did this, I tested and it worked.

Correct Answer
billtoth Sat, 04/17/2004 - 03:30

rcostilla

It looks like your default gateway may be on the subnet with your primary IP address.

If this is the case then the replies probably have no route back to your secondary IP address or your NAT pool subnet.

Another IP address in the same subnet as your secondary block needs to be added to the default gateway interface, or the subnet mask needs to be changed to range across both of your blocks.

If you already have a route from your ISP to the secondary block then you can just remove the secondary IP address and NAT through the primary IP address using the secondary pool.

hth

BT
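
The return-path reasoning in Bill's reply, and Georg's question about whether the translated range ever reaches the PIX, can be checked mechanically against the posted configuration. The Python script below is an added example, not code from this thread or from Cisco: it parses an IOS-style excerpt (constructed here from the addresses posted above), finds the outside subnet the default next hop sits on, and reports whether the NAT pool shares that subnet; when it does not, replies to the pool addresses can only come back if the upstream device carries a route for the pool subnet pointing at this router. Pointing that route at the HSRP virtual address is this example's assumption, not something the thread states, and the third configuration (a pool carved out of the primary /27) is a constructed control case.

```python
"""Return-path check for an IOS NAT pool that lives on a secondary subnet.

Added example for this thread, not from the thread or from Cisco. It parses a
small IOS-style config and answers: is the NAT pool on the same outside subnet
as the default next hop, and if not, does the upstream device need a route back?
"""
import ipaddress
import re

# Constructed excerpt modelled on the configuration posted in the thread.
THREAD_CONFIG = """\
interface Vlan416
 ip address 165.95.250.65 255.255.255.192 secondary
 ip address 165.95.241.35 255.255.255.224
 ip nat outside
 standby 7 ip 165.95.241.33
interface Vlan50
 ip address 192.168.2.2 255.255.255.0
 ip nat inside
ip nat pool Outsideovrld 165.95.250.66 165.95.250.126 prefix-length 26
ip nat inside source list 21 pool Outsideovrld overload
ip route 0.0.0.0 0.0.0.0 165.95.241.38
"""

# Bill's alternative: no secondary address, NAT through the primary with the same pool.
NO_SECONDARY_CONFIG = THREAD_CONFIG.replace(
    " ip address 165.95.250.65 255.255.255.192 secondary\n", "")

# Control case (constructed): a pool carved out of the primary /27 itself.
SAME_SUBNET_CONFIG = NO_SECONDARY_CONFIG.replace(
    "165.95.250.66 165.95.250.126 prefix-length 26",
    "165.95.241.40 165.95.241.50 prefix-length 27")

IP_ADDR = re.compile(r"ip address (\S+) (\S+)")
HSRP_VIP = re.compile(r"standby \d+ ip (\S+)")
NAT_POOL = re.compile(r"ip nat pool (\S+) (\S+) (\S+) (?:netmask (\S+)|prefix-length (\d+))")
DEFAULT_ROUTE = re.compile(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)")


def parse_config(text):
    """Return (outside subnets, HSRP VIPs on outside interfaces, pools, default next hop)."""
    ifaces, pools, next_hop = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ifaces.append({"nets": [], "vips": [], "outside": False})
        elif ifaces and (m := IP_ADDR.match(line)):
            # Primary and secondary addresses both count as connected subnets.
            ifaces[-1]["nets"].append(ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network)
        elif ifaces and line == "ip nat outside":
            ifaces[-1]["outside"] = True
        elif ifaces and (m := HSRP_VIP.match(line)):
            ifaces[-1]["vips"].append(ipaddress.IPv4Address(m[1]))
        elif m := NAT_POOL.match(line):
            start, end = ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])
            net = ipaddress.IPv4Network(f"{m[2]}/{m[4] or m[5]}", strict=False)
            pools[m[1]] = (start, end, net)
        elif m := DEFAULT_ROUTE.match(line):
            next_hop = ipaddress.IPv4Address(m[1])
    outside = [i for i in ifaces if i["outside"]]
    nets = [n for i in outside for n in i["nets"]]
    vips = [v for i in outside for v in i["vips"]]
    return nets, vips, pools, next_hop


def check_return_path(text, pool_name):
    """Report whether replies to the pool addresses can find their way back."""
    nets, vips, pools, next_hop = parse_config(text)
    start, end, pool_net = pools[pool_name]
    gw_net = next((n for n in nets if next_hop is not None and next_hop in n), None)
    connected = next((n for n in nets if start in n and end in n), None)
    # Replies return unaided only when the pool shares the next hop's subnet.
    needs_route = gw_net is None or start not in gw_net or end not in gw_net
    findings = []
    if not (start <= end and start in pool_net and end in pool_net):
        findings.append(f"pool {start}-{end} does not fit inside its mask {pool_net}")
    if connected is None:
        findings.append(f"pool {pool_net} is not a connected outside subnet; "
                        "it is reachable only if the upstream routes it here")
    if gw_net is None:
        findings.append(f"default next hop {next_hop} is not on any 'ip nat outside' subnet")
    elif needs_route:
        via = vips[0] if vips else "this router's outside address"  # assumption: prefer the HSRP VIP
        findings.append(f"next hop {next_hop} is on {gw_net}, not on the pool subnet: the "
                        f"upstream device needs a route for {pool_net} via {via}")
    return {
        "pool_network": str(pool_net),
        "gateway_network": str(gw_net) if gw_net else None,
        "pool_on_connected_subnet": connected is not None,
        "needs_upstream_route": needs_route,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, cfg in (("as posted", THREAD_CONFIG), ("no secondary", NO_SECONDARY_CONFIG),
                       ("pool inside primary", SAME_SUBNET_CONFIG)):
        result = check_return_path(cfg, "Outsideovrld")
        print(f"--- {label}: needs upstream route = {result['needs_upstream_route']}")
        for finding in result["findings"]:
            print("  *", finding)
```

Run as-is it reports all three cases. For the posted configuration it finds that 165.95.241.38 sits on 165.95.241.32/27 while the pool lives on 165.95.250.64/26, which is the missing return route the thread ended up adding on the PIX; Bill's variant without the secondary address needs the same upstream route, and only the control case (pool inside the primary /27) passes without one.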

Anonymous (not verified) Mon, 04/19/2004 - 06:28
Hello Bill,

I tried this prior to adding the secondary IP address to the interface and it did not work for me; but it did not work for me because I did not have the route on the PIX. Once I added the route, I then tried this option as well and it worked. I will use this configuration instead of adding the second IP address range to the interface, because users noticed a delay when configuring the secondary IP address on the interface. Thank you so much for your input.
