NAT on C2911 ISR complicated...

Hello,

I am trying to design a solution to my problem with little results.

My goal is to have my C2911 router that is running BGP to my ISP successfully NAT an inside network that is attached to the C2911. I am not entirely sure this is possible, or even the best solution.

Network design is a dual-tier FW with a DMZ in between. In this DMZ there are web servers serviced by software load-balancers. I am trying to prevent having to use the real Virtual IPs for the LBs, so I was hoping to implement an outbound NAT in between my inside DMZ network and my edge BGP router (C2911).

I believe this is all the pertinent information:

interface GigabitEthernet0/0
 description inside DMZ network /24
 ip address 10.100.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description BGP peer to ISP /30
 ip address 10.200.0.1 255.255.255.252
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description public IP block /24
 ip address 10.250.0.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 standby 10 ip 10.250.0.1
 standby 10 priority 110
 standby 10 preempt
 standby 10 track 1 decrement 20
 duplex auto
 speed auto
 no mop enabled
!
router bgp 64000
 bgp log-neighbor-changes
 neighbor 10.200.0.2 remote-as 1111
 neighbor 10.200.0.2 description <blah>
 neighbor 10.200.0.2 password 7 <hash>
 neighbor 10.200.0.2 timers 30 90 30
 neighbor 10.250.0.3 remote-as 64000
 neighbor 10.250.0.3 description X-connect to Secondary Router
 neighbor 10.250.0.3 password 7 <hash>
 !
 address-family ipv4
  network 10.250.0.0
  neighbor 10.200.0.2 activate
  neighbor 10.200.0.2 soft-reconfiguration inbound
  neighbor 10.250.0.3 activate
 exit-address-family
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat pool dmz16_pat 10.250.0.226 10.250.0.226 netmask 255.255.255.255
ip nat inside source list 1 pool dmz16_pat overload
ip nat inside source static 10.100.3.200 10.250.0.200
ip nat inside source static 10.100.3.201 10.250.0.201
ip nat inside source static 10.100.3.206 10.250.0.206
ip nat inside source static 10.100.3.207 10.250.0.207
ip nat inside source static 10.100.3.208 10.250.0.208
ip nat inside source static 10.100.3.209 10.250.0.209
ip nat inside source static 10.100.3.210 10.250.0.210
ip nat inside source static 10.100.3.211 10.250.0.211
ip nat inside source static 10.100.3.217 10.250.0.217
ip nat inside source static 10.100.3.218 10.250.0.218
ip nat inside source static 10.100.3.219 10.250.0.219
ip nat inside source static 10.100.3.220 10.250.0.220
ip nat inside source static 10.100.3.223 10.250.0.223
ip nat inside source static 10.100.3.224 10.250.0.224
ip nat inside source static 10.100.3.232 10.250.0.232
ip nat inside source static 10.100.3.233 10.250.0.233
ip nat inside source static 10.100.3.234 10.250.0.234
ip nat inside source static 10.100.3.235 10.250.0.235
ip nat inside source static 10.100.3.236 10.250.0.236
ip nat inside source static 10.100.3.237 10.250.0.237
ip nat inside source static 10.100.3.238 10.250.0.238
ip nat inside source static 10.100.3.239 10.250.0.239
ip nat inside source static 10.100.3.240 10.250.0.240
ip route 10.250.0.0 255.255.255.0 Null0
!
access-list 1 permit 10.100.3.0 0.0.0.255
access-list 101 <omit>

Thanks in advance for anyone offering up any thoughts!

Cheers!
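An added consistency check, not part of the original post: it parses IOS configuration text like the one above and flags the mistakes an edge-NAT design of this shape can hide, namely an inside-global address outside the block anchored with the Null0 route for BGP to advertise (return traffic from the ISP would not come back to this router), an inside-global that is one of the router's own or HSRP addresses on the public segment, a static mapping that collides with the PAT pool address, and an inside-local that is not on the `ip nat inside` subnet. The sample input is a trimmed copy of the poster's configuration with two deliberately wrong static entries added as constructed test data.

```python
import ipaddress
import re

# Constructed input: a trimmed copy of the poster's configuration plus two
# deliberately wrong static entries (the last two) to exercise the checks.
CONFIG = """
interface GigabitEthernet0/0
 ip address 10.100.3.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/2
 ip address 10.250.0.2 255.255.255.0
 standby 10 ip 10.250.0.1
ip nat pool dmz16_pat 10.250.0.226 10.250.0.226 netmask 255.255.255.255
ip nat inside source list 1 pool dmz16_pat overload
ip nat inside source static 10.100.3.200 10.250.0.200
ip nat inside source static 10.100.3.226 10.250.0.226
ip nat inside source static 10.100.9.5 10.251.0.5
ip route 10.250.0.0 255.255.255.0 Null0
"""

def check_nat(config):
    """Return a list of findings; an empty list means the NAT entries are consistent."""
    ip, net = ipaddress.ip_address, ipaddress.ip_network
    statics, pool, local, owned, inside_net, last_net = [], [], set(), None, None, None
    for line in (ln.strip() for ln in config.splitlines()):
        if m := re.match(r"ip nat inside source static (\S+) (\S+)", line):
            statics.append((ip(m[1]), ip(m[2])))          # (inside-local, inside-global)
        elif m := re.match(r"ip nat pool \S+ (\S+) (\S+) netmask", line):
            pool = [ip(a) for a in range(int(ip(m[1])), int(ip(m[2])) + 1)]
        elif m := re.match(r"ip route (\S+) (\S+) Null0", line):
            owned = net(f"{m[1]}/{m[2]}")                  # block anchored for BGP to advertise
        elif m := re.match(r"(?:ip address|standby \d+ ip) (\S+) ?(\S*)", line):
            local.add(ip(m[1]))                            # addresses the router itself owns
            if m[2]: last_net = net(f"{m[1]}/{m[2]}", strict=False)
        elif line == "ip nat inside":
            inside_net = last_net                          # subnet behind the inside interface
    findings = []
    for g in [g for _, g in statics] + pool:
        if owned is not None and g not in owned:
            findings.append(f"inside-global {g} is outside advertised block {owned}")
        if g in local:
            findings.append(f"inside-global {g} is a router-owned address")
    for loc, g in statics:
        if g in pool:
            findings.append(f"static {loc}->{g} collides with the PAT pool address")
        if inside_net is not None and loc not in inside_net:
            findings.append(f"inside-local {loc} is not on the inside subnet {inside_net}")
    return findings

if __name__ == "__main__": print("\n".join(check_nat(CONFIG)) or "no findings")
```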
