Re: question about NAT.

philipsyao · ‎07-16-2007

I tried to have a NAT enabled on my LAN. IP address of my PC is 10.10.0.183. Outside interface is 66.x.x.18/30, which is connected to my Internet router with IP address ending with .17/30. The configuration is like the following. However, I cannot go out to the rest of the world. I check on the NAT router, the NAT seems ok.

LAN_2801#show ip nat translations

Pro Inside global Inside local Outside local Outside global

--- 66.210.216.3 10.10.0.183 --- ---

I was wondering that the Internet Router might not know the route to 66.x.x.0, that's why I even added the secondary IP address 66.x.x.1/24 to the NAT router's outside interface. However, still no luck.

Is there anyone has an idea about that? Many thanks.

interface FastEthernet0/0

ip address 66.x.x.1 255.255.255.0 secondary

ip address 66.x.x.18 255.255.255.252

ip verify unicast reverse-path

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no snmp trap link-status

crypto map rtptrans

service-policy output Shaper

!

interface FastEthernet0/1

ip address 10.10.0.29 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1.1

encapsulation dot1Q 2

ip address 10.10.11.1 255.255.255.0

ip nat inside

ip virtual-reassembly

no snmp trap link-status

!

ip local pool DIAL-IN 10.10.11.240 10.10.11.254

ip route 0.0.0.0 0.0.0.0 66.210.222.17

ip route 208.x.x.0 255.255.255.0 10.10.0.1

!

ip nat pool sss 66.x.x.3 66.210.216.3 prefix-length 24

ip nat inside source route-map SSS pool sss reversible

ip nat inside source route-map nonat interface FastEthernet0/0 overload

!

access-list 125 deny ip 10.10.11.0 0.0.0.255 10.254.0.0 0.0.255.255

access-list 125 permit ip 10.10.11.0 0.0.0.255 any

access-list 135 permit ip host 208.1.42.59 host 198.205.161.1

access-list 145 permit ip host 10.10.0.183 any

!

route-map SSS permit 5

match ip address 145

!

route-map nonat permit 10

match ip address 125

Edison Ortiz · ‎07-16-2007

Looks good, did you configure DNS on the workstations trying to access the internet ?

Try pinging a internet location by using an IP address instead of the name and see if it works.

I also noticed you have a crypto (IPSec) in the outgoing interface, I didn't see any IPSec configuration in the router. Was that left behind by mistake ?

philipsyao · ‎07-16-2007

Yes, I did have the DNS configured and try using an IP address instead of name, but not working.

The IPSec is for something else, it just works fine, long before I tried this NAT. I didn't post the crpto congiguration since it's totally unrelated.

As you can see, we also have another NAT with 10.10.11.0 subnet, but use overloading mode, that works. what I what is the 1-to-1 static mapping with 10.10.0.0 subnet.

what's the standard configuration for the 1-to-1 mapping? I used the route-map and nat pool method, but not sure if it's the right way. I though there should be a eaiser way to do it.

Edison Ortiz · ‎07-16-2007

With the 'overload' option, you turn on PAT, which means many workstations can share the same IP address since it's using port-address translation.

On a 1-to-1 like you stated, it's static NAT, the first workstation will grab that IP and that's the only one able to browse the internet.

Currently, 10.10.0.183 is the only device able to browse the net.

philipsyao · ‎07-17-2007

Even though it's shown that my PC got NATed, I cannot browse the internet, I cannot visit any website, no ping, no traceroute. It right stoped at the NAT router. I can ping the outside interface address, but no further than that.

what could be the reason? that must be a routing problem.

Edison Ortiz · ‎07-17-2007

... and you are allowed to use 66.210.216.3 by your ISP ?

Can you try this way ?

ip nat inside source static local-ip global-ip

philipsyao · ‎07-19-2007

actually I'm the ISP itself.

I tried that command at the very first step because it's the most straightforward way you can come up with. but it didn't work.

is there any conflct if I use both overloading and static NAT on the same interface?