I have spent a few hours trying to NAT out a few internal 192.168.x.x hosts through both my ethernet1/0 interface and also tried using another IP from the range. Any help GREATLY appreciated. Thanks! (Config below)
Current configuration : 1021 bytes
service timestamps debug datetime msec
service timestamps log datetime msec
enable secret xxxx
enable password xxxx
no aaa new-model
ip name-server xx.xx.xx.xx
ip name-server xx.xx.xx.xx
ip audit po max-events 100
ip address 65.126.x.x 255.255.255.252
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip address 65.126.x.x 255.255.255.240
ip nat outside
ip nat inside source list 7 interface Ethernet1/0 overload
7-year-old post, but I have the CCNA Composite exam in 36 hours, so I'll ignore that and answer.
I'm assuming a basic setup (like the one in the question) with PAT and many-to-one source translation.
The steps to properly configure NAT are:
1) list all your interfaces and track which ones are your *internal* interfaces and which one is your *external* one. In the configuration given by OP, the "inside" interface is Fastethernet 0/1. The "outside" interface is Ethernet 1/0.
2) Declare the interfaces one by one. This is done in the interface configuration dialog with the statements "ip nat inside" and "ip nat outside" on the respective interfaces.
3) Gather your traffic with an ACL. This step is necessary to teach the router which traffic it should consider for Network Address Translation. It is achieved by an ACL that permits traffic coming from the subnets configured on our "inside" interfaces. In this case, 192.168.1.0/24.
Thanks Joe, since I posted I caught that and have this in there:
access-list 7 permit 192.168.1.0 0.0.0.250
It still does not work. I am really at a loss here sitting in the datacenter at 9:30pm. Do I need to route the 192.x.x.x somewhere (tried all options)? Thanks for any more advice.
The reason OP can't get NAT to work is because his ACL was at first absent, and subsequently mistyped.
It should be
ip access-list standard 7
 permit 192.168.1.0 0.0.0.255
 deny any
The deny statement is implied, but explicitly adding it simplifies troubleshooting, as every packet matching it will show up in
# show access-lists
ACLs use a "wildcard" mask notation for defining groups of addresses. For all intents and purposes at this level, they are just another format for subnet masks, but they can be used in other ways.
You obtain your wildcard mask by subtracting the subnet mask bits (in decimal) from 255.255.255.255. In this case: 255.255.255.255 - 255.255.255.0 (the subnet mask for a /24 network) = 0.0.0.255. Therefore, the mistake lies in the ACL statement.
4) Activate NAT with the general configuration dialog statement "ip nat inside source list LISTNAME interface INTERFACEID overload".
5) Troubleshoot if needed by using show access-lists, show ip nat translations, debug ip nat. It only works when you see relevant data in the output of those commands.
You do *not* have to route anything, as that would defy the entire purpose of NAT.
If I made any mistake in my post please point it out. I think I got my head around NAT pretty ok, but you never know.
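Added example, not code from any poster in this thread: a small Python script that does the wildcard-mask arithmetic from the answer above (255.255.255.255 minus the subnet mask), checks whether a wildcard is a legitimate inverted subnet mask, works out exactly which hosts an ACL entry permits under Cisco "1 bit = don't care" semantics, and emits steps 2 through 4 of the answer as IOS configuration lines. The interface names, ACL number and 192.168.1.0/24 subnet are the ones from the thread; everything else (function names, the script itself) is assumed for illustration and is not Cisco tooling. It needs Python 3.9 or newer for the list[str] annotations.

```python
import ipaddress

# Added example, not from the thread. Interface names, ACL number and subnet
# are taken from the thread; the functions are illustrative helpers only.


def wildcard_from_mask(mask: str) -> str:
    """Cisco wildcard = 255.255.255.255 minus the subnet mask, octet by octet."""
    return ".".join(str(255 - int(octet)) for octet in mask.split("."))


def wildcard_from_prefix(prefix_len: int) -> str:
    """Same computation starting from a CIDR length, e.g. 24 -> 0.0.0.255."""
    netmask = ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask
    return wildcard_from_mask(str(netmask))


def is_contiguous_wildcard(wildcard: str) -> bool:
    """True when the wildcard is an unbroken run of 1-bits from the right,
    i.e. a real subnet mask inverted. 0.0.0.250 ends in 11111010, so it is not."""
    w = int(ipaddress.ip_address(wildcard))
    return (w & (w + 1)) == 0


def acl_matches(acl_addr: str, wildcard: str, host: str) -> bool:
    """Cisco semantics: wildcard 1-bits are 'don't care', 0-bits must match."""
    care = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    a = int(ipaddress.ip_address(acl_addr))
    h = int(ipaddress.ip_address(host))
    return (a & care) == (h & care)


def matched_hosts(acl_addr: str, wildcard: str, network: str) -> list[str]:
    """Which usable hosts of `network` the ACL entry would actually permit."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if acl_matches(acl_addr, wildcard, str(h))]


def nat_overload_config(inside_if: str, outside_if: str,
                        acl_id: int, inside_net: str) -> list[str]:
    """Steps 2-4 of the answer rendered as IOS configuration lines."""
    net = ipaddress.ip_network(inside_net)
    wildcard = wildcard_from_mask(str(net.netmask))
    return [
        f"interface {inside_if}",
        " ip nat inside",
        f"interface {outside_if}",
        " ip nat outside",
        f"ip access-list standard {acl_id}",
        f" permit {net.network_address} {wildcard}",
        " deny any",
        f"ip nat inside source list {acl_id} interface {outside_if} overload",
    ]


if __name__ == "__main__":
    good, typo = "0.0.0.255", "0.0.0.250"   # the correct mask and OP's mistyped one
    print("wildcard for /24:", wildcard_from_prefix(24))
    for wc in (good, typo):
        hits = matched_hosts("192.168.1.0", wc, "192.168.1.0/24")
        print(f"{wc}: contiguous={is_contiguous_wildcard(wc)}, "
              f"permits {len(hits)} of 254 hosts, "
              f"192.168.1.1 matched={acl_matches('192.168.1.0', wc, '192.168.1.1')}")
    print("\n".join(nat_overload_config("FastEthernet0/1", "Ethernet1/0", 7, "192.168.1.0/24")))
```

Running it shows why the typo was so confusing to troubleshoot: 0.0.0.250 is not a contiguous wildcard, so the entry still permits 63 of the 254 hosts (those whose last octet has bits 0 and 2 clear, such as .8 or .10) while silently excluding the rest, including the gateway-adjacent .1. The show access-lists hit counters the answer recommends are what reveal this.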