Cisco Support Community
New Member

NAT & routing issue - IOS CBAC

We purchased ISP service from our local carrier including 14 routable addresses. I am trying to combine the router/firewall into a single device (26xx).

*** ISP supplied info

CPE (my end) 68.190.254.26/30

ISP (their end) 68.190.254.25/30

Default route 68.190.254.25

*** additional IPs

71.95.12.48/28

*** The issue is the ISP says I have to make the default route for the 71.95.12.48/28 block the supplied CPE IP (68.190.254.26), not the ISP default route.

*************************************

Outline of my current NAT config

want to PAT one and static two others

*************************************

! PAT pool (single address) plus two static translations
ip nat pool pat-pool 71.95.12.49 71.95.12.49 netmask 255.255.255.240
ip nat inside source list 10 pool pat-pool overload
ip nat inside source static 192.168.1.5 71.95.12.50
ip nat inside source static 192.168.1.10 71.95.12.51
!
! inside
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! to ISP
interface FastEthernet0/1
 ip address 68.190.254.26 255.255.255.252
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 68.190.254.25
!
! inside hosts eligible for PAT
access-list 10 permit 192.168.1.0 0.0.0.255

Ideas? Suggestions? Don't want to add an additional edge router (which was suggested). Was thinking about possibly playing with policy routing to change the next hop or source interface, or maybe moving NAT to a loopback interface?

Forgot to mention: if I PAT using the CPE IP address (68.190.254.26), I can get it to work. I do have good connectivity.

Any help would be appreciated! Visited the NAT section on CCO & didn't find much useful for this situation.

2 REPLIES
Silver

Re: NAT & routing issue - IOS CBAC

While configuring CBAC and NAT on a router, the NAT order of operation plays an important role.

For inside-to-outside traffic, perform these steps:

1. Check input ACL.

2. Perform NAT inside to outside.

3. Check output ACL.

For outside-to-inside traffic, perform these steps:

1. Check input ACL.

2. Perform NAT outside to inside.

3. Check output ACL.

For filtering inside-to-outside traffic on the inside interface, the inside hosts should be specified by their actual IP addresses.

Similarly, for filtering outside-to-inside traffic on the outside interface, the inside hosts should be specified by their translated addresses (inside global).

Try these links:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_configuration_example09186a008009445f.shtml
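
The order of operations described in the reply above, applied to the addresses from the original post. This is an added example, not part of either poster's configuration; the ACL numbers 100 and 101, the inspection rule name FW, and the SMTP service on 192.168.1.5 are assumptions made for illustration.

```cisco
! Added example. Assumed: ACL 100/101, inspection name FW, SMTP on 192.168.1.5.
!
! CBAC inspects sessions leaving the outside interface and opens
! temporary return entries in the inbound ACL on that interface.
ip inspect name FW tcp
ip inspect name FW udp
!
! Inside interface, inbound: this ACL is checked BEFORE NAT
! inside-to-outside, so inside hosts appear with their real addresses.
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny   ip any any log
!
! Outside interface, inbound: this ACL is checked BEFORE NAT
! outside-to-inside, so the destination is still the inside global
! address (71.95.12.50), not the real host (192.168.1.5).
access-list 101 permit tcp any host 71.95.12.50 eq smtp
access-list 101 deny   ip any any log
!
! A rule written against the real address never matches on this
! interface, because translation has not happened yet when it is checked:
!   access-list 101 permit tcp any host 192.168.1.5 eq smtp
!
interface FastEthernet0/0
 ip access-group 100 in
!
interface FastEthernet0/1
 ip access-group 101 in
 ip inspect FW out
```

`show ip nat translations` and the hit counters in `show access-lists` show which address form each ACL is actually matching.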

New Member

Re: NAT & routing issue - IOS CBAC

Thanks for the reply. I actually figured out the problem. It took three days to convince the carrier that they had a routing problem inside their network (lots of traceroutes sourcing from the /28 block). They had an incorrect filter applied that was not allowing the advertisement of the new /28 block of routable addresses. The routing issue was resolved 30 minutes after convincing them it was their problem.
