Cisco Support Community
New Member

c1417 CPE, NAT and routable IPs

Hello,

This may have been answered before, but I am wondering how to have some (10.x.x.x) addresses translated by NAT, while allowing other (63.x.x.x) addresses to be passed through the router.

Basically I'm looking to replace a Cisco 678, a DSL router, a Linux box running iptables, and a VPN endpoint with a Cisco 1417 I was given. I know the VPN endpoint replacement isn't possible, so how can I route its public IP (.229) through, while still translating the 10-series addresses? I have a 2924 behind the boxes currently, so I can VLAN off the public traffic from the private traffic. A web search came up with partial configs, but nothing definitive. Any ideas?

1 ACCEPTED SOLUTION

Accepted Solutions
Purple

Re: c1417 CPE, NAT and routable IPs

Howdy,

When you configure dynamic NAT, you typically specify the source addresses that you want NAT'ed via an ACL. In order to translate just the 10.x.x.x addresses, use something like the following:

ip nat inside source list 10 pool NATPOOL1 overload
!
access-list 10 permit 10.0.0.0 0.255.255.255

I presume you are familiar with the rest of the NAT config. If not, let us know...

Hope that helps - pls rate the post if it does.

Paresh

6 REPLIES

Re: c1417 CPE, NAT and routable IPs

You can use dynamic NAT overload for the 10.x.x.x space (called PAT) over a single public IP address, while you can use a static NAT between .229 and the private IP address of the VPN box.

i. Let's assume 10.x.x.x is the private space for the inside LAN.

ii. Let this be PAT'ed to, say, 63.x.x.230, or even a pool of addresses.

To perform i and ii, you need the following commands:

ip nat inside source list 10 interface ethernet0 overload
access-list 10 deny host 10.x.x.10
access-list 10 permit 10.0.0.0 0.255.255.255

ACL 10 will make sure that traffic from the VPN box is not dynamically NATed by the above commands.

Interface ethernet 0 is the public facing ethernet interface which has the 63.x.x.230 address configured.

iii. To pass VPN traffic through a static NAT from 63.x.x.229 to, say, 10.x.x.229, where 10.x.x.229 is the IP address configured on the VPN box.

The command required to perform iii is:

ip nat inside source static 10.x.x.229 63.x.x.229

HTH

PS: Please remember to rate helpful replies!

Btw I am not familiar with the 1417 CLI. Hopefully it runs IOS and you will be able to set this up via CLI.

P
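As an added check that is not from either reply above: a small Python model of how IOS applies the static and dynamic NAT rules quoted in both answers (wildcard-mask ACL matching, static entries consulted before the dynamic list). All addresses are constructed; 203.0.113.0/24 (RFC 5737) stands in for the poster's 63.x.x.x block.

```python
"""Model IOS 'ip nat inside source' evaluation for an inside-originated packet:
static translations are consulted first, then the dynamic rule's ACL, and a
source matching neither leaves untranslated. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    action: str    # "permit" or "deny"
    address: str   # address field of the access-list line
    wildcard: str  # IOS wildcard mask: 0 bits must match, 1 bits are ignored

def acl_matches(entry: AclEntry, src: str) -> bool:
    """Wildcard-mask comparison as a standard ACL line applies it."""
    a = int(ipaddress.IPv4Address(entry.address))
    w = int(ipaddress.IPv4Address(entry.wildcard))
    s = int(ipaddress.IPv4Address(src))
    care = ~w & 0xFFFFFFFF           # bits the line actually tests
    return (a & care) == (s & care)

def acl_permits(acl: list[AclEntry], src: str) -> bool:
    """First matching line wins; every ACL ends with an implicit deny."""
    for entry in acl:
        if acl_matches(entry, src):
            return entry.action == "permit"
    return False

def nat_decision(src: str, static_map: dict[str, str],
                 acl: list[AclEntry], pat_address: str) -> tuple[str, str]:
    """Return (source address as it leaves the outside interface, reason)."""
    if src in static_map:                  # ip nat inside source static ...
        return static_map[src], "static"
    if acl_permits(acl, src):              # ip nat inside source list 10 ... overload
        return pat_address, "dynamic PAT"
    return src, "untranslated"             # e.g. the VPN box keeping its public IP

# Constructed equivalents of the lines quoted in the replies (203.0.113.x = 63.x.x.x).
ACL_10 = [
    AclEntry("deny", "10.1.1.10", "0.0.0.0"),         # access-list 10 deny host 10.x.x.10
    AclEntry("permit", "10.0.0.0", "0.255.255.255"),  # access-list 10 permit 10.0.0.0 0.255.255.255
]
STATIC = {"10.1.1.229": "203.0.113.229"}  # ip nat inside source static 10.x.x.229 63.x.x.229
PAT_IP = "203.0.113.230"                  # address on interface ethernet0

if __name__ == "__main__":
    for src in ["10.1.1.1", "10.1.1.10", "10.1.1.229", "203.0.113.229"]:
        out, why = nat_decision(src, STATIC, ACL_10, PAT_IP)
        print(f"{src:>15} -> {out:<15} {why}")
```

Running it shows the three outcomes the thread discusses side by side: a plain 10.x host is PAT'ed, the statically mapped host keeps its fixed public address, and a host already sourcing from the public block passes through unchanged.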

New Member

Re: c1417 CPE, NAT and routable IPs

Will I need to use a 10.x.x.x address on the VPN box, or can it use its real IP? The reason I'm asking is that the VPN box is connected to the 10.x network on the internal Ethernet side.

Purple

Re: c1417 CPE, NAT and routable IPs

You can use its real IP... that was the point of only NAT'ing the 10.x.x.x addresses.

How is the VPN endpoint connected to the router?

Paresh

New Member

Re: c1417 CPE, NAT and routable IPs

Current configuration is:

Internet --> Cisco 678 --> 10 Mbit hub --> (three NAT boxes on three static IPs: one for web browsing, one for services (http, mail, telnet), one for the VPN endpoint). Not pretty, but it works. :)

Purple

Re: c1417 CPE, NAT and routable IPs

Yep, with what you are proposing (and the ACL I posted earlier) you should be able to keep the public IP on your VPN endpoint...

Hope that helps - pls rate the post if it does.

Paresh
