I got some help the other day with a slight NAT config, but now that I have implemented it, I need a bit more. This is my config:
```
! Interface headers were lost when the config was pasted; they are restored
! here from the interfaces named later in the thread (f0/0, s0/0/0:1.1, Vlan1).
interface FastEthernet0/0
 ip address <public ip1> 255.255.255.248
 ip nat outside
!
interface Serial0/0/0:1
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:1.1 point-to-point
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 500 IETF
!
! (two further interfaces in the paste carried only "no ip address"; their names were not posted)
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1.1
ip nat inside source static 192.168.1.91 <public ip2>
ip nat inside source static 192.168.1.92 <public ip3>
! note: <public ip3> is used twice; IOS accepts only one static one-to-one mapping per inside-global address
ip nat inside source static 192.168.1.5 <public ip3>
```
I cannot get out to the internet from the devices that are being NATted. I can ping the public address from outside and get a reply, but cannot access any services on the boxes. When I jump on the box and try to browse the net or ping external addresses, I cannot do so either. I can ping the router and vice versa. Should I not be able to go both ways with this config? Also, I realize this is a bit risky, but I am just working from the ground up... access lists later.
Thanks for your reply.
I am a bit confused as to why this is, but I did change it, and I am still unable to access any services on the boxes, though I can still ping them from the outside.
1) When configuring NAT, you need to enter "ip nat outside" on the egress interface and "ip nat inside" on the ingress interface. Looking at your config again, it looks like the egress interface is interface Serial0/0/0:1.1 - I didn't catch it before - so the "ip nat outside" should be moved there instead of f0/0.
You should also move the IP address from f0/0 to s0/0/0:1.1 and allow f0/0 to be part of Vlan1.
2) If you shut down one of those devices with the static NAT, are you still able to ping them? If so, it seems another device on the internet is already using that IP.
3) Can you post the output of "show ip nat translations"?
Thank you for your reply.
1) I changed the "ip nat outside" to the s0/0/0:1.1 interface; unfortunately, this cut my communication to the router via telnet. On the up side, I can get to the device I was trying... but not telnet. Why would this kill telnet?
Also, I cannot move the IP address because I am using the ip unnumbered command, as I do not have a /30 serial address from my ISP.
I will try to post the "show ip nat translations" when I get into the office and restore the connection.
Also... I can still telnet from inside the LAN, but not from the outside. What's going on with that?
I can still ping the address from outside as well.
It killed telnet because the egress interface doesn't have an IP address, so the packet is being processed by NAT. I don't see any PAT configuration in your config; can you post your entire config? I can't give a firm suggestion without it. Of course, you can hide your public addressing.
You can use any IP subnet under a subinterface; just because it says point-to-point doesn't mean the subnet must be /30.
Having the IP address under f0/0 provides no benefit to your config.
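Putting the thread's fixes together as an added example (this is my reconstruction, not the poster's or the respondents' config): "ip nat outside" moves to the Frame Relay subinterface that actually carries traffic to the ISP, "ip nat inside" stays on the LAN interface, the /29 stays on f0/0 with the serial subinterface unnumbered to it (so a host that must sit outside NAT can still be plugged into f0/0 with an address from the /29), each inside-global address gets exactly one static mapping, and no interface overload statement is present. The DLCI, addresses and hostnames are the post's own; the management ACL and the placeholder address 203.0.113.10 are my assumptions, added only to show where the "access lists later" step belongs before telnet is reachable from the internet.

```text
! Added example: corrected layout following the replies above, not the original config.
interface FastEthernet0/0
 ip address <public ip1> 255.255.255.248
 ! no NAT role here: this is neither the LAN side nor the ISP-facing link
!
interface Serial0/0/0:1
 no ip address
 encapsulation frame-relay IETF
 frame-relay lmi-type ansi
!
interface Serial0/0/0:1.1 point-to-point
 ip unnumbered FastEthernet0/0
 ip nat outside                      ! egress toward the ISP, so NAT outside lives here
 frame-relay interface-dlci 500 IETF
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside                       ! LAN side, ingress for the translated hosts
!
ip route 0.0.0.0 0.0.0.0 Serial0/0/0:1.1
!
! One static one-to-one mapping per public address; no "overload" statement,
! since the two LAN hosts are both statically translated.
ip nat inside source static 192.168.1.91 <public ip2>
ip nat inside source static 192.168.1.92 <public ip3>
!
! Assumption (not from the thread): restrict who may reach the vty lines from
! outside before exposing telnet. 203.0.113.10 is a placeholder management host.
access-list 10 permit 203.0.113.10
access-list 10 permit 192.168.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login
```

After applying this, "show ip nat translations" should list the two static entries, and traffic from 192.168.1.91/.92 leaves the serial subinterface with its public address; if it does not, the "ip nat inside" / "ip nat outside" pair is the first thing to re-check.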
Thanks again for your reply. I was under the impression I must put the address on my fa0/0 because my ISP sent me a snippet stating so.
Also, I am not running any PAT; there are only two clients on the LAN, and both are being statically addressed via NAT.
I will change the IP info and see if that helps my situation.
I think I know now why I did the config as I did. I have a host that needs to have a public IP address but cannot be behind NAT, so with the config I had in place I could use a crossover cable to go to that host and assign it a public IP from the range I was given. Is there another way I could do this?
If not, what are my options to use telnet from the outside?
Thanks for your replies. I realized what you were saying about the NAT. I did not need the ip nat overloading on the interface, as I am statically NATting both hosts. Once I removed it, I can telnet to the box now from the outside.