Community Member

NAT Configuration with ip routing (2811 <---> AS5300)

Hello, I need to interconnect two Cisco routers (2811 and AS5300) through IP, and my purpose is to use the 2811 as a NAT service provider to translate between private and public, so that the office LAN can use private IPs to access the internet.

The AS5300 is working as our internet gateway provider and we use static public IP addresses; for security we need to use NAT.

As shown in the attached diagram, the 2811 has 2 FE interfaces. I used FE0/0 to connect to the public switch, and FE0/1 is connected to the private switch to provide private IP and internet accessibility.

My problem is how to set up routing between the AS5300 and the 2811; I would also like you to check whether the NAT configuration is correct.

Attached are:

2811 sh config

AS5300 sh config

Diagram

22 REPLIES
Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Hi,

What is your "Public IP Address" range?

Assuming it is 196.201.205.0 255.255.255.128,

Your NAT config in 2811 looks good.

On your AS5300, there's no need to put in a route for 10.10.0.0 since you are doing NAT instead of routing.

Everything goes thru AS5300 without the 10.10.x.x IP.

Your Office should be able to use the internet now with this config.

What else do you need to do?

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Thanks for your response. Yes, my public IP range is 196.201.205.0/24, but I still cannot use the internet from private IPs, and the issue is a routing problem, between the two routers its by though.

The interface loopback0 of the AS5300 is connected to the public router IP.

interface Loopback0

ip address 192.168.79.1 255.255.255.0

But I don't know what to do about interface Loopback0 of the Cisco 2811 router.

Thanks

Attached is the client computer, which I connected to the private LAN and configured to use the private IP 10.10.0.4 and gateway 10.10.0.1.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Who can help me with this issue?

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Let me understand here more.

You are having some weird configuration for the AS5300.

1) Why do you have a loopback interface on the AS5300?

2) Why did you set your default route to the loopback interface subnet?

3) Who is holding 192.168.79.1?

4) Are you able to ping to the internet from the AS5300?

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

1) The loopback interface of the AS5300 (Gateway1) is connected to another AS5300 (Gateway2) loopback through E1; these two AS5300s are our internet backbone from a neighboring country via a transmission channel.

2) This loopback interface is connected to the next router's loopback interface; that is why we used it as our default router.

3) 192.168.79.1 is held by the AS5300 (Gateway2).

4) By using public IP addresses (196.201.205/24) I can ping and use the internet from any client connected to the Catalyst 2950 24 port.

I have also attached the network diagram again so you can understand the physical connection between the routers.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Your NAT config looks good.

Can you post the results of the tests below?

1) Ping from 2811 F0/0 to www.yahoo.com

2) Ping from 2811 F0/1 to www.yahoo.com

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Below is the result of the ping command inside the router, which means I am using F0/0. Is there any other way to ping www.yahoo.com using F0/1 or F0/0?

2800#ping www.yahoo.com

Translating "www.yahoo.com"...domain server (255.255.255.255) [OK]

Translating "www.yahoo.com"...domain server (255.255.255.255) [OK]

Translating "www.yahoo.com"...domain server (255.255.255.255) [OK]

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

.!!!!

Success rate is 80 percent (4/5), round-trip min/avg/max = 168/175/192 ms

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

The command is

ping www.yahoo.com source f0/1

If you don't have the above command, try

ping ip

then go into the extended command.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

This is the result of the commands using F0/1 and F0/0.

2800#ping www.yahoo.com source f0/1

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 164/190/264 ms

Telcom2800#ping www.yahoo.com source f0/0

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

Packet sent with a source address of 196.201.205.3

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 172/201/276 ms

2800#

Now both can ping the internet. How can client users access the internet using the private IP range 10.10.0.0/16?

Also, when assigning private IPs to clients, do we need to add the gateway IP, which is 10.10.0.1?

Cisco Employee

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Your NAT is fine, but I see two issues with your config (assuming your public IPs are correct, and the routing from the SP to you is correct).

1) On 2811, loopback 0, the IP address is overlapping with your F0/1. You should change the IP or remove loopback 0.

2) On AS5300, you don't need the static route ip route 10.10.0.0 255.255.0.0 196.201.205.3, the NAT on the 2811 will take care of it.

HTH,

jerry

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

We cannot change the configuration of AS5300Gateway1 and AS5300Gateway2, since the internet is working; we only need to configure the 2811 as NAT, and provide internet to offices.

I have attached the current configuration of AS5300Gateway1 and AS5300Gateway2 and 2811.

Thanks

Bronze

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Although it is not mandatory, to be on the safer side I would use an extended ACL to match interesting traffic for NAT. Also, to troubleshoot this issue further, first check hits on your NAT ACL and, if possible, use NAT debugging in a controlled manner (using an ACL) to verify NAT operation.

Cisco Employee

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Your routing looks fine. I would suggest you follow the other posters' comments to troubleshoot it (to determine where the traffic stops).

Regards,

jerry

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Thanks,

Now I can ping the internet using the private IP.

2800#ping www.yahoo.com source f0/1

Sending 5, 100-byte ICMP Echos to 87.248.113.14, timeout is 2 seconds:

Packet sent with a source address of 10.10.0.1

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 164/190/264 ms

But the problem is that when assigning a private IP to clients, I can't reach the internet.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Post the ipconfigs for your client

Yes, you need to make sure they are configured with default gateway 10.10.0.1.

Post also

1) PING to 10.10.0.1

2) PING to www.yahoo.com

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 10.10.0.4

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 10.10.0.1

C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :

IP Address. . . . . . . . . . . . : 10.10.0.4

Subnet Mask . . . . . . . . . . . : 255.255.0.0

Default Gateway . . . . . . . . . : 10.10.0.1

C:\Documents and Settings\Administrator>ping 10.10.0.1

Pinging 10.10.0.1 with 32 bytes of data:

Reply from 10.10.0.1: bytes=32 time<1ms TTL=255

Reply from 10.10.0.1: bytes=32 time<1ms TTL=255

Reply from 10.10.0.1: bytes=32 time<1ms TTL=255

Reply from 10.10.0.1: bytes=32 time<1ms TTL=255

Ping statistics for 10.10.0.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator>ping 196.201.205.3

Pinging 196.201.205.3 with 32 bytes of data:

Reply from 196.201.205.3: bytes=32 time<1ms TTL=255

Reply from 196.201.205.3: bytes=32 time<1ms TTL=255

Reply from 196.201.205.3: bytes=32 time<1ms TTL=255

Reply from 196.201.205.3: bytes=32 time<1ms TTL=255

Ping statistics for 196.201.205.3:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

C:\Documents and Settings\Administrator>ping www.yahoo.com

Ping request could not find host www.yahoo.com. Please check the name and try again.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

>> C:\Documents and Settings\Administrator>ping www.yahoo.com

>> Ping request could not find host www.yahoo.com. Please check the name and try again.

Your client is not configured with DNS servers.

Please do a PING to 209.131.36.158 (IP for www.yahoo.com) instead.

Your PINGs from the client look okay. Perhaps because your clients are not configured with DNS servers, they are not able to surf the Internet.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>ping 209.131.36.158

Pinging 209.131.36.158 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 209.131.36.158:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Documents and Settings\Administrator>ping 74.125.67.100

Pinging 74.125.67.100 with 32 bytes of data:

Request timed out.

Request timed out.

Request timed out.

Request timed out.

Ping statistics for 74.125.67.100:

Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Can you do a traceroute and see where it stops?

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>tracert 209.131.36.158

Tracing route to 209.131.36.158 over a maximum of 30 hops

1 * * * Request timed out.

2 * * * Request timed out.

3 * * * Request timed out.

4 * * * Request timed out.

5 * * * Request timed out.

6 * * * Request timed out.

7 * * * Request timed out.

8 * * * Request timed out.

9 * * * Request timed out.

10 * * * Request timed out.

11 * * * Request timed out.

12 * * * Request timed out.

13 * * * Request timed out.

14 * * * Request timed out.

15 * * * Request timed out.

16 * * * Request timed out.

17 * * * Request timed out.

18 * * * Request timed out.

19 * * * Request timed out.

20 * * * Request timed out.

21 * * * Request timed out.

22 * * * Request timed out.

23 * * * Request timed out.

24 * * * Request timed out.

25 * * * Request timed out.

26 * * * Request timed out.

27 * * * Request timed out.

28 * * * Request timed out.

29 * * * Request timed out.

30 * * * Request timed out.

Trace complete.

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Now routing is working after disabling this command:

!

no ip routing

!

Thanks for your efforts

Community Member

Re: NAT Configuration with ip routing (2811 <---> AS5300)

Now NAT and routing are working well. What type of NAT is best to deploy in terms of efficiency and reliability? Now I am using only one public IP address for NAT, as you can see in the output below.

2800#sh ip nat translations

Pro Inside global Inside local Outside local Outside global

tcp 196.201.205.3:1128 10.10.0.5:1128 74.15.246.63:60967 74.15.246.63:60967

tcp 196.201.205.3:1151 10.10.0.5:1151 90.210.153.93:43871 90.210.153.93:43871

tcp 196.201.205.3:1172 10.10.0.5:1172 90.220.58.229:52718 90.220.58.229:52718

tcp 196.201.205.3:1214 10.10.0.5:1214 173.33.239.199:33485 173.33.239.199:33485

tcp 196.201.205.3:1270 10.10.0.5:1270 174.3.135.41:43633 174.3.135.41:43633

tcp 196.201.205.3:1281 10.10.0.5:1281 87.101.161.101:55826 87.101.161.101:55826

tcp 196.201.205.3:1288 10.10.0.5:1288 173.6.142.89:34207 173.6.142.89:34207

tcp 196.201.205.3:1297 10.10.0.5:1297 196.209.111.116:14151 196.209.111.116:14151

tcp 196.201.205.3:1347 10.10.0.5:1347 196.221.185.195:11800 196.221.185.195:11800

tcp 196.201.205.3:1408 10.10.0.5:1408 188.24.15.201:27328 188.24.15.201:27328

tcp 196.201.205.3:1423 10.10.0.5:1423 95.209.210.59:41341 95.209.210.59:41341

tcp 196.201.205.3:1443 10.10.0.5:1443 122.107.82.187:13050 122.107.82.187:13050

tcp 196.201.205.3:1467 10.10.0.5:1467 203.206.110.4:51733 203.206.110.4:51733

tcp 196.201.205.3:1496 10.10.0.5:1496 77.54.215.160:59729 77.54.215.160:59729

tcp 196.201.205.3:1502 10.10.0.5:1502 89.143.162.177:52335 89.143.162.177:52335

tcp 196.201.205.3:1534 10.10.0.5:1534 190.201.255.11:37402 190.201.255.11:37402

tcp 196.201.205.3:1548 10.10.0.5:1548 93.125.189.43:35333 93.125.189.43:35333

tcp 196.201.205.3:1570 10.10.0.5:1570 154.5.121.77:50256 154.5.121.77:50256

tcp 196.201.205.3:1614 10.10.0.5:1614 121.44.235.243:61052 121.44.235.243:61052

tcp 196.201.205.3:1616 10.10.0.5:1616 86.157.47.58:33550 86.157.47.58:33550

tcp 196.201.205.3:1622 10.10.0.5:1622 123.236.147.54:12604 123.236.147.54:12604

tcp 196.201.205.3:1623 10.10.0.5:1623 76.69.128.44:18009 76.69.128.44:18009

tcp 196.201.205.3:1652 10.10.0.5:1652 138.217.152.47:46612 138.217.152.47:46612
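
An added example, not part of the original thread: a small Python parser for `show ip nat translations` output in the column layout posted above. It checks whether every entry shares one inside global address with a port (PAT/overload) and counts translations and distinct outside peers per inside host. The sample reuses three rows from the post plus one constructed UDP row; the function names are this example's own.

```python
from collections import Counter, defaultdict

# Three rows copied from the output above plus one constructed UDP row
# (10.10.0.4 -> 192.0.2.53 is sample data, not from the thread).
SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
tcp 196.201.205.3:1128 10.10.0.5:1128 74.15.246.63:60967 74.15.246.63:60967
tcp 196.201.205.3:1151 10.10.0.5:1151 90.210.153.93:43871 90.210.153.93:43871
tcp 196.201.205.3:1172 10.10.0.5:1172 90.220.58.229:52718 90.220.58.229:52718
udp 196.201.205.3:1025 10.10.0.4:1025 192.0.2.53:53 192.0.2.53:53
"""

def split_endpoint(text):
    """Split 'ip:port' into (ip, port); entries without a port give port None."""
    ip, _, port = text.partition(":")
    return ip, int(port) if port.isdigit() else None

def parse_translations(output):
    """Return one dict per translation row, skipping the header and blanks."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        keys = ("inside_global", "inside_local", "outside_local", "outside_global")
        row = {"proto": fields[0]}
        row.update({k: split_endpoint(v) for k, v in zip(keys, fields[1:])})
        rows.append(row)
    return rows

def summarise(rows):
    """Report which global IPs are in use and how busy each inside host is."""
    per_host, peers, global_ips = Counter(), defaultdict(set), set()
    for r in rows:
        host = r["inside_local"][0]
        per_host[host] += 1
        global_ips.add(r["inside_global"][0])
        peers[host].add(r["outside_global"][0])
    return {
        # PAT/overload: every entry carries a port and all share one global IP.
        "overload": len(global_ips) == 1
                    and all(r["inside_global"][1] is not None for r in rows),
        "global_ips": sorted(global_ips),
        "translations_per_host": dict(per_host),
        "peers_per_host": {h: len(p) for h, p in peers.items()},
    }

if __name__ == "__main__":
    print(summarise(parse_translations(SAMPLE)))
```

Run against a full capture, the per-host counts show which inside address is consuming the most ports on the single shared public IP.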
