In my network, I have a hardware firewall called Fortigate.
This device works as a NAT device, or translator, between my inside network (LAN) and our ISP Cisco Router 2801.
This device has 2 ports:
Port (1):-
1. Description: Connected to MY LAN.
2. IP Address: 192.168.1.100 / 24
NO GW & NO DNS on this device.
Port (2):-
1. Description: Connected to OUR ISP CISCO ROUTER 1841, interface F 0/1.
2. IP Address: 220.127.116.11
3. S/M: 255.255.255.248.
4. GW: 18.104.22.168 (this is the IP Address of the ISP Router, INT F 0/1).
5. DNS: 22.214.171.124 / 9
And this device has a routing rule to route everything to 126.96.36.199.
And on MY ISP Router, there is the following route:
(ip route 0.0.0.0 0.0.0.0 188.8.131.52).
All of my LAN users (200 users up to now), in order to access the internet through this device, I have to configure with an IP Address in the same range as the IP Address of PORT 1.
i.e. IP: 192.168.1.20 / 24, GW: 192.168.1.100, DNS: 184.108.40.206 /9.
Now for some security reasons, I need to shut down this device and put in my Cisco Router, which is an 1841, and configure this router with NAT.
My 5 questions are:-
1- In order to do that, what should I do: static NAT, or dynamic, or PAT? Overloading? Can you please guide me?
I have 3 real IP addresses from my ISP, and I am using only one until now, and I need only this one IP address to be used as the real IP with those 200 users, so guide me?
2- I heard if I enable dynamic NAT, I have to create one access list for each user IP, and make it permit to open the internet for him through my internet router which is configured as a NAT router. Is that correct? If so, how can I write it to open only HTTP & SMTP & FTP for only 5 users, starting from 192.168.1.20 up to 192.168.1.25?
3- What about the static route that I need to create on this router, to enable routing between interfaces?
4- How can I configure the router with the DNS, in order to make the router configured with this DNS 220.127.116.11?
5- Do I need to configure the users again, or is it only a matter of shutting down the device and putting in my router with the same configurations?
Please guide me guys.
As your network has a /29 prefix you can't do static or dynamic NAT; instead you must use PAT (port address translation), because you don't have enough IP addresses to assign to users dynamically.
Next, if you want to use PAT you need an access list to define the source IP addresses you want to NAT, like this:
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
Then we define the NAT:
ip nat inside source list 10 interface fast0/1 overload
Then assign our NAT to the interfaces:
in interface configuration for fast0/1:
ip nat outside
in interface configuration for fast0/0:
ip nat inside
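Putting the reply above together with the original poster's other questions (a restricted access list for 192.168.1.20-25, the default route and DNS), here is a complete IOS configuration for the 1841. This is an added example, not configuration from any of the posters; FastEthernet0/0 as the LAN side, FastEthernet0/1 as the ISP side and the ACL numbers are assumptions, and the addresses are the ones quoted in the thread.

```cisco
! Added example (not from any poster). Assumes Fa0/0 faces the LAN 192.168.1.0/24
! and Fa0/1 faces the ISP on the /29; ACL numbers 10 and 101 are arbitrary choices.
!
! Question 4: let the router itself resolve names with the DNS from the old port-2 settings
ip domain-lookup
ip name-server 22.214.171.124
!
! Question 5: the router takes over the Fortigate's LAN address, so clients keep
! 192.168.1.100 as their gateway and need no change
interface FastEthernet0/0
 ip address 192.168.1.100 255.255.255.0
 ip nat inside
 ip access-group 101 in
 no shutdown
!
! Question 1: the ISP side carries the single public address all 200 users will share
interface FastEthernet0/1
 ip address 220.127.116.11 255.255.255.248
 ip nat outside
 no shutdown
!
! Question 3: only a default route towards the ISP is needed; the two directly
! connected subnets are routed between automatically (ip routing is on by default)
ip route 0.0.0.0 0.0.0.0 18.104.22.168
!
! ACL 10 selects which inside sources get translated (any LAN host)
access-list 10 permit 192.168.1.0 0.0.0.255
!
! Question 2: only 192.168.1.20-25 may leave the LAN, and only for DNS, HTTP, SMTP and FTP.
! No single wildcard covers .20-.25: .20-.23 is 0.0.0.3 and .24-.25 is 0.0.0.1.
access-list 101 permit udp 192.168.1.20 0.0.0.3 any eq domain
access-list 101 permit udp 192.168.1.24 0.0.0.1 any eq domain
access-list 101 permit tcp 192.168.1.20 0.0.0.3 any eq www
access-list 101 permit tcp 192.168.1.24 0.0.0.1 any eq www
access-list 101 permit tcp 192.168.1.20 0.0.0.3 any eq smtp
access-list 101 permit tcp 192.168.1.24 0.0.0.1 any eq smtp
access-list 101 permit tcp 192.168.1.20 0.0.0.3 any eq ftp
access-list 101 permit tcp 192.168.1.24 0.0.0.1 any eq ftp
! implicit "deny ip any any" drops every other host and protocol from the LAN.
! Caveat: "eq ftp" only matches the control channel (21); passive-mode data
! connections use server-chosen high ports and will be dropped by this ACL.
!
! Question 1: PAT/overload, every permitted inside source shares Fa0/1's address,
! told apart by translated source port
ip nat inside source list 10 interface FastEthernet0/1 overload
```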
Thanks for your reply.
But, as I told you, I have only 3 real IPs, and I am using only 1.
I want all the users, which is 200 now, to use ONLY one REAL IP address to communicate with the INTERNET.
And as I heard, the dynamic INTERFACE allows you to have a group of internal IPs to let them connect to the internet using only one real IP address.
Is that correct, or not?
Please update me as soon as you receive this message.
(1) If you are going to use 200 users with the same IP then I would suggest NAT overload.
(2) You can block the users from accessing specific applications at any time using access-lists. For that you do not need to have dynamic NATing. Dynamic NAT is used only when you have the same no. of public IPs as private IPs and each of your local PCs will go out through a different public IP, which is not feasible in your case.
(3) The only static route you will need is already defined on your router (default route to next hop). The command "ip routing" will take care of routing between all your interfaces... which is enabled by default.
(4) Please elaborate on the question.
(5) Is a proxy configured on your Fortigate which gives user authentication? In that case you need more configuration.
I would suggest you install SDM on your PC. This is a GUI which can help you to configure the router.
Hope that helps.
Thanks for your reply.
As far as I know, I have only 1 IP address, and I want 200 users to access the internet through this real IP address.
So, as I understood, I have to use dynamic, because dynamic NAT allows you to have a group of internal IP addresses inside your company access the internet through one real IP address.
So, was I correct or wrong? Please update me as soon as you receive this message.
I would suggest you read the following paper on NAT. This will clear all your doubts.
You will notice that dynamic NAT works exactly as I had mentioned.
As I wrote before, it was not dynamic NAT; it's overload, or PAT (port address translation): every user takes the address of your Fast Ethernet IP when they go to the internet.
Remember the configuration is PAT, and take a look at this line:
ip nat inside source list 10 interface fast0/1 overload
Note the "overload" & "fast0/1".
Every user goes to the internet with this IP address 18.104.22.168, which is your fast0/1 IP address.
Thanks for your reply.
Please, I want to understand if what I understood is correct or not:-
1- NAT is divided into the 4 following parts:-
Static - Dynamic - PAT - Overloading.
Static NAT:-
is used only if you have one real IP address and need this real IP address to be assigned to one internal user only, and this user will always access the internet with this real IP address, and if the user changes the internal IP address, the user will not be able to access the internet. Is that correct?
2- Dynamic NAT:-
I am confused here; which is correct?
Dynamic NAT is used if I have a group of internal IP addresses and 1 real IP,
and all the users need to access the internet through this real IP. Is that correct?
What is PAT & overloaded?
PAT is the same as overload.
When two users send a request with IP addresses like 192.168.1.50 and 192.168.1.60, the router changes the IP address for both of them to the IP address of your fast0/1 interface. That means two users with two different internal IP addresses take one IP address, but the real thing that happens is that the port for the users will change. Here, look:
192.168.1.50:3000 ==> 22.214.171.124:3001
192.168.1.50:1500 ==> 126.96.36.199:2000
192.168.1.60:2000 ==> 188.8.131.52:3003
Let me make things straight and square for you:
NAT was introduced to overcome the shortage of public IPs on the internet. The basic function of NAT is private-to-public conversion. It has 4 parts:
(1) NAT overload: when you have 200 PCs in private network 192.168.1.0/24 and you have a single public IP 184.108.40.206... then you do NAT overload so that all the 200 PCs can access the internet and will go out through a single IP, which is 220.127.116.11.
(2) PAT: a NAT overload can direct packets from the internal network to the public (ext.) network, but if you have a web server in your LAN which needs to be accessed from outside, then you do PAT. i.e., you will map port 80 of 18.104.22.168 with your server 192.168.1.254 on port 80, so that whenever there is an HTTP request on 22.214.171.124, it will be forwarded to 192.168.1.254.
(3) Static NAT: when you have a multi-purpose server in your LAN and you want any outside connection to be made to 192.168.1.254 on any port, then you define that in your router and map 192.168.1.254 with 126.96.36.199. This is static NAT.
(4) Dynamic NAT: when you have a pool of 188.8.131.52/24 and your internal network is 192.168.1.0/24, you can define that each and every PC in your network will go out through a different public IP through the pool given to you; then you do dynamic NAT. Hence this is on a first-come-first-served basis, and any inside IP initiating the connection will be assigned a public IP. Hence all PCs in your network can be accessed from outside because all have different public IPs.
Hope I am making myself clear.
Please rate helpful posts.