Solved: ip nat inside and ip nat

kakomaisa · ‎01-16-2015

hello

iam having Cisco router 2800.

what iam trying to do is connecting my router with GT784WNV modem from Verizon

this connection doesnot support PPPOE or PPPOA , The way iam connecting to Verizon is through static IP address on Modem side .

iam able to ping and trace from cisco router but when I tried to browse internet from any client I cannot

here is my configuration

Current configuration : 4686 bytes
!
! Last configuration change at 09:05:15 MST Fri Jan 16 2015
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XX
!
boot-start-marker
boot system flash:c2801-advsecurityk9-mz.124-24.T6.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 32768
enable password XX
!
no aaa new-model
clock timezone MST -7
clock summer-time MDT recurring
clock calendar-valid
dot11 syslog
ip source-route
!
!
!
!
ip cef
!
multilink bundle-name authenticated
!
!
!
!
!

!
!
archive
log config
hidekeys
!
!
!
!
!
!
class-map match-all PRIORITY
match access-group name PRIORITY
!
!
policy-map PRIORITY
class PRIORITY
priority 1000
!
!
!
!
interface FastEthernet0/0
ip address 10.2.1.1 255.255.255.0
ip flow ingress
ip flow egress
duplex auto
speed auto

Description connection to LAN
service-policy output PRIORITY
!
interface FastEthernet0/1
ip address 10.2.2.1 255.255.255.0
duplex auto
speed auto

Description connection to WIFI
!
interface FastEthernet0/1/0
ip address 10.2.3.2 255.255.255.0
duplex auto
speed auto

Description connection to DSL
!
interface Serial0/3/0
ip address 10.99.0.2 255.255.255.252
encapsulation ppp

Description connection to PPP
!
router rip
version 2
network 10.0.0.0
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.2.3.1
ip route 4.2.2.2 255.255.255.255 10.2.3.1
ip route 10.3.1.0 255.255.255.0 10.99.0.1
ip route 10.3.2.0 255.255.255.0 10.99.0.1
ip route 10.3.3.0 255.255.255.0 10.99.0.1
ip route 10.9.1.0 255.255.255.0 10.99.0.1
ip route 10.9.2.0 255.255.255.0 10.99.0.1
ip route 10.9.3.0 255.255.255.0 10.99.0.1
ip route 10.13.1.0 255.255.255.0 10.99.0.1
ip route 10.13.2.0 255.255.255.0 10.99.0.1
ip route 10.13.3.0 255.255.255.0 10.99.0.1
ip route 10.13.4.0 255.255.255.0 10.99.0.1
ip route 10.17.1.0 255.255.255.0 10.99.0.1
ip route 10.18.1.0 255.255.255.0 10.99.0.1
ip route 10.90.0.0 255.255.0.0 10.99.0.1
ip route 10.90.41.0 255.255.255.0 10.99.0.1
ip route 10.99.0.6 255.255.255.255 10.99.0.1
ip route 10.99.0.16 255.255.255.252 10.99.0.1
ip route 10.99.0.18 255.255.255.255 10.99.0.1
ip route 10.99.0.32 255.255.255.252 10.99.0.1
ip route 10.99.0.34 255.255.255.255 10.99.0.1
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 10.2.1.10 2055
ip flow-export destination 10.17.1.66 2055
!
!
ip access-list extended PRIORITY
permit ip any 155.55.131.0 0.0.0.252
permit ip any 65.55.114.0 0.0.0.248
permit ip any 65.55.123.0 0.0.0.240
permit ip any 65.55.183.0 0.0.0.248
permit ip any 64.4.19.0 0.0.0.255
!
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 10 permit any
access-list 110 permit ip 10.2.0.0 0.0.255.255 any
dialer-list 1 protocol ip permit
!
!
!
!
snmp-server community public RO
!
control-plane
!
!

Any help will be appreciated

Miguel Villarreal De La Cruz · ‎01-16-2015

Correct, same principle 10.2.1.x needs to get nated on the Cisco or in your modem

something like

access-list 199 permit ip 10.2.1.0 0.0.0.255 any

ip nat inside source list 199 interface fa0/1/0 overload

int fa0/0

ip nat inside

int fa0/1/0

ip nat outiside

View solution in original post

Chris Carlson · ‎01-16-2015

you need to translate your inside addresses using NAT.

http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13770-1.html

kakomaisa · ‎01-16-2015

Thank you chris for your reply

I have concern here .

why do I need to do natting on cisco router since all nats are done from my dsl modem

Chris Carlson · ‎01-16-2015

then your network interface that is connected to your modem is the only network your modem is nating.. it is not nating the rest of your networks.

kakomaisa · ‎01-16-2015

ok

let me explain

as you can see I have fa 0/0 which is connected to our switch

f0/1 subnet for guest users and they use PPP to go out

f0/1/0 is going to be used by all users if they are going to internet

if they are going to data center then they will go through PPP

I hope it is clear

Miguel Villarreal De La Cruz · ‎01-16-2015

Usually the ISP modems only NAT the network of their LAN in this case 10.2.3.x/24 which is why you can ping and trace from the router, because your traffic is sourced with the ip 10.2.3.2

When you try to go to the internet from a PC it uses the IP 10.2.2.x/24 and it is probable that the modem is not doing NAT for that network

You have two options

1- NAT on the Cisco router as Chris suggested, that way all the 10.2.2.x/24 would appear as a 10.2.3.x address and get nated on the verizon modem

2- Check if your modem can do the NAT for the second network (10.2.2.x/24)

Regards

kakomaisa · ‎01-16-2015

thank you Luis for your reply

but again I donnot care about 10.2.2.x since they are routed through PPP.

I care about 10.2.1.x

so do you mean I have to do ip nat inside for fa0/0

kakomaisa · ‎01-16-2015

on interface f0/0 I add ip nat inside

on interface fa 0/1/0 I add ip nat outside

and it doesnot work

Miguel Villarreal De La Cruz · ‎01-16-2015

ip nat inside and ip nat outside just tell the router the interfaces that are going to be involved in the NAT process, you still need to create a rule to select which traffic is going to be nated. Something like the example above.

Here is a link with more information regarding NAT

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/15-mt/nat-15-mt-book/iadnat-addr-consv.html#GUID-8DF8A9A7-4FFF-4AA7-AA93-B3F8FB705C50

kakomaisa · ‎01-16-2015

thank you very much Luis

it works

appreciate your help

Miguel Villarreal De La Cruz · ‎01-16-2015