From: James Flockton on 2 Aug 2006 08:08

Hello,

I'm currently working on a 876 ISR router and having a couple of problems NAT'ing a device on the inside of the network. Just trying to get my head around one of the statements that the Cisco SDM. I wonder if someone could explain to me exactly what is meant by the following NAT statement;

ip nat inside source list 1 interface Dialer0 overload

Many thanks in advance.

James Flockton
From: Hans on 2 Aug 2006 08:18

James Flockton <james.flockton(a)gmail.com> wrote:
> I'm currently working on a 876 ISR router and having a couple of
> problems NAT'ing a device on the inside of the network. Just trying to
> get my head around one of the statements that the Cisco SDM. I wonder
> if someone could explain to me exactly what is meant by the following
> NAT statement;
>
> ip nat inside source list 1 interface Dialer0 overload

http://www.cisco.com/warp/public/556/12.html

Maybe that helps ? :-)

Hans
From: Rainer Temme on 2 Aug 2006 08:21

James Flockton wrote:
> ip nat inside source list 1 interface Dialer0 overload

NAT IP addresses of hosts living behind an interface marked as "inside" if the traffic is flowing to an interface marked as "outside".

Access-list 1 describes which hosts are to be NATed.

Interface Dialer0's actual address shall be used instead of the local hosts' IPs.

Rainer
From: Jim Flockton on 2 Aug 2006 09:30

Rainer Temme wrote:
> James Flockton wrote:
> > ip nat inside source list 1 interface Dialer0 overload
>
> Nat IP addresses of hosts living behind an interface marked as
> "inside" if the traffic is flowing to an interface marked
> as "outside".
>
> Access-list 1 describes which hosts are to be NATed.
>
> Interface Dialer0's actual address shall be used instead of
> the local host IP's.
>
> Rainer

This has been auto added from the SDM application, the router currently does not have any ACL's bound to any interface or NAT statements yet.

Please see SH RUN below;

Current configuration : 4953 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname wibble
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 (hashed)
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.255 10.0.255.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool sdm-pool1
 import all
 network 10.0.0.0 255.255.0.0
 dns-server (hashed)
 default-router 10.0.0.1
 domain-name (hashed)
!
!
ip finger
ip tcp synwait-time 10
ip domain name (hashed)
ip name-server (hashed)
ip name-server (hashed)
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1211653751
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1211653751
 revocation-check none
 rsakeypair TP-self-signed-1211653751
!
!
crypto pki certificate chain TP-self-signed-(hashed)
 (hashed)
 quit
username (hashed) privilege 15 secret 5 (hashed)
!
!
!
!
!
!
interface ATM0
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip mask-reply
 ip directed-broadcast
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
 description (hashed)
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.0.0
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address (hashed)
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname (hashed)
 ppp chap password 7 (hashed)
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 10.0.0.254 (hashed)
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
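Rainer's reading of the overload statement, modelled in Python against the ACL and NAT lines of the posted config (an added example, not code from the thread or from Cisco): access-list 1 decides which inside sources are translated, the static entry for 10.0.0.254 is matched before the dynamic rule, and every other matching host leaves with Dialer0's address and a per-flow port. Both public addresses are hashed on the page, so documentation addresses are assumed as placeholders.

```python
import ipaddress
from typing import Optional, Tuple

# Placeholders: both public addresses are hashed in the posted config.
DIALER0_ADDR = "203.0.113.10"   # assumed address of interface Dialer0
STATIC_PUBLIC = "203.0.113.11"  # assumed address in the static NAT entry

# access-list 1 permit 10.0.0.0 0.0.255.255  (IOS wildcard mask: 1 = don't care)
ACL_1 = [("permit", "10.0.0.0", "0.0.255.255")]
# ip nat inside source static 10.0.0.254 <public>
STATIC_NAT = {"10.0.0.254": STATIC_PUBLIC}


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: only bits that are 0 in the mask must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, addr: str) -> bool:
    """First matching entry wins; an unmatched address hits the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


class OverloadNat:
    """Models 'ip nat inside source list 1 interface Dialer0 overload'."""

    def __init__(self) -> None:
        self.table = {}          # (inside ip, port) -> (global ip, port)
        self.used_ports = set()  # ports already taken on DIALER0_ADDR

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        # A static entry is matched before the dynamic overload rule.
        if src_ip in STATIC_NAT:
            return (STATIC_NAT[src_ip], src_port)
        # Hosts outside access-list 1 are forwarded untranslated.
        if not acl_permits(ACL_1, src_ip):
            return None
        key = (src_ip, src_port)
        if key not in self.table:
            # Keep the original source port when it is free, else allocate one.
            port = src_port
            if port in self.used_ports:
                port = next(p for p in range(1024, 65536) if p not in self.used_ports)
            self.used_ports.add(port)
            self.table[key] = (DIALER0_ADDR, port)
        return self.table[key]
```

Two inside hosts using the same source port show the port-level multiplexing that "overload" adds: the second flow gets a different port on Dialer0's single address.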
From: Jim Flockton on 2 Aug 2006 09:36
Dudes,

Basically what I'm attempting to achieve is a device on the (inside) which is an H.323 device appearing on the outside with a public address without using NAT. I would prefer not to use NAT as it is not re-writing the IP payload with the correct external address. But I would use it if I could get the NAT functioning correctly.

Does anyone know if I can get this working correctly by using 'route-map' based on ACL's?

This is a Cisco 877 ISR router BTW.

Thanks

James

Jim Flockton wrote:
> Rainer Temme wrote:
> > James Flockton wrote:
> > > ip nat inside source list 1 interface Dialer0 overload
> >
> > Nat IP addresses of hosts living behind an interface marked as
> > "inside" if the traffic is flowing to an interface marked
> > as "outside".
> >
> > Access-list 1 describes which hosts are to be NATed.
> >
> > Interface Dialer0's actual address shall be used instead of
> > the local host IP's.
> >
> > Rainer
>
> This has been auto added from the SDM application, the router currently
> does not have any ACL's bound to any interface or nat statements yet.
>
> Please see SH RUN below;
> [...]