CCNA NAT.

Cork24 · 11-03-2011 1:17am #1

Could some one help me please with NAT.
I have a C licence (195.100.190.0/24)
A ISP WAN that connects to the Customer site uses network Address 199.1.1.36/30
& Loopback 126.0.0.1/8

i have
on ISP

ISP#show run
Building configuration...

Current configuration : 956 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
!
!
!
!
interface Loopback0
 ip address 126.0.0.1 255.0.0.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 199.1.1.37 255.255.255.252
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 195.199.190.0 255.255.255.0 Serial0/0/0 
ip route 195.100.190.0 255.255.255.0 Serial0/0/0 
!
!
!
banner motd ^C
ONLY STAFF WITH PASS KEY ^C
!
!
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
!
end


ISP#copy run start
Destination filename [startup-config]? 
Building configuration...
[OK]
ISP#
ISP#
ISP#
ISP#
%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to down

%LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up

ISP#
ISP#
ISP#
ISP#show run
Building configuration...

Current configuration : 956 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname ISP
!
!
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
!
!
!
!
!
!
!
!
!
no ip domain-lookup
!
!
!
!
!
!
interface Loopback0
 ip address 126.0.0.1 255.0.0.0
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 199.1.1.37 255.255.255.252
 clock rate 64000
!
interface Serial0/0/1
 no ip address
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
ip classless
ip route 195.199.190.0 255.255.255.0 Serial0/0/0 
ip route 195.100.190.0 255.255.255.0 Serial0/0/0 
!
!
!
banner motd ^C
ONLY STAFF WITH PASS KEY ^C
!
!
!
!
line con 0
 exec-timeout 0 0
 password cisco
 logging synchronous
 login
line vty 0 4
 password cisco
 login
line vty 5 15
 password cisco
 login
!
!
!
end

on R1

%SYS-5-CONFIG_I: Configured from console by console
R1#show run
Building configuration...

Current configuration : 1303 bytes
!
version 12.4
no service timestamps log datetime msec
no service timestamps debug datetime msec
no service password-encryption
!
hostname R1
!
!
!
!
!
!
!
!
username R1 password 0 cisco
username R2 password 0 cisco
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 shutdown
!
interface Serial0/0/0
 ip address 199.1.1.38 255.255.255.252
 ip nat inside
!
interface Serial0/0/1
 ip address 172.190.0.14 255.255.255.252
 ip nat inside
!
interface Serial0/1/0
 ip address 172.190.0.1 255.255.255.252
 encapsulation ppp
 ppp authentication chap
 ip nat inside
!
interface Serial0/1/1
 ip address 172.190.0.5 255.255.255.252
 ip nat inside
 clock rate 64000
!
interface Vlan1
 no ip address
 shutdown
!
router ospf 1
 log-adjacency-changes
 network 172.190.0.0 0.0.0.3 area 0
 network 172.190.0.4 0.0.0.3 area 0
 network 172.190.0.12 0.0.0.3 area 0
 default-information originate
!
ip nat pool MY-NAT-POOL 195.100.190.241 195.100.190.246 netmask 255.255.255.248
ip nat inside source list NAT pool MY-NAT-POOL
ip nat inside source static 172.190.0.254 195.1.1.254 
ip classless
ip route 0.0.0.0 0.0.0.0 199.1.1.37 
!
!
!
!
!
!
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
!
!
end

i can i allow the rest of the Network Ping ISP, R1 can ping the Loopback 0 address but want the rest of the network to ping it.

Shamo · 11-03-2011 8:42pm

R1

interface Serial0/0/0
ip address 199.1.1.38 255.255.255.252
ip nat inside

Change "ip nat inside" to "ip nat outside" as it's the WAN interface. See what happens after that.

Cork24 · 12-03-2011 2:15am

Did that added access list to router 1 for nat
Used acces-group NAT out on int s/0/0/0

Didn't work either

Shamo · 12-03-2011 12:48pm

The NAT ACL just references what subnets are allowed to NAT up. Don't apply it to an interface.

See what "show ip nat translations" shows.

Check this out.

Cork24 · 12-03-2011 7:24pm

R1#show ip nat translation
Pro Inside global Inside local Outside local Outside global
--- 195.1.1.254 172.190.0.254 --- ---

Shamo · 12-03-2011 9:14pm

Your dynamic NAT isn't working as it only shows your static NAT.

Also from R1 you can do "ping 126.0.0.1 source 172.190.0.14" which takes away the need to test from a host.

Check the link I posted and go through your config. Post the modified config here again if you want.

Cork24 · 12-03-2011 11:09pm

Got it working,

i added all Address to the ACL

Cork24 · 14-03-2011 10:48pm

OK, I got the ACLS working but wanted to check the port 80 on ISP working for Router 2 i blocked every other port.

I added a Server on the ISP, gave it the 172.190.1.2 ip address with gate way 172.190.1.1 i check the all devices can ping it but PC2 cant which i want but it give me Time out when i open Web Browser and enter the servers ip address

R2#show access-list
Extended IP access list sl_def_acl
    deny tcp any any eq telnet
    deny tcp any any eq www
    deny tcp any any eq 22
    permit tcp any any eq 22
Extended IP access list EXTEND-1
    deny ip 172.190.0.32 0.0.0.31 any
    deny ip 172.190.0.32 0.0.0.31 host 199.1.1.37
    permit ip any any
    permit tcp 172.190.0.32 0.0.0.31 eq www host 199.1.1.37
    deny tcp 172.190.0.32 0.0.0.31 eq ftp host 199.1.1.37
    deny tcp 172.190.0.32 0.0.0.31 eq pop3 host 199.1.1.37
    deny tcp 172.190.0.32 0.0.0.31 eq smtp host 199.1.1.37
    deny icmp 172.190.0.32 0.0.0.31 host 199.1.1.37
Extended IP access list 102
    deny tcp 172.190.0.32 0.0.0.31 eq ftp host 199.1.1.37
    deny tcp 172.190.0.32 0.0.0.31 eq smtp host 199.1.1.37
    deny tcp 172.190.0.32 0.0.0.31 eq pop3 host 199.1.1.37
    deny icmp 172.190.0.32 0.0.0.31 host 199.1.1.37
    deny tcp 172.190.0.32 0.0.0.31 eq telnet host 199.1.1.37
    permit tcp 172.190.0.32 0.0.0.31 eq www host 199.1.1.37
    permit ip 172.190.0.0 0.0.0.3 any
    permit ip 172.190.0.12 0.0.0.3 any (1 match(es))
    permit ip 172.190.0.4 0.0.0.3 any
    permit ip 172.190.0.16 0.0.0.3 any
    permit ip 172.190.0.20 0.0.0.3 any
    permit ip 172.190.0.80 0.0.0.7 any
    permit ip 172.190.0.72 0.0.0.7 any (22 match(es))
    permit ip 172.190.0.64 0.0.0.31 any (1 match(es))
    permit tcp 172.190.0.32 0.0.0.31 eq www host 172.190.1.2

_CreeD_ · 20-03-2011 6:49am

:eek:
Presuming thats not just a lab config.
You...eh....*might* want to scrub some of that config. I know the interwebz is a trustworthy place where nobody could benefit from knowing your IPs, ACLs, Passwords (which are default) and various other setup points but still

...

Cork24 · 20-03-2011 7:34pm

_CreeD_ wrote: »

:eek:
Presuming thats not just a lab config.
You...eh....*might* want to scrub some of that config. I know the interwebz is a trustworthy place where nobody could benefit from knowing your IPs, ACLs, Passwords (which are default) and various other setup points but still ...

Its a lab i'm trying to set up. Every thing is Working and i plug in a Server into the ISP Router and ping port 80 every other Devices which is working away..

But i want PC-2 on Router 2 to only ping ISP Router on port 80. Which it can't..

here are the configs that are up and running
Extended IP access list 102 deny tcp 172.190.0.32 0.0.0.31 eq ftp host 199.1.1.37 deny tcp 172.190.0.32 0.0.0.31 eq smtp host 199.1.1.37 deny tcp 172.190.0.32 0.0.0.31 eq pop3 host 199.1.1.37 deny icmp 172.190.0.32 0.0.0.31 host 199.1.1.37 deny tcp 172.190.0.32 0.0.0.31 eq telnet host 199.1.1.37 permit tcp 172.190.0.32 0.0.0.31 eq www host 199.1.1.37 permit ip 172.190.0.0 0.0.0.3 any permit ip 172.190.0.12 0.0.0.3 any (1 match(es)) permit ip 172.190.0.4 0.0.0.3 any permit ip 172.190.0.16 0.0.0.3 any permit ip 172.190.0.20 0.0.0.3 any permit ip 172.190.0.80 0.0.0.7 any permit ip 172.190.0.72 0.0.0.7 any (22 match(es)) permit ip 172.190.0.64 0.0.0.31 any (1 match(es)) permit tcp 172.190.0.32 0.0.0.31 eq www host 172.190.1.2

never mind those config.
Extended IP access list sl_def_acl deny tcp any any eq telnet deny tcp any any eq www deny tcp any any eq 22 permit tcp any any eq 22 Extended IP access list EXTEND-1 deny ip 172.190.0.32 0.0.0.31 any deny ip 172.190.0.32 0.0.0.31 host 199.1.1.37 permit ip any any permit tcp 172.190.0.32 0.0.0.31 eq www host 199.1.1.37 deny tcp 172.190.0.32 0.0.0.31 eq ftp host 199.1.1.37 deny tcp 172.190.0.32 0.0.0.31 eq pop3 host 199.1.1.37 deny tcp 172.190.0.32 0.0.0.31 eq smtp host 199.1.1.37 deny icmp 172.190.0.32 0.0.0.31 host 199.1.1.37

CCNA NAT.

Comments