From: sphealey on 8 Nov 2006 17:58

2691
IOS 12.3(14)T6
SP Services

I am working on setting up a simple dynamic NAT connection to an ADSL
ISP. The ISP's device is very simple and there is basically nothing I
can do to fix that.

My setup is:

                 ----------
== 172.20.10.0 ==|        |                      -------
                 |  2691  |                      |     |
== 172.20.20.0 ==|     0/4|= 2.2.2.2 === 2.2.2.1=| ISP |== 3.3.3.3
                 |        |                      | box |
== 172.20.30.0 ==|        |                      -------
                 ----------

where 2.2.2.1 and 2.2.2.2 are valid IP addresses provided by the ISP.
There are about 30 hosts (PCs) per private network. The ISP box will
not NAT multiple connections.

Is this as simple as doing a

conf t
int FE 0/4
ip nat enable
exit
exit

or is there more to it than that? I am suspicious because the Cisco
document (Configuring NAT for IP Address Conservation) appears too
simple!

Thanks.

sPh

From: Mike Rahl on 8 Nov 2006 21:49

You have to do a few things here.

First you have to define what you are natting to (be it an interface,
or an IP address; you can do both). Then you have to indicate what
traffic you are NATting. Because you have only 1 IP address on the
public side, you will need to do a NAT overload.

A basic configuration would be something like this:

access-list 101 permit ip 172.20.0.0 0.0.31.255 any
ip nat inside source list 101 interface dialer1 overload

interface fastethernet0/0
!(or whatever your LAN interface is)
ip nat inside

interface dialer1
!(the interface that is configured with your WAN IP address)
ip nat outside

I usually indicate the WAN interface that has the IP address
configured, as it's the easiest way I know.

Hope that helps!

sphealey wrote:
> 2691
> IOS 12.3(14)T6
> SP Services
>
> I am working on setting up a simple dynamic NAT connection to an ADSL
> ISP. The ISP's device is very simple and there is basically nothing I
> can do to fix that.
>
> My setup is:
>
>
>                  ----------
> == 172.20.10.0 ==|        |                      -------
>                  |  2691  |                      |     |
> == 172.20.20.0 ==|     0/4|= 2.2.2.2 === 2.2.2.1=| ISP |== 3.3.3.3
>                  |        |                      | box |
> == 172.20.30.0 ==|        |                      -------
>                  ----------
>
> where 2.2.2.1 and 2.2.2.2 are valid IP addresses provided by the ISP.
> There are about 30 hosts (PCs) per private network. The ISP box will
> not NAT multiple connections.
>
> Is this as simple as doing a
>
> conf t
> int FE 0/4
> ip nat enable
> exit
> exit
>
> or is there more to it than that? I am suspicious because the Cisco
> document (Configuring NAT for IP Address Conservation) appears too
> simple!
>
> Thanks.
>
> sPh

From: sphealey on 9 Nov 2006 09:40

Mike Rahl wrote:
> You have to do a few things here.
>
> First you have to define what you are natting to (be it an interface,
> or an IP address; you can do both). Then you have to indicate what
> traffic you are NATting. Because you have only 1 IP address on the
> public side, you will need to do a NAT overload.
>
> A basic configuration would be something like this:
>
> access-list 101 permit ip 172.20.0.0 0.0.31.255 any
> ip nat inside source list 101 interface dialer1 overload

I am looking at the "NAT virtual interface" option though, which seems
to remove the requirement for defining outside and inside interfaces
per the above-mentioned document.

sPh

From: CK on 9 Nov 2006 11:04

> I am looking at the "NAT virtual interface" option though, which seems
> to remove the requirement for defining outside and inside interfaces
> per the above-mentioned document.
>

Why go with a virtual interface when everything can be done by NATting
the outside interface?

Config should be simple to understand.

CK

From: sphealey on 9 Nov 2006 13:26

CK wrote:
> > I am looking at the "NAT virtual interface" option though, which seems
> > to remove the requirement for defining outside and inside interfaces
> > per the above-mentioned document.
> >
>
> Why go with a virtual interface when everything can be done by NATting
> the outside interface?
>
> Config should be simple to understand.

The Virtual NAT option just seemed like a very clean way to connect to
the ISP without having to worry about affecting any other interface or
function of the router (some of which are not under my jurisdiction).
I am just having trouble grasping exactly what the options do,
particularly how the access list comes into play when I simply want to
allow full access from any connected network. Also the definition of
vrf is unclear.

sPh
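
Added example, not part of any post in the thread: a Python sketch of how the access list in Mike Rahl's reply selects which source addresses the router translates, which is the role of the ACL asked about in the last post. It parses only the single ACL form quoted in the thread; the sample host addresses are constructed, and a source that matches no entry is treated as not translated (the ACL's implicit deny).

```python
import ipaddress

def parse_acl(line):
    """Parse 'access-list N permit|deny ip SRC WILDCARD any' (the form used in the thread)."""
    tok = line.split()
    if len(tok) != 7 or tok[0] != "access-list" or tok[3] != "ip" or tok[6] != "any":
        raise ValueError("unsupported ACL form: " + line)
    return {
        "action": tok[2],
        "base": int(ipaddress.IPv4Address(tok[4])),
        "wildcard": int(ipaddress.IPv4Address(tok[5])),
    }

def matches(entry, src):
    """Wildcard bits set to 1 are 'don't care'; every other bit must equal the base."""
    care = ~entry["wildcard"] & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(src)) & care) == (entry["base"] & care)

def translated(acl_lines, src):
    """First matching entry wins; no match means implicit deny, so no translation."""
    for line in acl_lines:
        entry = parse_acl(line)
        if matches(entry, src):
            return entry["action"] == "permit"
    return False

def covered_range(entry):
    """Lowest and highest address matched (valid for a contiguous wildcard)."""
    care = ~entry["wildcard"] & 0xFFFFFFFF
    low = entry["base"] & care
    return (str(ipaddress.IPv4Address(low)),
            str(ipaddress.IPv4Address(low | entry["wildcard"])))

# ACL line as posted in the thread.
ACL = ["access-list 101 permit ip 172.20.0.0 0.0.31.255 any"]

# Constructed sample hosts: one per LAN in the diagram, plus two outside the range.
SAMPLES = ["172.20.10.25", "172.20.20.7", "172.20.30.200", "172.20.32.1", "10.1.1.1"]

if __name__ == "__main__":
    print("ACL 101 covers", covered_range(parse_acl(ACL[0])))
    for host in SAMPLES:
        print(host, "-> translated" if translated(ACL, host) else "-> not translated")
```

The wildcard 0.0.31.255 spans 172.20.0.0 through 172.20.31.255, so all three LANs in the diagram are translated while any other source address is not.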