
Help with NAT 2

Status
Not open for further replies.

pgaliardo

MIS
Nov 30, 2004
I need to accomplish the following and I want to know if it is possible and what commands I need to run. I need to get 5 machines around our proxy server, so I need to allow them access to the outside world through our Cisco 2600. I know how to add them to the access-list. What I want to accomplish is to NAT these 5 internal machines to 1 of our public IP addresses. I don't want to have to use 5 public IP addresses and do a 1 to 1 NAT.

The other issue is that the 5 machines are all on different subnets. So our router to the outside world is 10.0.0.1 255.255.255.0. The machines will be: 10.0.1.120, 10.0.2.120, 10.0.3.120, 10.0.4.120 and 10.0.5.120. Is this possible from our main router, or will there have to be configurations on the other routers in the remote buildings since the machines are on remote subnets?

Any help would be appreciated.

Thanks.
 
What is the default route on the 10.0.0.1 router?
 
I should have posted the whole config. Here it is:

Current configuration : 5046 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname HACKENSACK_2620
!
logging rate-limit console 10 except errors
no logging console

!
ip subnet-zero
!
!
no ip finger
no ip domain-lookup
ip host regent 192.168.1.10
ip host medford 172.16.1.2
ip host wcald 172.16.1.6
ip host franklin 172.16.1.18
ip host PHCC_1720 192.168.1.6
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Internal tcp
ip inspect name Internal udp
ip inspect name Internal cuseeme
ip inspect name Internal ftp
ip inspect name Internal h323
ip inspect name Internal rcmd
ip inspect name Internal realaudio
ip inspect name Internal smtp
ip inspect name Internal streamworks
ip inspect name Internal vdolive
ip inspect name Internal sqlnet
ip inspect name Internal tftp
ip inspect name Internet smtp
ip inspect name Internet tcp
ip audit notify log
ip audit po max-events 100
!
!
controller T1 0/0
framing esf
linecode b8zs
channel-group 2 timeslots 1-24 speed 64
!
controller T1 0/1
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/2
framing esf
clock source internal
linecode b8zs
cablelength short 133
channel-group 0 timeslots 1-24 speed 64
!
controller T1 0/3
framing esf
clock source internal
linecode b8zs
channel-group 0 timeslots 1-24 speed 64
!
!
interface Loopback0
no ip address
shutdown
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 10.0.0.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect Internal in
duplex auto
speed auto
!
interface Serial0/0:2
no ip address
encapsulation frame-relay
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0:2.1 point-to-point
description connected to Franklin_1720
ip address 172.16.1.17 255.255.255.252
ip nat inside
frame-relay interface-dlci 100
!
interface Serial0/0:2.2 point-to-point
description connected to W_Caldwell_1720
ip address 172.16.1.5 255.255.255.252
ip nat inside
ip inspect Internal in
frame-relay interface-dlci 103
!
interface Serial0/0:2.3 point-to-point
description connected to Regent
ip address 172.16.1.13 255.255.255.252
ip nat inside
ip inspect Internal in
shutdown
frame-relay interface-dlci 102
!
interface Serial0/0:2.4 point-to-point
description connected to Prospect_1720
ip address 172.16.1.9 255.255.255.252
ip nat inside
ip inspect Internal in
shutdown
frame-relay interface-dlci 101
!
interface Serial0/0:2.5 point-to-point
description connected to Medford
ip address 172.16.1.1 255.255.255.252
ip nat inside
ip inspect Internal in
frame-relay interface-dlci 104
!
interface Serial0/0:2.6 point-to-point
description Connected to GNI
ip address 141.x.x.x 255.255.255.252
ip access-group 102 in
ip nat outside
ip inspect Internet in
frame-relay interface-dlci 16
!
interface Serial0/1:0
description connected to warehouse
ip address 10.0.7.2 255.255.255.0
!
interface Serial0/2:0
description connected to Prospect
ip address 192.168.1.5 255.255.255.252
ip nat inside
!
interface Serial0/3:0
description connected to Regent
ip address 192.168.1.9 255.255.255.252
ip nat inside
ip inspect Internal in
no cdp enable
!
ip nat inside source static 10.0.0.2 141.x.x.86
ip nat inside source static 10.0.0.19 141.x.x.84
ip nat inside source static 10.0.0.20 141.x.x.88
ip nat inside source static 10.0.0.11 141.x.x.87
ip nat inside source static 10.0.0.40 141.x.x.85
ip classless
ip route 0.0.0.0 0.0.0.0 141.x.x.89
ip route 10.0.1.0 255.255.255.0 172.16.1.2
ip route 10.0.2.0 255.255.255.0 172.16.1.18
ip route 10.0.3.0 255.255.255.0 172.16.1.6
ip route 10.0.4.0 255.255.255.0 192.168.1.6
ip route 10.0.5.0 255.255.255.0 192.168.1.10
ip route 10.0.6.0 255.255.255.0 10.0.7.1
ip route 10.0.9.0 255.255.255.0 192.168.1.6
no ip http server
!
access-list 1 permit any
access-list 100 permit tcp host 10.0.0.10 any eq www
access-list 100 permit tcp host 10.0.0.19 any eq www
access-list 100 permit tcp host 10.0.0.10 any eq 443
access-list 100 permit tcp host 10.0.0.19 any eq 443
access-list 100 permit udp host 10.0.0.10 any eq 443
access-list 100 permit udp host 10.0.0.19 any eq 443
access-list 100 deny tcp any any eq www
access-list 100 deny tcp any any eq 443
access-list 100 deny udp any any eq 443
access-list 100 permit ip any any
access-list 102 permit tcp any host 141.x.x.86 eq www
access-list 102 permit tcp any host 141.x.x.86 eq smtp
access-list 102 permit tcp any host 141.x.x.84 eq www
access-list 102 permit tcp any host 141.x.x.87 eq 1494
access-list 102 permit tcp any host 141.x.x.88 eq nntp
snmp-server community public RO
!
line con 0
exec-timeout 0 0

logging synchronous
login
transport input none
line aux 0

login
line vty 0 4

login
!
no scheduler allocate
end
 
Trying to figure this out. You want specific machines to bypass the proxy to get to the internet. These machines are all from different subnets. Is the IP address of the proxy 10.0.0.2? What is the default gateway on the clients?
 
You can get a router to NAT across multiple non-connected subnets. You just need to ensure there is not another NAT'ing device between them and you, and that the routing to these remote subnets works; otherwise it could all fall apart.

I'd have thought all you'd need to do is add the following line:

ip nat inside source list 10 interface Serial0/0:2.6 overload

and create access list 10 and add all the source IPs of the hosts you want to translate.
 
That's what I was thinking...
Something like:

ip nat inside source list 1 interface Serial0/0:2.6 overload

access-list 1 permit 192.168.1.20
access-list 1 permit 192.168.2.20
access-list 1 permit 172.168.1.50
access-list 1 permit 10.0.1.25

If the default gateway is aimed at the proxy IP then change it to 10.0.0.1
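As an added example (not posted by anyone in the thread), here is the complete set of commands the two replies above sketch, applied to the posted 2620 config with the five hosts from the question. The list number 10 is an assumption, and the comments point out two things in the posted config that would otherwise trip the change up: the existing `access-list 1 permit any` and two inside links without inspection.

```cisco
! Added example: PAT the five remote hosts out of the GNI link.
!
! The running config already defines "access-list 1 permit any"
! (referenced by nothing). Re-using list 1 as the NAT source list
! would translate every inside host, not just the five, so remove
! it and use a dedicated list that permits only those hosts.
no access-list 1
access-list 10 permit host 10.0.1.120
access-list 10 permit host 10.0.2.120
access-list 10 permit host 10.0.3.120
access-list 10 permit host 10.0.4.120
access-list 10 permit host 10.0.5.120
! Implicit deny: every other inside source stays untranslated
! (the existing static translations are unaffected).
!
! Translate matching sources to the outside interface address,
! sharing it by port (overload).
ip nat inside source list 10 interface Serial0/0:2.6 overload
!
! Routing check against the posted config: each host enters on a
! link already marked "ip nat inside" -
!   10.0.1.0/24 via 172.16.1.2   -> Serial0/0:2.5 (Medford)
!   10.0.2.0/24 via 172.16.1.18  -> Serial0/0:2.1 (Franklin)
!   10.0.3.0/24 via 172.16.1.6   -> Serial0/0:2.2 (W_Caldwell)
!   10.0.4.0/24 via 192.168.1.6  -> Serial0/2:0  (Prospect)
!   10.0.5.0/24 via 192.168.1.10 -> Serial0/3:0  (Regent)
!
! Return traffic arrives on Serial0/0:2.6, where access-list 102
! only permits the statically translated hosts. The other inside
! links rely on "ip inspect Internal in" to open 102 for replies;
! Serial0/0:2.1 and Serial0/2:0 lack it, so add it there too.
interface Serial0/0:2.1
 ip inspect Internal in
interface Serial0/2:0
 ip inspect Internal in
!
! Verify: only the five addresses should show up as "Inside local".
! show ip nat translations
! show ip nat statistics
```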
 
Thanks for the responses. Just to clear up some confusion, there are a lot of interfaces still showing in my config that are no longer used. Also, a quick overview of our setup:
All Internet access goes out through our corporate office through the Cisco 2620.
We have 5 remote facilities, all with dedicated T1 PPP connections to the corporate office. The subnets of each remote office are 10.0.1.1, 10.0.2.1, etc., mask 255.255.255.0.
Each remote office default gateway is the address of the Cisco 1720 at the remote site which is directly connected to the corporate office (10.0.1.1, 10.0.2.1, 10.0.3.1, etc).
Don't know if that has any effect on your answers, but I am going to give your suggestions a try.

Thanks.
 
Leave the client gateways as is then. You mentioned a proxy server. What is the IP address of that?
 
Hi,

I have a problem with a new Cisco 3640 Router.
I have installed two FastEthernet modules on it and received the following public IP from my provider:

IP address: 64.110.0.130
subnet: 255.255.255.224
Gateway IP : 64.110.0.129

Now, I have a large network and would like to do NAT on this router. So after setting up the router, I ran the following commands.


1. IP routing
2. Int f0/0 ---> ip address 64.110.0.130 255.255.255.224
no shutdown
ip nat outside

3. Int f0/1 ---> ip address 172.16.0.0 255.255.0.0
no shutdown
ip nat inside


4. access-list 1 permit 172.16.0.0 0.0.255.255

5. ip nat pool NETNAT 64.110.0.133 64.110.0.133 netmask 255.255.255.224

6. ip nat inside source list 1 pool NETNAT overload.

then I did a copy run start and then reloaded.

from a lan IP,
172.16.10.5 with gateway IP 172.16.10.1 I am not able to browse, though I can ping the f0/0 and even the gateway 64.110.0.129

I was advised to change the command

5. ip nat pool NETNAT 64.110.0.133 64.110.0.133 netmask 255.255.255.224

to

5. ip nat pool NETNAT 64.110.0.129 64.110.0.129 netmask 255.255.255.224

When I reloaded, the Cisco box complained of a network address conflict.

I even added:

7. ip route 0.0.0.0 0.0.0.0 f0/0

and yet it just does not work.

Can anyone please help me with where I went wrong, or just provide a list of step-by-step commands to run?


PS: Later I avoided overloading:


-------------
5. ip nat pool NETNAT 64.110.0.129 64.110.0.133 netmask 255.255.255.224

6. ip nat inside source list 1 pool NETNAT

---------- STILL NOTHING

When I ran:

sh ip nat translations

I saw a bunch of results in each case, with a whole lot of public IP addresses, probably ones my LAN PC was trying to reach. Dunno.

Lastly, I cannot ping the outside world from within the router, though I put in the DNS address.

Please help.
 