Help with NAT

[JM69]

I'm connecting a 871 router to an ISP device and need help routing traffic.

It works perfectly when I can use a public IP address on the WAN interface of the 871 (whether provided by a DHCP lease or statically). But if the ISP router is using a private address range in it's DHCP scope then I can't get traffic to route from a client directly attached to the 871's embedded switch out to the internet.

Here's the config which works for for the public DHCP address. What do I need to change to make it work for a private DHCP address? Thank you!!

!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
logging console critical
!
aaa new-model
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.200.1
!
ip dhcp pool BC
   import all
   network 192.168.200.0 255.255.255.0
   dns-server 4.2.2.2 
   default-router 192.168.200.1 
   lease 7
!
!
no ip domain lookup
ip domain name abc.com
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name bc_urlf http java-list 51 urlfilter timeout 10
ip urlfilter max-request 500
ip urlfilter max-resp-pak 150
ip urlfilter allow-mode on
ip urlfilter cache 4500
ip urlfilter exclusive-domain permit concordrents.com
ip urlfilter audit-trail
ip urlfilter urlf-server-log
ip urlfilter server vendor n2h2 1.2.3.4 outside retrans 3 timeout 30
ip ddns update method BusCtr
 HTTP
  add [URL unfurl="true"]http://username:password%40dynupdate.no-ip.com/nic/update%3Fhostname=hostname.yourdomain.com[/URL]
  remove [URL unfurl="true"]http://username:password%40dynupdate.no-ip.com/nic/update%3Fhostname=hostname.yourdomain.com[/URL]
!
interface Loopback0
 ip address 10.1.1.2 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip ddns update hostname.yourdomain.com
 ip ddns update BusCtr
 ip address dhcp
 ip nat outside
 ip inspect bc_urlf out
 ip virtual-reassembly
 speed auto
 half-duplex
!
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list standard ssh-in
 permit 5.6.7.8 0.0.0.15
 deny   any log
!
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 51 permit any
no cdp run
!
!
control-plane
!
!
line con 0
 no modem enable
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17179384
ntp server 130.126.24.53
ntp server 198.82.162.213
end

 

[burtsbees]

You would not NAT if there is a private IP address...the ISP would, so take ip nat inside, ip nat outside, off of the interfaces. The ISP must then translate the private IP's to public ones.

Burt

 

[JM69]

Cisco suggested switching the default gateway to use DHCP instead of the interface, and that fixed the issue. Using an interface as a default gateway needs the outside device to proxy arp, which is not always true.

Removing "ip nat inside" and/or "ip nat outside" from the config broke the connectivity.

So the 871 is now working fine with the WAN interface receiving it's DHCP address from the cable modem (192.168.1.234).

 

[burtsbees]

Sorry, I must have misunderstod.

Burt