Multiple NAT Networks on an 1841?

[ryezak]

Is it possible to route several private networks using NAT?

I have 4 private neworks.

I have Fa0/0 with a public IP to the internet.

Currently 1 private network is being NAT'd.
I am trying to add more private networks and route them to the internet.

My ISP is wanting to put a public IP on FA0/0 and have my usable public IP on fa0/1 to reduce broadcast traffic.
So I guess put a static route in and try NAt'g several of my networks to the Public IP on Fa0/1?

Any ideas would be great. Thanks.

 

[burtsbees]

Yes---just build acl's for all the networks you want natted.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[ryezak]

Can you provide me with an ACL example?

BTW - I like the Ubuntu burn on windows. Linux rocks!

 

[ryezak]

I see my private network in the ACL 1

Do I just add the next network I want to add below the 192.168.10.0 ?

Thanks.

access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 2 deny any

 

[burtsbees]

EXAMPLE

networks 10.1.1.0/24, 10.2.2.0/24, 10.3.3.0/24, 10.4.4.0/24

s0=WAN
fa0=LAN

access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.2.2.0 0.0.0.255 any
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.4.4.0 0.0.0.255 any

int fa0
ip add 10.1.1.1 255.255.255.0
ip nat inside

int s0
ip add 23.1.23.1 255.255.255.248
ip nat outside

ip nat inside source list 101 int s0 overload

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[ryezak]

if I don't have a s0 will it still work on Fa0/0 outside internet port?

tks

 

[burtsbees]

Yes. ip nat inside=inside LAN interface and ip nat out=outside WAN interface, or outside facing interface.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[ryezak]

Question: do all networks in addition need to be routed?
Or can I just connect a PC in say any one of the 10.X.X.X networks and ping an internet address?
What would my gateway be in the PC?

 

[Minue]

You should post a scrub conf.Yes you can do the above.The gateway would be the LAN interface.

Regards

 

[burtsbees]

You can build a DMZ with your public addresses ("dirty" dmz), or just NAT everything to fa0/0, even static NAT for servers, depending on your needs. How are there four networks hanging off of fa0/1 right now? Switch trunking VLANs? Router trunking vlans in an L2 switch? Please draw out or describe a simple topology and like Minue says post a scrubbed config.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!

 

[ryezak]

I have an 10 meg FD circuit from ISP.
I have an 1841 cisco as gateway or demarc of there e10 on fa0/0.

Currently I have several Wifi ethernet links terminating on a 2950 cisco switch. The switch is connected to fa0/1.
No vlans yet, however it would improve I think.
Currently every device including management is in 192.168.1.X network.

I want to introduce a 10.X.X.X network. Currently all traffic is NAT'd and being default routed to the ISP via fa0/0

Now- ISP wants to have a 2 IP subnet between F0/0 and there core router.
Move gateway Public IP onto fa0/1.
Add a default route from fa0/1 public IP to there Public ip on there core. Why I don't really know.
Now I have issues with NAT inside/outside as my router only has 2 interfaces at this time.

What I want is to be able to route 2 private networks, 1 DHCP server across this fa0/1.

Any suggestions would be appreciated.

 

[Minue]

Please post the scrub conf!We have nothing to work on.For us it's like trying to build a house without a drawing.
Regards

 

[ryezak]

ip dhcp pool main
import all
network 10.1.1.0 255.255.255.0
dns-server 4.2.2.2 4.3.3.3
default-router 10.1.1.1

interface FastEthernet0/0
ip address 208.X.X.X 255.255.255.0
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.1
!
ip classless
ip route 0.0.0.0 0.0.0.0 208.X.X.X
ip route 10.0.0.0 255.0.0.0 10.3.3.0
ip route 10.2.2.0 255.255.255.0 FastEthernet0/1
ip route 10.3.3.0 255.255.255.0 FastEthernet0/1
ip route 10.4.4.0 255.255.255.0 FastEthernet0/0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.2.2.1 5900 interface FastEthernet0/0 5900
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 permit ip 10.2.2.0 0.0.0.255 any
access-list 101 permit ip 10.3.3.0 0.0.0.255 any
access-list 101 permit ip 10.4.4.0 0.0.0.255 any
!

 

[ryezak]

This is a current test config I am playing with a non production 1841 Router.

What I am trying to do is have several networks use the nat'g on the fa0/1 (inside) and fa0/0 (outside)

The problem now is ISP is requesting a separate 2 ip subnet from there gateway interface to my fa0/0 us burning up 1 of my availble ports.

My 1841 only has 2 fa interfaces. They said it is to reduce broadcast traffic?

To summarize:
I have 4 private networks. (how to route many private networks with one router?
1 1841 router with 2 interfaces.

They want me to statically route all traffic to there router from my fa0/1 (which has my public IP) as well as have fa0/0 with public IP facing there router but not routing any of my traffic?
Any ideas on a solution? this does not seem correct to me?

 

[Minue]

Hello
This solution doesn't seem right to me.You should ask your ISP for a precise explanation about this broadcast stuff.Also explain to them about your present design with your private addresses.I have seen other ISP putting a public address on the LAN interface and using a secondary private address for inside host.The public on the LAN is use for public access to a web server or similiar without having to use static NAT.But from what your ISP has said the situation isn't the same.
In any case if the ISP insist on this idea we can work around it using secondary addresses or subinterfaces on the Fastethernet0/1.

Regards

 

[ryezak]

Trying to get in touch with my ISP.

Could you provide me with a config to have NAT working on FA0/1 with the public IP and the private on the same port?
Also where would my default route point to?

Any help would be appreciated.

 

[burtsbees]

All your addresses in acl 101 right now will get natted, provided the router can reach them (or rather they can reach the router...lol).

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!