
Nat routing 1

Status
Not open for further replies.

skatcb

IS-IT--Management
Jun 2, 2003
14
US
I saw someone use the following on our router (1720): ip nat inside source static 192.168.1.31 66.160.21.222, and it worked; he did fifteen public addresses like this. Now I need to undo this and set up pools so that 4 or 5 machines can use the same number. The problem is that after I enter the router I don't know where he went to make this work; when I go in, no commands work. What am I doing wrong, and how do I specify a group of static IPs?

Thanks Gang
 
Have you entered enable mode? First time you enter the router, the prompt it shows is like:

Router>

type 'enable' (or ena) and it asks you for the password

Password:

afterwards, you will have:

Router# (THIS IS THE ENABLE MODE)

type 'configure terminal' (or 'conf t')

Router(config)#

If you want to erase config lines, type 'no' and then the line:

Router(config)#no ip nat inside source static 192.168.1.31 66.160.21.222

According to your issue, you will have to enter something like this:

Let us suppose you want hosts in network 192.168.1.0 255.255.255.0 to be translated to an external network to 66.160.21.220 - 235, so as to use 66.160.x.x addresses for 4 or 5 192.168.1.y addresses. You have to include in the config:

Router(config)#ip nat pool external-addresses 66.160.21.220 netmask 255.255.255.240 (depending on the addresses, of course)
Router(config)#access-list 1 permit 192.168.1.0 0.0.0.255
(if your local addresses are different, you will have to type something different than 0.0.0.255, e.g., if the network mask is 255.255.240.0, it will be 0.0.15.255, always the INVERSE of the mask)
Router(config)#ip nat inside source list 1 pool external-addresses overload

Besides, in the interface attached to 192.168.1.0 network, you will need to type (for the example, this is interface ethernet 0):
Router(config)#int ethernet 0 (to enter interface config mode)
Router(config-if)#ip nat inside (enable translation)

And, in the other interface to 66.160.x.y network (Serial 0, for example)
Router(config)#int serial 0
Router(config-if)#ip nat outside

Afterwards, remember to save your changes with
Router#write mem

You can verify it with:

Router#show ip nat trans

Good Luck.

D.

Well, I do not know if you knew all this. If so, reply with a more detailed explanation and I will try to help you.
 
I just am not sure about the inverse part. Our interior mask ends in 0, these masks end in 224
 
skatcb, I committed a mistake yesterday with this line:

Router(config)#ip nat pool external-addresses 66.160.21.220 netmask 255.255.255.240 (depending on the addresses, of course)

It should be:

Router(config)#ip nat pool external-addresses 66.160.21.220 66.160.21.235 netmask 255.255.255.240 that is, the first address and the last address of the range.

About the inverse part, the mask I wrote was just an example. For your case, the inverse one you have to use for access-lists is 0.0.0.255. You always have to use inverse form in access-lists, and they are called WILDCARD. There is a very simple formula for every mask and wildcard (inverse mask): mask + wildcard = 255.255.255.255
I told you this:
> if your local addresses are different, you will have to type something different than 0.0.0.255, e.g., if the network mask is 255.255.240.0, it will be 0.0.15.255, always the INVERSE of the mask
In case you have to face a different mask, do not worry about that in your network.

Let me know the result.

D.

P.S. If there is any one out there who thinks I am wrong, please tell me and skatcb. This is a way for me to learn a little bit more.

 
I think the problem is our router, actually what I am trying to do is point 4 static inside numbers to one public outside number. So far I can only do it one to one. I have had a couple of people tell me you can do it 4 to one if you use nat routing in the following example:

ip nat inside source static 192.168.1.33 66.160.21.222
ip nat inside source static 192.168.1.34 66.160.21.222

This example will not work even though I have seen it accomplished by someone else, it tells me that 66.160.21.222 is already used by .33.

 
If you do it 4 to one you cannot use static translation, that is, one to one. There must be an 'overload' keyword at the end of the command. Unless you can differentiate services so you can do the static translation with ports, this way:

66.66.66.66 tcp port 80 <---> 192.168.1.1
66.66.66.66 tcp port 53 <---> 192.168.1.2
66.66.66.66 tcp port 161 <---> 192.168.1.3

D.
 
What if I put the overload command in there, where do I put it?
 
Sorry for the delay, I have been out of office. Regarding overload, you have to put it at the end of nat translation sentence:

Router(config)#ip nat inside source list 1 pool external-addresses overload

About load distribution, I have never used it, but it might be a good alternative, as gaveeve says.

 
I have tried the load distribution and it does not work. If I use the overload command, can I do it the way I did in the following example? Would I have to specify it differently?

Thanks much, by the way

ip nat inside source static 192.168.1.33 66.160.21.222
ip nat inside source static 192.168.1.34 66.160.21.222
 
Let me explain better, this is what we have right now. In order to better utilize the external addresses we would like to map the static ips in groups of 4 to one of the external addresses, so we can use more external addresses.

ip nat pool Global 66.160.21.203 66.160.31.206 netmask 255.255.255.224
ip nat inside source list 1 pool Global overload
ip nat inside source static 192.168.1.31 66.160.31.222
ip nat inside source static 192.168.1.29 66.160.31.220
ip nat inside source static 192.168.1.28 66.160.31.219
ip nat inside source static 192.168.1.27 66.160.31.218
ip nat inside source static 192.168.1.26 66.160.31.217
ip nat inside source static 192.168.1.25 66.160.31.216
ip nat inside source static 192.168.1.24 66.160.31.215
ip nat inside source static 192.168.1.23 66.160.31.214
ip nat inside source static 192.168.1.19 66.160.31.210
ip nat inside source static 192.168.1.17 66.160.31.208
ip nat inside source static 192.168.1.16 66.160.31.207
ip nat inside source static 192.168.1.15 66.160.31.202
ip nat inside source static 192.168.1.13 66.160.31.199
ip nat inside source static 192.168.1.11 66.160.31.197
ip nat inside source static 192.168.1.10 66.160.31.196
ip nat inside source static 192.168.1.4 66.160.31.194
ip nat inside source static 192.168.1.3 66.160.31.193
ip nat inside source static 192.168.1.2 66.160.31.192
ip nat inside source static 192.168.1.9 66.160.31.195
ip nat inside source static 192.168.1.12 66.160.31.198
ip nat inside source static 192.168.1.14 66.160.31.200
ip nat inside source static 192.168.1.18 66.160.31.209
ip nat inside source static 192.168.1.20 66.160.31.211
ip nat inside source static 192.168.1.21 66.160.31.212
ip nat inside source static 192.168.1.22 66.160.31.213
ip nat inside source static 192.168.1.30 66.160.31.221
ip classless

Is this possible?
 
OK, let's look at the two first lines:
ip nat pool Global 66.160.21.203 66.160.31.206 netmask 255.255.255.224
ip nat inside source list 1 pool Global overload

With this, every local (or private, as you like best) address that matches list 1 will be dynamically translated to one of those in the pool Global (66.160.21.203, .204, .205, .206).

So, what you have to do to map 4 local addresses to one external (or global, or public) is:

1.- Define the 4 private addresses in an access-list:

access-list 2 permit 192.168.1.0 0.0.0.3

2.- Define the external pool with only one address:

ip nat pool Global2 66.160.21.203 66.160.21.203 netmask 255.255.255.224

3.- Assign the translation:

ip nat inside source list 2 pool Global2 overload

You must do this with every group of 4 internal addresses:

access-list 1 permit 192.168.1.0 0.0.0.3
ip nat pool Global1 66.160.21.203 66.160.21.203 netmask 255.255.255.224
ip nat inside source list 1 pool Global1 overload

access-list 2 permit 192.168.1.4 0.0.0.3
ip nat pool Global2 66.160.21.204 66.160.21.204 netmask 255.255.255.224
ip nat inside source list 2 pool Global2 overload
.
.
.

Actually, I have never done this before, so I cannot be absolutely sure it works; you'd better test it with one group and verify it works fine.
By the way, can I ask, why do you want every group of 4 addresses to be translated to different public addresses? I think there are no servers in that network that need static mapping, right? If you only want Internet access, maybe you'd better use only ONE translation of your whole LAN. It works the same.
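
Added example, not part of any post in this thread: a small Python check of which inside hosts an access-list wildcard actually selects (using the mask + wildcard = 255.255.255.255 rule from earlier in the thread), plus a generator for the access-list / pool / overload lines of one 4-host group. The pool name `PAT-n`, the function names and the 203.0.113.x public address are constructed for illustration.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def wildcard_for(netmask):
    """Inverse of a netmask: mask + wildcard = 255.255.255.255."""
    mask = int(ipaddress.IPv4Address(netmask))
    return str(ipaddress.IPv4Address(ALL_ONES ^ mask))

def acl_matches(base, wildcard, host):
    """True if 'permit <base> <wildcard>' selects host (wildcard 1-bits are ignored)."""
    care = ALL_ONES ^ int(ipaddress.IPv4Address(wildcard))
    b = int(ipaddress.IPv4Address(base))
    h = int(ipaddress.IPv4Address(host))
    return (b & care) == (h & care)

def matched_hosts(base, wildcard, lan="192.168.1.0/24"):
    """Every address in the LAN that the ACL entry would hand to NAT."""
    return [str(a) for a in ipaddress.ip_network(lan)
            if acl_matches(base, wildcard, str(a))]

def pat_group_config(inside_block, public_ip, acl_no, pool_netmask):
    """Config lines mapping one aligned inside block to a single public address."""
    # ip_network() raises ValueError if the block is not aligned (e.g. 192.168.1.5/30),
    # which is exactly the case where a wildcard would select the wrong hosts.
    net = ipaddress.ip_network(inside_block)
    pool = f"PAT-{acl_no}"  # constructed pool name
    return [
        f"access-list {acl_no} permit {net.network_address} {net.hostmask}",
        f"ip nat pool {pool} {public_ip} {public_ip} netmask {pool_netmask}",
        f"ip nat inside source list {acl_no} pool {pool} overload",
    ]

if __name__ == "__main__":
    # A 4-address block needs mask 255.255.255.252, i.e. wildcard 0.0.0.3.
    print(wildcard_for("255.255.255.252"))
    print(matched_hosts("192.168.1.4", "0.0.0.3"))
    # Constructed public address from the documentation range.
    for line in pat_group_config("192.168.1.4/30", "203.0.113.10", 2,
                                 "255.255.255.224"):
        print(line)
```

Running `matched_hosts` on an ACL entry before applying it shows whether the entry translates only the intended group or a much larger part of the LAN.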
 
We access a site that is for public use, not commercial, so if you exceed their amount of hits per day they block your IP. So they told us the way around it is to make sure they see different IP addresses, so if one gets shut down we have a backup (we have been shut off twice, and the next time it is permanent). Since we have over 80 people accessing that site, for future growth we want to be able to have more IP addresses we can just give out. Believe me, these were hard to get, so we want to conserve but still give everyone access. Strange, huh?
 
Yeah, strange, but what about three people with the same translation access lots of times and then you get rejected? If you are not changing addresses or nat translations often, it may happen. Tough work, chap.
 
We have done an analysis and also have given a course that shows these people what counts as hits. They are smarter now in the way they use the site, so I think we will have a lot fewer problems, but right now with 80 people allowed access to that site it is more likely we will get in trouble. One more thing: if I do it this way, can I still give people static addresses and will they be able to work?
 
Why not try a number of nat pools, each pool for a small range of internal addresses? Not static entries but many small pools of dynamic nat.
From the Cisco site:
Q. What is the maximum number of configurable NAT IP pools (ip nat pool "name")?

A. There is no actual limit. In practical use, however, the maximum number of configurable IP pools is limited by the amount of available DRAM in the particular router being used.

 