NAT with two outside interfaces


bmcdonn

Technical User
Apr 24, 2007
I have a department network that we need to connect to both the company intranet and the Internet. We have a 3640. All interfaces are Ethernet. Both the company intranet and the Internet interface have only a single IP address. I think this means using "overload" instead of "pool".

The department network is 192.168.0.x/24
The company intranet is 10.22.66.x/24 but I only have a single IP on this net.
The Internet IP is 66.248.170.5/24

I hope this is enough to get some help. If not tell me what I need to provide. Thanks in advance.

Bernie
 
You may want to reword your question a bit. I'm having a hard time grasping your problem.
 
Actually, the overload changes NAT to PAT, which actually is NAT, but with ports associated to the converted address, so that you in essence do not use said pool. That being said, you need
router>en
router#conf t
router(config)#access-list 10 permit 192.168.0.0 0.0.0.255
router(config)#access-list 10 permit host 10.22.66.x
router(config)#ip nat inside source list 10 int x overload
"x" is the interface that faces the Internet, with the public IP address on it. Then, you must get into interface config mode for the Ethernet interfaces and the interface that faces the Internet. In this example, we'll use S0 as the Internet interface, E0 as the 192.168.x.x interface, and int E1 as the 10.22.66.x interface...
router(config)#int s0
router(config-if)#ip nat outside
router(config-if)#exit
router(config)#int E0
router(config-if)#ip nat inside
router(config-if)#exit
router(config)#int E1
router(config-if)#ip nat inside
router(config-if)#^z (which is ctrl-z)
Now, you'll want to copy the config to NVRAM...
router# copy run start

Burt
 
Whoops---the wildcard mask in the ACL is not needed---only for extended ACLs... sorry.

Burt
 
OK, one thing I didn't make clear, I guess:

I want to treat the department network as "inside" and both the company intranet and Internet as "outside". Nothing should access the internet from the company network. Nothing should access the department network from either the company intranet or Internet unless it is a response to a request from the department network or explicitly allowed in.

Thanks.
 
The department is really separate from and managed independently from the company intranet. The department needs to access a limited number of servers on the company intranet and needs to serve a few computers on the company intranet. Their equipment and support is old, limited, and poorly supported. I figured I could do what I needed with NAT/PAT and not involve them in the setup like I would have to with VPN.

Does that help any? Again thanks.
 
If you could just post a topology, that would be great...here's what you first said...
"I have a department network that we need to connect to both the company intranet and the Internet." Then, you came back and said: "Nothing should access the internet from the company network." So... looks like what you have is...

Your Department----Internet----Their Department
Is this correct?

Burt
 
OK, let's see if I can figure out how to do this with text:


OUTSIDE-----|-----3640 port and ip assignment-----|--INSIDE
Internet------66.248.170.40--eth0/3

eth0/0--192.168.1.0/24---Dept.

Company Net---10.22.89.180---eth0/2

INSIDE is the Department Network.
OUTSIDE is the Company Network and the Internet

From Inside I want to NAT/PAT to the Company Net and the Internet.

The company net has its own Internet access and should not access the Internet here.

I use static port translations to permit some access to the Inside from both the Company net and the Internet.

My headache is in configuring NAT for both outside networks. I only have the IP assigned to my eth interface for each of these networks. This makes me think I need to use the "overload" function, since I don't have a "pool" of addresses for these OUTSIDE networks. I think I need to use "route-map" somehow to do this but - how do I use "route-map" with "overload", or should I be barking up a different tree?
 
Still sounds like NAT has NOTHING to do with what you want. VPN sounds more like it. I'm absolutely lost... anyone else? Do you simply want connectivity and allow access/deny access? How are you connected now, I mean at layers 1 and 2 to the outside network? I mean, if you are physically connected, and the outside network needs access to you guys, and vice versa...

Burt
 
OK, let me ask another way.

What if instead of the Company Intranet and the Internet as two outside interfaces, I said I have two ISPs and each has only provided me with one IP address. How can I NAT/PAT to different ISPs using only one IP address per ISP?
 
Hello
I don't think NAT/PAT is right for this situation; the VPN looks better. NAT/PAT is used to let LAN clients get out to the Internet, or to let people reach your servers like DNS, WEB, FTP from the Internet.
If you want the department to reach the company Intranet this way, yes, it is possible even with 1 IP address.
Regards
 
What you say NAT/PAT is for is exactly what I want to do. Creating a VPN requires more interaction with others than I am interested in pursuing. Can anyone suggest a way to implement NAT/PAT between an inside network and two outside ISP networks using the one IP address assigned by each ISP?
 
router(config-if)#ip nat outside
do this on both outside interfaces instead of just one!

Burt
 
Hello
This can work in two ways. The first is a mapping to the entire server. This method will let you do a UNC path to see shares and some other things. This will map only to 1 host. This is the command:

ip nat inside source static 192.168.1.6 66.248.170.5

Then you have the mapping with services/port numbers. Let's say you have a Web, mail and FTP server that you want to reach from the outside and you only have 1 public address. Note you can have all 3 services running on the same computer or you can have 3 computers with different private IP addresses. (The example is with 1 computer handling all services.) These are the commands:

ip nat inside source static tcp 192.168.1.6 80 66.248.170.50 80
ip nat inside source static tcp 192.168.1.6 25 66.248.170.50 25
ip nat inside source static tcp 192.168.1.6 21 66.248.170.50 21

The NAT will send the request to the right server based on the port number. The idea is this: if you want help with the actual configuration, feel free to ask!
Regards
 
the above post will handle your inbound requests.. if you are hosting any services that they need to get to...

you will also need to overload outbound to both of your "isps"

assuming your hosts are all allowed to go to both connections you could reuse the same access-list for both links...

ip nat inside source list 1 interface INTERFACE1 overload
ip nat inside source list 1 interface INTERFACE2 overload

if not then just make a separate access-list for the second interface.. and replace INTERFACE with the appropriate interface.. this way all outbound traffic onto those links will be NATted to the IP on the link.
 
when I tried what you suggested, using the same access-list for both ip nat inside source...... commands, only the second one ended up in my configuration. whichever command was typed last is the only one in the config. How do you get two of them into the config?
 
Are you saying that there is only one static acl entry? If you are trying two different IP addresses with the same port it won't work. To quote Minue...
"Let say you have a Web,mail and ftp server that you want to reach from the outside and you only have 1 public address.Note you can have all 3 services running on the same Computer or you can have 3 computers with different private ip addresses."

You can APPLY the acl for NAT to as many interfaces that you want. The statement itself that is actually applied is what is limited.

Burt
 
Burt,

The incoming routing is working. The comment from plshlpme is the one I was responding to. It is with the translating of inside addresses to the IP assigned by the ISP that is the problem. I can make NAT work for either one or the other route, but I cannot seem to find the right configuration to work with two outside interfaces.

I've got to say, this is making me crazy. I am really losing my mind over this issue. Thanks to all who have helped so far. I am making a little headway thanks to this board.
 
Hello
To help us troubleshoot please send the config of the router and the show ip route.
I don't think you can use the same list for 2 different interfaces. Try building another access-list and NAT statement for the 2nd ISP.
ip nat inside source list 2 interface Ethernet1 overload
access-list 2 permit xx.xxx.xx.xx 0.0.0.255
Regards
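The route-map form bmcdonn asked about is the usual way to keep two overload translations for one inside network when a second plain "ip nat inside source list ... overload" line overwrites the first. This is an added example, not a config posted by anyone in the thread; interface names and addresses follow bmcdonn's topology post, and the next-hop and company-prefix values are assumed placeholders.

```cisco
! Added example (not from this thread's posters), written for the posted
! topology: Ethernet0/0 = department LAN (inside), Ethernet0/2 = company
! intranet (outside), Ethernet0/3 = Internet (outside). Interface addresses
! come from that post; next hops and the company prefix are placeholders.
!
! Both outside interfaces are marked "ip nat outside".
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Ethernet0/2
 ip address 10.22.89.180 255.255.255.0
 ip nat outside
interface Ethernet0/3
 ip address 66.248.170.40 255.255.255.0
 ip nat outside
!
! Only the department LAN is eligible for translation, so company-net hosts
! are never NATted out to the Internet through this router.
access-list 1 permit 192.168.1.0 0.0.0.255
!
! Two "ip nat inside source list 1 interface ... overload" lines cannot
! coexist; matching the egress interface in a route-map keeps them distinct,
! so each flow is translated to the address of the interface it leaves by.
route-map NAT-TO-INTERNET permit 10
 match ip address 1
 match interface Ethernet0/3
!
route-map NAT-TO-COMPANY permit 10
 match ip address 1
 match interface Ethernet0/2
!
ip nat inside source route-map NAT-TO-INTERNET interface Ethernet0/3 overload
ip nat inside source route-map NAT-TO-COMPANY interface Ethernet0/2 overload
!
! Inbound access to a department host stays a static translation; it coexists
! with the overload entries (host and port values are placeholders).
ip nat inside source static tcp 192.168.1.6 80 66.248.170.40 80
!
! Routing selects the route-map: company prefixes leave via Ethernet0/2,
! everything else via the default route. Prefix and gateways are placeholders.
ip route 10.0.0.0 255.0.0.0 10.22.89.1
ip route 0.0.0.0 0.0.0.0 66.248.170.1
```

"show ip nat translations" then lists inside-local entries paired with whichever outside interface address the flow actually left by, which is the quickest check that both overloads are active.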
 