
static nat

Status
Not open for further replies.

theguyfromhere

IS-IT--Management
Sep 18, 2006
4
US
We have 2 new T1's in place, but we needed to keep our old T1 as we needed the ip's that came with it, and the company wouldn't lease the ip's to us. at any rate, we have 10.1.1.93/26 as our public ips, we use .93 .94 .200 .205 and .204. The goal was to have static nat of the public IP's to internal ip's so say the mail server was 10.1.1.200, and 172.1.1.4 respectively. i wanted 10.1.1.200 to NAT all traffic to 172.1.1.4, and 10.1.1.204 to 172.1.1.5. the config i came up with in the lab is this:
Code:
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname motolab
!
enable secret 5 $1$WH8Q$przb.w4LSb/doWjY9quSk1
enable password woot
!
ip subnet-zero
!
!
!
interface Ethernet0/0
 ip address 172.1.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Ethernet0/0.1
 no ip directed-broadcast
!
interface Serial0/0
 ip address 10.1.1.93 255.255.0.0
 no ip directed-broadcast
 ip nat outside
!
interface Serial0/0.1
 ip address 10.1.1.200 255.255.0.0
 no ip directed-broadcast
 ip nat outside
!
interface Serial0/0.2
 ip address 10.1.1.204 255.255.0.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source static 10.1.1.204 172.124.1.5
ip nat inside source static 10.1.1.200 172.124.1.4
ip classless
!
access-list 10 deny   192.168.0.6
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
banner motd ^C
Welcome!  Welcome to the MotoSat lab 2610!  IF you DARE mess wiht my
config, i'm gonna be on you like stink on shit.  Have a nice day! :D
^C
!
line con 0
 password woot
 login
 transport input none
line aux 0
line vty 0 4
 password woot
 login
!
end


i have no way to test this in the lab since i have no serial connection to work with here.  unless you know how to plug a t1 card into a computer, google has been helpless.

when i went to our router that needed the new config, i couldn't proceed because the ser 0/0 int has IETF frame relay encapsulation point to point to eth 0/0.  so eth 0/0 has the 63.110.63.93 address, naturally if i try to assign a 63.110.63.200 address to ser 0/0.2 i get an "overlaps with eth 0/0" error.
config on the non-lab router is:
Code:
interface fastethernet 0/0
 ip addr 10.1.1.193 255.255.255.192

interface serial 0/0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi

interface serial 0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 500 IETF

If you can help me out at all, or point me where to look, that would be great.
 
wHAT EXACTLY DO YOU WANT??? Sorry---caps was on. Your ip addresses would not overlap with vlsm. But what are you trying to accomplish here?
 
very simply to set up a static route. i want our public ip (10.1.1.204) to forward to our internal ip (172.124.1.4). i can't assign a public IP to ser0/0 since it overlaps with the one assigned to eth0/0. so i'm lost. in my experience, you assign the first public IP to ser0/0.1 not to eth0/0 but that isn't the case here. here there is no ip at all on ser0/0. the first config is what i came up with in the lab (untestable in the lab), the second config is how the router in the field is configured on the serial and ethernet interfaces.
 
okey doke, from the beginning.
the picture "howitwas" is how it was, no IP on ser0/0, and ser0/0.1 was bonded somehow to eth0/0, and eth0/0 had our first public IP. since eth 0/0 had the first public ip, i can't give a public ip to any subinterface of ser0/0. we had a firebox that did the natting for us, that is gone now to firewall our new t1's. this is a pic of the topology, and the router config of how it was.
Code:
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname motosat-gw
!
boot-start-marker
boot-end-marker
!
enable password 
!
no aaa new-model
ip subnet-zero
!
!
!
ip domain name ALTER.NET
ip name-server 198.6.1.5
no ftp-server write-enable
!
!
!
!
interface FastEthernet0/0
 description To Office FastEthernet
 ip address 10.1.1.193 255.255.255.192
 duplex auto
 speed auto
!
interface FastEthernet0/0.2
!
interface FastEthernet0/0.3
!
interface Serial0/0
 description To UUNET 
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 frame-relay interface-dlci 500 IETF   
!
!
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
snmp-server community 61879f8df RO
snmp-server enable traps snmp authentication
snmp-server enable traps tty
!
line con 0
 password
 login
 transport preferred none
line aux 0
 password login
 modem InOut
 transport preferred none
 transport input all
 transport output all
 stopbits 1
 flowcontrol hardware
line vty 0 4
 password login
 transport preferred none
!
!
!
end


now that the firebox is out of the loop, i want to set it up like the pic "howiwantit" (link below). i want ser0/0.1 to have our first public ip, and ser 0/0.2 to have .204 and ser 0/0.3 to have .205 etc. my problem is, i've never run into the fact that ser0/0.1 is somehow bonded to eth 0/0, and eth 0/0 has our first public IP. i want eth0/0 to have the 172.1.1.1. make sense? below is the link to the pic of how i want it, and the config of my lab router. the lab router is my best idea of how i *think* you set up natting. but my current environment won't allow that.
Code:
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname motolab
!
enable secret 5 $1$WH8Q$przb.w4LSb/doWjY9quSk1
enable password woot
!
ip subnet-zero
!
!
!
interface Ethernet0/0
 ip address 172.124.1.1 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 no mop enabled
!
interface Ethernet0/0.1
 no ip directed-broadcast
!
interface Serial0/0.1
 ip address 10.1.1.93 255.255.0.0
 no ip directed-broadcast
 ip nat outside
!
interface Serial0/0.2
 ip address 10.1.1.205 255.255.0.0
 no ip directed-broadcast
 ip nat outside
!
interface Serial0/0.3
 ip address 10.1.1.204 255.255.0.0
 no ip directed-broadcast
 ip nat outside
!
ip nat inside source static 10.1.1.204 172.124.1.4
ip nat inside source static 10.1.1.205 172.124.1.5
ip classless
!
access-list 10 deny   192.168.0.6
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
banner motd ^C
Welcome!  Welcome to the MotoSat lab 2610!  IF you DARE mess wiht my
config, i'm gonna be on you like stink on shit.  Have a nice day! :D
^C
!
line con 0
 password woot
 login
 transport input none
line aux 0
line vty 0 4
 password woot
 login
!
end



so really my question is, how and why is ser0/0.1 bonded to eth 0/0? why would i want that? is that a good idea, bad idea? how do i get around that?
 
First off, why subinterfaces on the serial? Are you still WANning with FR? If so, you need FR encap. Second, if you are frame relay, you can't have subinterfaces in the same subnet (all 3 of yours are). You need to map the dlci's with point-to-point, or in this case, point-to-multipoint subinterfaces. One ip to map to more than one dlci. The nat is not the problem here. For NAT to work, or anything else for that matter, subinterfaces must all be in different subnets (frame relay, bridge groups, vlans, etc.). If you don't even have frame relay, then you don't even need subinterfaces! Hope this helps.

Tim
 
ser0/0 is a t1 coming from our isp, it's my understanding that you never assign ips to ser0/0, always to subinterfaces. But if i can't have subinterfaces on the same subnet, i very simply can't do what i want here, and that does indeed answer my question. I'm not sure if i need FR or not, i'm positive the ISP set up the cisco, so i'm gonna assume that it's set up that way for a reason. the solution we ended up with is setting it up similar to the old configuration (which meant spending another 1300 dollars on a firebox), then we just assigned all the needed public ip's to its WAN int and it works like a charm. wish i could have done it without the purchase, but c'est la vie. thanks very much for your help.
 
if its just a point to point t1 then there is no reason why you cannot assign an ip to s0/0.

if the isp is routing to you then you don't even need to assign your other ips to an interface. you can just create your nat rules and it will take care of it.

i don't see any purpose for the unnumbered setup on your router right now.

from the "wayyouwantit" picture it is very doable..
you can either assign the other ips as secondary ips on the main interface or just make nat rules and not worry about them.

my setup at home i have .1 assigned on my router... and nat rules that nat .253 and .245.. but i haven't physically assigned them anywhere on the router.
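
Added example, not part of the thread or any poster's code: a Python pre-deployment check for the two points made in the replies above, that numbered (sub)interfaces may not share a subnet and that static NAT rules stand on their own without the public addresses being assigned to interfaces. The sample is constructed from the lab config posted earlier and the function names are illustrative; the second check relies on the IOS argument order for `ip nat inside source static`, which is inside local address first, public (global) address second.

```python
import ipaddress
import re
from itertools import combinations

# Constructed sample: interface and NAT lines from the lab config in the thread.
LAB_CONFIG = """\
interface Ethernet0/0
 ip address 172.124.1.1 255.255.255.0
 ip nat inside
interface Serial0/0.1
 ip address 10.1.1.93 255.255.0.0
 ip nat outside
interface Serial0/0.2
 ip address 10.1.1.205 255.255.0.0
 ip nat outside
interface Serial0/0.3
 ip address 10.1.1.204 255.255.0.0
 ip nat outside
ip nat inside source static 10.1.1.204 172.124.1.4
ip nat inside source static 10.1.1.205 172.124.1.5
"""

def parse_interfaces(config):
    """Map interface name -> {'net': IPv4Network or None, 'nat': side or None}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), {"net": None, "nat": None})
        elif current is None or not line.startswith(" "):
            current = None  # left the interface block ("!" or a global command)
        elif m := re.match(r" ip address (\S+) (\S+)$", line):
            current["net"] = ipaddress.ip_interface("/".join(m.groups())).network
        elif m := re.match(r" ip nat (inside|outside)$", line):
            current["nat"] = m.group(1)
    return ifaces

def overlapping_interfaces(ifaces):
    """Pairs of numbered interfaces whose subnets overlap (IOS rejects these)."""
    nets = [(name, i["net"]) for name, i in ifaces.items() if i["net"]]
    return [(a, b) for (a, x), (b, y) in combinations(nets, 2) if x.overlaps(y)]

def misordered_static_nat(config, ifaces):
    """Static rules whose first (inside local) address is on no 'ip nat inside' subnet."""
    inside = [i["net"] for i in ifaces.values() if i["nat"] == "inside" and i["net"]]
    rules = re.findall(r"^ip nat inside source static (\S+) (\S+)\s*$", config, re.M)
    return [r for r in rules if not any(ipaddress.ip_address(r[0]) in n for n in inside)]

if __name__ == "__main__":
    parsed = parse_interfaces(LAB_CONFIG)
    print(overlapping_interfaces(parsed), misordered_static_nat(LAB_CONFIG, parsed))
```

On the lab config this reports all three serial subinterfaces as overlapping and both static rules as having the public address in the inside-local position; a config with one numbered outside interface and rules written local-first passes both checks.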
 