Turn off Cisco NAT

Status
Not open for further replies.

cherisc (ISP, US), Dec 9, 2004
Hello,

I have a network with a Cisco 2800 that was the firewall for the network. I placed a SonicWALL router between the Cisco and the T1 Internet connection. The Cisco is currently using NAT, so the SonicWALL logs are all showing the IP address from the connected Cisco IP address.

Here is the IP address scheme:

SonicWALL WAN: xxx.xxx.xxx.202
SonicWALL LAN: 10.166.42.100 255.255.255.0

Cisco FA0/0
interface FastEthernet0/0
description <== Internet Connection ==>
ip address 10.166.42.101 255.255.255.0
ip access-group out2in in
ip inspect inet out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable

Cisco FA0/1
interface FastEthernet0/1
description <==Internal LAN==>
ip address 10.166.40.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto

Here is the NAT command:
ip nat inside source list 1 interface FastEthernet0/0 overload

Here is the default gateway:
ip route 0.0.0.0 0.0.0.0 10.166.42.100

What I want to do is turn off NAT in the Cisco, so that the real IP addresses are logged in the SonicWALL.

When I issue the no commands to remove the ip nat inside..., we lose Internet. This also happens if I try to remove the NAT commands from either or both Fast Ethernet interfaces.

Any help would be appreciated.

Thank you
 
When you turn off NAT on your Cisco you will be passing traffic from the 10.166.40.0/24 subnet,
so you'll need to add a static route on the SonicWALL pointing back to your LAN.

The route goes on the SonicWALL:
10.166.40.0 255.255.255.0 10.166.42.101
 
I'll try that. Thank you. I haven't worked with Ciscos in over 3 years, so this is all coming back to me.
 
This is not working. When I take out the NAT commands, I get no Internet. Here is my running config:

no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service linenumber

hostname xxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 10000 warnings
logging monitor informational
enable secret 5
enable password 7
!
no aaa new-model
!
resource policy
!
clock timezone utc 0
no network-clock-participate wic 1
no network-clock-participate wic 2
ip subnet-zero
no ip source-route
!
!
ip cef
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 900
ip inspect one-minute high 1100
ip inspect one-minute low 900
ip inspect tcp max-incomplete host 40 block-time 0
ip inspect name inet tcp
ip inspect name inet udp
ip inspect name inet cuseeme
ip inspect name inet ftp
ip inspect name inet h323
ip inspect name inet http
ip inspect name inet rcmd
ip inspect name inet realaudio
ip inspect name inet smtp
ip inspect name inet sqlnet
ip inspect name inet streamworks
ip inspect name inet tftp
ip inspect name inet vdolive
!
!
no ip domain lookup
ip domain name xxx.local
ip host xxxxxxx 10.165.2.1
ip name-server 10.166.40.51
login delay 5
!
!
!
crypto .......
!
!
crypto pki certificate .......

username xxxxx privilege 15 password 7
username xxxxxxxxxxx privilege 6 secret 5
!
!
controller T1 0/1/0
framing xxx
linecode xxxx
channel-group 1 timeslots 1-12
description
!
controller T1 0/1/1
framing xxx
clock source internal
linecode xxxx
channel-group 1 timeslots 1-24
description
!
controller T1 0/2/0
framing xxx
linecode xxxx
channel-group 1 timeslots 1-12
description
!
controller T1 0/2/1
framing xxx
linecode xxxx
channel-group 1 timeslots 1-24
description
!
class-map match-any VOIP
match ip dscp ef
!
!
policy-map VOIP
class VOIP
compress header ip rtp
priority percent 60
class class-default
fair-queue
!
!
!
!
!
interface FastEthernet0/0
description <== Internet Connection ==>
ip address 10.166.42.101 255.255.255.0
ip access-group out2in in
ip inspect inet out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description <==Internal LAN==>
ip address 10.166.40.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Serial0/1/0:1
description
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
shutdown
max-reserved-bandwidth 100
service-policy output VOIP
!
interface Serial0/1/1:1
description
ip address 10.1.2.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
max-reserved-bandwidth 100
service-policy output VOIP
!
interface Serial0/2/0:1
description
ip address 10.1.3.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
max-reserved-bandwidth 100
service-policy output VOIP
!
interface Serial0/2/1:1
description
ip address 10.1.4.1 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
no ip route-cache cef
no ip route-cache
max-reserved-bandwidth 100
service-policy output VOIP
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.166.42.100
ip route 10.165.2.1 255.255.255.255 10.166.40.1
ip route 10.166.40.1 255.255.255.255 FastEthernet0/1
ip route 10.166.41.0 255.255.255.0 Serial0/1/1:1
ip route 10.166.43.0 255.255.255.0 Serial0/2/0:1
ip route 10.166.44.0 255.255.255.0 Serial0/2/1:1
ip route 10.251.16.0 255.255.255.0 FastEthernet0/1
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip access-list extended out2in
remark Block outside icmp requests
deny icmp any any echo
remark Permit outgoing icmp requests
permit icmp any xxx.xxx.xxx.xxx 0.0.0.7 administratively-prohibited
permit icmp any xxx.xxx.xxx.xxx 0.0.0.7 echo-reply
permit icmp any xxx.xxx.xxx.xxx 0.0.0.7 packet-too-big
permit icmp any xxx.xxx.xxx.xxx 0.0.0.7 time-exceeded
permit icmp any xxx.xxx.xxx.xxx 0.0.0.7 traceroute
permit icmp any xxx.xxx.xxx.xxx 0.0.0.7 unreachable
permit icmp any any echo-reply
remark Permit tcp traffic originating from Inside
permit tcp any any established
permit udp any host xxx.xxx.xxx.xxx eq domain
remark Block ip spoofing
deny ip 127.0.0.0 0.255.255.255 any
deny ip any any
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
control-plane
!
!
banner login ^CC

Banner
W A R N I N G W A R N I N G W A R N I N G W A R N I N G
^C
privilege exec level 6 show startup-config
privilege exec level 6 show
!
line con 0
exec-timeout 5 0
password 7
logging synchronous
login local
transport preferred none
line aux 0
exec-timeout 0 0
password 7
logging synchronous
login
modem InOut
modem autoconfigure type xxx_xxx
transport input all
stopbits 1
speed xxxx
flowcontrol hardware
line vty 0 4
access-class management in
exec-timeout 5 0
privilege level 15
password 7
logging synchronous
login local
transport preferred none
transport input telnet
line vty 5 15
access-class management in
exec-timeout 5 0
privilege level 15
password 7
logging synchronous
login local
transport preferred none
transport input telnet
line vty xx xxx
exec-timeout 0 0
password 7
logging synchronous
login
!
scheduler allocate 20000 1000
ntp clock-period xxxxxxxxxx
ntp server xxx.xxx.xxx.xxx
!
end
 
Is the SonicWALL set up for NAT? Where does your traceroute end?

“Reserve your right to think, for even to think wrongly is better than not to think at all”

 
One of the devices must NAT, either the Sonic Wall or the Cisco.

Burt
 
Yes, I want the SonicWALL to be the NAT device, and I want to turn NAT off on the Cisco. I believe I figured it out; I need to enter more routes on the SonicWALL. I'll post tomorrow.
 
You will need a route for every subnet that will be using that SonicWALL as a gateway.
The SonicWALL needs to know about your subnets or the packets will be dropped.
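An added example, not from the thread or either vendor: a short Python script that reads the Cisco config posted above and lists every return route the SonicWALL needs once NAT is removed from the Cisco, with the Cisco's outside address 10.166.42.101 as next hop, so no internal prefix is left without a path back (the failure that drops Internet access here). The config excerpt is constructed from the posted running config, trimmed to the relevant lines, with the leading space IOS puts on interface sub-commands restored.

```python
import ipaddress

# Constructed excerpt of the thread's running config (interface addresses, NAT roles, static routes).
RUNNING_CONFIG = """\
interface FastEthernet0/0
 ip address 10.166.42.101 255.255.255.0
 ip nat outside
interface FastEthernet0/1
 ip address 10.166.40.20 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 10.166.42.100
ip route 10.165.2.1 255.255.255.255 10.166.40.1
ip route 10.166.40.1 255.255.255.255 FastEthernet0/1
ip route 10.166.41.0 255.255.255.0 Serial0/1/1:1
ip route 10.166.43.0 255.255.255.0 Serial0/2/0:1
ip route 10.251.16.0 255.255.255.0 FastEthernet0/1
"""

def parse_interfaces(text):
    """Map interface name -> {'ip', 'net', 'nat'} from the IOS 'interface' blocks."""
    ifaces, name = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            name = line.split(None, 1)[1]
            ifaces[name] = {"ip": None, "net": None, "nat": None}
        elif not raw.startswith(" "):
            name = None                      # column-0 command: left the interface block
        elif name and line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            ifaces[name]["ip"] = ip
            ifaces[name]["net"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif name and line.startswith("ip nat "):
            ifaces[name]["nat"] = line.split()[2]   # 'inside' or 'outside'
    return ifaces

def sonicwall_return_routes(text):
    """(network, mask, next-hop) triples the SonicWALL needs: every prefix behind the Cisco via its outside IP."""
    ifaces = parse_interfaces(text)
    outside = next(i for i in ifaces.values() if i["nat"] == "outside")
    nets = {i["net"] for i in ifaces.values() if i["nat"] == "inside" and i["net"]}
    for line in text.splitlines():               # add the Cisco's non-default static routes
        p = line.split()
        if p[:2] == ["ip", "route"] and p[2] != "0.0.0.0":
            nets.add(ipaddress.ip_network(f"{p[2]}/{p[3]}"))
    keep = []   # drop host routes already covered by a wider prefix (e.g. 10.166.40.1/32)
    for net in sorted(nets, key=lambda n: (n.prefixlen, n)):
        if not any(net.subnet_of(k) for k in keep):
            keep.append(net)
    return [(str(n.network_address), str(n.netmask), outside["ip"]) for n in keep]
```

Each triple is one static route to enter on the SonicWALL LAN side; the default route on the Cisco stays as it is.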
 