
Configure Cisco router overload NAT (IOS 15)


I am attempting to configure a Cisco 2901 router using IOS 15 to properly perform NAT/PAT translation between the LAN and the internet connection. I've configured a DHCP pool for the local interface, which works properly (even using an additional switch, wireless access point, ...). Likewise, the WAN interface is configured to obtain its own IP by DHCP from the ISP. I can work on the LAN computers and I can access the internet directly from the router (using, for example, telnet and the router's ping commands).

The problem is, NAT does not work properly and connections from the LAN interface (GigabitEthernet0/1) do not reach the WAN interface (GigabitEthernet0/0).



I have followed several guides on the matter (e.g. http://www.itsyourip.com/cisco/how-to-configure-nat-in-cisco-ios-nat-overload/), but it seems that no matter what I do, NAT just doesn't seem to work. I have tried both the interface GigabitEthernet0/0 overload NAT inside source list and the NAT pool source list (the pool being the current ISP-assigned IP) described in the guides.



Attached is the complete configuration, hoping someone finds the problem I have missed.




Current configuration : 2007 bytes
!
! Last configuration change at 19:59:30 UTC Wed Jul 6 2011
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname odin
!
boot-start-marker
boot-end-marker
!
enable secret 5 enablesecret
enable password enablepassword
!
no aaa new-model
!
no ipv6 cef
ip source-route
no ip routing
no ip cef
!
ip dhcp excluded-address 10.1.1.1 10.1.1.10
!
ip dhcp pool lan
 import all
 network 10.1.1.0 255.255.255.0
 default-router 10.1.1.1
 dns-server 8.8.8.8
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid licensepid sn licensesn
!
redundancy
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface ISM0/0
 no ip address
 no ip route-cache
 shutdown
 service-module fail-open
 no cdp enable
 hold-queue 60 out
!
interface ISM0/1
 no ip address
 no ip route-cache
 shutdown
 no cdp enable
!
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
snmp-server community snmp_lan RO
!
control-plane
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
line aux 0
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 password password
 login
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end



UPDATE 1:



Tried specifying outbound rules by adding




interface GigabitEthernet0/0
 ip access-group lan_out out
!
ip access-list extended lan_out
 permit ip any any


but to no avail.




After that, I also tried utilizing NAT pools and route maps, resulting in



ip nat pool lan_np 1.2.3.135 1.2.3.135 prefix-length 24
ip nat inside source route-map natmap pool lan_np overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 permanent
!
ip access-list extended lan_out
 permit ip any any
!
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
!
route-map natmap permit 10
 match ip address lan_out


Both with and without any combination of ip route 0.0.0.0 0.0.0.0 and either interface GigabitEthernet0/0 or the ISP default gateway IP. This results in a sh ip nat st of:




offblast_odin#sh ip nat st
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0, occurred 02:58:27 ago
Outside interfaces:
  GigabitEthernet0/0
Inside interfaces:
  GigabitEthernet0/1
Hits: 0  Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 2] route-map natmap pool offblast_lan_np refcount 0
 pool offblast_lan_np: netmask 255.255.255.0
        start 1.2.3.135 end 1.2.3.135
        type generic, total addresses 1, allocated 0 (0%), misses 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0



Sadly, nothing so far worked. Full final configuration.



Answer




Can you show the output of 'sh ip nat stat' and 'sh ip nat tran'?



I think the config looks correct. Did you try applying an ACL on the outside interface to specifically allow the traffic?




interface GigabitEthernet0/0
 ip access-group OUTBOUND out
!
ip access-list extended OUTBOUND
 permit ip any any



Here's a working example from an 1800 series:




interface FastEthernet0
 description $FW_OUTSIDE$
 bandwidth 34000
 ip address 1.2.3.141 255.255.255.240
 ip access-group OUTBOUND out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
!
interface FastEthernet1
 description $FW_INSIDE$
 bandwidth 34000
 ip address 192.168.0.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 load-interval 60
 duplex auto
 speed auto
!
ip nat pool GLOBAL_IP_POOL 1.2.3.139 1.2.3.141 prefix-length 24
ip nat inside source route-map natmap pool GLOBAL_IP_POOL overload
!
ip access-list extended natrules
 deny ip 192.168.0.0 0.0.0.255 10.180.3.0 0.0.0.255
 permit ip 192.168.0.0 0.0.255.255 any
!
route-map natmap permit 10
 match ip address natrules


Hope this helps.




Edited:



I cannot spot anything weird with your config. Since you seem not to have any hits in the translation tables at all, there must be a problem either on the connectivity or configuration on the client, or simply an access-list that denies the traffic.



Can you:



1) ping from the router, making sure you do it from the correct interface by entering:




ping 8.8.8.8 source 10.1.1.1





2) show access-lists




I set up three routers in a lab and configured RIP + NAT, and it works just as it is. The router in question (http://pastebin.com/eQyempV9) and the remote router that specifically denies the internal network of 'the router in question'.
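A config check I would run over a running-config like the one in the question, added here as an example and not part of either post: it walks the global and interface-level lines and reports the prerequisites that 'ip nat inside source list ... interface ... overload' depends on (an outside interface, an ACL that actually matches the inside network, and a router that forwards packets at all). The constructed sample is a condensed copy of the posted config; the checker flags its 'no ip routing' line, which turns the router into an IP host, so no LAN packet is ever forwarded or translated. Function names, messages and the sample are mine.

```python
import re
from ipaddress import IPv4Address

# Constructed sample: a condensed copy of the running-config posted in the question.
SAMPLE_CONFIG = """\
no ip routing
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
interface GigabitEthernet0/1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0 overload
access-list 1 permit 10.1.1.0 0.0.0.255
"""

def _wildcard_match(addr, network, wildcard):
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)  # IOS ACL semantics: wildcard bits set to 1 are ignored

def nat_findings(config):
    # Returns the reasons why overload NAT cannot translate in this config (empty if none).
    findings, nat_role, if_addr, acls = [], {}, {}, {}
    current_if, nat_rule = None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current_if = None  # unindented line: back in global configuration
        if line.startswith("interface "):
            current_if = line.split()[1]  # entering interface sub-mode
        elif current_if:
            if line in ("ip nat inside", "ip nat outside"):
                nat_role[current_if] = line.split()[2]
            elif m := re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", line):
                if_addr[current_if] = m.group(1)
        elif line == "no ip routing":
            findings.append("'no ip routing': the router does not forward packets, so NAT never sees transit traffic")
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            nat_rule = m.groups()
        elif m := re.match(r"access-list (\S+) permit (\S+) (\S+)", line):
            acls.setdefault(m.group(1), []).append(m.groups()[1:])
    if nat_rule is None:
        return findings + ["no 'ip nat inside source list ... overload' statement"]
    acl_id, out_if = nat_rule
    if nat_role.get(out_if) != "outside":
        findings.append(f"{out_if} is the overload interface but is not marked 'ip nat outside'")
    for name, role in nat_role.items():  # every inside network must be matched by the ACL
        if role == "inside" and name in if_addr and not any(
                _wildcard_match(if_addr[name], n, w) for n, w in acls.get(acl_id, [])):
            findings.append(f"access-list {acl_id} does not match the inside network on {name}")
    return findings
```

Run against the full config from the question the same check applies; the interface-level 'no ip route-cache' lines are not a NAT blocker and are deliberately ignored.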


