NAT question

Hello,

I'm currently working on a 876 ISR router and having a couple of problems NAT'ing a device on the inside of the network. I'm just trying to get my head around one of the statements that the Cisco SDM generated. I wonder if someone could explain to me exactly what is meant by the following NAT statement:

ip nat inside source list 1 interface Dialer0 overload

Many thanks in advance. James Flockton


Maybe that helps? :-)

Hans


NAT the IP addresses of hosts living behind an interface marked as "inside" if the traffic is flowing to an interface marked as "outside".

Access-list 1 describes which hosts are to be NATed.

Interface Dialer0's actual address shall be used instead of the local hosts' IPs.

Rainer


Rainer Temme wrote:

This has been auto-added by the SDM application; the router currently does not have any ACLs bound to any interface or NAT statements yet.

Please see sh run below:

Current configuration : 4953 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service udp-small-servers
service tcp-small-servers
service sequence-numbers
!
hostname wibble
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 (hashed)
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.255 10.0.255.254
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.0.0 255.255.0.0
   dns-server (hashed)
   default-router 10.0.0.1
   domain-name (hashed)
!
!
ip finger
ip tcp synwait-time 10
ip domain name (hashed)
ip name-server (hashed)
ip name-server (hashed)
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-1211653751
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1211653751
 revocation-check none
 rsakeypair TP-self-signed-1211653751
!
!
crypto pki certificate chain TP-self-signed-(hashed)
 (hashed)
 quit
username (hashed) privilege 15 secret 5 (hashed)
!
!
!
!
!
!
interface ATM0
 no ip address
 ip mask-reply
 ip directed-broadcast
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip mask-reply
 ip directed-broadcast
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 description (hashed)
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.0.0
 ip mask-reply
 ip directed-broadcast
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address (hashed)
 ip mask-reply
 ip directed-broadcast
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname (hashed)
 ppp chap password 7 (hashed)
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 10.0.0.254 (hashed)
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.255.255
dialer-list 1 protocol ip permit
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Dudes,

Basically what I'm attempting to achieve is a device on the inside, which is an H.323 device, appearing on the outside with a public address without using NAT. I would prefer not to use NAT as it is not re-writing the IP payload with the correct external address. But I would use it if I could get the NAT functioning correctly.

Does anyone know if I can get this working correctly by using 'route-map' based on ACLs?

This is a Cisco 877 ISR router BTW.

Thanks James



Dialer0 is using ATM0.1 to 'dial'. Dialer0 is outside.

ACL 1 permits 10.0.*.*

Vlan1 (your local network) is 10.0.0.1 in network 10.0.*.*. Vlan1 is inside.

The default route goes to Dialer0.

So all traffic coming from 10.0.*.* hosts (on Vlan1) that are sending traffic to anything other than 10.0.*.* destinations is routed out on Dialer0/ATM0.1 and is NATed to Dialer0's actual address.

Rainer

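The three parts of the statement that Rainer takes apart above (inside vs outside interface, "list 1", "overload") can be watched on sample packets with a small model. This is an added example written for this thread, not code from the thread or from Cisco IOS: the Dialer0 address, the remote hosts and the ports are constructed values, and the class names are mine.

```python
"""Model of `ip nat inside source list 1 interface Dialer0 overload`.

Added example, not from the thread or from Cisco IOS: a small Python model
of what the router does with that statement. Dialer0's address, the remote
hosts and the ports are constructed.
"""
import ipaddress

# Dialer0's "actual address": constructed, taken from a documentation range.
DIALER0_ADDR = "203.0.113.7"

# access-list 1 permit 10.0.0.0 0.0.255.255 -> wildcard 0.0.255.255 is /16
ACL_1 = [ipaddress.ip_network("10.0.0.0/16")]


def list_1_permits(src):
    """The 'list 1' part: only sources matched by access-list 1 are translated."""
    return any(ipaddress.ip_address(src) in net for net in ACL_1)


class OverloadNat:
    """Port Address Translation: many inside hosts share one outside address."""

    def __init__(self, outside_addr, first_spare_port=1024):
        self.outside_addr = outside_addr
        self.next_spare = first_spare_port
        self.out_map = {}  # (inside_ip, inside_port, proto) -> outside_port
        self.in_map = {}   # (outside_port, proto) -> (inside_ip, inside_port)

    def _outside_port(self, key):
        inside_ip, inside_port, proto = key
        if key in self.out_map:
            return self.out_map[key]
        # Keep the original source port when nobody else holds it (IOS does the
        # same), otherwise hand out a spare one: that is the "overload".
        port = inside_port
        while (port, proto) in self.in_map:
            port = self.next_spare
            self.next_spare += 1
        self.out_map[key] = port
        self.in_map[(port, proto)] = (inside_ip, inside_port)
        return port

    def inside_to_outside(self, pkt):
        """Packet entering on Vlan1 (ip nat inside), leaving on Dialer0 (ip nat outside)."""
        if not list_1_permits(pkt["src"]):
            return dict(pkt)  # not in list 1: routed, but untranslated
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        new = dict(pkt)
        new["src"] = self.outside_addr
        new["sport"] = self._outside_port(key)
        return new

    def outside_to_inside(self, pkt):
        """Return traffic arriving on Dialer0: only an existing entry is translated;
        an unsolicited packet gets no translation and never reaches an inside host."""
        key = (pkt["dport"], pkt["proto"])
        if pkt["dst"] != self.outside_addr or key not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[key]
        new = dict(pkt)
        new["dst"], new["dport"] = inside_ip, inside_port
        return new


def demo():
    nat = OverloadNat(DIALER0_ADDR)
    # Two Vlan1 hosts that happen to use the same source port (constructed packets).
    a = nat.inside_to_outside({"src": "10.0.0.50", "sport": 40000, "dst": "198.51.100.9", "dport": 80, "proto": "tcp"})
    b = nat.inside_to_outside({"src": "10.0.3.9", "sport": 40000, "dst": "198.51.100.9", "dport": 80, "proto": "tcp"})
    # The reply for b comes back to Dialer0's address and the port b was given.
    reply_b = nat.outside_to_inside({"src": "198.51.100.9", "sport": 80, "dst": DIALER0_ADDR, "dport": b["sport"], "proto": "tcp"})
    # Unsolicited inbound traffic: no entry, so no translation.
    unsolicited = nat.outside_to_inside({"src": "198.51.100.9", "sport": 80, "dst": DIALER0_ADDR, "dport": 2222, "proto": "tcp"})
    # A source outside list 1 is left alone.
    c = nat.inside_to_outside({"src": "192.168.1.5", "sport": 40000, "dst": "198.51.100.9", "dport": 80, "proto": "tcp"})
    return a, b, reply_b, unsolicited, c


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The second host gets a different outside port only because the first one already holds 40000 on Dialer0's address; that per-port entry is also what lets the router map a reply back to the right inside host, and why a packet that matches no entry is simply not forwarded inside.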

Not sure, but ...

ip nat service ras

might help

Rainer


Thanks very much for the help, but the 'ip nat service ras' does not work. For some reason or another, whenever I enter the command it does not add it to the running config. The only thing I think it can be is that the router does not support that feature....

I have added the following commands, but it is still not re-writing the H.225 messages with the correct external IP address. IP headers are perfect, but the RAS messages are carrying the internal address of 10.0.0.254 in the payload.

Can anyone think of a way of making this device have a public IP address but still be on the switch that is on the back of the router without using NAT?

The following commands have been added to the config, which is working but RAS is not:

ip nat inside source route-map No-BC-Internet interface Dialer0 overload
ip nat inside source static 10.0.0.254 xxx.xxx.xxx.xxx route-map BC-Internet extendable
!
ip access-list extended BC-Internet
 permit ip host 10.0.0.254 any
ip access-list extended No-BC-Internet
 deny ip host 10.0.0.254 any
 permit ip 10.0.0.0 0.0.255.255 any
!
dialer-list 1 protocol ip permit
!
route-map BC-Internet permit 10
 match ip address BC-Internet
!
route-map No-BC-Internet permit 10
 match ip address No-BC-Internet

Many thanks in advance for all your help. James Flockton



Rainer,

Thank you for your feedback, but I understand that, as I wrote the config; in actual fact the device on 10.0.0.254 is being routed out of another IP address by the use of the route-map statements. This is the device that is causing me the problem. The router is not re-writing the H.245 messages on the outside egress with the correct external address. All other protocols that I have tried are working perfectly, like HTTPS, HTTP, Telnet, SSH. It's just RAS that is not working by the look of it!

Is there a way of designating a physical port which will be another outside port, so I can utilise the subnet allocated to me by the ISP? I want the IP 10.0.0.254 to be changed to a different public IP address so I can have a totally unfiltered, un-NAT'd device free and available publicly.

Many thanks, James Flockton


Theoretically yes, but I doubt that it would practically work...

Given 150.150.150.0/29 would be the subnet allocated to you by your provider, and you choose the 150.150.150.1 to be the public ip of the device that needs h323, and the internal ip is 10.0.0.254 ... you could:

exclude 10.0.0.254 from being NATed in list 1

route 150.150.150.2 255.255.255.255 10.0.0.254 so the traffic would be forwarded to this host

assign 150.150.150.2 as a secondary address on this host.

Incoming h323 calls might work with that, but outgoing calls will (likely) still use the 10.0.0.254 as source address.

-----

According to Cisco's descriptions they do have proper NAT support for h323 (including ip and port translation in the payload).

Disable all NAT except for what was shown in your config (10.0.*.* -> Dialer0). In particular disable all attempts to do something special for 10.0.0.254 ... then do a

debug ip nat h323
terminal monitor

and make a connection attempt.

BTW... the fact that ip nat service ras and ip nat service h225 are not shown when you do a "show run" is due to that being the default ... if you disabled it (with no ip nat service ...) it would be displayed (but then the feature would be switched off).

Rainer

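James's observation earlier in the thread (IP headers correct, RAS payload still carrying 10.0.0.254) and Rainer's point that the payload fix is a separate, default-on service (ip nat service ras / h225) describe the same thing from two sides: a plain translation rewrites the header only, and an application-layer gateway is what parses the H.225 RAS payload, rewrites the embedded call-signalling address and installs the entry that the gatekeeper's later inbound call needs. The block below is an added example illustrating that split, not code from the thread or from Cisco. Real RAS is ASN.1 PER encoded; the payload layout used here (tag byte 0x01, 4 address bytes, 2-byte port) is a constructed stand-in, the public address is a constructed value, and the function names are mine.

```python
"""Why a header-only NAT left 10.0.0.254 inside the RAS messages.

Added example, not from the thread or from Cisco code. The payload layout
is a constructed stand-in for a RAS registrationRequest carrying the
endpoint's callSignalAddress; the public address is constructed.
"""
import socket
import struct

INSIDE_ADDR = "10.0.0.254"   # the H.323 device from the thread
PUBLIC_ADDR = "203.0.113.7"  # constructed: the static mapping's public address
H225_PORT = 1720             # H.225 call-signalling port advertised in the RRQ
TAG_ADDR = 0x01              # constructed tag marking an embedded transport address


def build_ras_payload(ip, port):
    """Constructed stand-in for a registrationRequest with a callSignalAddress."""
    return bytes([TAG_ADDR]) + socket.inet_aton(ip) + struct.pack("!H", port)


def parse_embedded_addr(payload):
    """Extract the embedded (ip, port); raises on an unexpected layout."""
    if len(payload) < 7 or payload[0] != TAG_ADDR:
        raise ValueError("no embedded transport address")
    return socket.inet_ntoa(payload[1:5]), struct.unpack("!H", payload[5:7])[0]


def header_only_nat(pkt, inside, public):
    """What the translation statement does on its own: header rewritten, payload untouched."""
    new = dict(pkt)
    if new["src"] == inside:
        new["src"] = public
    return new


def ras_alg_nat(pkt, inside, public, entries):
    """Header rewrite plus ALG: fix the embedded address and open the matching
    inbound entry (public, port) -> (inside, port) for the later H.225 call."""
    new = header_only_nat(pkt, inside, public)
    ip, port = parse_embedded_addr(new["payload"])
    if ip == inside:
        new["payload"] = build_ras_payload(public, port)
        entries[(public, port)] = (inside, port)
    return new


def inbound_call_target(dst, dport, entries):
    """Where a gatekeeper's call setup to dst:dport lands; None means it is dropped."""
    return entries.get((dst, dport))


def demo():
    # Constructed RRQ from the inside device to a gatekeeper (RAS runs on UDP 1719).
    rrq = {"src": INSIDE_ADDR, "dst": "198.51.100.20", "sport": 1719, "dport": 1719,
           "payload": build_ras_payload(INSIDE_ADDR, H225_PORT)}
    plain = header_only_nat(rrq, INSIDE_ADDR, PUBLIC_ADDR)
    entries = {}
    with_alg = ras_alg_nat(rrq, INSIDE_ADDR, PUBLIC_ADDR, entries)
    return {
        "plain_header_src": plain["src"],
        "plain_embedded": parse_embedded_addr(plain["payload"]),   # still 10.0.0.254
        "alg_embedded": parse_embedded_addr(with_alg["payload"]),  # now the public address
        "call_lands_on": inbound_call_target(PUBLIC_ADDR, H225_PORT, entries),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The "plain" result is exactly the symptom in the thread: the gatekeeper sees a correct source header but is told to place calls to 10.0.0.254:1720, an address it cannot reach. With the ALG path the advertised address is the public one and an entry exists for it, so the gatekeeper's inbound call setup has somewhere to land.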

Rainer,

Many thanks again for your help on this matter. The information you have provided me with is very useful.

I will try the debug and post the outputs here.

Do you think this will be possible?

To create a VLAN on the switch built into the router that will have a subnet associated with it that is a split of the network provided by the ISP, state that the VLAN is outside, then bind the H.323 device to that VLAN and give it a public IP address? I guess it will not work, bearing in mind that the switch is layer 2 and I cannot have multiple VLAN IP addresses, so I cannot have a default gateway running on the router.... Is there any other way I can do this using VLAN routing or anything?

Starting to pull my hair out now!

James Flockton

If I take the network which has been given to me i.e. 80.1.2.3.4/26

If I create another subnet from the network given to me from the ISP



James,

I tried that on a 1812 ... and it seems to work ... but I have to admit I haven't done much with VLANs so far ...

my 1812 has a group of switchports (fast2 ... fast9)

I did a

int vlan1 ip address 10.0.0.1 ... vlan-id dot1q 10 ...

int fast2 vlan-id dot1q 10 ...

... don't forget to include all ports needed into vlan-id 10 ...

int vlan2 ip address 150.150.150.1 ..... vlan-id dot1q 20 ...

int fast3 vlan-id dot1q 20 ...

so, seems that your idea would work.

But you should set up a dedicated access-list, because with this config your host is exposed to the internet!! (as is your router on the IP that the vlan2 interface holds)

Rainer


Rainer,

Thanks very much for your response; is it not the case that you can only have one active IP address per VLAN on layer 2 switches? I'm going to give this a try though. I will let you know.

Again thanks a million for all your help!

James Flockton


Rainer,

Just wanted to let you know I have sorted out my client's problem and it is now working perfectly without the NASTY NAT running!

I simply took the subnet that had been provided to me by the service provider, split it again, put one subnet on the dialer interface and the other onto the new VLAN.

Placed the port with the H.323 device onto the new VLAN, gave it a public IP and the VLAN's address as default gateway. And all is fine. The client has signed it off and everyone is happy, including me!!

Thanks very much for all your help, hope to speak to you again soon.

James



Well done, at least one thing sorted out. (I bet some more stuff is waiting for your attention ;-) )

Rainer

