Simple virtual NAT question

2691 IOS 12.3(14)T6 SP Services

I am working on setting up a simple dynamic NAT connection to an ADSL ISP. The ISP's device is very simple and there is basically nothing I can do to fix that.

My setup is:

                  ---------
 == 172.20.10.0 ==|       |                        -------
                  | 2691  |                        |     |
 == 172.20.20.0 ==|    0/4|= 2.2.2.2 === 2.2.2.1 =| ISP |== 3.3.3.3
                  |       |                        | box |
 == 172.20.30.0 ==|       |                        -------
                  ---------

where 2.2.2.1 and 2.2.2.2 are valid IP addresses provided by the ISP. There are about 30 hosts (PCs) per private network. The ISP box will not NAT multiple connections.

Is this as simple as doing a

conf t
 int FE 0/4
  ip nat enable
  exit
 exit

or is there more to it than that? I am suspicious because the Cisco document (Configuring NAT for IP Address Conservation) appears too simple!

Thanks.

sPh

sphealey

You have to do a few things here.

First you have to define what you are NATting to (be it an interface or an IP address; you can do both). Then you have to indicate what traffic you are NATting. Because you have only 1 IP address on the public side, you will need to do a NAT overload.

A basic configuration would be something like this:

access-list 101 permit ip 172.20.0.0 0.0.31.255 any
ip nat inside source list 101 interface dialer1 overload

interface fastethernet0/0   !(or whatever your LAN interface is)
 ip nat inside

interface dialer1   !(the interface that is configured with your WAN IP address)
 ip nat outside

I usually indicate the WAN interface that has the IP address configured, as it's the easiest way I know.


Mike Rahl

I am looking at the "NAT virtual interface" option though, which seems to remove the requirement for defining outside and inside interfaces per the above-mentioned document.

sPh

sphealey

Why go with a virtual interface when everything can be done by NATting the outside interface?

The config should be simple to understand.

CK

CK

The Virtual NAT option just seemed like a very clean way to connect to the ISP without having to worry about affecting any other interface or function of the router (some of which are not under my jurisdiction). I am just having trouble grasping exactly what the options do, particularly how the access list comes into play when I simply want to allow full access from any connected network. Also the definition of vrf is unclear.

sPh

sphealey

A virtual interface is nothing but assigning multiple IPs to an interface. The primary IP will be recognised and the secondary IP is virtually working on the same interface. Like in the case of a VLAN topology, we can't have multiple IPs on a single interface by creating subinterfaces.

Maybe it helps.

CK

CK

Are you sure this is the same thing as Virtual NAT, which is a new feature under 12.3T? The examples in the Cisco document "Configuring NAT for IP Address Conservation" do not use more than one IP on the NAT'd interface, although they do apply a NAT pool to that interface.

Quoting: "The NAT Virtual Interface (NVI) feature removes the requirement to configure an interface as either NAT inside or NAT outside".

sPh

sphealey

A virtual interface is different from virtual NAT.

Go through the Cisco Router handbook available on Cisco.com for brief specifications of both.

CK

CK

To the OP:-

You should use ip nat inside, ip nat outside.

The reason is that there are hundreds of examples and documents available, and years of experience with it.

"ip nat enable" is barely documented; I can find only one example on cisco.com, which is more complex than I need or want (uses vrf) and is not complete. As you can see, no one here is willing/able to assist, whereas there is help available with conventional Cisco NAT.

I have been trying to get it working today and I am not able to so far.

int dialer 1
 ip nat enable
ip nat source list ACL.nat interface Dialer1 overload

When I add (yes, add; you don't need to take anything out) the following, NAT comes to life.

int dialer 1
 ip nat outside

int eth 0
 ip nat inside

ip nat inside source list ACL.nat interface Dialer1 overload

c837-k9o3sy6-mz.124-8.bin

Bod43

Well!

I have had a go with

c850-advsecurityk9-mz.124-6.T.bin

It seems to work there.

I have not tested it properly but by faking up some stuff it seems to do what is expected.

interface Loopback0
 ip address 1.1.1.1 255.255.255.0
 ip nat enable

interface BVI1
 ip address 10.3.3.2 255.255.255.0

ip nat source list ACL.nat.test interface Loopback0 overload

HR#sh ip nat tr
HR#sh ip nat nvi tr
HR#
HR#ping 1.1.1.2 source bvi 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1.1.1.2, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.2
.....
Success rate is 0 percent (0/5)
HR#sh ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
HR#sh ip nat nvi tr
Pro Source global      Source local       Destin  local      Destin  global
icmp 1.1.1.1:6         10.3.3.2:6         1.1.1.2:6          1.1.1.2:6
HR#

So:-

Back to the OP's issue.

I recommend sticking to the inside/outside thing. It is only one extra line after all and the previous reasons given are valid.

ip nat enable is very new and I would not recommend it unless you needed it.

If you insisted on using it you could try an IOS update.

I will try researching the supported IOS if I can figure out the feature to look for.

Bod43
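An added example, not code from any poster in this thread: Python that applies Cisco wildcard-mask semantics to the NAT access-list in Mike Rahl's reply (172.20.0.0 0.0.31.255) and audits rows in the `show ip nat nvi translations` layout Bod43 quoted, flagging translations whose local source the ACL would not permit or whose global source is not the single ISP-assigned address. The sample table, the audit function and the check itself are constructed assumptions; the 2.2.2.2 address and the 172.20.x.0 networks are the OP's.

```python
"""Added example (not from the thread): Cisco wildcard-mask matching for the
NAT ACL quoted above, plus an audit of 'show ip nat nvi translations' rows."""
import ipaddress
import re

def wildcard_match(addr, base, wildcard):
    """Cisco ACL wildcard semantics: a 1 bit in the mask means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# Constructed sample in the column layout Bod43 quoted; not real router output.
NVI_SAMPLE = """\
Pro Source global      Source local       Destin  local      Destin  global
tcp  2.2.2.2:1024      172.20.10.5:51000  3.3.3.3:80         3.3.3.3:80
tcp  2.2.2.2:1025      172.20.30.7:51001  3.3.3.3:443        3.3.3.3:443
tcp  2.2.2.2:1026      172.20.40.9:51002  3.3.3.3:443        3.3.3.3:443
udp  2.2.2.9:2000      172.20.20.3:53000  3.3.3.3:53         3.3.3.3:53
"""

ROW = re.compile(r"^(\w+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+):(\d+)$")

def parse_nvi(text):
    """Parse translation rows; the header line and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"proto": m.group(1),
                         "src_global": m.group(2), "src_local": m.group(4),
                         "dst_local": m.group(6), "dst_global": m.group(8)})
    return rows

def audit_nvi(rows, expected_global, acl_base, acl_wildcard):
    """Hypothetical check: report rows whose local source the NAT ACL would not
    permit, or whose global source is not the expected outside address."""
    findings = []
    for r in rows:
        if not wildcard_match(r["src_local"], acl_base, acl_wildcard):
            findings.append((r["src_local"], "not covered by NAT ACL"))
        if r["src_global"] != expected_global:
            findings.append((r["src_local"], "unexpected global " + r["src_global"]))
    return findings

if __name__ == "__main__":
    for f in audit_nvi(parse_nvi(NVI_SAMPLE), "2.2.2.2", "172.20.0.0", "0.0.31.255"):
        print(f)
```

The 0.0.31.255 wildcard covers 172.20.0.0 through 172.20.31.255, so the OP's three networks match but a 172.20.40.0 host would not.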

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.