IP Addresses Block and NAT
elegua
Member Posts: 282
in CCNA & CCENT
Hi Guys,
I want to use all my available IPs dynamically and use one static for access from the outside to my access server (Router 2511). Is this NAT configuration suitable for this task? Any help will be great.
IP BLOCK: 206.xx.xx.224 - 206.xx.xx.231 / 255.255.255.248
Net Address: 206.xx.xx.224
Default Gateway: 206.xx.xx.231
Usable IPs: 206.xx.xx.225 - 206.xx.xx.230
Configuration:
ip nat pool IP-BLOCK 206.xx.xx.224 206.xx.xx.231 netmask 255.255.255.248
ip nat inside source list NAT pool IP-BLOCK overload
ip nat inside source static 192.168.200.2 206.xx.xx.230   --->> Static NAT to 2511
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
Thanks in advance.
Comments
mikearama Member Posts: 749
3 errors worth noting...
You included .231 in your pool, when it's the broadcast addy of your range. It's not a valid IP, so remove it.
You want a static NAT to .230, which you've set up properly. But then you also went ahead and used it in your pool as well. That means it's available for dynamic mapping as well as static... this will cause you grief.
And .224 is the network address... it's not available either.
To correct all those issues, your pool line should be:
ip nat pool IP-BLOCK 206.xx.xx.225 206.xx.xx.229 netmask 255.255.255.248
Also, just so you know, when you 'overload' a pool of addresses, only the first ip in the range gets used, and it gets PAT'ted through all available ports (65000 and change). Only if all ports are used will the next IP in the pool get cascaded to. That's why 'overload' is typically used with a single public IP. Nonetheless, you're on the right track.
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
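The three pool mistakes Mike lists above (network address, broadcast address, and an address already used by the static entry) are easy to check mechanically. This is an added example, not code from the thread; it uses the constructed block 203.0.113.224/29 as a stand-in for the masked 206.xx.xx.224/29, and derives the corrected pool range the same way Mike did.

```python
import ipaddress

# Constructed stand-in for the thread's masked 206.xx.xx.224/29 block (TEST-NET-3).
BLOCK = ipaddress.ip_network("203.0.113.224/29")


def check_nat_pool(block, pool_start, pool_end, static_globals=()):
    """Return the problems with an 'ip nat pool START END' range inside BLOCK.
    Reproduces the review points from the thread: the pool must not include
    the network or broadcast address, and must not overlap an address already
    used as the inside-global side of a static NAT entry.
    """
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    reserved = {ipaddress.ip_address(a) for a in static_globals}
    if start > end:
        return [f"pool start {start} is after pool end {end}"]
    problems = []
    for n in range(int(start), int(end) + 1):
        addr = ipaddress.ip_address(n)
        if addr not in block:
            problems.append(f"{addr} is outside {block}")
        elif addr == block.network_address:
            problems.append(f"{addr} is the network address, not a usable IP")
        elif addr == block.broadcast_address:
            problems.append(f"{addr} is the broadcast address, not a usable IP")
        if addr in reserved:
            problems.append(f"{addr} is also the global address of a static NAT")
    return problems


def first_free_range(block, static_globals=()):
    """First contiguous run of usable hosts not taken by a static NAT entry,
    as (first, last) strings ready for a corrected 'ip nat pool' line."""
    reserved = {ipaddress.ip_address(a) for a in static_globals}
    run = []
    for host in block.hosts():          # hosts() already skips network/broadcast
        if host in reserved:
            if run:
                break                   # the run ends at the first reserved address
            continue                    # skip reserved addresses before the run starts
        run.append(host)
    return (str(run[0]), str(run[-1])) if run else None


if __name__ == "__main__":
    static = ["203.0.113.230"]          # the 2511's static inside-global address
    for p in check_nat_pool(BLOCK, "203.0.113.224", "203.0.113.231", static):
        print("problem:", p)
    first, last = first_free_range(BLOCK, static)
    print(f"ip nat pool IP-BLOCK {first} {last} netmask {BLOCK.netmask}")
```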
dtlokee Member Posts: 2,378
Why overlap the dynamic range with the static mapping? Why not exclude the subnet address? (I know that is what the mask is for, but I usually don't include them.) You are overlapping your ISP's router IP address in the range; that's not good.
I would only use 1 or 2 addresses for the dynamic range and leave the others for static allocation later. The way Cisco NAT will dynamically close unneeded sessions, you will not run out with a single overloaded IP address, but using 2 will back it up so you don't run into trouble.
The only easy day was yesterday!
Netstudent Member Posts: 1,693
nevermind
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
elegua Member Posts: 282
Hi Guys,
Taking a little from both, I ended up with this:
ip nat pool IP-BLOCK 206.xx.xx.225 206.xx.xx.226 netmask 255.255.255.248
ip nat inside source list NAT pool IP-BLOCK overload
ip nat inside source static 192.168.200.2 206.xx.xx.230   --->> Static NAT to 2511
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
I'll use only 2 IPs dynamically and the rest I'll use later. Is this correct, or am I missing something else?
Thanks in advance.
mikearama Member Posts: 749
Yep, that's better.
Now all you'd have to do is apply it to an interface... either inbound or outbound. Do you remember the commands for that?
Also, your access list... how can you reduce 5 lines of code to just one?
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
elegua Member Posts: 282
> Yep, that's better.
Good, and thanks for your help.
> Now all you'd have to do is apply it to an interface... either inbound or outbound. Do you remember the commands for that?
Yeah, I do.
> Also, your access list... how can you reduce 5 lines of code to just one?
Are you asking me how to do it, or to change that statement for:
Gateway#conf t
Gateway(config)#ip access-list standard NAT
Gateway(config-std-nacl)#permit any
Gateway(config-std-nacl)#exit
Sorry, but I'm not sure what you are asking me, I'm lost here !!!
ip nat inside source list NAT interface Dialer0 overload
This statement is what I have right now on my router; it is going to be changed to this:
ip nat inside source list NAT pool IP-BLOCK overload
Is this also correct?
Thanks in advance.
Netstudent Member Posts: 1,693
I think he wants you to summarize those subnets into one single ACL entry.
ip access-list standard NAT
 permit 192.168.0.0 0.0.7.255
This would cover 192.168.0.0 - 192.168.7.254
Only thing here is that it includes subnets that you might not want to get out of the private network.
There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
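To make the summarization concrete, and Netstudent's caveat about the extra subnets the one-liner lets through, here is an added example (not from the thread) that computes the summary route and wildcard mask for the five /24s in the NAT ACL, lists the /24s the summary admits that were never in the list, and shows the shortest exact alternative.

```python
import ipaddress

# Constructed from the thread: the five /24s listed in the standard ACL named NAT.
INSIDE_SUBNETS = [f"192.168.{i}.0/24" for i in range(1, 6)]


def summarize(cidrs):
    """Smallest single supernet that covers every network in CIDRS."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()      # widen the prefix one bit at a time
    return summary


def wildcard_entry(net):
    """Render a network as a standard-ACL permit line with an IOS wildcard mask."""
    return f"permit {net.network_address} {net.hostmask}"


def extra_coverage(cidrs, summary, split_prefix=24):
    """/SPLIT_PREFIX blocks the summary admits that CIDRS did not list, i.e. the
    inside hosts the one-line ACL would additionally allow through NAT."""
    wanted = {ipaddress.ip_network(c) for c in cidrs}
    if summary.prefixlen > split_prefix:
        return []
    return [str(s) for s in summary.subnets(new_prefix=split_prefix) if s not in wanted]


def exact_entries(cidrs):
    """Fewest permit lines that match exactly CIDRS and nothing else."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [wildcard_entry(n) for n in ipaddress.collapse_addresses(nets)]


if __name__ == "__main__":
    s = summarize(INSIDE_SUBNETS)
    print("ip access-list standard NAT")
    print(" " + wildcard_entry(s))                  # the single summary line
    print("! also matches:", ", ".join(extra_coverage(INSIDE_SUBNETS, s)))
    print("! exact alternative:")
    for line in exact_entries(INSIDE_SUBNETS):
        print(" " + line)
```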
mikearama Member Posts: 749
Sorry... a little too vague. I was wondering if you knew how to aggregate (summarize) those five lines into one (rather than listing five different but contiguous subnets, have just one summary address). Is that better?
Otherwise, it all looks good.
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.