DHCP Group Assignment


fnkylinguist

Hello Everyone,

I have a Cisco 2621 which I use as a gateway to the Internet. I now use a Windows 2000 server as my DHCP. Now, we have a need to NAT the users from the customer care department and I think I should assign that group a pool of addresses. Does anyone know how to do this? My thought is that it may be easier to NAT a range rather than having to translate each address independently.

Any help would be appreciated.
 
Standard dynamic NAT pool configuration is as below:

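! Pool of outside addresses, on the same subnet as the outside interface
ip nat pool test 194.212.6.2 194.212.6.10 netmask 255.255.255.240
! Translate inside sources matched by access-list 7 to addresses from the pool
ip nat inside source list 7 pool test

interface s 0
ip address 10.10.1.254 255.255.255.0
ip nat inside

interface s 1
ip address 194.212.6.1 255.255.255.240
ip nat outside

! Inside hosts that are eligible for translation
access-list 7 permit 10.10.1.0 0.0.0.255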


I think it's fairly self-explanatory. Drop a note if you need anything clarified.
 
Thanks Kisco. That scenario helps me a bit but I'm still a bit stumped. I'll post the config down below.

interface FastEthernet0/0
description connected to EthernetLAN
ip address xxx.xxx.xx.1 255.255.254.0
ip nat inside
speed 100
full-duplex

interface Serial0/0
no ip address
encapsulation frame-relay
service-module t1 timeslots 1-2
frame-relay lmi-type cisco

interface Serial0/0.1 point-to-point
description Connection to Bellsouth Atlanta
ip address xxx.xx.x.121 255.255.255.252
frame-relay interface-dlci 33 IETF

interface Serial0/0.4 point-to-point
description connection to Denver Colorado Qwest
ip address xxx.xxx.xx.10 255.255.255.252
frame-relay interface-dlci 34

interface Serial0/0.5 point-to-point
description Connection to Verizon (Tampa)
ip address xxx.xx.xx.90 255.255.255.252
frame-relay interface-dlci 31

interface FastEthernet0/1
description connected to Internet
ip address xx.xxx.xxx.106 255.255.255.248
ip access-group extended-outbound out
ip nat outside
speed 100
full-duplex
********************************************************

The customer care dept needs to go out over S0/0.1.
Everyone uses interface FastEthernet0/1 for Internet and all traffic is NATted to the xxx...106.
Arghhhh, I'm pulling my hair out here. I just need it to work properly.

Actual Problem
5 users in the customer care dept will be telnetting to 139.xxx.xxx.51, 52 and 53. So this needs to be NATted to 192.168.10.30 and routed across S0/0.1.

199.181.0.1 traffic needs to be NATted and routed across S0/0.4.

188.210.0.2 traffic needs to be NATted and routed across S0/0.5.

I pondered taking away the ip nat outside from FastEthernet0/1 and using a firewall for the Internet on the LAN, but I still don't know how I'm gonna NAT all this traffic with just this one router.
 
Puhleaseeeeeeeeee can someone helpppppppppp meeeeee
Oh my head hurts
 
If you need traffic NAT'ing before going via the serials, the serial sub-ints should be NAT-enabled interfaces to allow this to happen.

Can you clarify the following:

What are the source addresses for customer care dept? For this NAT range, what address(es) do you have available for this traffic?

Can you confirm 199.181.0.1 and 188.210.0.2 are hosts on the LAN subnet (attached to fastethernet0/0)? Can you also confirm what you want these 2 addresses to be translated to.
 
Ok so I should add the ip nat outside to the serial interfaces?

192.168.10.11, 12, and 13 are the addresses for the customer care dept users.

They will be telnetting to 139.xxx.xxx.51, 52 and 53 in that order, with 51 being the production box and 53 being testing.

199.181.0.1 and 188.210.0.2 come from an application used on our LAN attempting to communicate with hosts on the remote site. So this address will be the address that I have to route across the two serial interfaces.

Thanks for your help so far Kisco, I really appreciate it.
 
I would envisage that ip nat outside is needed on your serials where you feel address translation is required between those subnets and the local LAN subnet.

Based on what you've told me to date, i.e. translate customer care addresses (192.168.10.10-13) to 192.168.10.30 when routed across s0/0.1, the following should work:


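! Single-address pool: IOS requires both a start and an end address
ip nat pool test 192.168.10.30 192.168.10.30 netmask 255.255.255.0
! overload (PAT) lets all hosts in access-list 7 share that one address
ip nat inside source list 7 pool test overload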

interface s0/0.1
ip nat outside

interface f0/0
ip nat inside


access-list 7 permit host 192.168.10.10
access-list 7 permit host 192.168.10.11
access-list 7 permit host 192.168.10.12
access-list 7 permit host 192.168.10.13


You can manipulate what I've done above and apply to your other scenarios to hopefully achieve what you want.

If you have any more questions, drop em in here.
 
Kisco,

Thanks for all of your help so far. I have been trying several configurations and have yet to be successful. I have pasted the translation table below so we can see what is happening.

tcp xx.xxx.x.106:3576 192.168.10.2:3576 x.x.x.51:23 x.x.x.51:23

As you can see, it is still translating everything into the Ethernet address of my fe0/1.

Is there a way to make the translations of the fe0/0 interface take place after the translation of the s0/0.1 interface? Perhaps I'm having a routing issue?

ip route 0.0.0.0 0.0.0.0 x.x.x.105
ip route x.x.x.54 255.255.255.255 x.x.32.89
ip route x.x.x.0 255.255.252.0 x.x.2.122
ip route x.x.x.0 255.255.255.0 x.x.2.122
ip route x.x.x.28 255.255.255.255 x.x.x2.89
ip route x.x.x.146 255.255.255.255 x.x.x4.9
ip route x.x.x.59 255.255.255.255 x.x.x4.9
ip route x.x.x.71 255.255.255.255 x.x.x4.0

I'm pulling out my hair now.

I received some advice to use the ip nat inside source statement.

ip nat inside-source interface 0/0.5 overload and I haven't used it yet. Any clue?
 
Kisco,

This configuration worked for me. Thanks for your help so far. The only thing I have to figure out now is how to modify it so that we can access the internet at the same time.

If you can advise that would be great. Thanks for your help so far.

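! One ACL per source host (a.b.c.d, e.f.g.h and w.x.y.z are placeholders)
ip access-list extended host1
permit ip host a.b.c.d any
ip access-list extended host2
permit ip host e.f.g.h any
ip access-list extended host3
permit ip host w.x.y.z any
!
! Policy routing: send each host's traffic out its own sub-interface.
! "match ip address" takes the ACL name directly, and an egress
! interface is selected with "set interface" (set ip next-hop needs an IP).
route-map host123 permit 10
match ip address host1
set interface Serial0/0.1
route-map host123 permit 20
match ip address host2
set interface Serial0/0.2
route-map host123 permit 30
match ip address host3
set interface Serial0/0.3
!
! Apply the policy to traffic arriving from the LAN
int f0/0
ip policy route-map host123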
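
An added example, not part of any post in this thread and not the poster's working configuration: one way to keep the Internet NAT and the customer care NAT active together is to bind each translation rule to its egress interface with a route-map, so the FastEthernet0/1 overload rule no longer captures traffic that leaves via Serial0/0.1. The ACL and route-map names are made up here, the static routes are an assumption about how traffic is steered, and every `<...>` value is a placeholder for an address the thread masks.

```cisco
! Added example. Names (CC-HOSTS, LAN-ALL, CC-POOL, NAT-VIA-*) are hypothetical.
! Customer care source hosts, as given in the thread
ip access-list standard CC-HOSTS
 permit 192.168.10.11
 permit 192.168.10.12
 permit 192.168.10.13
! Every inside host allowed out to the Internet (placeholder network)
ip access-list standard LAN-ALL
 permit <lan-network> <lan-wildcard>
!
! Single translated address for customer care, as stated in the thread
ip nat pool CC-POOL 192.168.10.30 192.168.10.30 netmask 255.255.255.0
!
! Each NAT route-map matches on source AND on the interface the
! routing table selected, so only one rule can apply to a given packet.
route-map NAT-VIA-S1 permit 10
 match ip address CC-HOSTS
 match interface Serial0/0.1
route-map NAT-VIA-INET permit 10
 match ip address LAN-ALL
 match interface FastEthernet0/1
!
ip nat inside source route-map NAT-VIA-S1 pool CC-POOL overload
ip nat inside source route-map NAT-VIA-INET interface FastEthernet0/1 overload
!
interface FastEthernet0/0
 ip nat inside
interface Serial0/0.1 point-to-point
 ip nat outside
interface FastEthernet0/1
 ip nat outside
!
! Assumption: the three remote telnet hosts are reached by host routes
! out the point-to-point sub-interface; everything else follows the default.
ip route <remote-host-51> 255.255.255.255 Serial0/0.1
ip route <remote-host-52> 255.255.255.255 Serial0/0.1
ip route <remote-host-53> 255.255.255.255 Serial0/0.1
ip route 0.0.0.0 0.0.0.0 <internet-next-hop>
```

After applying it, `show ip nat translations` should show telnet sessions from the customer care hosts with 192.168.10.30 as the inside global address, and all other traffic with the FastEthernet0/1 address.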
 