
global outside address for a router??


tom11011

Hi All,

On one of our networks, we are running NAT without the benefit of a PIX. It is set up on our 2801 router. One question: how does the router know which routable IP to use as a "global outside" address? I.e., my computers behind the router on the LAN that are NAT'd show up to the outside world with the second routable IP in our assigned block. The first routable IP is assigned to the inside interface of our router.

To clarify, my inside local address does not match my inside global address when I do a

show ip nat trans

and I need it to. I don't understand how the router picks this global outside address if it is not told how.

Thanks for any help.
 
Why would you want your inside local to match your inside global? What exactly are you wanting to do - share an internet connection or translate between discontiguous networks?

I believe what you want is a NAT pool. You can read about it here:



Have fun!
-Dan
 
Well, I just want to know how it is choosing the ip it is choosing. Seems odd that it has decided to pick the second ip in my block. Here is my config.


Code:
Router#show run
Building configuration...
 
Current configuration : 3883 bytes
!
! Last configuration change at 13:13:01 edt Fri Oct 27 2006
!
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 15000 debugging
enable secret 5 $1$4GgU$9Ah2HEcl05x6m5AM.6l6A0
!
no aaa new-model
!
resource policy
!
clock timezone est -5
clock summer-time edt recurring
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip port-map user-limewireudp port udp 5910
ip port-map user-limewiretcp port tcp 5910
ip inspect name outbound tcp timeout 3600
ip inspect name outbound udp timeout 3600
ip inspect name outbound user-limewiretcp timeout 3600
ip inspect name outbound user-limewireudp timeout 3600
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 description outside interface
 ip address 68.xx.xx.236 255.255.255.224
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description inside interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip inspect outbound in
 ip virtual-reassembly max-reassemblies 50
 duplex auto
 speed auto
!
ip route 0.0.0.0 0.0.0.0 68.xx.xx.225
!
!
no ip http server
no ip http secure-server
ip nat pool pool1 68.xx.xx.34 68.xx.xx.47 netmask 255.255.255.240
ip nat inside source list 1 pool pool1 overload
ip nat inside source static tcp 192.168.1.34 25 68.xx.xx.34 25 extendable
ip nat inside source static tcp 192.168.1.34 1723 68.xx.xx.34 1723 extendable
ip nat inside source static tcp 192.168.1.34 3389 68.xx.xx.34 3389 extendable
ip nat inside source static tcp 192.168.1.34 6346 68.xx.xx.34 6346 extendable
ip nat inside source static udp 192.168.1.34 6346 68.xx.xx.34 6346 extendable
ip nat inside source static tcp 192.168.1.35 22 68.xx.xx.35 22 extendable
ip nat inside source static tcp 192.168.1.35 53 68.xx.xx.35 53 extendable
ip nat inside source static udp 192.168.1.35 53 68.xx.xx.35 53 extendable
ip nat inside source static tcp 192.168.1.36 20 68.xx.xx.36 20 extendable
ip nat inside source static tcp 192.168.1.36 21 68.xx.xx.36 21 extendable
ip nat inside source static tcp 192.168.1.36 22 68.xx.xx.36 22 extendable
ip nat inside source static tcp 192.168.1.36 25 68.xx.xx.36 25 extendable
ip nat inside source static tcp 192.168.1.36 80 68.xx.xx.36 80 extendable
ip nat inside source static tcp 192.168.1.36 110 68.xx.xx.36 110 extendable
ip nat inside source static tcp 192.168.1.36 443 68.xx.xx.36 443 extendable
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 permit icmp any any
access-list 101 permit tcp any 68.xx.xx.34 0.0.0.16 eq smtp
access-list 101 permit tcp any 68.xx.xx.34 0.0.0.16 eq 3389
access-list 101 permit tcp any 68.xx.xx.35 0.0.0.16 eq domain
access-list 101 permit udp any 68.xx.xx.35 0.0.0.16 eq domain
access-list 101 permit tcp any 68.xx.xx.35 0.0.0.16 eq 22
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq ftp-data
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq ftp
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq 22
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq smtp
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq www
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq pop3
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 eq 443
access-list 101 permit esp any any
access-list 101 permit gre any any
access-list 101 permit tcp any 68.xx.xx.36 0.0.0.16 range 59000 60000
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
 password 7 14141D061C113E2E362F262C73
 login
line aux 0
line vty 0 4
 password 7 1306181F1B19102F39233D2A64
 login
!
scheduler allocate 20000 1000
ntp master
ntp server 128.95.231.7
ntp server 66.187.224.4
ntp server 146.186.218.253
ntp server 209.132.176.4
end
 
You have some static NAT statements there in addition to a dynamic NAT statement which is calling on some of the same IP addresses. This is not advisable and may cause issues for you. I would amend that pool and remove addresses 68.x.x.34 thru to 68.x.x.36 from it.

Based on my previous experience, when you have a statement like:

ip nat pool pool1 68.xx.xx.34 68.xx.xx.47 netmask 255.255.255.240
ip nat inside source list 1 pool pool1 overload

It typically allocates addresses 68.x.x.34 thru to 68.x.x.46 on a one by one basis. The last address 68.x.x.47 will become the overload (PAT) address for all remaining translations.

 
ok, I think I understand what you are saying but I'm not sure which direction you are recommending.

Should I just edit this line

ip nat pool pool1 68.xx.xx.34 68.xx.xx.47 netmask 255.255.255.240

to read

ip nat pool pool1 68.xx.xx.47 netmask 255.255.255.240

so that my so called "global outside" is 68.xx.xx.47 in all cases where a nat is not specifically assigned to a host?
 
A word of advice---change your passwords from level 7 to secrets. Enable secret (password) is not crackable, but your level 7 passwords are. Just copy and paste the encrypted passwords from your config you posted and paste in the utility at this link...
You will see what I mean. For example, yours for line con 0 and line vty 0 4 are both the same. Just trying to be helpful. The encryption you copy and paste, for example for line vty 0 4, would be this: 1306181F1B19102F39233D2A64
That is everything after "password 7".

Tim
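As an added example (not code from this thread or from any of its posters), a small Python audit over a constructed running-config that applies both of the points raised above: kiscokid's warning that static NAT globals sitting inside the overload pool cause trouble, and Tim's warning that `password 7` line passwords are reversible. The config text, its addresses (RFC 5737 documentation space in place of the masked 68.xx.xx.x block) and the password strings are all constructed placeholders.

```python
import ipaddress
import re

# Constructed sample, not the thread's real config: the poster's masked
# 68.xx.xx.x block is replaced with RFC 5737 documentation addresses and the
# hash/password strings are placeholders.
SAMPLE_CONFIG = """\
enable secret 5 $1$PLACEHOLDER$PLACEHOLDERPLACEHOLDERX
ip nat pool pool1 203.0.113.34 203.0.113.47 netmask 255.255.255.240
ip nat inside source list 1 pool pool1 overload
ip nat inside source static tcp 192.168.1.34 25 203.0.113.34 25 extendable
ip nat inside source static tcp 192.168.1.35 22 203.0.113.35 22 extendable
ip nat inside source static 192.168.1.36 203.0.113.36 extendable
line con 0
 password 7 PLACEHOLDERTYPE7
line vty 0 4
 password 7 PLACEHOLDERTYPE7
"""


def static_global(tokens):
    """Inside-global address of an 'ip nat inside source static' line.

    Port-forwarding form: static {tcp|udp} LOCAL LPORT GLOBAL GPORT ...
    One-to-one form:      static LOCAL GLOBAL ...
    """
    rest = tokens[tokens.index("static") + 1:]
    return rest[3] if rest[0] in ("tcp", "udp") else rest[1]


def audit(config):
    """Report static globals that fall inside a NAT pool, and type 7 passwords."""
    pools, statics, type7 = {}, [], []
    for lineno, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        tokens = line.split()
        if line.startswith("ip nat pool "):
            # ip nat pool NAME FIRST LAST netmask MASK
            pools[tokens[3]] = (ipaddress.ip_address(tokens[4]),
                                ipaddress.ip_address(tokens[5]))
        elif line.startswith("ip nat inside source static "):
            statics.append(ipaddress.ip_address(static_global(tokens)))
        elif re.search(r"\bpassword 7 \S+$", line):
            # Type 7 is reversible obfuscation, not a hash; flag the line.
            type7.append(lineno)
    overlaps = sorted({(name, addr) for name, (lo, hi) in pools.items()
                       for addr in statics if lo <= addr <= hi})
    return {"overlaps": [(n, str(a)) for n, a in overlaps],
            "type7_lines": type7}
```

On IOS the remediation for the flagged lines is to replace the line-level `password` with `login local` backed by a `username NAME secret PASSWORD` account, since `service password-encryption` only ever produces type 7.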
 
wow, that is scary Tim. How do you change these to secrets?
 
Almost. Define the pool as:

ip nat pool pool1 68.xx.xx.47 68.xx.xx.47 netmask 255.255.255.240
 
kiscokid, thanks. I also changed my nats

from

Code:
ip nat inside source static tcp 192.168.1.34 25 68.xx.xx.34 25 extendable
ip nat inside source static tcp 192.168.1.34 1723 68.xx.xx.34 1723 extendable
ip nat inside source static tcp 192.168.1.34 3389 68.xx.xx.34 3389 extendable
ip nat inside source static tcp 192.168.1.34 6346 68.xx.xx.34 6346 extendable
ip nat inside source static udp 192.168.1.34 6346 68.xx.xx.34 6346 extendable
ip nat inside source static tcp 192.168.1.35 22 68.xx.xx.35 22 extendable
ip nat inside source static tcp 192.168.1.35 53 68.xx.xx.35 53 extendable
ip nat inside source static udp 192.168.1.35 53 68.xx.xx.35 53 extendable
ip nat inside source static tcp 192.168.1.36 20 68.xx.xx.36 20 extendable
ip nat inside source static tcp 192.168.1.36 21 68.xx.xx.36 21 extendable
ip nat inside source static tcp 192.168.1.36 22 68.xx.xx.36 22 extendable
ip nat inside source static tcp 192.168.1.36 25 68.xx.xx.36 25 extendable
ip nat inside source static tcp 192.168.1.36 80 68.xx.xx.36 80 extendable
ip nat inside source static tcp 192.168.1.36 110 68.xx.xx.36 110 extendable
ip nat inside source static tcp 192.168.1.36 443 68.xx.xx.36 443 extendable

to

Code:
ip nat inside source static 192.168.1.34 68.xx.xx.34 extendable
ip nat inside source static 192.168.1.35 68.xx.xx.35 extendable
ip nat inside source static 192.168.1.36 68.xx.xx.36 extendable

Now I know exactly where traffic is coming from. I had a problem where one of my hosts had a virus and it blacklisted the first IP address. I spent hours on this host trying to find the virus. Turns out, it wasn't the host at all, I was just fooled into thinking it was because of the "global outside" address that was showing up in the bounces.
 
Well, Tom, just don't post the encrypted passwords---use x's, and any time you save the configs into a text file, do the same. As long as you enable secret blablabla, you're okay.

Tim
 