
IP Nat Pool

Status
Not open for further replies.

tester125

MIS
Sep 24, 2003
85
US
Hi Everyone,

I'm new to Cisco.
I have a 2600 series router, and I want to set up an IP NAT pool only for a specific destination.

I only want to NAT if a user is trying to access 172.x.x.x; otherwise, if they try to access any other host, I want no NAT.
How do I set up the NAT pool only for a specific destination?

Thanks for any input.
 
Set up NAT pool (the x's are the range you want in the pool):
ip nat pool test 172.x.x.x 172.x.x.x netmask 255.255.255.0
ip nat inside source list 7 pool test

Set up the interface:

ip address 172.x.x.x 255.255.255.0
ip nat inside

Set up the ACL (x's are the IP address you want to use the pool):
access-list 7 permit host 172.x.x.x






___________________________________
[morse]--... ...--[/morse], Eric.
 
Hey nawlej,

Thanks a lot for the input.
Question:

On the second column, "set up the interface": is this where I set up the destination address that I want to be NATted when the users try to access it?
If it is, what's the exact command with the IP address? It's not taking the IP address; it's looking for a word name.

Thanks again.
 
That's for the configuration of the interface itself, like ethernet0, or serial, or wherever it is.

___________________________________
[morse]--... ...--[/morse], Eric.
 
Thanks again nawlej,
sorry, after I posted the reply I then realized. How do you know that the NAT actually works? Is there a log that I could look at?

Thanks again.
 
If you run "debug ip nat" it should be viewable.

___________________________________
[morse]--... ...--[/morse], Eric.
 
Hi,

When I entered that command it comes up "Debug IP Nat is on".

Is there anything else I need to do?

Thanks again
 
Ok, now that it's on, problems should show when you issue "show log".

___________________________________
[morse]--... ...--[/morse], Eric.
 
Hi Nawlej,

Syslog logging: enabled (0 messages dropped, 0 messages rate-limited, 0 flushes,
0 overruns)
Console logging: level debugging, 48 messages logged
Monitor logging: level debugging, 0 messages logged
Buffer logging: disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: disabled
Trap logging: level informational, 50 message lines logged

This is what it shows, nothing about NATing.

Thanks again.
 
Well, start pinging around from box to box to trigger successes and failures for NAT.

___________________________________
[morse]--... ...--[/morse], Eric.
 
Yeah, I am opening up a browser and pinging. But I don't see any logs as to the NAT.

Thanks.
 
Hey Nawlej,

Where is it that you set up the destination address?

For example, I have users in the 10.9.0.0 network; when they try to access 199.222.182.x I want their address to translate to 172.12.45.x.

From the above instructions it only lists the NAT pool range and the address that's permitted.

thanks again.
 
I gather that you want everyone on the 10.9.0.0/24 network to be translated to 172.12.45.x, but only when they access 199.222.182.x. Otherwise, no NAT is to be done and they'll go out with their actual source addresses, right?

I borrowed from nawlej, and used actual numbers to (hopefully) clarify, and switched to an extended access list so that the destination can be considered:

! create the nat pool of one address
ip nat pool test 172.12.45.3 172.12.45.3 netmask 255.255.255.0

! set traffic matching list 107 to use nat pool test
ip nat inside source list 107 pool test

! define traffic to be nat'd
access-list 107 permit ip 10.9.0.0 0.0.0.255 host 199.222.182.1

! interface ip setup
int ethernet 0
ip address 10.9.0.1 255.255.255.0
ip nat inside
!
int serial 0
ip address 172.12.45.1 255.255.255.0


I think this should work. This is similar to what's discussed at
 
Hey Guys,

Igarner explained exactly what I want to accomplish.

Hey IGarner, I did it the way you mentioned. But it's still going out its default route.

I will still keep trying.
Thanks for the links to both of you. I will look at it.

Thanks again, any more advice will be great.
 
Guys,

It looks like the IP is being translated at the Cisco, but when it hits my firewall it shows up as the original IP.
Any thoughts?

I want the IP to hit the Cisco, get translated and be routed to my firewall.

Thanks again, seems that I'm getting closer.


 
First off, temporarily deactivate your access lists and anything else that can possibly prohibit communication.


Next, do a "show ip nat stat" and a "show ip nat trans" on the router you set the NAT on - and paste it on here for us if you want. It should tell you all the vital information....
 
Errr, let me clarify. When I said deactivate access lists, I meant all lists that are irrelevant to the task you are trying to work out.

KEEP #107!


(I wish this forum had an edit feature)
 
I'm also new to Cisco but I can see 2 things (please correct me if I'm wrong, thx):

1) Logging buffer disabled:
- seems "show log" will show nothing
- seems you can only see the log appear on the console if you're using the console port. For telnet, it seems you need to issue an additional command

2) ip nat outside:
- I believe you should define your NAT outside interface
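
A consolidated version of the configuration discussed in this thread, as an added example that is not any poster's own config: it combines the extended ACL from the earlier reply with the `ip nat outside` and buffered-logging points raised in the last post. The addresses come from the thread; treating serial 0 as the outside interface and the log buffer size are assumptions.

```cisco
! --- Policy NAT: translate 10.9.0.0/24 only when the destination is 199.222.182.1 ---
! Pool of one address (from the thread). With a single-address pool only one
! inside host can hold a translation at a time unless "overload" is appended
! to the "ip nat inside source" line.
ip nat pool test 172.12.45.3 172.12.45.3 netmask 255.255.255.0
!
! Extended ACL: source 10.9.0.0/24 (wildcard 0.0.0.255), destination one host.
! Traffic that does not match this entry is routed untranslated.
access-list 107 permit ip 10.9.0.0 0.0.0.255 host 199.222.182.1
!
ip nat inside source list 107 pool test
!
interface Ethernet0
 ip address 10.9.0.1 255.255.255.0
 ip nat inside
!
! Assumption: serial 0 is the egress interface toward 199.222.182.1.
! Without "ip nat outside" on the egress interface no translation occurs.
interface Serial0
 ip address 172.12.45.1 255.255.255.0
 ip nat outside
!
! --- Make debug output visible ---
! "show log" reported "Buffer logging: disabled"; enable the buffer
! (16384 bytes is an assumed size).
logging buffered 16384 debugging
!
! --- Verification, from privileged EXEC (not configuration mode) ---
! terminal monitor            ! needed to see debug output on a telnet session
! debug ip nat
! show ip nat translations    ! expect inside local 10.9.0.x, inside global 172.12.45.3
! show ip nat statistics      ! hit/miss counters and the inside/outside interfaces
! show logging
! undebug all                 ! turn debugging off when finished
```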
 