NAT Question

[thewakingmind]

My question deals with NAT on a 1700 series router. There is of course the outside Serial interface, which has an IP address on the subinterface from the 70.137.x.x range. It has a public IP address (and we have been given a range of 60 some public IP addresses that coincide with this IP).

Here is where I am confused. Is this normal? I thought from reading the documentation that the sub Serial interface represented the external IP address and the ethernet port would represent an internal (private?) IP address range.

If my assumption is incorrect (and we do not want to apply external IP addresses to our internal LAN) how do I go about configuring this?

Thanks in advance!

 

[watchguardmonkey]

What do you mean by sub Serial? if you are tying many interfaces to the serial as in a PRI isdn or frame relay scenario, then all the sub interfaces will be external.

sub serial has nothing what so ever to do with the ethernat interface.

you apply NAT when you are going from a private/reserved address space to an exteranl source such as the Internet or to another company or part of your own company that also use the RFC 1918 reserved IP's.

 

[thewakingmind]

I mentioned the fact that there is one serial sub interface that has an external IP address. But that is not the question.

The internal (and sole) ethernet port has an external IP address as well (and represents on of the 64 external IP addresses the ISP has allotted to this business). The client does not wish to use public IP addresses for their internal LAN. Thus NAT is the solution they seek.

But again...the question is...since both the single serial sub interface and single ethernet interface both have public IP addresses...NAT is not an option? For example...the ethernet interface cannot have an external IP Address and also have a private IP and provide the internal and external NAT interface?

 

[LarryTheCucumber]

Where is the firewall? Are you using firewall feature set on the router?

If you are using the firewall feature set then (I have not done this is a while) You create sub-interfaces on your ethernet port. One with your private IP and one with the external IP. Then route between the sub-interaces and apply your ACL's.

 

[watchguardmonkey]

So what your saying is that you have a 70.137.x.x Ip on both the serial & ethernet interface? they cannot be on the same subnet, they must be subnetted as the router would not work, is one interface tied to the other as in;
"int s0 ip unnumbered e0"

in any case what I would do is remove the ripe ip from the ethernet int and replace it with a RFC 1918 address and then deploy NAT ie,

e0
ip 10.10.10.1 255.255.255.0
ip nat inside

s0
ip 70.137.x.x
ip nat outside

the ndefine any access-list your require and apply the access-group to the serial interface (this is usually where the access-list is applied)

hth.

 

[LarryTheCucumber]

Post your config.

 

[thewakingmind]

Here is IP info and routes:

interface FastEthernet0
description TO LOCAL LAN
ip address 68.121.157.1 255.255.255.192
speed auto
!
interface Serial0
description PB CKT 22.hcgm.013799/SBCIS Tech Support:866-937-3664
no ip address
encapsulation frame-relay IETF
no fair-queue
service-module t1 timeslots 1-24
frame-relay lmi-type ansi
!
interface Serial0.714 point-to-point
ip address 70.137.218.146 255.255.255.252
no cdp enable
frame-relay interface-dlci 714
!
ip route 0.0.0.0 0.0.0.0 70.137.218.145
ip route 68.121.157.0 255.255.255.192 Null0 254 permanent