From: BUI, TIN T (SBCSI) (tb4565@xxxxxxx)
Date: Fri Jan 12 2001 - 12:51:37 GMT-3
Dan, looks exactly like one of my questions on my prep lab. Here is how I
would tackle this:
ip nat pool InsideIP 170.100.42.242 170.100.42.254 prefix-length 28
ip nat inside source list 1 pool InsideIP
access-list 1 permit 1.1.1.0 0.0.0.255 log
!
int e0
 ip address 170.100.42.241 255.255.255.240
 ip address 1.1.1.254 255.255.255.0 secondary
 ip nat inside
!
! Serial subinterfaces, named as in the quoted running config (Serial0.1, Serial0.2)
int s0.1
 ip nat outside
int s0.2
 ip nat outside
!
router igrp 100
 network 170.100.0.0
> Tin T. Bui
> Senior Network Manager
> Network Management Center
> SBC Services Inc.
> 7337 Trade Street, Rm 1110
> San Diego, Ca 92121
> Office #: 858-886-4644/858-886-4589
> Pager #: 858-494-0482
> Fax #: 858-549-4103
> Email: tb4565@sbc.com
>
-----Original Message-----
From: Dan Skiptunas [mailto:dskiptunas@jannon.com]
Sent: Thursday, January 11, 2001 1:27 PM
To: ccielab@groupstudy.com
Subject: Re: NAT with secondary address
The question was (this is a study lab): Configure NAT on vlan 2. Host
addresses are 1.1.1.1 to 1.1.1.253.
Use the valid 14-host network on r5's E0 as valid addresses (into the rest
of the network). Make sure that the other routers see the 170.100.42.x route
but not the 1.1.1.0 network.
Now I may be thinking wrong, but how would you do this? I added the
secondary address because I thought that the hosts would be on the same
interface; I may be very wrong. Any thoughts? Nowhere in this lab does it
state where the 1.1.1.0 network is.
----- Original Message -----
From: "Andrew" <arousch@home.com>
To: "Dan Skiptunas" <dskiptunas@jannon.com>; <ccielab@groupstudy.com>
Sent: Thursday, January 11, 2001 2:39 PM
Subject: Re: NAT with secondary address
> I might be unclear. Do you mean 'ip nat inside' and 'ip nat outside' on
> the same interface between primary and secondary addresses? If so, no. If
> you mean having a primary and secondary address both participate in the
> 'ip nat inside' group then yes. You can place both subnets in your NAT
> permit ACL.
>
> Either way denotes extremely poor design ;)
>
> -Cheers
> -A
>
> At 01:32 PM 1/11/01 -0500, Dan Skiptunas wrote:
> >Hello,
> > I am trying to find out if you can do NAT on the same interface as
> >your secondary addresses... both the inside and outside interface the
> >same. See config
> >
> >
> >Thank You,
> >Dan Skiptunas
> >Network Engineer
> >Jannon Solutions
> >
> >
> >r5#sho run
> >Building configuration...
> >
> >Current configuration:
> >!
> >version 12.0
> >service timestamps debug uptime
> >service timestamps log uptime
> >no service password-encryption
> >!
> >hostname r5
> >!
> >enable password cisco
> >!
> >username r3 password 0 cisco
> >ip subnet-zero
> >no ip domain-lookup
> >isdn switch-type basic-ni
> >!
> >!
> >!
> >interface Ethernet0
> > ip address 1.1.1.1 255.255.255.0 secondary
> > ip address 170.100.42.241 255.255.255.240
> > no ip directed-broadcast
> > ip nat outside
> >!
> >interface Serial0
> > no ip address
> > no ip directed-broadcast
> > encapsulation frame-relay
> > no ip mroute-cache
> > frame-relay lmi-type ansi
> >!
> >interface Serial0.1 multipoint
> > ip address 170.100.100.1 255.255.255.0
> > no ip directed-broadcast
> > ip ospf network point-to-multipoint
> > ip ospf interface-retry 0
> > frame-relay map ip 170.100.100.3 203 broadcast
> > frame-relay map ip 170.100.100.5 202 broadcast
> >!
> >interface Serial0.2 point-to-point
> > ip address 170.100.101.1 255.255.255.0
> > no ip directed-broadcast
> > frame-relay interface-dlci 204
> >!
> >interface Serial1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> >!
> >interface BRI0
> > ip address 170.100.10.1 255.255.255.240
> > no ip directed-broadcast
> > encapsulation ppp
> > ip ospf interface-retry 0
> > dialer idle-timeout 300
> > dialer map ip 170.100.10.2 name r3 broadcast 0835866101
> > dialer map ip 170.100.10.2 name r3 broadcast 0835866301
> > dialer load-threshold 1 either
> > dialer-group 1
> > isdn switch-type basic-ni
> > isdn spid1 0835866201 8358662
> > isdn spid2 0835866401 8358664
> > ppp authentication chap
> > ppp multilink
> >!
> >router ospf 50
> > summary-address 1.1.1.0 255.255.255.0 not-advertise
> > redistribute rip metric 100 metric-type 1 subnets
> > network 170.100.10.0 0.0.0.255 area 0
> > network 170.100.100.0 0.0.0.255 area 0
> > default-information originate metric 100 metric-type 1
> >!
> >router rip
> > version 2
> > network 170.100.0.0
> > no auto-summary
> >!
> >router igrp 1
> > redistribute ospf 50 metric 1500 2000 255 1 1500
> > network 170.100.0.0
> >!
> >ip nat pool pool 170.100.42.242 170.100.42.254 netmask 255.255.255.240
> >ip nat inside source list 11 pool pool overload
> >ip classless
> >!
> >access-list 1 deny 170.100.101.0
> >access-list 1 permit any
> >access-list 11 permit 1.1.1.0 0.0.0.254
> >dialer-list 1 protocol ip permit
> >!
> >!
> >line con 0
> > transport input none
> >line aux 0
> >line vty 0 4
> > password cisco
> > login
> >!
> >end
> >
> >
> >
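
Added example, not part of the thread: a Python check of the two NAT source ACLs that appear above (`0.0.0.254` in the quoted running config, `0.0.0.255` in the reply) against the lab's host range, plus a check that the NAT pool fits the /28 on E0. The function names are hypothetical helpers; all addresses are taken from the messages.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco ACL test: bits set in the wildcard are ignored, all others must equal base."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

def host_range(first, last):
    """Every address from first to last, inclusive, as dotted strings."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]

def unmatched(hosts, base, wildcard):
    """Hosts the 'permit base wildcard' entry does NOT match (never translated)."""
    return [h for h in hosts if not wildcard_match(h, base, wildcard)]

def pool_report(first, last, iface_ip, iface_mask):
    """Compare a NAT pool with the interface subnet it borrows addresses from."""
    net = ipaddress.IPv4Interface(f"{iface_ip}/{iface_mask}").network
    pool = set(host_range(first, last))
    usable = {str(h) for h in net.hosts()} - {iface_ip}
    return {"subnet": str(net), "size": len(pool),
            "inside_subnet": pool <= usable,
            "unused_usable": sorted(usable - pool)}

# Host range stated in the lab question
INSIDE_HOSTS = host_range("1.1.1.1", "1.1.1.253")

if __name__ == "__main__":
    for wc in ("0.0.0.254", "0.0.0.255"):
        miss = unmatched(INSIDE_HOSTS, "1.1.1.0", wc)
        print(f"permit 1.1.1.0 {wc}: {len(INSIDE_HOSTS) - len(miss)} matched, "
              f"{len(miss)} not matched, first misses {miss[:3]}")
    print(pool_report("170.100.42.242", "170.100.42.254",
                      "170.100.42.241", "255.255.255.240"))
```

With wildcard `0.0.0.254` the low-order bit must equal 0, so only even-numbered hosts in 1.1.1.0/24 are selected for translation; `0.0.0.255` covers the whole range.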
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:27:28 GMT-3