Re: NAT on outside interface

From: gladston@br.ibm.com
Date: Fri Jul 29 2005 - 13:11:26 GMT-3


Hi John,

The config:

int e0/0.100
 ip nat outside
!
int s0/0.14
 ip nat inside
!
ip nat pool Pool 80.80.80.10 80.80.80.20 netmask 255.255.255.0
ip nat inside source list 10 pool Pool overload
ip nat inside source static 148.5.111.1 80.80.80.100
!
access-list 10 permit 148.5.0.0 0.0.255.255

That is all there is concerning NAT.

Here is the complete configuration:

ip subnet-zero
ip wccp web-cache
ip tcp intercept list 102
ip tcp intercept connection-timeout 30
ip tcp intercept mode watch
!
!
ip dhcp excluded-address 148.5.15.10
ip dhcp excluded-address 148.5.46.100 148.5.46.254
!
ip dhcp pool Dhcp
   network 148.5.15.0 255.255.255.0
   dns-server 148.5.15.200
   default-router 148.5.15.100
   option 31 hex 01
!
ip dhcp pool Dhcp-to-bb1
   host 148.5.15.10 255.255.255.0
   client-identifier 0100.036b.ecf3.80
!
ip dhcp pool 148.5.46.x/24
   network 148.5.46.0 255.255.255.0
!
ip cef
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pppoe
  virtual-template 6
 pppoe limit per-vlan 200
!
ipv6 unicast-routing
mpls ldp logging neighbor-changes
!
!
!
!
!
!
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
 class-map match-all Telnet
  match access-group 106
!
!
 policy-map Set-cos
  class class-default
   set cos 4
!
!
source-bridge ring-group 2
dlsw local-peer peer-id 148.5.1.1 group 44 promiscuous
dlsw remote-peer 0 tcp 148.5.4.1
dlsw bridge-group 1
!
dspu vdlc 2 4000.cccc.dddd
dspu vdlc enable-host lsap 12
!
dspu host PU5 xid-snd 01700005 rmac 0000.0cbb.6283 rsap 4 lsap 12
!
!
!
interface Loopback0
 ip address 148.5.1.1 255.255.255.0
!
interface Loopback11
 ip address 148.5.11.1 255.255.255.0
 ip router isis
!
interface Loopback111
 ip address 148.5.111.1 255.255.255.0
!
interface Ethernet0/0
 no ip address
 no ip route-cache
 no ip mroute-cache
 full-duplex
!
interface Ethernet0/0.60
 description R1---R5 to test VRRP
 encapsulation dot1Q 60
 ip address 148.5.15.1 255.255.255.0
 ip router isis
 service-policy output Set-cos
 no ip route-cache
 no ip mroute-cache
 vrrp 50 ip 148.5.15.100
 vrrp 50 preempt delay minimum 3
 vrrp 50 authentication text ccie
 vrrp 51 ip 148.5.15.150
 vrrp 51 preempt delay minimum 3
 vrrp 51 authentication text ccie
!
interface Ethernet0/0.70
 encapsulation dot1Q 70
 no ip route-cache
 no ip mroute-cache
 pppoe enable
!
interface Ethernet0/0.100
 description R1---BB1
 encapsulation dot1Q 100
 ip address 150.100.111.1 255.255.255.0 secondary
 ip address 150.100.1.1 255.255.255.0
 ip access-group 112 in
 ip nat outside
 no ip route-cache
 ip summary-address rip 148.5.0.0 255.255.0.0
 no ip mroute-cache
 bridge-group 1
!
interface Serial0/0
 bandwidth 64
 no ip address
 encapsulation frame-relay
 no fair-queue
 no frame-relay inverse-arp
!
interface Serial0/0.14 point-to-point
 bandwidth 128
 ip address 148.5.14.1 255.255.255.0
 ip nat inside
 ip wccp web-cache redirect in
 ip router isis
 ipv6 address FEC0:148:5:14::1/64
 traffic-shape rate 96000 12000 1000 1000
 frame-relay interface-dlci 104
!
interface Serial0/1
 no ip address
 shutdown
!
interface Virtual-Template6
 mtu 1492
 ip address 148.5.115.1 255.255.255.0
!
router isis
 net 49.0014.1111.1111.1111.00
 redistribute connected route-map connected-isis level-1
!
router rip
 version 2
 passive-interface default
 no passive-interface Ethernet0/0.100
 no passive-interface Serial0/0.14
 network 148.5.0.0
 network 150.100.0.0
 distribute-list 4 out Serial0/0.14
 no auto-summary
!
router bgp 5
 no synchronization
 bgp router-id 1.1.1.1
 bgp log-neighbor-changes
 neighbor Peer-group peer-group
 neighbor Peer-group remote-as 5
 neighbor Peer-group update-source Loopback0
 neighbor Peer-group next-hop-self
 neighbor 148.5.3.1 peer-group Peer-group
 neighbor 148.5.4.1 peer-group Peer-group
 neighbor 150.100.1.254 remote-as 254
 neighbor 150.100.1.254 route-map Set-LP in
 no auto-summary
!
ip nat pool Pool 80.80.80.10 80.80.80.20 netmask 255.255.255.0
ip nat inside source list 10 pool Pool overload
ip nat inside source static 148.5.111.1 80.80.80.100
ip http server
ip classless
!
!
!
access-list 3 permit 148.5.0.0
access-list 4 deny 65.2.1.0 0.0.254.0 log
access-list 4 permit any
access-list 10 permit 148.5.0.0 0.0.255.255
access-list 24 permit 150.100.1.254 log
access-list 24 deny any log
access-list 25 permit 148.5.4.1
access-list 25 deny any
access-list 26 permit any
access-list 102 permit tcp any host 150.100.1.254 eq telnet
access-list 106 permit tcp any any eq telnet
access-list 109 permit udp any any range 1000 1500
access-list 110 permit udp any any eq 1250
access-list 112 remark Anti-spoofing
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 deny ip 224.0.0.0 31.255.255.255 any
access-list 112 deny ip host 0.0.0.0 any
access-list 112 deny icmp any any redirect
access-list 112 deny ip 10.0.0.0 0.255.255.255 any
access-list 112 deny ip 172.16.0.0 0.15.255.255 any
access-list 112 deny ip 192.168.0.0 0.0.255.255 any
access-list 112 permit ip any any
access-list 128 permit ip 148.5.0.0 0.0.255.255 any
queue-list 12 protocol ip 4 list 109
queue-list 12 protocol ip 5 list 110
queue-list 12 default 6
queue-list 12 queue 4 byte-count 512 limit 0
queue-list 12 queue 5 byte-count 5120
queue-list 12 queue 6 byte-count 45000
!
route-map connected-isis permit 10
 match interface Loopback111
!
route-map Set-LP permit 10
 set local-preference 300
!
!
bridge 1 protocol ieee
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
rtr responder
alias exec c conf t
alias exec s show run
alias exec sib show ip interface brief
alias exec sl sh logg
alias exec cl clear logg
alias exec sb show ip bgp
alias exec sibs show ip bgp su
alias exec cb clear ip bgp * soft
alias exec sir show ip route
alias exec so show ip os ne
alias exec sip show ip protocols
alias exec cir clear ip route *
alias exec u no debug all
alias exec b sh run | begin
alias exec i sh run | i
alias exec pro sh ip protocols
!
line con 0
 exec-timeout 0 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 password cisco
 login
!
ntp clock-period 17208400
ntp source Loopback0
ntp access-group peer 26
ntp server 150.100.1.254
!
end

john matijevic <john.matijevic@gmail.com>
29/07/2005 13:01
Please respond to
john matijevic <john.matijevic@gmail.com>

To
Alaerte Gladston Vidali/Brazil/IBM@IBMBR
cc
ccielab@groupstudy.com
Subject
Re: NAT on outside interface

Hello Gladston,
Please post your configs.
Sincerely,
John

On 7/29/05, gladston@br.ibm.com <gladston@br.ibm.com> wrote:

R1
s0/0 = nat inside
e0/0.100 = nat outside

If traffic is originated with the source IP of s0/0, NAT does not occur.
If traffic is originated with the source IP of any other interface, including
interfaces that do not have 'nat inside', NAT occurs.

Weird question: Is there a way to have the source IP of e0/0.100
converted?

Check:

Rack2R1#teln 150.100.1.254 /source-interface Ethernet0/0.60

.Jul 29 07:03:57: NAT: s=148.5.15.1->80.80.80.10, d= 150.100.1.254 [0]
.Jul 29 07:03:57: NAT: s=150.100.1.254, d=80.80.80.10->148.5.15.1 [0]
.Jul 29 07:03:57: NAT: s=148.5.15.1-> 80.80.80.10, d=150.100.1.254 [1]
.Jul 29 07:03:57: NAT: s=148.5.15.1->80.80.80.10, d=150.100.1.254 [2]

teln 150.100.1.254 /source-interface Ethernet0/0.100

User Access Verification

Password:
bb1>sh tcp bri
TCB Local Address Foreign Address (state)
61B92F98 150.100.1.254.23 150.100.1.1.11025 ESTAB
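
As an added example (not part of the thread, and not Cisco's code), here is a small Python check that compares what `debug ip nat` actually shows against what the posted NAT policy says should happen. The policy values (ACL 10, the pool range, the static entry) are copied from the posted config; the debug lines are the ones in the post. The two "observed untranslated" sources are constructed from the poster's description: 148.5.14.1 is the s0/0.14 address that the poster says is not translated, and 150.100.1.1 is the e0/0.100 address seen untranslated in the `sh tcp brief` output on bb1. The order in which the check applies static before dynamic translation, and the first-match/implicit-deny ACL semantics, are the usual IOS behaviour and are assumptions of this example rather than something the thread states.

```python
"""Check observed IOS NAT behaviour against the posted NAT policy.

Constructed example: policy values and debug lines come from the post;
the two untranslated observations are built from the poster's description.
"""
import ipaddress
import re

# access-list 10 permit 148.5.0.0 0.0.255.255
ACL10 = [("permit", "148.5.0.0", "0.0.255.255")]
# ip nat pool Pool 80.80.80.10 80.80.80.20 netmask 255.255.255.0
POOL_START = ipaddress.IPv4Address("80.80.80.10")
POOL_END = ipaddress.IPv4Address("80.80.80.20")
# ip nat inside source static 148.5.111.1 80.80.80.100
STATIC = {"148.5.111.1": "80.80.80.100"}

# Matches only the outbound (inside->outside) debug lines: "s=A->B, d=C".
# The inbound lines ("s=C, d=B->A") have no arrow after s= and are skipped.
DEBUG_RE = re.compile(
    r"NAT: s=(?P<src>[\d.]+)->\s*(?P<xlated>[\d.]+),\s*d=\s*(?P<dst>[\d.]+)"
)

DEBUG_LINES = [  # copied from the post
    ".Jul 29 07:03:57: NAT: s=148.5.15.1->80.80.80.10, d= 150.100.1.254 [0]",
    ".Jul 29 07:03:57: NAT: s=150.100.1.254, d=80.80.80.10->148.5.15.1 [0]",
    ".Jul 29 07:03:57: NAT: s=148.5.15.1-> 80.80.80.10, d=150.100.1.254 [1]",
]
# Constructed from the poster's description: sources seen leaving untranslated.
OBSERVED_UNTRANSLATED = ["148.5.14.1", "150.100.1.1"]


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, addr):
    """Standard ACL evaluation: first matching entry wins, implicit deny at the end."""
    for action, base, wildcard in acl:
        if wildcard_match(addr, base, wildcard):
            return action == "permit"
    return False


def expected_translation(src):
    """What the posted policy says should happen to a packet with this inside source.

    Returns ("static", global_addr), ("pool", None) or ("none", None).
    Static entries are checked before the dynamic pool rule (assumed IOS order).
    """
    if src in STATIC:
        return "static", STATIC[src]
    if acl_permits(ACL10, src):
        return "pool", None  # overloaded pool: any address in the pool range
    return "none", None


def parse_debug(lines):
    """Extract (src, translated_src, dst) from outbound 'debug ip nat' lines."""
    found = []
    for line in lines:
        m = DEBUG_RE.search(line)
        if m:
            found.append((m.group("src"), m.group("xlated"), m.group("dst")))
    return found


def build_observations():
    """Merge translated sources from the debug output with the untranslated ones."""
    obs = {src: xlated for src, xlated, _dst in parse_debug(DEBUG_LINES)}
    for src in OBSERVED_UNTRANSLATED:
        obs.setdefault(src, None)
    return sorted(obs.items())


def check(observed):
    """Return {source: 'consistent' | 'MISMATCH'} comparing observation to policy."""
    verdicts = {}
    for src, xlated in observed:
        kind, fixed = expected_translation(src)
        if kind == "none":
            ok = xlated is None
        elif kind == "static":
            ok = xlated == fixed
        else:  # dynamic pool: must be translated to an address inside the pool
            ok = xlated is not None and POOL_START <= ipaddress.IPv4Address(xlated) <= POOL_END
        verdicts[src] = "consistent" if ok else "MISMATCH"
    return verdicts


if __name__ == "__main__":
    for src, verdict in check(build_observations()).items():
        print(f"{src:<14} {verdict}")
```

Run as-is, the check reports 148.5.15.1 as consistent (it matches ACL 10 and was translated into the pool), 150.100.1.1 as consistent (it is outside ACL 10, so no translation is expected, matching the bb1 `sh tcp brief` output), and 148.5.14.1 as a mismatch: the policy says it should be translated, but the poster reports it is not. The example only surfaces that discrepancy; it does not explain it.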



This archive was generated by hypermail 2.1.4 : Sun Sep 04 2005 - 17:00:32 GMT-3