Static NAT with 2 ISPs on CISCO router

2014-04
  • Alec Tarasoff

    Our company has a block of real ip addresses 91.xxx.xxx.0/24 and has bgp sessions with 2 upstream ISPs. The problem I ran into is that we need to configure static nat on a cisco router, so that 2 servers (10.10.20.10 and 10.10.20.10) were available from the internet with addresses 91.xxx.xxx.10/27 and 91.xxx.xxx.11/27 respectively.

    Below is our network diagram. We use bgp with 2 ISPs. We use /30 networks for each upstream connection. Inside we use 10.10.1.0/24 for our dmz.

    I want to know if it is possible to arrange static nat translation in such a scenario. I will welcome any advice.

    [image: my network]


    Related Question

    Cisco NAT Config for DSL
  • Questioner

    So, we've had the two weeks from hell with a Verizon DSL install -- but after four man days of our time spent, they finally have that working. But, now I'm struggling with our LAN config.

    In short, I have a Verizon DSL connection with 5 static IPs. I want to NAT most of our machines through 1 static IP, and then the balance of static IPs would be used for public facing devices.

    The design is:

    Verizon DSL Modem -> Cisco 2600 E1/0 ... Cisco 2600 E0/0 -> 24 port managed switch

    The 2600's public interface is at 69.24.8.18.

    Below is the config that I currently have tried.

    10.20.60.0-255 is the private addresses for the LAN (e0/0). I would like the Cisco to give these out via DHCP. The dns-server 68.94.156.1 68.94.157.1 are good DNS servers. This all looks to be working fine.

    69.24.8.18-22 are our static IPs with Verizon. 69.24.8.1 is the default route through Verizon. Subnet mask is 255.255.255.0

    69.24.8.18 is the 2600 address as I said. 69.24.8.19 is the NAT pool address for 10.20.60.xxx addresses to share -- but I would love to conserve the IPs and make this pool use the same as the router address (69.24.8.18). I think that's possible, right?

    192.168.1.1 is the address of the Verizon DSL Router. 192.168.1.10 is the address of the Cisco on that segment for convenience sake.

    The switch is where I'd like to plug in all VoIP phones, and computers into ... whether they have a 10.20.60.xxx or have a public address (e.g., 69.24.8.20-22). Is that doable?

    This can't be that hard -- but I'm thinking I'm pretty lame. Any advice?

    Thanks!

    Neil


    Cisco-2600#wr
    Building configuration...
    [OK]
    Cisco-2600#sho run
    Building configuration...

    Current configuration : 2126 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    !
    hostname Cisco-2600
    !
    logging buffered 4096 debugging
    no logging console
    enable secret 5 $1$bNtd$Zc9axgSjxOr4nrts9kJVb/
    enable password 7 010109114F0E0B0A
    !
    !
    !
    !
    !
    memory-size iomem 15
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip source-route
    ip dhcp excluded-address 10.20.60.1 10.20.60.99
    ip dhcp excluded-address 10.20.60.200 10.20.60.254
    !
    ip dhcp pool dhcp-MainLAN
       network 10.20.60.0 255.255.255.0
       domain-name something.com
       default-router 10.20.60.1
       dns-server 68.94.156.1 68.94.157.1
       lease 0 2
    !
    no ip bootp server
    !
    !
    !
    interface Loopback1
     no ip address
    !
    interface Ethernet0/0
     description Lakefield Private LAN
     ip address 10.20.60.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     ip nat inside
     no ip mroute-cache
     half-duplex
     no cdp enable
    !
    interface Ethernet0/1
     no ip address
     no ip redirects
     no ip mroute-cache
     shutdown
     half-duplex
     no cdp enable
    !
    interface Ethernet1/0
     description Verizon-DSL
     ip address 69.24.8.18 255.255.255.0
     ip nat outside
     no ip mroute-cache
     half-duplex
     no cdp enable
    !
    router rip
     network 10.0.0.0
     network 69.0.0.0
    !
    ip nat pool NAT-Pool 69.24.8.19 69.24.8.19 netmask 255.255.255.0
    ip nat inside source list 1 pool NAT-Pool overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 69.24.8.1
    no ip http server
    !
    logging trap debugging
    logging facility local0
    access-list 1 permit 10.20.60.0 0.0.0.255
    no cdp run
    snmp-server engineID local 000000090200003080F34140
    snmp-server community RO RO
    snmp-server community Cisco-2600 RO
    snmp-server community public RO
    banner login ^CC

    * This is a private network. No *
    * unauthorized usage without *
    * permission. Thank you. *

    ^C
    !
    line con 0
     exec-timeout 60 0
     login
    line aux 0
    line vty 0 4
     exec-timeout 1440 0
     password 7 0519091A3549430C
     login
    !
    ntp clock-period 17179828
    ntp server 192.6.38.127
    end
    Cisco-2600#


  • Related Answers
  • SirStan

    This can't be that hard -- but I'm thinking I'm pretty lame. Any advice?

    I hate to suggest something non-cisco, but you are running older end of life'd Cisco routers -- so I will. When my PIX 506e burned up, I replaced it with a tinsy system from LogicSupply running Vyatta and have been nothing but impressed.

    I just shipped out a production VMWare machine running 6 static IPs, 3 internal networks (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24), all natting out of one IP, and all 6 external IPs randomly port forwarding inward with no respect for any one to one mappings.

    If you had a spare machine you could replace the 2600 with, or purchase something solid state from LogicSupply -- you would be extremely impressed with Vyatta .. and want to shoot yourself in the foot for using the 2600 for anything but a doorstop.

    password 7 0519091A3549430C

    It goes without saying -- but you've posted your private IPs, router, router config, and hashed password online. You're going to change that password, right?

  • Questioner

    Here's what I ended up with if anyone needs this for the future...

    Current configuration : 3119 bytes
    !
    version 12.1
    no service single-slot-reload-enable
    service timestamps debug datetime
    service timestamps log datetime
    service password-encryption
    !
    hostname Xplain-2600
    !
    logging buffered 4096 debugging
    no logging console
    enable secret [snipped]
    enable password [snipped]
    !
    !
    !
    !
    !
    memory-size iomem 15
    clock timezone PST -8
    clock summer-time PDT recurring
    ip subnet-zero
    no ip source-route
    ip dhcp excluded-address 192.168.2.1 192.168.2.127
    ip dhcp excluded-address 192.168.2.192 192.168.2.254
    !
    ip dhcp pool dhcp-MainLAN
       network 192.168.2.0 255.255.255.0
       domain-name xplain.com
       default-router 192.168.2.1
       dns-server 68.238.96.12 68.238.64.12
       lease 0 2
    !
    no ip bootp server
    !
    !
    !
    interface Loopback1
     no ip address
    !
    interface Ethernet0/0
     description Lakefield Private LAN
     ip address 192.168.2.1 255.255.255.0
     no ip redirects
     no ip proxy-arp
     ip nat inside
     no ip mroute-cache
     half-duplex
     no cdp enable
    !
    interface Ethernet0/1
     no ip address
     no ip redirects
     no ip mroute-cache
     shutdown
     half-duplex
     no cdp enable
    !
    interface Ethernet1/0
     description Verizon-DSL
     ip address 98.211.4.130 255.255.255.0
     ip nat outside
     no ip mroute-cache
     half-duplex
     no cdp enable
    !
    ip nat inside source list 1 interface Ethernet1/0 overload
    ip nat inside source static 192.168.2.10 98.211.4.131 extendable
    ip nat inside source static 192.168.2.22 98.211.4.132 extendable
    ip nat inside source static tcp 192.168.2.200 407 98.211.4.134 860 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 98.211.4.1
    no ip http server
    !
    logging trap debugging
    logging facility local0
    access-list 1 permit 192.168.2.128 0.0.0.63
    access-list 1 permit 192.168.2.64 0.0.0.63
    access-list 1 permit 192.168.2.192 0.0.0.63
    access-list 1 permit 192.168.2.0 0.0.0.63
    no cdp run
    snmp-server engineID local 000000090200003080F34140
    snmp-server community RO RO
    snmp-server community Xplain-2600 RO
    snmp-server community public RO
    banner login ^CC

    * This is a private network. No *
    * unauthorized usage without *
    * permission. Thank you. *

    ^C
    !
    line con 0
     exec-timeout 60 0
     login
    line aux 0
    line vty 0 4
     exec-timeout 1440 0
     password [snipped]
     login
    !
    ntp clock-period 17179828
    ntp server 192.6.38.127
    end
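An added example, not part of any post in this thread: a small Python audit that parses an IOS running-config excerpt like the final one above, lists its static NAT rules, expands the overload ACL to confirm what it actually covers (the four /26 permit lines collapse to 192.168.2.0/24), and flags the two things SirStan's answer points at, type 7 passwords and well-known SNMP community strings. The excerpt is constructed from that post with the secrets replaced by placeholders.

```python
import ipaddress
import re

# Constructed excerpt modelled on the final running-config posted above; secrets are placeholders.
CONFIG = """\
enable secret 5 PLACEHOLDER
enable password 7 PLACEHOLDER
ip nat inside source list 1 interface Ethernet1/0 overload
ip nat inside source static 192.168.2.10 98.211.4.131 extendable
ip nat inside source static 192.168.2.22 98.211.4.132 extendable
ip nat inside source static tcp 192.168.2.200 407 98.211.4.134 860 extendable
access-list 1 permit 192.168.2.128 0.0.0.63
access-list 1 permit 192.168.2.64 0.0.0.63
access-list 1 permit 192.168.2.192 0.0.0.63
access-list 1 permit 192.168.2.0 0.0.0.63
snmp-server community RO RO
snmp-server community public RO
line vty 0 4
 password 7 PLACEHOLDER
"""

STATIC_RE = re.compile(r"^ip nat inside source static(?: (tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: (\d+))?")
ACL_RE = re.compile(r"^access-list (\d+) permit (\S+) (\S+)")

def static_nats(cfg):
    """Return (proto, inside_ip, inside_port, global_ip, global_port) for each static rule."""
    rules = []
    for m in filter(None, map(STATIC_RE.match, cfg.splitlines())):
        proto, lo, lp, go, gp = m.groups()  # ports are None for plain one-to-one mappings
        rules.append((proto or "ip", lo, int(lp) if lp else None, go, int(gp) if gp else None))
    return rules

def acl_networks(cfg, number):
    """Expand a standard ACL's permit lines (address + wildcard mask) and collapse them."""
    nets = []
    for m in [m for m in map(ACL_RE.match, cfg.splitlines()) if m and m.group(1) == number]:
        wild = int(ipaddress.IPv4Address(m.group(3)))  # wildcard mask: 1 bits are "don't care"
        assert (wild + 1) & wild == 0, "non-contiguous wildcard masks are not handled here"
        nets.append(ipaddress.ip_network(f"{m.group(2)}/{32 - wild.bit_length()}", strict=False))
    return list(ipaddress.collapse_addresses(nets))

def findings(cfg):
    """Flag what a reviewer of the posted config would raise (cf. SirStan's answer)."""
    issues = []
    for s in (line.strip() for line in cfg.splitlines()):
        if re.search(r"\bpassword 7 \S+", s):
            issues.append("type 7 password is reversibly encoded, not hashed: " + s)
        elif re.match(r"snmp-server community (public|private|ro|rw) ", s, re.I):
            issues.append("default or guessable SNMP community string: " + s)
    return issues
```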