[c-nsp] NAT with 2 routers

Robert Boyle robert at tellurian.com
Thu Apr 6 23:44:13 EDT 2006


At 11:11 PM 4/6/2006, you wrote:
>I am working with a client who is trying to NAT with 2 routers where
>the NAT outside interface is on one router and the inside NAT IPs/hosts
>are located off the second router. There is a T-1 between the 2 routers.
>I think I need to bridge the T-1s, making the 2 routers on the same LAN
>(no need for the static routes) but I only have remote access and can't
>try any commands that might lock me out. They need to one-to-one
>NAT the radmin port, 4899, to host 10.166.65.50. Here is the config they
>have so far, could someone give me some hints? Am I correct in thinking
>NAT's public and private interfaces must be on the same router?

Inside and outside interfaces must be on the same router. However, 
you can have one router NAT for as many networks as you want behind 
it with as many other routers as you want. You will only be limited 
by the router's CPU, memory, and the number of ports available for 
translation. Why do you want to bridge? It doesn't sound like you 
have a good reason to do so. In fact, I haven't seen a good reason to 
bridge in the past 15 years. Why does router1 have a loopback which 
is the same as e0/0 on router 2? Get rid of the lo1 on router1 and 
get rid of the host route for 10.166.65.50.  With the loopback 
connected, return traffic will never be sent over the T1 line since 
the network is directly connected. I would also recommend using 
(unique) private addresses for the T1 link - set it up as a numbered 
interface. If you lose your link on either side, the T1 will not work.

-Robert



>james
>
>RTR 1:
>
>!
>interface Loopback1
>  ip address 10.166.65.254 255.255.255.0
>  ip nat inside
>!
>interface Ethernet0/0
>  ip address 75.40.171.226 255.255.255.248
>  ip nat outside
>!
>interface Serial0/0
>  ip unnumbered Ethernet0/0
>!
>ip nat inside source list 2 interface Ethernet0/0 overload
>ip nat inside source static tcp 10.166.65.50 4899 75.40.171.226 4899 extendable
>ip classless
>ip route 0.0.0.0 0.0.0.0 75.40.171.230
>ip route 10.166.65.0 255.255.255.0 Serial0/0
>ip route 10.166.65.50 255.255.255.255 Serial0/0
>!
>access-list 2 remark Outbound packets on ethernet
>access-list 2 permit 10.166.65.0 0.0.0.255
>
>
>RTR 2:
>
>
>!
>interface Ethernet0/0
>  ip address 10.166.65.1 255.255.255.0
>  half-duplex
>!
>interface Serial0/0
>  ip unnumbered Ethernet0/0
>!
>ip classless
>ip route 0.0.0.0 0.0.0.0 Serial0/0

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
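
Robert's recommendations applied to the two posted configs, as an added example that is not part of the original thread: Loopback1 and the host route are removed, the T1 becomes a numbered link, and Serial0/0 on RTR 1 becomes the NAT inside interface. The 192.168.255.0/30 link addresses, the RADMIN-IN access list and the 203.0.113.10 management source are assumptions introduced here; the access list goes beyond the thread and limits who can reach the forwarded radmin port.

```cisco
! Added example, not from the thread. 192.168.255.0/30 (T1 link) and
! 203.0.113.10 (management station) are constructed placeholder values.
!
! ----- RTR 1: inside and outside NAT interfaces are both on this router -----
no interface Loopback1
no ip route 10.166.65.50 255.255.255.255 Serial0/0
no ip route 10.166.65.0 255.255.255.0 Serial0/0
!
! Only the management station may reach the forwarded radmin port.
! Inbound ACLs are checked before NAT, so match the public address.
ip access-list extended RADMIN-IN
 permit tcp host 203.0.113.10 host 75.40.171.226 eq 4899
 deny   tcp any host 75.40.171.226 eq 4899
 permit ip any any
!
interface Ethernet0/0
 ip address 75.40.171.226 255.255.255.248
 ip nat outside
 ip access-group RADMIN-IN in
!
! Numbered T1 link; it is now the NAT inside interface.
interface Serial0/0
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
ip nat inside source list 2 interface Ethernet0/0 overload
ip nat inside source static tcp 10.166.65.50 4899 75.40.171.226 4899 extendable
ip route 0.0.0.0 0.0.0.0 75.40.171.230
ip route 10.166.65.0 255.255.255.0 192.168.255.2
access-list 2 permit 10.166.65.0 0.0.0.255
!
! ----- RTR 2: plain routing, no NAT statements -----
interface Ethernet0/0
 ip address 10.166.65.1 255.255.255.0
!
interface Serial0/0
 ip address 192.168.255.2 255.255.255.252
!
no ip route 0.0.0.0 0.0.0.0 Serial0/0
ip route 0.0.0.0 0.0.0.0 192.168.255.1
```

Renumbering Serial0/0 from a remote session interrupts the path across the T1, so issue `reload in <minutes>` on the unsaved config first and `reload cancel` once both routers are reachable again.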


