OK, this has been a fun day in the lab! Truly!

To emulate a customer network so I can solve a particular customer problem,
I have to emulate a multiport PIX on one of my routers. How to do so?

That is, how to have multiple outside NAT pools, such that a translation out
one interface is different from a translation out another interface?

The problem: to simulate such that there is the Internet out one interface,
and a business partner extranet out another. Obviously, Internet-bound
traffic has to have public IP addresses, and the extranet traffic has to
appear as a certain private subnet.

The other problem is that the inside network consists of a number of "branch
offices", each connected to the central site via frame relay point-to-point
subinterfaces. (Well, the customer's real network is ATM, but the principle
is the same.)

Can it be done?

Start with a search of CCO. Lots of hits using the term "nat", but one hit
in particular looks promising:

http://www.cisco.com/warp/public/556/index.shtml

Scroll down the page and see this link:

http://www.cisco.com/warp/public/105/nat_routemap.html

Read it a while, think about it, draw up a plan, test it out. Had to do a
bit of tweaking, but damn! It works exactly the way I need it to work!

Neat!!!!!

interface Ethernet0
 ip address 129.1.1.4 255.255.255.0
 ip nat outside
!
interface TokenRing0
 ip address 10.1.1.254 255.255.255.252
 ip nat outside
 ring-speed 4
!
!!!!! NOTE the two interfaces identified as NAT outside !!!!!!!
!
interface Serial0
 no ip address
 encapsulation frame-relay
 no fair-queue
!
interface Serial0.1 point-to-point
 description SOMHC
 ip address 172.31.250.29 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 201
!
interface Serial0.2 point-to-point
 description NAHC
 ip address 172.31.250.1 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 202
!
interface Serial0.3 point-to-point
 description SAFMC
 ip address 172.31.250.9 255.255.255.252
 ip nat inside
 frame-relay interface-dlci 203
!
interface Loopback0
 ip address 172.31.1.1 255.255.255.255
 ip nat inside
!
!
!!!!!!!!!!! Note the four interfaces identified as NAT inside !!!!!!!
!
!
interface Serial1
 no ip address
 shutdown
!
router eigrp 999
 passive-interface Ethernet0
 passive-interface Loopback0
 passive-interface TokenRing0
 network 172.31.0.0
 no auto-summary
 no eigrp log-neighbor-changes
!
!
! Two outside pools: public addresses toward the Internet, RFC 1918 space
! toward the partner extranet.
ip nat pool 2internet 75.1.1.65 75.1.1.94 netmask 255.255.255.224
ip nat pool 2extranet 10.1.2.10 10.1.2.50 netmask 255.255.255.0
!
! Pool selection by route-map instead of a plain access-list: the route-map's
! extended ACL can match on destination, so the destination decides the pool.
ip nat inside source route-map intointernet pool 2internet
ip nat inside source route-map intoextranet pool 2extranet
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 10.1.1.1 255.255.255.255 TokenRing0
ip route 172.31.3.0 255.255.255.0 Serial0.2
ip route 172.31.5.0 255.255.255.0 Serial0.3
ip route 172.31.10.0 255.255.255.0 Serial0.1
no ip http server
!
! ACL 171: inside sources to anything except the extranet host 10.1.1.1.
! ACL 172: inside sources to the extranet host 10.1.1.1 only.
! The two are disjoint, so a flow from 172.31.0.0/16 matches exactly one
! route-map; a flow from any other source matches neither and is not
! translated at all.
access-list 171 deny   ip 172.31.0.0 0.0.255.255 host 10.1.1.1
access-list 171 permit ip 172.31.0.0 0.0.255.255 any
access-list 172 permit ip 172.31.0.0 0.0.255.255 host 10.1.1.1
route-map intointernet permit 10
 match ip address 171
!
route-map intoextranet permit 10
 match ip address 172
!
Check out the two different outputs of the show ip nat trans command: have
to use extended ping to get the source addresses for the various interfaces.

to the internet:

SFCCC_Central#ping
Protocol [ip]:
Target IP address: 65.20.35.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loop 0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 65.20.35.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 12/14/16 ms

SFCCC_Central#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 75.1.1.65:9704    172.31.1.1:9704    65.20.35.1:9704    65.20.35.1:9704
icmp 75.1.1.65:9705    172.31.1.1:9705    65.20.35.1:9705    65.20.35.1:9705
icmp 75.1.1.65:9706    172.31.1.1:9706    65.20.35.1:9706    65.20.35.1:9706
icmp 75.1.1.65:9707    172.31.1.1:9707    65.20.35.1:9707    65.20.35.1:9707
icmp 75.1.1.65:9708    172.31.1.1:9708    65.20.35.1:9708    65.20.35.1:9708

to the business partner extranet:

SFCCC_Central#ping
Protocol [ip]:
Target IP address: 10.1.1.1
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: loop 0
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 8/8/8 ms

SFCCC_Central#sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.2.10:9102    172.31.1.1:9102    10.1.1.1:9102      10.1.1.1:9102
icmp 10.1.2.10:9103    172.31.1.1:9103    10.1.1.1:9103      10.1.1.1:9103
icmp 10.1.2.10:9104    172.31.1.1:9104    10.1.1.1:9104      10.1.1.1:9104
icmp 10.1.2.10:9105    172.31.1.1:9105    10.1.1.1:9105      10.1.1.1:9105
icmp 10.1.2.10:9106    172.31.1.1:9106    10.1.1.1:9106      10.1.1.1:9106

In the customer network I won't have the issue because 1) multiple NATs can
be set up on multiple PIX interfaces and 2) the policy routing will set the
IP next hops to the correct VLAN trunk interface.

Damn it is so much fun to research, find a hint, and work through the
problem!

Chuck
183 and counting down




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=45602&t=45602
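Editor's added example, not part of Chuck's post: a small Python model of the route-map NAT policy in the config above (Cisco wildcard-mask ACL matching, route-map pool selection), run over the two "sh ip nat trans" dumps pasted in the post to check that every translation came out of the pool the policy calls for. The IOS behaviour is taken only from the posted config and outputs; the helper names (wildcard_match, select_pool, audit, and so on) and the "first matching route-map wins" ordering are this example's own assumptions, and the one deliberately wrong row in the usage is constructed.

```python
# Added example (editor's code, not from the original post). Models the
# route-map NAT pool selection of the posted config and audits the posted
# "sh ip nat trans" output against it.
import ipaddress
import re

# access-list number -> entries (action, src, src_wildcard, dst, dst_wildcard),
# copied from the posted config. "any" is written as 0.0.0.0/255.255.255.255.
ACL = {
    171: [("deny",   "172.31.0.0", "0.0.255.255", "10.1.1.1", "0.0.0.0"),
          ("permit", "172.31.0.0", "0.0.255.255", "0.0.0.0",  "255.255.255.255")],
    172: [("permit", "172.31.0.0", "0.0.255.255", "10.1.1.1", "0.0.0.0")],
}
# (route-map, match ACL, pool) in the order of the "ip nat inside source"
# statements. The two ACLs are disjoint, so order is irrelevant here; with
# overlapping ACLs this model assumes the first match wins.
ROUTE_MAPS = [("intointernet", 171, "2internet"),
              ("intoextranet", 172, "2extranet")]
POOLS = {"2internet": ("75.1.1.65", "75.1.1.94"),
         "2extranet": ("10.1.2.10", "10.1.2.50")}


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return (_ip(addr) & ~_ip(wildcard)) == (_ip(base) & ~_ip(wildcard))


def acl_permits(acl_id, src, dst):
    """Evaluate an extended ACL top-down with the implicit deny at the end."""
    for action, s, sw, d, dw in ACL[acl_id]:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action == "permit"
    return False


def select_pool(src, dst):
    """Pool a src->dst flow is translated into, or None when no route-map
    matches (the packet would leave with its inside address untouched)."""
    for _name, acl_id, pool in ROUTE_MAPS:
        if acl_permits(acl_id, src, dst):
            return pool
    return None


def in_pool(addr, pool):
    lo, hi = (_ip(x) for x in POOLS[pool])
    return lo <= _ip(addr) <= hi


# One extended entry of "sh ip nat trans": protocol, then four addr:port columns.
_ROW = re.compile(r"^(\w+)\s+(\S+?):(\d+)\s+(\S+?):(\d+)\s+(\S+?):(\d+)\s+(\S+?):(\d+)$")


def parse_nat_trans(text):
    """Parse the extended rows of a translation dump; header/prompt lines skip."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append({"proto": m.group(1), "inside_global": m.group(2),
                         "inside_local": m.group(4), "outside_global": m.group(8)})
    return rows


def audit(show_output):
    """Per translation: (inside_local, outside_global, expected_pool,
    inside_global, ok). ok is False when no route-map matched the flow or the
    inside global address is not drawn from the expected pool."""
    results = []
    for row in parse_nat_trans(show_output):
        expected = select_pool(row["inside_local"], row["outside_global"])
        ok = expected is not None and in_pool(row["inside_global"], expected)
        results.append((row["inside_local"], row["outside_global"],
                        expected, row["inside_global"], ok))
    return results


# Rows copied from the two dumps in the post (three of the five each).
INTERNET_TRANS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 75.1.1.65:9704    172.31.1.1:9704    65.20.35.1:9704    65.20.35.1:9704
icmp 75.1.1.65:9705    172.31.1.1:9705    65.20.35.1:9705    65.20.35.1:9705
icmp 75.1.1.65:9706    172.31.1.1:9706    65.20.35.1:9706    65.20.35.1:9706
"""
EXTRANET_TRANS = """\
Pro Inside global      Inside local       Outside local      Outside global
icmp 10.1.2.10:9102    172.31.1.1:9102    10.1.1.1:9102      10.1.1.1:9102
icmp 10.1.2.10:9103    172.31.1.1:9103    10.1.1.1:9103      10.1.1.1:9103
icmp 10.1.2.10:9104    172.31.1.1:9104    10.1.1.1:9104      10.1.1.1:9104
"""
# Constructed bad row: an Internet-bound flow shown with an extranet address.
BAD_TRANS = "icmp 10.1.2.10:1       172.31.1.1:1       65.20.35.1:1       65.20.35.1:1"

if __name__ == "__main__":
    for label, dump in (("internet", INTERNET_TRANS), ("extranet", EXTRANET_TRANS),
                        ("constructed", BAD_TRANS)):
        for local, remote, pool, glob, ok in audit(dump):
            print(f"{label}: {local} -> {remote} via {pool} as {glob}:",
                  "OK" if ok else "WRONG POOL")
    print("untranslated source:", select_pool("192.168.1.1", "65.20.35.1"))
```

Two things the model makes visible that the dumps alone do not: a source outside 172.31.0.0/16 matches neither route-map and leaves untranslated, and a destination on the partner side other than the single host 10.1.1.1 falls through ACL 171's permit and takes a public address from the Internet pool, so the policy is exactly as narrow as the host entry in access-list 171 and 172.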