
Author Can a Cisco 2500 do NAT?
Boulware5

2004-01-29, 3:01 pm

Just wondering... Because if it can, couldn't you use it as your cable modem router?
edmonds_robert

2004-01-29, 5:24 pm

As long as you are running the correct IOS version, then yes, it does support NAT. Take a look at Cisco's feature navigator to determine the correct IOS version for your particular router.
Boulware5

2004-01-29, 10:21 pm

Has anyone used a 2500 for their cable/dsl router? I'm trying to think where the RJ-45 cable modem would plug into a 2500.. Could you plug it into a serial port with a connector?
NewTecker

2004-01-30, 8:14 pm

Your cable router is most likely using an ethernet connection. So if you put two and two together you can assume you would plug it into an ETHERNET PORT.
Boulware5

2004-01-30, 11:24 pm

quote:
Originally posted by NewTecker
Your cable router is most likely using an ethernet connection. So if you put two and two together you can assume you would plug it into an ETHERNET PORT.


Ermmm... The 2500 doesn't have an ethernet port if I remember correctly. Soooooo... How would you plug the cable modem into the 2500. There a serial to RJ-45 type of converter? I know a transceiver plugs into an AUI port, but not necessarily the serial port.
NewTecker

2004-01-31, 12:24 am

What is the exact 2500 series router you have? 2501? 2514? 2524? 25xx. Some 2500 series routers have RJ-45 jacks for the ethernet connections. I used to have a 2524 that had a single RJ-45 jack instead of the AUI port. The 2505 router comes with an 8 port hub with 8 RJ-45 jacks. If your router has an AUI port on it, then you get the AUI transceiver and connect it to those.

Now of course if you have only a single ethernet port I suppose you could connect your cable modem directly to a hub or switch along with the router and all the other devices on the LAN. Then assign each device on the LAN an IP address and the default gateway to a sub interface on the ethernet port. Then have another sub interface on the ethernet interface assigned an IP from the ISP.
Joe Dali

2004-01-31, 12:33 am

I don't think a 2500 can talk to Cox, Comcast, AT&T through its S or E port and do what you are trying to do - which is get a dynamically assigned address, and share that connection using NAT.

Perhaps if you connected the WAN connection link to an ethernet port on the 2500, and configured it with an IP config that matches what your ISP gives you, and set up routes to forward.

I dunno, I'm just a caveman with IOS trauma.

How many E ports do you have on yer router?
Boulware5

2004-01-31, 12:43 am

quote:
Originally posted by NewTecker
What is the exact 2500 series router you have? 2501? 2514? 2524? 25xx. Some 2500 series routers have RJ-45 jacks for the ethernet connections. I used to have a 2524 that had a single RJ-45 jack instead of the AUI port. The 2505 router comes with an 8 port hub with 8 RJ-45 jacks. If your router has an AUI port on it, then you get the AUI transceiver and connect it to those.

Now of course if you have only a single ethernet port I suppose you could connect your cable modem directly to a hub or switch along with the router and all the other devices on the LAN. Then assign each device on the LAN an IP address and the default gateway to a sub interface on the ethernet port. Then have another sub interface on the ethernet interface assigned an IP from the ISP.



Well I don't have any right now. I might just get the Cisco uBR924 for my broadband needs. I was hesitant before because I didn't know the IOS. But I am learning it more and more every day. Thing is... I asked my ISP if they support the Cisco uBR cable modem and they said they don't but might work (but they can't guarantee it does.) The modem is standards-based DOCSIS and that's the standard most ISP's use, so shouldn't it work?
xakeP

2004-01-31, 6:18 pm

yes, you can.

I have a 2514 and I used it back when I had cable internet. Make sure you have IOS 12.x so it can support NAT. I had e0 connected to the cable modem and received the IP via cable modem DHCP, and e1 was my home DHCP server and NAT.

So I know for sure the 2514 will do NAT and be better than any broadband router you can buy at CompUSA.

Unfortunately I could not get my router to play nice with my MSN DSL.
Boulware5

2004-01-31, 8:29 pm

Now I can't decide if I want to try what xakeP says or just get the Cisco uBR. I do not know how to set up NAT on the IOS yet, though.
Joe Dali

2004-01-31, 8:46 pm

NAT page:

http://www.cisco.com/pcgi-bin/Suppo...rnetworking:NAT

Introduction
This document provides a sample configuration for Network Address Translation on cable modems.

Before You Begin
Conventions
For more information on document conventions, see the Cisco Technical Tips Conventions.

Prerequisites
In a typical deployment of cable modem technology, Network Address Translation (NAT) is used by end customers who have:

A mid-sized network behind their cable modems

Have more IP hosts than they do registered public IP addresses

In such a scenario, private IP addresses are assigned to the hosts on the internal network, and NAT is configured on the cable modem to translate those private addresses into one or more public addresses.

Components Used
To configure NAT on a Cisco uBR900 series cable modem, the cable modem must be configured in routing mode, not bridging mode.

In implementation, all versions of the Cisco IOS available on the Cisco uBR900 series support NAT. For the configuration below we used Cisco IOS Version 12.1(6) in our uBR904.

Background Theory
In its simplest configuration, NAT operates on a router connecting two networks together.

One of these networks (designated as inside) is addressed with either private or obsolete addresses that need to be converted into legal addresses before packets are forwarded onto the other network (designated as outside).

Translation operates in conjunction with routing, so that NAT can simply be enabled on a customer-side Internet access router, such as the Cisco uBR900 series of cable access routers, when translation is desired. Use of a NAT device provides RFC 1631-style network address translation on the router platform. RFC 1631 represents a subset of Cisco IOS® NAT functionality. When properly configured, NAT should be transparent to the end user.

Configure
In this section, you are presented with the information to configure the features described in this document.

Note: To find additional information on the commands used in this document, use the IOS Command Lookup tool

Network Diagram
This document uses the network setup shown in the diagram below.



Configurations
uBR900

version 12.1
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname ubr904
!
enable password ww
!
!
!
!
!
clock timezone - -8
ip subnet-zero
no ip finger
!
!
!
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
 !-- Ip address of the Ethernet
 ip nat inside
 !-- inside network with private addresses
!
interface cable-modem0
 !-- Some ios releases show the command ip address
 !-- negotiated, others show the ip address
 ip nat outside
 !-- outside network with public addresses
 cable-modem downstream saved channel 555000000 42 1
 cable-modem mac-timer t2 80000
 no cable-modem compliant bridge
 !-- Put cable modem in routing mode, not bridging mode
!
ip default-gateway 172.16.30.1
ip nat inside source list 1 interface cable-modem0 overload
!-- enable NAT
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.30.1
!-- Default route for IP packets
ip http server
!
access-list 1 permit 10.1.1.0 0.0.0.255
!-- list of specific inside addresses to translate
snmp-server manager
!
line con 0
 transport input none
line vty 0 4
 password ww
 login
!
end




Note: Cable-modem 0 interface does not show any information about the ip address. The cable interface sometimes shows the ip address (in this case it would be ip address 172.16.30.20 255.255.255.0). In later releases of the Cisco IOS there is a command that reads "ip address negotiated" or "ip address docsis". This depends on the cable modem platform and the Cisco IOS release.

If using a Cable Modem with a limited amount of memory such as the uBR924 (default 16 Meg) it's recommended that the following global configuration be added:

ip nat translation max-entries 6000
Verify
Useful commands that can be used to make sure that NAT is working properly are:

sh ip interface brief

sh ip nat translation

sh ip nat statistics

debug ip nat [ <list> ] [ detailed]

First we do a show ip interface brief on the ubr904 to see the interfaces are up:

ubr904#sh ip int brie
Interface IP-Address OK? Method Status Protocol
Ethernet0 10.1.1.1 YES manual up up
cable-modem0 172.16.30.20 YES unset up up


We can also see the arp table by doing sh arp

ubr904#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.2 23 0010.7964.e43c ARPA Ethernet0
Internet 10.1.1.1 - 0010.7bed.9b44 ARPA Ethernet0
Internet 172.16.30.1 20 00b0.8ef5.9070 ARPA cable-modem0
Internet 172.16.30.20 - 0010.7bed.9b45 ARPA cable-modem0


Another useful show command is sh ip route

ubr904#sh ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route

Gateway of last resort is 172.16.30.1 to network 0.0.0.0

172.16.0.0/24 is subnetted, 1 subnets
C 172.16.30.0 is directly connected, cable-modem0
10.0.0.0/24 is subnetted, 1 subnets
C 10.1.1.0 is directly connected, Ethernet0
S* 0.0.0.0/0 [1/0] via 172.16.30.1

The command sh ip nat statistics allows you to see how many hits and misses NAT has had since the table was last cleared.

ubr904#sh ip nat stat
Total active translations: 3 (0 static, 3 dynamic; 3 extended)
Outside interfaces:
cable-modem0
Inside interfaces:
Ethernet0
Hits: 65 Misses: 13
Expired translations: 10
Dynamic mappings:
-- Inside Source
access-list 1 interface cable-modem0 refcount 3


Troubleshoot
To verify the above configuration, enable debug ip nat detail and generate some traffic from the client. In this case, we initiated a Telnet session from the PC with IP address 10.1.1.2 to a server behind the CMTS with an address 172.16.135.11.

ubr904#deb ip nat detailed
IP NAT detailed debugging is on
ubr904#
06:25:18: NAT: Allocated Port for 10.1.1.2 -> 172.16.30.20: wanted 7435 got 7435
06:25:18: NAT: i: icmp (10.1.1.2, 7435) -> (172.16.135.11, 7435) [245]
06:25:18: NAT*: o: icmp (172.16.135.11, 7435) -> (172.16.30.20, 7435) [245]
06:25:18: NAT: Allocated Port for 10.1.1.2 -> 172.16.30.20: wanted 7436 got 7436
06:25:18: NAT: i: icmp (10.1.1.2, 7436) -> (172.16.135.11, 7436) [246]
06:25:18: NAT*: o: icmp (172.16.135.11, 7436) -> (172.16.30.20, 7436) [246]
06:25:18: NAT: Allocated Port for 10.1.1.2 -> 172.16.30.20: wanted 7437 got 7437
06:25:18: NAT: i: icmp (10.1.1.2, 7437) -> (172.16.135.11, 7437) [247]
06:25:18: NAT*: o: icmp (172.16.135.11, 7437) -> (172.16.30.20, 7437) [247]
06:25:18: NAT: Allocated Port for 10.1.1.2 -> 172.16.30.20: wanted 7438 got 7438
06:25:18: NAT: i: icmp (10.1.1.2, 7438) -> (172.16.135.11, 7438) [248]
06:25:18: NAT*: o: icmp (172.16.135.11, 7438) -> (172.16.30.20, 7438) [248]
06:25:18: NAT: Allocated Port for 10.1.1.2 -> 172.16.30.20: wanted 7439 got 7439
06:25:18: NAT: i: icmp (10.1.1.2, 7439) -> (172.16.135.11, 7439) [249]
06:25:18: NAT*: o: icmp (172.16.135.11, 7439) -> (172.16.30.20, 7439) [249]
ubr904#
Notice in the debug that the client (10.1.1.2) is sending icmp packets to the destination of the ping (172.16.135.11). In this case the router is allocating ports to do the NAT.

We can also enable sh ip nat translation to see how NAT did its job.

ubr904#sh ip nat translation
Pro Inside global Inside local Outside local Outside global
icmp 172.16.30.20:7435 10.1.1.2:7435 172.16.135.11:7435 172.16.135.11:7435
icmp 172.16.30.20:7436 10.1.1.2:7436 172.16.135.11:7436 172.16.135.11:7436
icmp 172.16.30.20:7437 10.1.1.2:7437 172.16.135.11:7437 172.16.135.11:7437
icmp 172.16.30.20:7438 10.1.1.2:7438 172.16.135.11:7438 172.16.135.11:7438
icmp 172.16.30.20:7439 10.1.1.2:7439 172.16.135.11:7439 172.16.135.11:7439
ubr904#


Note: For a detailed explanation on this output read NAT: Local and Global Definitions


smrkdown

2004-01-31, 8:47 pm

The uBR924's work great as cable modems and should work with most ISP's services. The only problem is if you want to use it as a cable modem and router at the same time. In a regular set-up, the cable modem gets the private IP and acts as a bridge between a separate router which gets the public IP and assigns privates to the PC's and does NAT. When you only have the uBR, you'd have to get your ISP to assign the public IP directly to the uBR and their tftp server would have to be able to send the DOCSIS config file to that public IP. That can be a problem. Then you'd have to configure routing and a DHCP server on the uBR. Basically, it probably won't work using the one device as both a modem and router at the same time.
Boulware5

2004-01-31, 9:00 pm

Out of curiosity, does the CCNA expect you to be able to configure NAT? Or is that more CCNP territory?
Joe Dali

2004-01-31, 10:07 pm

The test wants you to understand the address ranges used in NAT, and the concept of Overloading.

Specific commands are prolly not required, this I gather from the stuff I'm studying as I type, and watching ugly lesbos getting arrested on Cops.
Boulware5

2004-01-31, 10:23 pm

quote:
Originally posted by Joe Dali
The test wants you to understand the address ranges used in NAT, and the concept of Overloading.

Specific commands are prolly not required, this I gather from the stuff I'm studying as I type, and watching ugly lesbos getting arrested on Cops.



Yeah I was watching that too, LOL.
Joe Dali

2004-01-31, 10:37 pm

Scary stuff man ... I'm reading a popular CCNA guide tonight (an exam notes sponsor) and I came across the overloading question. I don't see any specific NAT config commands.
darthfeces

2004-02-01, 1:51 am

guys this isn't that hard .....

if you have a 2500 with two aui (or ethernet) configure one to be a dhcp client plugged into the cable/dsl modem and route the other ethernet.

or configure nat between the two interfaces

or if you have one ethernet do "nat on a stick" by plugging both the inside and outside into a hub or switch.

http://makeashorterlink.com/?D1AA52247
Joe Dali

2004-02-01, 8:38 am

Dang Darth, you are right. Hey I was 50% right in my post ... i figured if he had 2 Ethernet ports, it would be doable. I guess I can do it with my 3640, but the Linksys is so much easier, and working great ... :]
Kacela

2004-02-01, 9:35 am

I had a uBR904 cable modem which used to work great - then one day it wouldn't get a DHCP address. I called my cable company and they told me it was no longer supported by their head-end unit. They told me they weren't able to "cap" the throughput on the uBR904, so it was disabled from their end. I didn't realize it at the time, but I was getting at least full T1 speeds both ways! I went to Circuit City and bought a Motorola Surfboard - works fine now, but I'm a regular 356k shlub now. BTW, my cable company is Optimum Online in southern Connecticut.
Joe Dali

2004-02-01, 5:13 pm

I found 2 useful configs on this topic ...

I have tried to use a config that I found on Packetattack.com to
configure my 3620 for my Comcast internet provider. I have it connected
through a 3550 switch to my cable modem. I have changed the local
network ip's to match what already works for me.

I can see through the switch to other hosts on my network, but I cannot
reach the web from any of my computers.

Can anyone give me half a clue what is missing/wrong?

Thanks,
SPN

config follows except for passwords and usernames.

--
!
! begin configuration here
!
!
version 12.1
!
clock timezone EST -3
ip subnet-zero
!
!Use your favorite nameserver either ISP or other
!
ip name-server 68.38.224.5
ip name-server 68.39.224.6
!
!Use the router as a DHCP server for your network
!
no ip dhcp conflict logging
!
! exclude a range for your printers, router and any other static device
!
ip dhcp excluded-address 10.1.1.1 10.1.1.9
!
ip dhcp pool DHCP-POOL
network 10.1.1.0 255.255.255.0
domain-name cox.rr.com
dns-server 24.28.192.64 24.28.192.65
default-router 10.1.1.1
!
!
interface Ethernet0/0
description Outside interface to COX/RR
!
!This will force the assigned MAC(if needed) to the Ethernet interface
!
mac-address 0050.9999.c3be
ip address dhcp
ip nat outside
ip access-group 107 in
!
interface Ethernet0/1
description Inside interface to your network
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface Ethernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0
no http server
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
!Access list 107 will deny private IP ranges from outside your network
!to come in as a security measure. It also denies ICMP PINGs to help *hide*
!the router from scanners. Lastly it denies the FINGER protocol.
!
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
access-list 107 deny icmp any any echo log
access-list 107 deny tcp any any eq finger
access-list 107 permit ip any any
! no cdp run


========================================

This is (with some cuts) the 2514 (12.2.12) config i am using for my
cable provider. Works fine for me. As you see there is no ip routing
statement - the box decides for itself (via dhcp client) that the router
on the outside interface is the gateway of last resort. Which is good,
since i have no way of knowing it in advance.

interface Ethernet0
mac-address 0060.xxxx.xxxx
ip address dhcp client-id Ethernet0
ip nat outside
!
interface Ethernet1
ip address 192.168.24.2 255.255.255.0
ip nat inside
!
ip nat inside source list 7 interface Ethernet0 overload
!
access-list 7 permit 192.168.24.0 0.0.0.255
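
An added example, not part of the posts above and not code from either quoted config: a short Python audit of the source-address deny entries in access-list 107, comparing what each address/wildcard pair really matches against the ranges the config's comment says it filters. The `INTENDED` list and the function names are this example's own assumptions.

```python
import ipaddress
import re

# Constructed input: the source-address deny entries of access-list 107 as posted.
ACL_107 = """\
access-list 107 deny ip 10.0.0.0 0.255.255.255 any log
access-list 107 deny ip 172.0.0.0 0.255.255.255 any log
access-list 107 deny ip 127.0.0.0 0.255.255.255 any log
access-list 107 deny ip 255.0.0.0 0.255.255.255 any log
access-list 107 deny ip 224.0.0.0 0.255.255.255 any log
access-list 107 deny ip 192.168.50.0 0.0.0.255 any log
"""

# Assumption of this example: sources that should never arrive from the ISP side.
INTENDED = {
    "10.0.0.0/8": "RFC 1918 private",
    "172.16.0.0/12": "RFC 1918 private",
    "192.168.0.0/16": "RFC 1918 private",
    "127.0.0.0/8": "loopback",
    "224.0.0.0/4": "multicast",
    "240.0.0.0/4": "reserved and limited broadcast",
}

ENTRY = re.compile(r"access-list\s+\d+\s+deny\s+ip\s+(\S+)\s+(\S+)\s+any")

def wildcard_to_network(addr, wildcard):
    """IOS address + wildcard -> network. Raises ValueError on non-contiguous wildcards."""
    netmask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def audit(acl_text):
    """Return ({intended range: covered|partial|missing}, [entries wider than intended])."""
    denied = [wildcard_to_network(a, w) for a, w in ENTRY.findall(acl_text)]
    coverage = {}
    for cidr in INTENDED:
        target = ipaddress.ip_network(cidr)
        if any(target.subnet_of(d) for d in denied):
            coverage[cidr] = "covered"
        elif any(d.subnet_of(target) for d in denied):
            coverage[cidr] = "partial"
        else:
            coverage[cidr] = "missing"
    # An entry that fits inside no intended range also drops routable sources.
    overbroad = [str(d) for d in denied
                 if not any(d.subnet_of(ipaddress.ip_network(c)) for c in INTENDED)]
    return coverage, overbroad

def suggested_entries(acl_number=107):
    """Deny lines whose wildcard matches each intended range exactly."""
    nets = [ipaddress.ip_network(c) for c in INTENDED]
    return [f"access-list {acl_number} deny ip {n.network_address} {n.hostmask} any log"
            for n in nets]

if __name__ == "__main__":
    coverage, overbroad = audit(ACL_107)
    for cidr, verdict in coverage.items():
        print(f"{cidr:16} {INTENDED[cidr]:32} {verdict}")
    print("wider than intended:", ", ".join(overbroad) or "none")
    print("\n".join(suggested_entries()))
```

Run against the posted entries, the audit reports 192.168.0.0/16, 224.0.0.0/4 and 240.0.0.0/4 as only partly covered, and flags the 172.0.0.0 entry as matching all of 172.0.0.0/8 rather than the private 172.16.0.0/12 block.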
Boulware5

2004-02-01, 5:23 pm

Anyone have experience using a cisco 806 for a cable modem router?
darthfeces

2004-02-01, 6:08 pm

couple of things

nat overload is actually what you have to use in this instance
nat overload = pat.
when you have a linksys you are actually pat'ing your single isp address to your multiple inside hosts. you can't actually use nat
nat is a 1 to 1 mapping
you'd have to get 5 -10 static ip's from the isp to use nat and i don't think you want to do that.

one other thing with the ubr ?
how do they know what you're using ?
did they just shut you down because you used too much bandwidth ?
you could find out the mac address of your new router and configure it on the ubr's interface. they could be spying the cisco vendor code ????
marathoner

2004-02-02, 1:18 am

I configured win doze ex-pee* to share a dialup. It was ghastly but it worked.

If all you want is to share your cable connection couldn't you let one XP box hook to the cable, hook the lan out the eth on another NIC and just let XP do it? It is perfectly capable of assigning and managing private IP addys in the 192.168 block. I haven't ever done it for cable but it seems to me if it would work for a dialup it would work for cable.

(spell it right and the site turns it into a book ad--with a kickback for Dmitry!!)
ziutek

2004-02-02, 4:04 am

Just buy a regular cable/dsl router, Linksys comes to mind. I've had one for almost five years, and never had a single problem with it. The config is done via a web browser, and will take you all of 5 minutes. Almost all of the currently available cable/DSL routers are incredibly easy to use, and dirt cheap.

Why make it so hard on yourself, and expensive at the same time.

Why do you think Cisco bought Linksys!
Larak

2004-02-02, 4:34 pm

Yes but only the 2514. (You need two ethernet ports.) Do not get fooled by the models with built-in hubs (8 jacks but only one port).

Set up cable modem or dsl connection port to DHCP client and the other Eth port a static address or DHCP server.

NAT should work.

Bonus: Access control list for a good firewall.

You can also look for the Cisco 831 or 806 series gateway routers. 831 has 100 base switch, 806 has 10 base switch. Remember that WAN connection is about 1.5 MHz at best for cable usually less for DSL.

10 base T WAN ports are fine. The possible need for the fast switch is internally among your workstations.

Good luck

Copyright 2003 - 2008 examnotes.net