I'm working on a Cisco 2800, trying to get it to NAT an internal RFC1918 to a WAN. The WAN (ISP) address is from DHCP. I've never worked with NAT on a Cisco before. Cisco's tech pages are also listing some commands that don't exist in the 2800. Please see sh run output below. Hopefully, someone sees what I'm leaving out. I can ping from each interface to its connected network, but cannot cross the router.
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2015.11.27 21:00:50 =~=~=~=~=~=~=~=~=~=~=~=
Cisco_Edge#sh run
Building configuration...
Current configuration : 2888 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_Edge
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
ip domain name [redacted]
ip ssh version 2
!
crypto pki certificate chain
[redacted]
!
interface FastEthernet0/0
description WAN - Outside - Untrusted
ip dhcp client client-id FastEthernet0/0
ip dhcp client class-id Cisco
ip dhcp client hostname Cisco-Edge
ip dhcp client lease 3 0 0
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description LAN - Inside - Trusted
ip address 172.16.16.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly
speed auto
full-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
login local
!
end
Cisco_Edge# sh ip int bri
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 10.0.1.245 YES DHCP up up
FastEthernet0/1 172.16.16.1 YES manual up up
NVI0 unassigned YES unset up up
Cisco_Edge#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.1.1 to network 0.0.0.0
172.16.0.0/24 is subnetted, 1 subnets
C 172.16.16.0 is directly connected, FastEthernet0/1
10.0.0.0/24 is subnetted, 1 subnets
C 10.0.1.0 is directly connected, FastEthernet0/0
S* 0.0.0.0/0 [1/0] via 10.0.1.1
Cisco_Edge#ping 10.0.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Cisco_Edge#ping 10.0.1.1 source fa0/1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.1.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.16.1
.....
Success rate is 0 percent (0/5)
Cisco_Edge#exit
Best Answer
First, I strongly urge you to have a firewall in front of your router, and you could do the NAT on that. You have the interfaces described as "Trusted" and "Untrusted", but those are firewall terms. Without a firewall, nothing should be considered trusted.
If you are willing to risk your network with no firewall, something like this should work (you don't specify the IOS version, so you may need to make accommodations for differences in commands):
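Added example, not part of the original question or answer and not the configuration the answer refers to: a small Python check that audits the NAT-relevant lines of a running-config like the one posted and reports what a legacy inside/outside overload setup is missing. `FIXED_CONFIG` is a constructed, conventional PAT configuration; the ACL number 1 and the function name `audit_nat` are assumptions.

```python
import re

# Constructed sample: NAT-relevant lines copied from the running-config in the question.
QUESTION_CONFIG = """\
interface FastEthernet0/0
ip nat outside
ip nat enable
!
interface FastEthernet0/1
ip nat inside
ip nat enable
!
"""
# Constructed (assumption): one conventional PAT setup, not the answer's own config.
FIXED_CONFIG = (QUESTION_CONFIG.replace("ip nat enable\n", "")
                + "ip nat inside source list 1 interface FastEthernet0/0 overload\n"
                + "access-list 1 permit 172.16.16.0 0.0.0.255\n")

RULE = re.compile(r"ip nat inside source list (\S+) interface (\S+)")
ACL = re.compile(r"(?:ip )?access-list (?:standard |extended )?(\S+)")

def audit_nat(config):
    """Return findings for a legacy inside/outside NAT overload setup."""
    nat, rules, acls, iface = {}, [], set(), None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line == "!":
            iface = None          # "!" closes the interface section
        elif iface and line in ("ip nat inside", "ip nat outside", "ip nat enable"):
            nat.setdefault(iface, set()).add(line.split()[-1])
        elif m := RULE.match(line):
            rules.append(m.groups())
        elif m := ACL.match(line):
            acls.add(m.group(1))
    findings = []
    for role in ("inside", "outside"):
        if not any(role in kw for kw in nat.values()):
            findings.append(f"no interface marked 'ip nat {role}'")
    for name, kw in nat.items():
        if "enable" in kw and kw & {"inside", "outside"}:
            findings.append(f"{name}: 'ip nat enable' (NVI) mixed with inside/outside")
    if not rules:
        findings.append("no 'ip nat inside source list ... interface ...' translation rule")
    for acl, out_if in rules:
        if acl not in acls:
            findings.append(f"rule references undefined access-list {acl}")
        if "outside" not in nat.get(out_if, set()):
            findings.append(f"rule interface {out_if} is not marked 'ip nat outside'")
    return findings
```

Run against the posted configuration, it flags both interfaces for mixing `ip nat enable` with `ip nat inside`/`ip nat outside` and reports that no translation rule exists, which is consistent with the failed ping sourced from 172.16.16.1.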