FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL 4 edits |
[Config] NAT routing
I've never had to mess with NAT routing on my 7206 because it kinda interferes with testing the systems that are connected to it. Until now I've always wanted static routes with static IP addresses and no redundancy so I could say without a doubt where the traffic was coming from and going. Now I am just playing with a 7206 trying to learn more about it. I've made this config, please point out any problems.
Current configuration : 1418 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
enable password ******
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
!
ip dhcp pool testdhcp
 network 192.168.10.0 255.255.255.0
 dns-server 1.2.3.4
 default-router 192.168.10.254
 lease 30
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex full
!
interface FastEthernet2/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex full
!
no ip classless
no ip http server
no ip http secure-server
!
!
ip nat source static tcp 192.168.10.11 8000 interface FastEthernet0/0 8000
ip nat source static tcp 192.168.10.11 80 interface FastEthernet0/0 80
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging alarm informational
access-list 1 permit 192.168.10.0 0.0.0.255
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password ******
 login
line vty 5 15
 password ******
 login
!
!
end
|
|
aryoba
MVM
2008-Jul-17 10:31 am
I can't say what the problem is (if any) if I don't know what your objective is. What are you trying to accomplish? |
|
FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL |
Well, the main goal is learning. Currently, with this config, I am simply trying to make it work like a regular Walmart-type router. BTW, I will update the config because I'm going to update to 12.4. |
|
FLengineer |
My computer is being assigned 192.168.10.1 from DHCP. How do I limit that pool to 192.168.10.100 - 192.168.10.150? |
|
aryoba
MVM
2008-Jul-17 12:29 pm
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
ip dhcp pool test1
 network 192.168.10.0 255.255.255.0
 dns-server 1.2.3.4
 default-router 192.168.10.254
FYI: as a best practice in real-world implementations, it is suggested to compile a list of IP address assignments. You start with the devices that need static IP address assignment, then the devices that need dynamic IP address assignment.
Typically those static IP addresses are for non-workstation devices such as routers, switches, servers, and printers, whereas the dynamic IP addresses are for workstations.
Once you have that list, you then configure the DHCP IP address pool. The pool should only include the dynamic IP addresses. All of those static IP addresses should be excluded. |
|
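The exclusion approach in the reply above can be checked offline before it goes onto the router. The following is an added example, not part of the original post: it parses the DHCP commands, computes which addresses the pool can still lease, and lists any static hosts left inside that range. The function names are hypothetical and the parser assumes a single pool.

```python
import ipaddress

# Constructed sample: the DHCP commands from the reply above, one per line.
SAMPLE_CONFIG = """\
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
ip dhcp pool test1
 network 192.168.10.0 255.255.255.0
 dns-server 1.2.3.4
 default-router 192.168.10.254
"""

def parse_dhcp(config):
    """Return (pool network, [(low, high), ...] excluded ranges)."""
    network, excluded = None, []
    for line in config.splitlines():
        words = line.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"] and len(words) >= 4:
            low = ipaddress.IPv4Address(words[3])
            # A single-address exclusion has no second argument.
            high = ipaddress.IPv4Address(words[4]) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[:1] == ["network"] and len(words) >= 3:
            # Accepts both "network A.B.C.D MASK" and "network A.B.C.D /len".
            network = ipaddress.IPv4Network(f"{words[1]}/{words[2].lstrip('/')}")
    return network, excluded

def is_excluded(addr, excluded):
    return any(low <= addr <= high for low, high in excluded)

def leasable_ranges(network, excluded):
    """Collapse the host addresses DHCP may still lease into ranges."""
    ranges = []
    for host in network.hosts():
        if is_excluded(host, excluded):
            continue
        if ranges and ranges[-1][1] + 1 == host:
            ranges[-1][1] = host          # extend the current run
        else:
            ranges.append([host, host])   # start a new run
    return [(str(low), str(high)) for low, high in ranges]

def static_conflicts(static_hosts, network, excluded):
    """Statically assigned addresses that the pool could also lease out."""
    addrs = [ipaddress.IPv4Address(h) for h in static_hosts]
    return [str(a) for a in addrs if a in network and not is_excluded(a, excluded)]

if __name__ == "__main__":
    net, excl = parse_dhcp(SAMPLE_CONFIG)
    print("leasable:", leasable_ranges(net, excl))
    # Static hosts named in the thread: the web server and the router itself.
    print("conflicts:", static_conflicts(["192.168.10.11", "192.168.10.254"], net, excl))
```
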
FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL 4 edits |
I updated to 12.4. Got the DHCP fixed -- ty aryoba
1) What is with all the ! in the config?
2) OK, FastEthernet0/0, or the WAN, is set for DHCP. How do I use that to forward DNS? FastEthernet0/0 is going to get a DNS server address from DHCP. Clients connected to FastEthernet2/0 need to get that DNS server address via DHCP instead of the 1.2.3.4 that I have in the config file. OR, the 7206 needs to be set up as a DNS server.
Current solution is to manually enter the default gateway into the routing table as "ip route 0.0.0.0 0.0.0.0 1.2.3.4" where "1.2.3.4" is whatever the default gateway is that FastEthernet0/0 gets from Comcast.
Updated the original post with the new config. |
|
FLengineer 1 edit |
After reading the definition of "overload", and in the spirit of turning a Cisco 7206 into a $40 Linksys router, I think "overload" is what I'm looking for. Can someone verify this? |
|
|
aryoba
MVM
2008-Jul-17 3:14 pm
Try to remove the following commands
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
ip nat inside source list 1 pool test1
and replace them with this
ip nat inside source list 1 interface FastEthernet0/0 overload |
|
FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL 1 edit |
I'm reading this... » www.cisco.com/en/US/docs ··· p1079180
Says it should be....
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload
That right?
Last question, I know I'm noobing up the forums. How do I open a tcp port? Like if I have a web server at 192.168.10.11 and wanted to open tcp port 80 and 8000 to that ip address only. |
|
|
aryoba
MVM
2008-Jul-17 3:50 pm
said by FLengineer:
I'm reading this... » www.cisco.com/en/US/docs ··· p1079180
Says it should be....
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload
That right?

No. Your commands tell 192.168.10.0/24 to NAT to itself. There are two problems with this setup. The 192.168.10.0/24 is a private subnet which your ISP most likely does not recognize. The idea of NAT between internal and external networks is to translate the internal IP subnet to a subnet that the external network recognizes. The other problem is that by NAT-ting 192.168.10.0/24 to itself, there is no point in NAT-ting.

said by FLengineer:
Last question, I know I'm noobing up the forums. How do I open a tcp port? Like if I have a web server at 192.168.10.11 and wanted to open tcp port 80 and 8000 to that ip address only.

Check out this forum FAQ about running server with Cisco. |
|
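The two problems named in the reply above (a private pool, and a pool drawn from the same subnet it is supposed to translate) can be detected mechanically. The following is an added example, not part of the original thread: it compares each `ip nat pool` against the access list of the rule that uses it. The function name and finding labels are hypothetical, and only standard numbered ACLs with an address and wildcard mask are handled.

```python
import ipaddress

# Constructed samples: the two NAT variants discussed in the thread.
POOL_VARIANT = """\
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload
"""
INTERFACE_VARIANT = """\
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet0/0 overload
"""

RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def check_nat(config):
    """Return sorted (finding, pool name) pairs for pool-based inside NAT rules."""
    pools, acls, rules, findings = {}, {}, [], set()
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "nat", "pool"] and len(w) >= 6:
            pools[w[3]] = (ipaddress.IPv4Address(w[4]), ipaddress.IPv4Address(w[5]))
        elif w[:1] == ["access-list"] and len(w) >= 5 and w[2] == "permit":
            # Standard ACL: invert the wildcard mask to get a netmask.
            mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(w[4])) ^ 0xFFFFFFFF)
            net = ipaddress.IPv4Network(f"{w[3]}/{mask}", strict=False)
            acls.setdefault(w[1], []).append(net)
        elif w[:5] == ["ip", "nat", "inside", "source", "list"] and len(w) >= 8:
            if w[6] == "pool":            # interface-based rules have no pool to check
                rules.append((w[5], w[7]))
    for acl, name in rules:
        if name not in pools:
            findings.add(("undefined-pool", name))
            continue
        ends = pools[name]
        # Pool addresses that the outside network will not route.
        if any(a in net for a in ends for net in RFC1918):
            findings.add(("private-pool", name))
        # Pool addresses taken from the very subnet being translated.
        if any(a in net for a in ends for net in acls.get(acl, [])):
            findings.add(("self-nat", name))
    return sorted(findings)

if __name__ == "__main__":
    print("pool variant:     ", check_nat(POOL_VARIANT))
    print("interface variant:", check_nat(INTERFACE_VARIANT))
```
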
FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL |
Updated the original config post with the changes. Checking FAQ now. |
|
FLengineer |
to aryoba
Updated the config again using info from the FAQ. You have been a HUGE help aryoba, thank you very much. |
|
|
aryoba
MVM
2008-Jul-17 4:06 pm
You don't need the following command
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
since the DHCP mechanism between your ISP and your router takes care of it. Moreover, adding such a static route might confuse your router. Therefore it is a best practice to let the DHCP mechanism work as it is, without interference. |
|
FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL |
Removed. TY.
Any ideas about the 20 lines of " ! "? |
|
|
aryoba
MVM
2008-Jul-17 5:32 pm
! is just a code for a remark. It is useful when you push the configuration down using a program or software, where you can put some notes regarding specific command lines. |
|
FLengineerCCNA, CEH, MCSA Premium Member join:2007-06-26 Deltona, FL |
Yea I know it's a code remark. Question is how do I remove the extra lines with ! in them. I could tftp the config to my computer and notepad edit it and tftp it back, lol. There has to be an easier way. |
|
|
to FLengineer
quote: Question is how do I remove the extra lines with ! in them.
Why take them out? Next time IOS writes the config it will put them back again. They do no harm and usually make the config easier to read. |
|