[Config] NAT routing in Cisco

[Config] NAT routing in Cisco http://www.dslreports.com/forum/r20805127 en Wed, 11 Nov 2009 10:00:09 EDT Wed, 11 Nov 2009 10:00:09 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20813562 anon :

quote:
Question is how do I remove the extra lines with ! in them.

Why take them out. Next time IOS writes the config it will put them again. They do no harm and usually make the config easier to read.]]> http://www.dslreports.com/forum/remark,20813562 Fri, 18 Jul 2008 19:02:04 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20810685 FLengineer : Yea I know it's a code remark. Question is how do I remove the extra lines with ! in them. I could tftp the config to my computer and notepad edit it and tftp it back, lol. There has to be an easier way.]]> http://www.dslreports.com/forum/remark,20810685 Fri, 18 Jul 2008 08:37:51 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807707 aryoba : ! is just a code for remark. It is useful when you push the configuration down using program or software when you can put some notes regarding specific command lines.]]> http://www.dslreports.com/forum/remark,20807707 Thu, 17 Jul 2008 17:32:39 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807475 FLengineer : Removed. TY.

Any ideas about the 20 lines of " ! "]]> http://www.dslreports.com/forum/remark,20807475 Thu, 17 Jul 2008 16:47:33 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807229 aryoba : You don't need the following command

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

since the DHCP mechanism between your ISP and your router take care of it. Moreover, by adding such static route might confuse your router. Therefore it is a best practice to let DHCP mechanism works as it is without interference :)]]> http://www.dslreports.com/forum/remark,20807229 Thu, 17 Jul 2008 16:06:56 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807202 FLengineer : updated the config again using info from the faq. You have been a HUGE help aryoba, thank you very much.]]> http://www.dslreports.com/forum/remark,20807202 Thu, 17 Jul 2008 16:03:22 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807145 FLengineer : Updated the original config post with the changes. Checking FAQ now.]]> http://www.dslreports.com/forum/remark,20807145 Thu, 17 Jul 2008 15:54:31 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807125 aryoba :

said by FLengineer

:

I'm reading this...
»www.cisco.com/en/US/docs/ios/12_···p1079180

Says it should be....
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload

That right?

No :)

Your commands tell 192.168.10.0/24 to NAT to itself. There are two problems with this setup.

The 192.168.10.0/24 is a Private subnet which your ISP most likely does not recognize. The idea of NAT between internal and external network is to translate internal IP subnet to subnet that the external network recognizes.

The other problem is that by NAT 192.168.10.0/24 to itself, then there is no point of NAT-ting. :D

said by FLengineer

:

Last question, I know I'm noobing up the forums. How do I open a tcp port? Like if I have a web server at 192.168.10.11 and wanted to open tcp port 80 and 8000 to that ip address only.

Check out this forum FAQ about running server with Cisco.]]> http://www.dslreports.com/forum/remark,20807125 Thu, 17 Jul 2008 15:50:59 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20807041 FLengineer : I'm reading this...
»www.cisco.com/en/US/docs/ios/12_···p1079180

Says it should be....
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload

That right?

Last question, I know I'm noobing up the forums. How do I open a tcp port? Like if I have a web server at 192.168.10.11 and wanted to open tcp port 80 and 8000 to that ip address only.]]> http://www.dslreports.com/forum/remark,20807041 Thu, 17 Jul 2008 15:37:21 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20806896 aryoba : Try to remove the following commands

ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
ip nat inside source list 1 pool test1

and replace them with this

ip nat inside source list 1 interface FastEthernet0/0 overload]]> http://www.dslreports.com/forum/remark,20806896 Thu, 17 Jul 2008 15:14:24 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20806823 FLengineer : After reading the definition of "overload" and in the spirit of turning a Cisco 7206 into a $40 linksys router I think "overload" is what I'm looking for. Can someone verify this?]]> http://www.dslreports.com/forum/remark,20806823 Thu, 17 Jul 2008 14:58:34 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20806152 FLengineer : I updated to 12.4
Got the dhcp fixed --ty aryoba

1) What is with all the ! in the config?

2) OK FastEthernet0/0 or the WAN is set for DHCP how do I use that to forward DNS?
FastEthernet0/0 is going to get a dns server address from dhcp. clients connected to FastEthernet2/0 need to get that dns server address via dhcp instead of the 1.2.3.4 that I have in the config file. OR, the 7206 needs to be setup as a dns server.

Current solution is to manually enter the default gateway into the routing table as "ip route 0.0.0.0 0.0.0.0 1.2.3.4" where "1.2.3.4" is what ever the default gateway is that FastEthernet0/0 gets from comcast.

Updated the original post with the new config.]]> http://www.dslreports.com/forum/remark,20806152 Thu, 17 Jul 2008 13:06:00 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20805970 aryoba : ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
ip dhcp pool test1
network 192.168.10.0 255.255.255.0
dns-server 1.2.3.4
default-router 192.168.10.254

FYI; for best practice in real world implementation, it is suggested to compile a list of IP address assignment. You start from which devices that need static IP address assignment to which devices that need dynamic IP address assignment.

Typically those static IP addresses are for non workstation such as routers, switches, servers, and printers; where the dynamic IP addresses are for workstations.

Once you have that list, you then configure the DHCP IP address pool. The pool should only include the dynamic IP addresses. All of those static IP addresses should be excluded.]]> http://www.dslreports.com/forum/remark,20805970 Thu, 17 Jul 2008 12:29:41 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20805950 FLengineer : My computer is being assigned 192.168.10.1 from DHCP. How do I limit that pool to 192.168.10.100 - 192.168.10.150?]]> http://www.dslreports.com/forum/remark,20805950 Thu, 17 Jul 2008 12:24:29 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20805403 FLengineer : well, the main goal is learning :) currently with this config I am simply trying to make it work like a regular walmart type router.

BTW I will update the config because I'm going to update to 12.4]]> http://www.dslreports.com/forum/remark,20805403 Thu, 17 Jul 2008 10:57:02 EDT Re: [Config] NAT routing http://www.dslreports.com/forum/remark,20805267 aryoba : I can't say what the problem is (if any) if I don't know what your objective is. What are you trying to accomplish?]]> http://www.dslreports.com/forum/remark,20805267 Thu, 17 Jul 2008 10:31:47 EDT [Config] NAT routing http://www.dslreports.com/forum/remark,20805127 FLengineer : I've never had to mess with NAT routing on my 7206 because it kinda interferes with testing the systems that are connected to it. Until now I've always wanted static routes with static IP addresses and no redundancy so I could say without a doubt where the traffic was coming from and going. Now I am just playing with a 7206 trying to learn more about it. I've made this config, please point out any problems.

Current configuration : 1418 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
enable password ******
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
!
ip dhcp pool testdhcp
network 192.168.10.0 255.255.255.0
dns-server 1.2.3.4
default-router 192.168.10.254
lease 30
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
duplex full
!
interface FastEthernet2/0
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex full
!
no ip classless
no ip http server
no ip http secure-server
!
!
ip nat source static tcp 192.168.10.11 8000 interface FastEthernet0/0 8000
ip nat source static tcp 192.168.10.11 80 interface FastEthernet0/0 80
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging alarm informational
access-list 1 permit 192.168.10.0 0.0.0.255
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
shutdown
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password ******
login
line vty 5 15
password ******
login
!
!
end]]> http://www.dslreports.com/forum/remark,20805127 Thu, 17 Jul 2008 10:06:17 EDT