09-15-2008 12:17 PM - edited 03-03-2019 11:33 PM
Right now my network has a T1 coming into my 1841. We then have the 1841 connected to a PIX 501 which handles our routing (very basic).
We want to get rid of the PIX and have the 1841 handle the routing, VPN, and firewall functions that the PIX is currently doing.
My problem is that the ethernet interface on the 1841 has a public IP going into the PIX and once I take the PIX out of the picture, I am not sure how to configure the 1841.
Attached is a diagram of the relevant network portion.
Currently we have the PIX set up with NAT so that everything leaving the PIX goes out as 208.x.x.101. So when the PIX leaves, NAT has to be set up on the 1841.
Basically, I am confused on how to set up the IPs when the PIX is out of the picture. I am assuming I keep the serial interface of the 1841 as 69.x.x.x, but what would I set up the e0/0 interface to be that will now be directly connected to our switch (192.168.1.5)?
09-15-2008 12:54 PM
Keep the IP the same on the 1841 and just map the 69.x.x.x external IP address to the internal servers, or don't if you have nothing accessed from outside.
09-15-2008 12:58 PM
Here you go. I modified the Cisco sample for your network.
interface ethernet 0
ip address 192.168.1.254 255.255.255.0
ip nat inside
interface serial 0
ip address 69.x.x.x 255.255.x.x (your router outside/internet interface)
ip nat outside
ip nat pool insidesubnetsovrld 208.x.x.102 208.x.x.102 netmask 255.255.255.x
ip nat inside source list 7 pool insidesubnetsovrld overload
access-list 7 permit 192.168.1.0 0.0.0.255
Cisco reference:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml#examples
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic3
The topic you would need to read about is "NAT Overloading".
Rate if it's helpful.
09-15-2008 01:29 PM
I was actually reading my Cisco CCNA book right now and am on the NAT section.
One more question. We have a mail server on the internal network that needs to be accessed for the outside. Assume the public IP of the mail server is 208.95.223.100 and the private IP of the mail server is 192.168.1.250.
From reading the book, I would assume I need a static NAT entry for that? But how would that look? And I would place that on the outside (s0) interface, right?
09-15-2008 05:20 PM
Yes, for an internal server to be accessible via an outside address you will need a static translation.
Now, you have two choices to get this to work.
1. One-to-One - Meaning ALL requests going to 208.95.223.100 will be forwarded to 192.168.1.250
Config.
ip nat inside source static 192.168.1.250 208.95.223.100
2. Static port translation (port forwarding) - Meaning only a request to a specific port gets forwarded (to a specific port). Example: an SMTP (TCP 25) request to 208.95.223.100 will be forwarded to 192.168.1.250, but FTP (TCP 20/21) will not (but can be defined to go to another IP).
Config.
ip nat inside source static tcp 192.168.1.250 25 208.95.223.100 25 (SMTP)
ip nat inside source static tcp 192.168.1.250 110 208.95.223.100 110 (POP3)
Samples above are just some of the commonly used MAIL related ports.
Here is a reference for TCP ports for other MAIL services (Exchange):
http://support.microsoft.com/kb/176466
NOTE: Remember to PAIR these with ACL filters for security.
09-16-2008 06:40 AM
How does the router know that I want all requests with a destination of 208.95.223.100 to go to 192.168.1.250?
With the first command you gave me, "ip nat inside source static 192.168.1.250 208.95.223.100", I assumed that meant: anything with a source address of 192.168.1.250 send out to the web with an address of 208.95.223.100.
Reason I say that is because the Cisco book has a similar example of:
ip nat inside source static 10.1.1.1 170.46.2.2
And they explain it such that, "configures a static translation between the inside local IP address 10.1.1.1 to the outside global IP address 170.46.2.2"
Or am I just not understanding completely and does that command have a 2-fold effect, in that anything coming to it with the private IP will get translated to the public, AND anything coming in with the public will get translated to the private?
09-16-2008 12:06 PM
How does the router know that I want all requests with a destination of 208.95.223.100 to go to 192.168.1.250?
Yes, the explanation is correct, but I think you are confused on the direction of the packet: outgoing (out to the internet) and incoming (internet going in) have different explanations.
INCOMING
When a packet reaches the outside interface of your router, the first thing the router checks is the ACL (to allow or deny the packet); second, it checks NAT, if an entry exists to translate the address; and third, it routes the packet to the destination.
In your scenario this is what happens.
1. Packet destined for 208.95.223.100 reaches your router's OUTSIDE interface
2. Router either allows or drops packet based on ACL.
3. Router sees a translation exists for that DESTINATION so translates DESTINATION IP OF 208.95.223.100 to 192.168.1.250.
4. Router forwards the packet to DESTINATION 192.168.1.250
OUTGOING
1. Packet destined for the internet reaches your INSIDE interface
2. Router either allows or drops packet based on ACL.
3. Router sees a translation exists for that SOURCE so translates SOURCE IP 192.168.1.250 to 208.95.223.100.
4. Router forwards the packets to the internet with a SOURCE of 208.95.223.100.
Still confused?
Remember that one of the steps of configuring NAT is to configure the "inside" and "outside" interfaces? Well, that's the part that tells the router what action to take when a packet reaches the interfaces.
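To make the direction rule concrete, here is an added Python model (not from this thread or from Cisco IOS) of the three translation types discussed above: the one-to-one static entry, the static TCP port entries for 25/110, and the overload pool. It uses the thread's 192.168.1.250 / 208.95.223.100 addresses; the pool address 208.95.223.102 and the outside host addresses in the tests are constructed values. The same static entry rewrites the SOURCE on the inside interface and the DESTINATION on the outside interface, which is the two-fold effect asked about.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0   # TCP assumed throughout this simplified model

# Constructed config mirroring the thread's commands (the pool address
# 208.95.223.102 is made up; the others are the thread's example values).
ACL_7 = ipaddress.ip_network("192.168.1.0/24")  # access-list 7 permit 192.168.1.0 0.0.0.255
POOL_IP = "208.95.223.102"                       # ip nat pool insidesubnetsovrld ... overload

class Nat:
    def __init__(self, statics):
        # statics: {(inside_ip, inside_port): (global_ip, global_port)}; port 0 = all ports
        # (an "ip nat inside source static tcp ..." entry carries a non-zero port)
        self.out_map = dict(statics)                 # consulted for SOURCE on the inside interface
        self.in_map = {v: k for k, v in statics.items()}  # same entries, keyed by DESTINATION
        self.next_port = 1024

    def outgoing(self, p):
        """Packet entering the 'ip nat inside' interface: rewrite the SOURCE."""
        for key in ((p.src, 0), (p.src, p.sport)):   # one-to-one first, then port entry
            if key in self.out_map:
                gip, gport = self.out_map[key]
                return replace(p, src=gip, sport=gport or p.sport)
        if ipaddress.ip_address(p.src) in ACL_7:      # overload: many hosts share POOL_IP
            self.next_port += 1
            # simplified dynamic entry; real IOS tracks the full flow and ages it out
            self.in_map[(POOL_IP, self.next_port)] = (p.src, p.sport)
            return replace(p, src=POOL_IP, sport=self.next_port)
        return None                                   # not matched by any NAT rule

    def incoming(self, p):
        """Packet entering the 'ip nat outside' interface: rewrite the DESTINATION."""
        for key in ((p.dst, 0), (p.dst, p.dport)):
            if key in self.in_map:
                iip, iport = self.in_map[key]
                return replace(p, dst=iip, dport=iport or p.dport)
        return None  # no translation exists: the packet cannot reach an inside host

# ip nat inside source static 192.168.1.250 208.95.223.100
ONE_TO_ONE = Nat({("192.168.1.250", 0): ("208.95.223.100", 0)})
# ip nat inside source static tcp 192.168.1.250 25 208.95.223.100 25   (and 110)
PORT_FWD = Nat({("192.168.1.250", 25): ("208.95.223.100", 25),
                ("192.168.1.250", 110): ("208.95.223.100", 110)})
```

Note that under PORT_FWD an unsolicited inbound packet to 208.95.223.100 on a port other than 25 or 110 finds no entry and goes nowhere, while under ONE_TO_ONE every port reaches the mail server; that is the difference the ACL filters mentioned above are meant to control.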
09-17-2008 11:08 AM
I understand that, and thank you for the detailed explanation. I am just a little confused on the command itself:
ip nat inside source static 192.168.1.250 208.95.223.100
What would be different if I replaced 'inside' with 'outside'?
And also, with that single command, the router will know to translate both packets leaving the network for the internet and packets coming in from the internet?