Hi, I have an Apple Time Capsule gateway and port mapping is configured. However, I have to replace the Time Capsule with a Cisco 1841 router. I am stuck with how to transfer the current port mappings on the Time Capsule to the Cisco router.
At the moment, my current ACL & PAT configuration on the router is as below:
ip nat pool office 212.xxx.xxx.2x0 212.xxx.xxx.2x0 netmask 255.255.255.252
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface fa0/0
!!int fa0/0 is configured with 212.xxx.xxx.2x0
Grateful for any response.
A few comments to your config.
Your interface VLAN10 is currently configured with the IP address 18.104.22.168/24. That is probably an error: correctly, it should be 172.16.1.1/24.
As the NAT configuration refers directly to the outgoing Fa0/0 interface, you do not need the NAT pool created with the ip nat pool office command. It can be removed, as it is currently unused.
The NAT, however, will need to be configured using a single ACL. In your case, you are combining static NAT translations with dynamic PAT. In the ACL, the static translations will need to be exempted so that they do not conflict with the dynamic PAT. You have basically done that with the ACL 100 and the second ip nat inside source list 100 command. We will continue using the ACL 100, and the ACL 10 should be removed together with the ip nat inside source list 10 command that refers to it.
The ACL 100 needs a slight correction, however. You have correctly indicated the source ports in the ACL but the external ports refer to the TCP/UDP ports on clients that are connecting to the server ports 137-139, 445 and 3389 on 10.0.1.100. They can be arbitrary so the ACL should not specify them. Also, the ACL 100 should permit all internal networks to be translated.
The correct form of the ACL 100 would be as follows:
access-list 100 deny tcp host 10.0.1.100 eq 139 any
access-list 100 deny udp host 10.0.1.100 eq 137 any
access-list 100 deny udp host 10.0.1.100 eq 138 any
access-list 100 deny tcp host 10.0.1.100 eq 445 any
access-list 100 deny tcp host 10.0.1.100 eq 3389 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
You have the RIPv2 routing protocol running. Are there any other routers connected to your router? If not, it makes no sense to run a routing protocol because you do not have any peer to exchange routing tables with. In that case, remove RIP by simply entering no router rip.
Also, you have currently allowed only the directly connected networks to access the Internet thanks to NAT/PAT. Are there perhaps other networks aside from 10.0.1.0/24, 172.16.1.0/24 and 192.168.1.0/24 that will also be accessing the Internet through your router? If yes, the ACL 100 will need to permit those networks as well.
Otherwise, the config looks fine.
I will make the backup of the current config and try out the modified configuration.
Looking forward to hearing whether it worked!
Regarding the DNS, I have an external DNS server address (given by the ISP) as noted in my config. Will the router point to it after I activate caching, and will this information be passed to the clients on the different VLANs whose gateway is the respective router interface?
Correct. The router starts behaving as a DNS proxy. Clients ask the router to perform a DNS lookup; the router either answers from its cache (if the lookup has been performed before) or queries the preconfigured DNS servers and passes the reply back to the original client.
I have a Server 2008 Standard with DHCP for the 10.0.1.0 network. It is still currently disabled but when I activate it, won't it affect the routing on the other interfaces?
The router itself will not be affected by any DHCP server because it does not make use of any DHCP server in its current configuration. Also, a DHCP server will not affect your router's routing table. However, depending on information the DHCP server provides to clients, the clients may have problems using the default gateway (if the DHCP server assigns incorrect default gateway IP address) or talking to DNS server (if the DHCP assigns an incorrect DNS server). Make sure you assign correct IP configuration to clients via the DHCP.
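As an added example (not part of either participant's posts), this is the IOS configuration that implements the DNS proxy described above, together with the DHCP scope values the clients need to make use of it. Assumed: 212.xxx.xxx.xxx stands for the ISP-supplied DNS server from the poster's config, the 10.0.1.0/24 network sits on an interface addressed 10.0.1.1, and the DHCP pool name, exclusion range and the IOS-side pool itself are illustrative (the thread's Windows 2008 server can hand out the same values in its scope options instead).

```cisco
! Added example, not from the thread. Assumptions: ISP DNS server written
! 212.xxx.xxx.xxx as in the poster's config; router inside address on the
! 10.0.1.0/24 VLAN is 10.0.1.1; pool name and exclusion range are made up.
!
! 1. Make the router a caching DNS proxy. "ip name-server" is where the
!    router forwards misses, "ip dns server" lets it answer client queries.
ip domain lookup
ip name-server 212.xxx.xxx.xxx
ip dns server
!
! 2. Clients must be told to use the router for DNS and as default gateway.
!    Either configure this in the Windows DHCP scope options, or let the
!    router serve DHCP for that VLAN. Statically addressed hosts (the
!    server at 10.0.1.100, for example) must be excluded from the pool.
ip dhcp excluded-address 10.0.1.1 10.0.1.110
ip dhcp pool VLAN20
 network 10.0.1.0 255.255.255.0
 default-router 10.0.1.1
 dns-server 10.0.1.1
!
! Verify from privileged EXEC:
!    show hosts              - cached answers and the configured name servers
!    show ip dhcp binding    - leases handed out by the router (if used)
```

One caveat a practitioner should keep in mind: ip dns server answers queries arriving on every interface, the outside one included, so unless the ISP filters it the router becomes an open resolver that can be abused for DNS reflection. Deny UDP and TCP port 53 towards the public address in an inbound access list on Fa0/0; inside clients are unaffected because their replies arrive with destination port 53 only on the router-to-ISP leg.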
What you want to do is establish a static mapping between an outside IP address/port and its internal counterpart. This configuration does not need to use ACLs, and can be performed, according to your input, as follows:
ip nat inside source static tcp 10.0.1.103 139 212.xxx.xxx.xxx 139
ip nat inside source static udp 10.0.1.103 137 212.xxx.xxx.xxx 137
ip nat inside source static udp 10.0.1.103 138 212.xxx.xxx.xxx 138
Note that for today's Windows filesharing services, you should also map the TCP port 445:
ip nat inside source static tcp 10.0.1.103 445 212.xxx.xxx.xxx 445
You will still need to designate your interfaces with ip nat inside and ip nat outside, but you do not need other NAT commands for these translations to work. Of course, if you want to perform other NAT/PAT, you can add the commands in addition to these here. I assume that you will want to perform an ordinary PAT on the entire internal network 10.0.1.0/24 (?). In this case, you have to pay attention to explicitly exclude the already statically set translations from the PAT. The configuration would be as follows:
access-list 100 deny tcp host 10.0.1.103 eq 139 any
access-list 100 deny udp host 10.0.1.103 eq 137 any
access-list 100 deny udp host 10.0.1.103 eq 138 any
access-list 100 deny tcp host 10.0.1.103 eq 445 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat pool NATPOOL 212.xxx.xxx.xxx 212.xxx.xxx.xxx netmask 255.255.255.0
ip nat inside source list 100 pool NATPOOL overload
Instead of the NAT pool, you could also use the outgoing interface's address - I assume you know how to do that but in case you are not familiar with that, feel free to ask further.
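As an added example (not from the original posts), here is the complete NAT section put together the way the two answers above describe it: the static port mappings that replace the Time Capsule entries, the exemption ACL matching source ports only, PAT to the Fa0/0 address, removal of the first attempt's leftovers, and the verification commands. Assumed: the server is 10.0.1.100 (the later answer's address; the earlier answer used 10.0.1.103), the inside networks sit on Vlan10/Vlan20/Vlan30 with the .1 address of each, the public address is written 212.xxx.xxx.2x0 exactly as in the thread, and 198.51.100.7 in the last section is a made-up remote client address.

```cisco
! Added example, not from the thread. Assumptions: server 10.0.1.100,
! inside networks on Vlan10/Vlan20/Vlan30 (router is .1 on each), public
! address written 212.xxx.xxx.2x0 as in the thread, 198.51.100.7 is a
! made-up remote client. Global configuration unless a comment says otherwise.
!
! 1. Clean up the earlier attempt. IOS refuses to remove a NAT mapping while
!    translations built from it exist, so first run in privileged EXEC:
!        clear ip nat translation *
!    then in configuration mode (copy the "list 10" line exactly as
!    "show running-config" prints it; IOS normally appends "overload"
!    itself when an interface is named):
no ip nat inside source list 10 interface FastEthernet0/0 overload
no ip nat pool office
no access-list 10
no router rip
!
! 2. Mark the interfaces. NAT only happens between an "inside" and an
!    "outside" interface; the public address lives on Fa0/0.
interface FastEthernet0/0
 ip address 212.xxx.xxx.2x0 255.255.255.252
 ip nat outside
!
interface Vlan10
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
!
interface Vlan20
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface Vlan30
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! 3. Static port mappings (the Time Capsule "port mapping" entries).
!    "interface FastEthernet0/0" means whatever address Fa0/0 carries,
!    equivalent to the explicit 212.xxx.xxx.2x0 form used in the answer.
ip nat inside source static udp 10.0.1.100 137 interface FastEthernet0/0 137
ip nat inside source static udp 10.0.1.100 138 interface FastEthernet0/0 138
ip nat inside source static tcp 10.0.1.100 139 interface FastEthernet0/0 139
ip nat inside source static tcp 10.0.1.100 445 interface FastEthernet0/0 445
ip nat inside source static tcp 10.0.1.100 3389 interface FastEthernet0/0 3389
!
! 4. Dynamic PAT for everything else. The deny lines match the server's
!    SOURCE port only; the remote client's port is arbitrary, so the
!    destination stays a plain "any" (the mistake the later answer corrects).
access-list 100 remark NAT: exempt the statically mapped server sockets
access-list 100 deny   udp host 10.0.1.100 eq 137 any
access-list 100 deny   udp host 10.0.1.100 eq 138 any
access-list 100 deny   tcp host 10.0.1.100 eq 139 any
access-list 100 deny   tcp host 10.0.1.100 eq 445 any
access-list 100 deny   tcp host 10.0.1.100 eq 3389 any
access-list 100 remark NAT: translate every inside network
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 100 interface FastEthernet0/0 overload
!
! 5. Verify from privileged EXEC:
!    show ip nat translations   - the five static entries are always listed
!    show ip nat statistics     - inside/outside interfaces, hit/miss counters
!    show access-lists 100      - per-line hit counters show what matched
!
! 6. Strongly advised: SMB and RDP reachable from the whole Internet are
!    scanned and brute-forced continuously. If the remote users come from
!    known addresses, allow the mapped ports only from them. An inbound ACL
!    on the outside interface is checked before NAT, so match the PUBLIC
!    address. The DNS lines also stop the router (if it is a DNS proxy) from
!    answering the Internet. Everything else, i.e. return traffic for the
!    PAT sessions, is still permitted.
access-list 110 remark Inbound from Internet: restrict mapped ports, block DNS
access-list 110 permit tcp host 198.51.100.7 host 212.xxx.xxx.2x0 eq 139
access-list 110 permit tcp host 198.51.100.7 host 212.xxx.xxx.2x0 eq 445
access-list 110 permit tcp host 198.51.100.7 host 212.xxx.xxx.2x0 eq 3389
access-list 110 permit udp host 198.51.100.7 host 212.xxx.xxx.2x0 range 137 138
access-list 110 deny   tcp any host 212.xxx.xxx.2x0 eq 139
access-list 110 deny   tcp any host 212.xxx.xxx.2x0 eq 445
access-list 110 deny   tcp any host 212.xxx.xxx.2x0 eq 3389
access-list 110 deny   udp any host 212.xxx.xxx.2x0 range 137 138
access-list 110 deny   udp any host 212.xxx.xxx.2x0 eq 53
access-list 110 deny   tcp any host 212.xxx.xxx.2x0 eq 53
access-list 110 permit ip any any
!
interface FastEthernet0/0
 ip access-group 110 in
```

Two things to check before pasting: the permit for 192.168.1.0/24 follows the answer, while the original post's own ACL line reads 192.168.2.0, so use whichever network the interface actually carries; and if the static mappings are created with the explicit 212.xxx.xxx.2x0 form instead of the interface form, they stop working the moment the ISP changes that address, whereas the interface form follows it.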