
Cisco 861 setup to use static IPs on the lan side with port forwarding

jakub.bialek
Level 1

Hello,

Recently I obtained a used Cisco 861 router and I would like to use it in our network. I'm completely green when it comes to professional routers by Cisco...

Anyway: it will connect the ISP to our 24-port switch. It needs to have a static IP for itself and should also give static, predefined IPs to the machines (or rather accept IPs from the computers connected to it with custom IPs from the 192.168.2.xxx pool). For certain IPs I also need to forward ports from outside ports (the ISP) to the inside ports (on the LAN side; I presume it is the NAT thing, right?). How should I program the router, using the console or CCP? Which is simpler?

I enclose my initial config, which works with the University DHCP-provided IP and DNS (this will be changed later during the router deployment).

Current configuration : 3647 bytes
!
! Last configuration change at 08:28:51 UTC Tue Dec 10 2013 by MH
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Shorelab
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3919389865
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3919389865
 revocation-check none
 rsakeypair TP-self-signed-3919389865
!
!
crypto pki certificate chain TP-self-signed-3919389865
 certificate self-signed 01
  quit
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool INSIDE
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.254
 dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
!
!
!
!
ip domain name nuigalway.ie
ip name-server xxx.xxx.xxx.xxx
ip name-server yyy.yyy.yyy.yyy
ip cef
no ipv6 cef
!
!
license udi pid CISCO861-K9 sn XXXXXXXXXXX
!
!
username xxxxxx
!
no cdp run
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description OUTSIDE
 ip address dhcp hostname Shorelab
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Vlan1
 description INSIDE
 ip address 192.168.2.254 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 182.168.2.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 199 permit ip any any
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
!
end


Are there any unnecessary entries, BTW?

Thanks in advance!

John Blakley
VIP Alumni

Jakub,

To add a static address, you need to go under the interface:

interface FastEthernet4
 description OUTSIDE
 ip address dhcp hostname Shorelab

Change this to:

int fa4

ip address

Your nat statement for access-list 1 is good, but remove 199 because it's not needed:

no ip nat inside source list 199 interface FastEthernet4 overload

You don't need the following lines:

ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp

Access-list 1 is incorrect for the nat statement that references it:

access-list 1 permit 182.168.2.0 0.0.0.255

It should be:

access-list 1 permit 192.168.2.0 0.0.0.255

If you have the default gateway's ip address from the provider, I would use that instead of the physical interface. "ip route 0.0.0.0 0.0.0.0 fa4"

If you can get the address, you would change this with:

no ip route 0.0.0.0 0.0.0.0 fa4

and fix with:

ip route 0.0.0.0 0.0.0.0

HTH,
John

*** Please rate all useful posts ***
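
The checks behind the corrections in the reply above can be automated. The following is an added example, not part of the original posts and not a Cisco tool: a small Python audit that compares each NAT overload ACL with the `ip nat inside` network and reports redundant default routes. The function name `audit_nat` and the trimmed sample are assumptions made for illustration, and it only understands numbered ACL entries of the two shapes seen in this thread.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 1 permit 182.168.2.0 0.0.0.255
access-list 199 permit ip any any
"""

def audit_nat(config):
    """Return findings about NAT overload ACLs and default routes."""
    findings = []
    # Map each "ip nat inside" interface to its connected network.
    inside = {}
    for name, body in re.findall(r"(?m)^interface (\S+)\n((?: .*\n)*)", config):
        addr = re.search(r"(?m)^ ip address (\d\S*) (\d\S*)$", body)
        if addr and re.search(r"(?m)^ ip nat inside$", body):
            inside[name] = ipaddress.ip_interface("/".join(addr.groups())).network
    # Permit entries of numbered ACLs, keyed by ACL number.
    acls = {}
    for num, rest in re.findall(r"(?m)^access-list (\d+) permit (.+)$", config):
        acls.setdefault(num, []).append(rest.strip())
    for num in re.findall(r"(?m)^ip nat inside source list (\d+) .* overload$", config):
        for entry in acls.get(num, []):
            tokens = entry.split()
            if tokens[0] == "ip":  # extended ACL: the source follows the protocol
                tokens = tokens[1:]
            if tokens[0] == "any":
                findings.append(f"ACL {num} ({entry}) matches every source, not just the LAN")
                continue
            # "address wildcard" pair; ipaddress accepts a host mask after the slash.
            net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}")
            if not any(net.overlaps(lan) for lan in inside.values()):
                findings.append(f"ACL {num} permits {net}, which is not an inside network")
    defaults = re.findall(r"(?m)^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$", config)
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(defaults))
    for target in defaults:
        if target in inside:
            findings.append(f"default route points at inside interface {target}")
    return findings
```

Calling `audit_nat(SAMPLE_CONFIG)` returns four findings; applying the changes from the reply above (ACL 1 corrected, list 199 removed from NAT, the Vlan1 and dhcp default routes dropped) returns none.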


Thank you. What about port forwarding? Say, I have 3 computers connected to the switch which will be connected to one of the Vlan1 ports with ip 192.168.2.254 (which are ports fa0-fa3).

192.168.2.110 Internal port 22 external port 8670

192.168.2.111 Internal port 22 external port 8680

192.168.2.112 Internal port 750 external port 8690

How do I set up NAT for this to work? Only those computers will require port forwarding.

And also: I don't want to use internal DHCP. I want any computer connected to the switch with an IP configured by the user (on condition that it is from the 192.168.2.0 pool) to be able to connect through to the internet.

Thanks again!

Jakub,

You can statically set your computers if you want. If so, you can remove the dhcp pool that you have configured on the router:

no ip dhcp pool INSIDE

To do natting inbound, you would do something like the following:

ip nat inside source static tcp 192.168.2.110 22 interface fa4 8670

ip nat inside source static tcp 192.168.2.111 22 interface fa4 8680

ip nat inside source static tcp 192.168.2.112 750 interface fa4 8690

You can replace "interface fa4" with a real public static address if you want to. Currently, since we don't know what that address is, you can have the external interface assume that role.

HTH,
John

*** Please rate all useful posts ***
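
Each static forward exposes one inside host to the outside, so it is worth checking the rules against the intended list before deploying them. The following is an added example, not part of the original posts: a Python check that compares `ip nat inside source static` lines with the three forwards requested in the question. The names `check_forwards`, `WANTED` and `SAMPLE_NAT` are assumptions made for illustration, and rules are keyed by external port only, which is enough for the thread's all-TCP forwards.

```python
import ipaddress
import re

# Values taken from the thread: the Vlan1 network and the three requested forwards,
# keyed by external port -> (inside host, inside port).
INSIDE_LAN = ipaddress.ip_network("192.168.2.0/24")
WANTED = {
    8670: ("192.168.2.110", 22),
    8680: ("192.168.2.111", 22),
    8690: ("192.168.2.112", 750),
}

# Constructed sample with one deliberately mistyped inside host (.12 instead of .112).
SAMPLE_NAT = """\
ip nat inside source static tcp 192.168.2.110 22 interface fa4 8670
ip nat inside source static tcp 192.168.2.111 22 interface fa4 8680
ip nat inside source static tcp 192.168.2.12 750 interface fa4 8690
"""

RULE = re.compile(
    r"(?m)^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)$"
)

def check_forwards(config, wanted, lan):
    """Compare static port-forward rules with the intended mapping."""
    findings, configured = [], {}
    for proto, host, lport, _outside, gport in RULE.findall(config):
        gport = int(gport)
        if gport in configured:
            findings.append(f"{proto}/{gport}: external port forwarded more than once")
        configured[gport] = (host, int(lport))
        # A forward must land on a host in the inside network.
        if ipaddress.ip_address(host) not in lan:
            findings.append(f"{proto}/{gport}: {host} is outside {lan}")
    for gport, (host, lport) in sorted(wanted.items()):
        got = configured.get(gport)
        if got != (host, lport):
            have = f"{got[0]}:{got[1]}" if got else "nothing"
            findings.append(f"port {gport}: wanted {host}:{lport}, configured {have}")
    # Anything forwarded that nobody asked for is unintended exposure.
    for gport in sorted(configured.keys() - wanted.keys()):
        findings.append(f"port {gport}: forwarded but not in the intended list")
    return findings
```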
