
Configuration help with 1811w

rstalnaker
Level 1

I have set up an 1811w in our office with multiple vlans, NAT, 802.11g, and VPN. I pretty much have everything working the way I would like, except for one thing.

We have 2 static IP addresses assigned by our cable internet company. We have 2 terminal servers in our office that need to be accessed from the Internet. So, each server has a DNS name such as server1.ourdomain.com and server2.ourdomain.com. I've set up NAT so that server1 port 3389 traffic goes to the ip address of x.x.x.200 and is directed to an internal ip of 192.168.1.253 and server2 traffic goes to the ip address of x.x.x.199 and is directed to an internal ip of 192.168.1.254. FE1 is where the cable modem plugs into and has the IP address of x.x.x.199.

When logged onto server2, and any other computer in the office, we can hit the internet just fine.

When logged onto server1, we can't browse any websites, or communicate through the internet. I've run Ethereal to see what is going on with the traffic, and server1 will request a DNS address, hits the DNS server, the DNS server sends an address back, server1 will then send to that address, but nothing returns.

I'm sure this has to do with NAT, because if I take out the NAT rule that points the 3389 traffic from x.x.x.200 to 192.168.1.253, then I can use the Internet on server1 without a problem.

I made a couple of "educated guesses" in the NAT settings the other day and saved to the startup config, and I was able to get everything working. I went to use the internet from server1 yesterday though and noticed it wasn't working anymore. I hadn't made any changes, it just stopped working. I'm confused. I'm completely new to Cisco (before getting this router).

BTW, I can remote into either server from home, just fine, so that means the NAT configuration is working in that respect. I just can't get out to the Internet from server1.

I should also mention that all configuration up to this point has been done using the SDM. I am comfortable using CLI if exact commands are given to me, but it's still too foreign for me to just tackle and figure out on my own.

This leads me to my question... what is the best way to set up the fastethernet ports on this router? I was under the impression when I ordered it, that I could use one of the WAN ports for x.x.x.199 and the other WAN port for x.x.x.200. However, when I try to set the router up this way, it tells me that x.x.x.200 is in the same range as x.x.x.199 on FE0 and won't let me do this.

Should I be assigning both IP addresses to FE0, or am I doing it correctly by only assigning one of the external addresses to FE0 and using NAT for any use of the 2nd static IP?

Any tips/suggestions would be greatly appreciated. I'd like to get this sorted out before next week as I have an 871w arriving at another site to be connected via easyVPN. (I really hope it IS Easy! :) )

Thanks!

5 Replies

gpulos
Level 8

just to be sure we're all on the same page, can you post the topology of your network or at least the pieces involved and the configuration of the router?

you've done a good job explaining the NAT, IPs and ports you wish, so a topology will top it off and we can probably find your issue.

also, any configuration posts will be greatly appreciated. please continue to mask your public IPs in these posts for security's sake.

Thanks for the reply! I'm attaching my current running config.

Not sure how much info you want for topo... we've got 2 servers. One is a domain controller and one isn't. Both are terminal servers. The terminal server on the DC is used only by our local employees, and also is a local DNS server (this was referred to as Server2 in my previous post). The other terminal server is for our franchisees to login to from other states (this was referred to as Server1 in my previous post).

We have a Nortel IP phone system on 192.168.2.x, but it's pretty much all controlled by the BCM, but if you see reference to the 192.168.2.x network, it's referring to the network the phones are on.

We have 2 vlans for wireless. One is a public hotspot (internet access only), one is a protected network for employees that's bridged to the local lan.

Remote employees can vpn into the router using cisco vpn software.

That's about it... let me know if you need more info.

please remove the 'route-map SDM_RMAP_9' section from your NAT statement.

this does not seem to be required in this case. then if you need the access-list to restrict access to that host from the others, use the access-list on the interface; if you do, include the 'access-list 112 permit ip any host 192.168.1.253' line at the bottom. (for return traffic)

test and let me know.

(since the topology is not explicitly shown, this may not be the case but from what i can tell it should work when you do these steps)

Okay, pardon my ignorance, but can you explain the easiest way to do this? I thought I knew how, but it's not working like I thought it would.

I have pumpkin tftp server running. I made the suggested changes you told me to make in a file called Config9-7-06.txt. From the CLI, I typed "copy tftp running-config" put in the IP address of the tftp server, and the filename "Config9-7-06.txt". It downloads the file, but when it tries to merge the contents of the config file, I get errors (I've attached the errors in the errors.txt file).

When I do a "show run", the line that I edited per your suggestions hasn't changed from the original configuration. It still shows the "route-map SDM_RMAP_9".

Please explain the easiest way for me to make the changes you've suggested. Thanks!

Well, I figured out a way to do it. I'd still like to know if this is the best way or if there's a better way. I erased the startup-config, then copied from tftp to startup-config, then reloaded.

This, however, did not solve my initial NAT problem though. Thanks for taking a shot though. Any other ideas?
