02-12-2009 09:33 PM - edited 03-06-2019 04:01 AM
Hi All,
Configuration for a Cisco 2611XM router. My ISP provided me with a 16-address public IP block.
So here is the configuration.
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip tcp synwait-time 10
!
ip cef
no ip bootp server
ip name-server 203.xxx.xxx.32
ip name-server 203.xxx.xxx.13
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
no crypto isakmp enable
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $FW_INSIDE$
ip address 122.xxx.xxx.1 255.255.255.240
ip access-group 101 in
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address 122.xxx.xxx.154 255.255.255.252
ip access-group 103 in
ip verify unicast reverse-path
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip route-cache flow
duplex auto
speed auto
no cdp enable
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 122.xxx.xxx.153
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
access-list 101 permit icmp any host 122.xxx.xxx.154 echo-reply
access-list 101 deny ip 122.xxx.xxx.152 0.0.0.3 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 103 permit udp host 203.xxx.xxx.13 eq domain host 122.xxx.xxx.154
access-list 103 permit udp host 203.xxx.xxx.32 eq domain host 122.xxx.xxx.154
access-list 103 permit udp host 64.52.111.11 eq ntp host 122.xxx.xxx.154 eq ntp
access-list 103 permit tcp any eq 443 any log
access-list 103 deny ip 122.xxx.xxx.0 0.0.0.15 any log
access-list 103 permit icmp any host 122.xxx.xxx.154 traceroute log
access-list 103 permit icmp any host 122.xxx.xxx.154 time-exceeded
access-list 103 permit icmp any host 122.xxx.xxx.154 unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
!
control-plane
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17208632
ntp server 64.52.111.11
!
!
end
I have two servers and an office LAN. I want to allow services for each IP. Let's take Server A with 122.xxx.xxx.2, which needs ports 21, 80 and 443 allowed, and Server B with 122.xxx.xxx.3, which needs port 80 allowed. For the office LAN I'm using 122.xxx.xxx.4 on a D-Link router. For all of these I'm able to access the internet from inside. From outside I'm able to ping the whole IP range but unable to assign the services to each IP address. I'm also unable to perform a tracert. Another main issue: if I remove all the access-lists I'm able to access normally, but after continuous usage of 4-5 hours the router hangs and I'm unable to use the internet.
Hope I'm clear with the query. Please correct me.
Regards,
ramsri
02-12-2009 10:13 PM
Hello Ramsri,
I don't see an ip nat command in the global config.
However, the command that can help you is
ip nat inside source static local-address public-address
You need one line for each server.
Then you create a pool for the remaining public addresses to be used for internet access:
ip nat pool xyz 122.x.x.4 122.x.x.4 netmask 255.255.255.240
ip nat inside source list 1 pool xyz
access-list 1 deny host server1-local-ip
access-list 1 deny host server2-local-ip
access-list 1 permit host D-link-router-ip-addr
Be aware that you have CBAC configured and also ACLs:
you need to permit access on the outside interface to the global IP addresses and the ports you need.
So access-list 103 needs lines like:
access-list 103 permit tcp any host 122.x.x.2 eq 21
access-list 103 permit tcp any host 122.x.x.2 eq 80
access-list 103 permit tcp any host 122.x.x.2 eq 443
and for the second server:
access-list 103 permit tcp any host 122.x.x.3 eq 80
Try these changes, but the inspect can also be a problem.
Hope to help
Giuseppe
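As an added illustration (not code from the thread or from Cisco), a small Python model of IOS first-match extended ACL evaluation, run over a placeholder copy of the poster's ACL 103: it shows that with no permit, traffic to the servers falls through to deny ip any any log, that permits appended after that line never match, and that inserting them after the anti-spoofing deny keeps spoofed sources blocked. The 122.0.0.x, 198.51.100.x and 203.0.113.x addresses are constructed placeholders for the masked values.

```python
import ipaddress
# Constructed sample: the poster's ACL 103, masked "xxx" octets replaced by placeholder 122.0.0.x.
ACL_103 = [
    "access-list 103 permit tcp any eq 443 any log",
    "access-list 103 deny ip 122.0.0.0 0.0.0.15 any log",
    "access-list 103 deny ip any any log",
]
# Permit lines of the kind Giuseppe's reply suggests for the two servers.
SERVER_PERMITS = [
    "access-list 103 permit tcp any host 122.0.0.2 eq 21",
    "access-list 103 permit tcp any host 122.0.0.2 eq 80",
    "access-list 103 permit tcp any host 122.0.0.3 eq 80",
]

def _addr(t):
    """Consume 'any' | 'host A' | 'A WILDCARD'; return (network_int, mask_int)."""
    w = t.pop(0)
    if w == "any":
        return 0, 0
    if w == "host":
        return int(ipaddress.ip_address(t.pop(0))), 0xFFFFFFFF
    mask = ~int(ipaddress.ip_address(t.pop(0))) & 0xFFFFFFFF
    return int(ipaddress.ip_address(w)) & mask, mask

def _port(t):
    """Consume an optional 'eq PORT'; None means any port."""
    if t and t[0] == "eq":
        del t[0]
        return int(t.pop(0))
    return None

def parse(line):
    """Split one numbered extended ACE into its match fields (trailing 'log' is ignored)."""
    t = line.split()[2:]                      # drop "access-list 103"
    action, proto = t.pop(0), t.pop(0)
    return action, proto, _addr(t), _port(t), _addr(t), _port(t)

def evaluate(acl, proto, src, dst, dport=None, sport=None):
    """First-match ACE evaluation, with the implicit deny IOS applies at the end."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    for line in acl:
        action, p, (sn, sm), sp, (dn, dm), dp = parse(line)
        if (p != "ip" and p != proto) or (s & sm) != sn or (d & dm) != dn:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, line
    return "deny", "implicit deny"

def with_server_permits(acl, permits):
    """Insert the permits after the anti-spoofing deny but before the final deny-any."""
    return acl[:-1] + permits + acl[-1:]
```

Because a numbered ACL only appends, getting this order on the router means removing and re-entering access-list 103; the model also shows that the existing permit tcp any eq 443 any entry matches on source port alone, whatever the destination.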