Configuration of 2621 router -- post edited by ciscomoderator --

sonic
Level 1

--Moderator Note: Due to the confidential nature of router configurations, it is not recommended to post them to this or any public forum. I have edited the following configuration to remove confidential information. Since the post was public for awhile, it is recommended all passwords (including encrypted passwords) be changed. -- end Moderator note --

I am trying to set up a 2621 router on my network. Where can I obtain examples of configurations to make it work? I have one ethernet port attached to my DSL router, and the other attached to my hub for my internal network. As it sits right now I can get outside to the world, but the world cannot get inside to my web or exchange server. My config is as follows.

-- moderator edit --

User Access Verification

-- moderator edit --

Current configuration:

!

version 12.0

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname -- moderator edit --

!

enable secret 5 -- moderator edit --

!

memory-size iomem 15

ip subnet-zero

ip domain-name -- moderator edit --

ip name-server 10.0.10.10

!

!

!

!

!

interface FastEthernet0/0

description connected to Internet

ip address -- moderator edit --

no ip directed-broadcast

ip nat outside

!

interface FastEthernet0/1

description connected to FastHub424

ip address 10.0.0.1 255.0.0.0

no ip directed-broadcast

ip nat inside

!

router rip

version 2

passive-interface FastEthernet0/0

network 10.0.0.0

no auto-summary

!

ip nat inside source list 1 interface FastEthernet0/0 overload

ip classless

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

no ip http server

!

access-list 1 permit 10.0.0.0 0.255.255.255

snmp-server community -- moderator edit --

snmp-server location -- moderator edit --

snmp-server contact -- moderator edit --

banner motd -- moderator edit --

!

line con 0

exec-timeout 0 0

password 7 -- moderator edit --

login

transport input none

line aux 0

line vty 0 4

password 7 -- moderator edit --

login

!

no scheduler allocate

end

-- moderator edit --

Any suggestions?

10 Replies

MickPhelps
Level 1

Your NAT looks good.

Try two things (one at a time).

First, change your default route to:

ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is your next hop router)

instead of

ip route 0.0.0.0 0.0.0.0 fastethernet0/0

Next, try disabling fast-switching. Sometimes fast switching and NAT don't get along.

Under each interface, try:

no ip route-cache

Mick.

sonic
Level 1

I contacted my evil ISP and they told me the address of the next hop, so I changed the IP route and it killed all outgoing traffic from my network. Plus the no ip cache didn't help either. Still no one can get to my web server.

This part is really simple.

If you changed your next hop address in your route statement to what your ISP told you (and removed the old default route) and all traffic stopped, then your ISP probably gave you the wrong address. (edited out bogus ip address... too tired... need coffee...)

I completely missed the question you asked about the web server and exchange server.

You're using PAT (port address translation). It's only good for allowing inside users to get to the internet, not for allowing outside users to access inside servers.

You'll need to get an IP address from your ISP for your web server and your exchange server then use static NAT.

You can also try the following, but I've had mixed results.

ip nat inside source static tcp 10.x.x.x 80 209.211.20.217 80

where 10.x.x.x is your web server.

You'll need to double check the syntax though.

Mick.

Still nothing. How can I check to ensure that my ISP is routing to me correctly, i.e. "A records" and such?

Do a traceroute from the internet to see where the address dies.

Here's what I have to your router:

C:\>tracert 209.211.20.217

Tracing route to dsl27.scottsburg.com [209.211.20.217]

over a maximum of 30 hops:

1 10 ms 20 ms 10 ms 10.42.224.1

2 21 ms 10 ms 20 ms 24.25.1.147

3 10 ms 10 ms 10 ms 24.25.1.97

4 20 ms 30 ms 10 ms rdu26-33-177.nc.rr.com [66.26.33.177]

5 30 ms 20 ms 20 ms pop2-cha-P2-0.atdn.net [66.185.138.89]

6 20 ms 20 ms 20 ms bb2-cha-P0-1.atdn.net [64.236.4.53]

7 20 ms 40 ms 20 ms bb2-atm-P6-0.atdn.net [66.185.152.61]

8 20 ms 50 ms 20 ms pop1-atm-P1-0.atdn.net [66.185.147.198]

9 31 ms 20 ms 20 ms atl-edge-07.inet.qwest.net [65.112.33.129]

10 30 ms 20 ms 20 ms atl-core-01.inet.qwest.net [205.171.21.81]

11 60 ms 80 ms 60 ms chi-core-02.inet.qwest.net [205.171.8.198]

12 61 ms 70 ms 60 ms chi-edge-19.inet.qwest.net [205.171.20.66]

13 80 ms 71 ms 110 ms 65.113.255.138

14 120 ms 81 ms 100 ms dslgw.scottsburg.com [65.114.71.131]

15 * 120 ms 130 ms dsl27.scottsburg.com [209.211.20.217]

Trace complete.

What IP address are you using for your web site? What's the DNS name?

Mick.

My domain name is (don't laugh) church-of-bubba.com. My ISP gave me the dedicated IP address of 209.211.20.217... do I need more?

Got this for a web page for church-of-bubba.com:

WELCOME TO THE CHURCH OF BUBBA

NOBODY'S HOME JES YET!

SO COME BACK LATER WHEN WE R!

---------------------------

Seems to be working.

Mick.

Just out of curiosity, how did you get to my web site? Did you enter http://www.church-of-bubba.com or http://church-of-bubba.com? When I enter the www it does not work. But I now can see my web server and send/receive mail. Now I just need to lock everything down so I don't get whacked by somebody.

nohare
Level 1

Because you are running NAT, connections initiated from your network out will use the interface address of FA0/0. The NAT table caches the TCP/UDP connection for return TCP/UDP traffic. That works fine outbound.

When others (internet users) need to initiate TCP/UDP connections "into" your network, you must specify a static PAT/NAT rule that allows this connection inbound to your 10.x.x.x network.

EG: Let's assume your web server is 10.0.0.10. Now looking at your config, you have been given approx 60 addresses to use by your ISP (I think). Anyway, you need to choose a public address from your 209.211.20.x range and tell your DNS hosters that your web site domain name points to that address. Let's say that www.your-web.com = 209.211.20.218. Okay?

Now you need to tell the NAT engine on your 2621 that any traffic for 209.211.20.218 is in fact for the web server sat at 10.0.0.10. That way, whenever internet users initiate connections TO your web server, they HTTP to the 209 address, your router NATs it to the 10.0.0.10 address inside your network, and your web server responds. TADA !!! You need to make sure your web server's default route is pointing at the 2621's 10.0.0.1 address.

Commands for creating this NAT relationship between your 10.0.0.10 address and the public 209.211.20.218 address:

IP NAT INSIDE SOURCE STATIC

EG: ip nat inside source static 10.0.0.10 209.211.20.218

Try it, see what happens.

tmoreo
Level 1

There are two concepts going on.

Outbound, then inbound.

The first item I would look at would be your internet edge router. Is it a router or is it a bridge?

Is your internal IP from that device public or private? If public, research the following and do it on the 2600.

If private, you can only do it if you do it on your internet router, or static NAT on the internet router.

If you have multiple devices on the inside going out on one address, it is not a one-to-one NAT, which in effect is PAT (Port Address Translation). That is fine for most outbound services.

Inbound you need a one-to-one NAT for the service. This can be accomplished by a static NAT command. Then lock the inbound NAT by using a filter for "SMTP or WWW" traffic only. Or you can use port redirection. Port redirection will take, for example, all inbound SMTP traffic and send it to a specific internal address.
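Putting the last two replies together (a static mapping for the published services, then a filter so only those services can be started from outside), here is an added example configuration for the 2621. It is not from any poster in this thread. It assumes a web server at 10.0.0.10 and a mail server at 10.0.0.11 (both made-up inside addresses), the single public address 209.211.20.217 from the thread on FastEthernet0/0, a classic IOS 12.0 image without the firewall feature set, and a placeholder SNMP community string.

```cisco
! Added example: static port mappings plus an inbound filter for the 2621.
! Assumptions (not from the thread): web server 10.0.0.10, mail server 10.0.0.11,
! public address 209.211.20.217 on FastEthernet0/0, classic IOS 12.0 image.
!
! --- 1. Publish only the two services (static PAT, i.e. "port redirection") ---
! Syntax: ip nat inside source static tcp <inside-ip> <inside-port> <public-ip> <public-port>
! Only TCP/80 and TCP/25 are mapped to inside hosts; every other port on the
! public address keeps belonging to the existing "overload" translation.
ip nat inside source static tcp 10.0.0.10 80 209.211.20.217 80
ip nat inside source static tcp 10.0.0.11 25 209.211.20.217 25
!
! --- 2. Filter what the Internet may start toward the public address ---
! An inbound ACL on the outside interface is checked before the NAT step, so
! the destination seen here is the public address, not the 10.x inside one.
ip access-list extended OUTSIDE-IN
 ! the published services
 permit tcp any host 209.211.20.217 eq www
 permit tcp any host 209.211.20.217 eq smtp
 ! replies to TCP sessions that inside hosts opened through the overload PAT
 permit tcp any host 209.211.20.217 established
 ! DNS replies toward the inside resolver (10.0.10.10 forwards upstream);
 ! a plain ACL is stateless, so this is the narrowest match available
 permit udp any eq domain host 209.211.20.217 gt 1023
 ! ICMP needed for ping/traceroute replies and path-MTU discovery
 permit icmp any host 209.211.20.217 echo-reply
 permit icmp any host 209.211.20.217 unreachable
 permit icmp any host 209.211.20.217 time-exceeded
 ! everything else is dropped and logged, so unexpected probes show in the log
 deny ip any any log
!
interface FastEthernet0/0
 ip access-group OUTSIDE-IN in
 no ip proxy-arp
 no ip redirects
!
! --- 3. Management plane: reachable from the inside network only ---
access-list 10 permit 10.0.0.0 0.255.255.255
line vty 0 4
 access-class 10 in
 exec-timeout 10 0
!
! Remove the existing unrestricted community first ("no snmp-server community
! <old-string>"), then allow read-only polling from inside hosts only.
snmp-server community <COMMUNITY-PLACEHOLDER> RO 10
```

After pasting this in, `show ip nat translations` should list the two static entries with the public address and port in the "Inside global" column, and `show access-lists OUTSIDE-IN` shows a match count per line; the `log` keyword on the final deny also writes a syslog message when it matches (IOS rate-limits these). The weak spot is the UDP line: an ordinary access list cannot track which DNS replies were actually requested, so if the image supports it, a reflexive access list or the firewall feature set's inspection is the better tool for the return traffic.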