07-04-2006 02:32 AM - edited 03-03-2019 01:13 PM
Hello,
I have just set up a 3620 onto a network that was using a SpeedTouch PRO ADSL modem. The current configuration has been set up so that the SpeedTouch is now functioning as a transparent bridge and the PPPoE authentication is being done by the router via one of the Ethernet ports.
I have created NAT rules to allow users on the internet to get access to a mail and web server sitting on the private network.
There is a problem that I have run into, and this problem has to do with users on the local network not being able to access the web and mail server on the local LAN.
The users need to be able to access this server via the internet front-end address and not directly from the LAN. I know there is a way with NAT to do this setup; I believe it is called Inside to Inside NAT - NAT Virtual Interface Support, but I can't seem to get this working.
I have attached my setup and would appreciate it if you gurus would be able to tell me where I am going wrong.
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
enable password password
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip name-server 192.x.203.132
no ip dhcp conflict logging
!
ip dhcp pool localnet
network 10.0.0.0 255.0.0.0
domain-name xyz.com
dns-server 192.x.203.132 192.231.203.3
default-router 10.0.0.200
lease 30
!
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
interface Serial0/0
no ip address
shutdown
serial restart-delay 0
!
interface Serial0/1
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial0/2
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Serial0/3
no ip address
shutdown
serial restart-delay 0
no cdp enable
!
interface Ethernet1/0
description ADSL WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1/1
ip address 10.0.0.200 255.0.0.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
half-duplex
no cdp enable
!
interface Ethernet1/2
no ip address
half-duplex
no cdp enable
!
interface Ethernet1/3
no ip address
half-duplex
no cdp enable
!
interface Dialer1
description ADSL WAN Dialer
mtu 1492
ip address negotiated
no ip unreachables
ip nat outside
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username@isp
ppp chap password 0 isppassword
ppp pap sent-username username@isp password 0 isppassword
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.110 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.110 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.110 32000 interface Dialer1 32000
ip nat inside source static tcp 10.0.0.110 32001 interface Dialer1 32001
ip nat inside source static tcp 10.0.0.110 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.110 143 interface Dialer1 143
ip nat inside source static tcp 10.0.0.110 995 interface Dialer1 995
ip nat inside source static tcp 10.0.0.110 993 interface Dialer1 993
ip nat inside source static udp 10.0.0.110 53 interface Dialer1 53
ip nat inside source static tcp 10.0.0.110 1143 interface Dialer1 1143
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 10 permit any
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password password
login
!
end
Thanks for your help
07-05-2006 11:35 AM
I don't think NAT virtual interface will solve your issue. Your problem is that your inside and outside interface are the same interface. You also have the issue that you must also translate the user's address to something else, since the server will send the data back directly, which won't work. You basically want to translate what the server thinks is his outside source address.
Because you are using the easy NAT with a dynamic address, I'm not sure you can do this with a single router. If it was static then you might be able to make this work with what Cisco calls NAT ON A STICK.
This document gives me a headache thinking about it. Maybe a combination of the virtual NAT interface and NAT on a stick will solve this. Without some playing in my lab I cannot say 100% for sure.
These 2 links are very helpful... if you want a headache...
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
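As an added illustration of the point made in this reply (not code from the thread or from Cisco), the model below walks a LAN client's request through the static port-forward with and without translating the client's source address. The public address 203.0.113.10 and the client 10.0.0.50 are constructed; 10.0.0.110 and 10.0.0.200 are the server and router addresses from the posted config.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst")

PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the negotiated Dialer1 address
ROUTER_LAN_IP = "10.0.0.200"  # Ethernet1/1 from the posted config
SERVER_IP = "10.0.0.110"      # the static-NAT target from the posted config
CLIENT_IP = "10.0.0.50"       # constructed LAN client


class Router:
    def __init__(self, translate_source):
        self.translate_source = translate_source
        self.table = {}  # (inside_src, inside_dst) -> (original_src, original_dst)

    def forward(self, pkt):
        """Static NAT: public address -> server; optionally rewrite the source too."""
        if pkt.dst != PUBLIC_IP:
            return pkt
        new_src = ROUTER_LAN_IP if self.translate_source else pkt.src
        self.table[(new_src, SERVER_IP)] = (pkt.src, pkt.dst)
        return Packet(new_src, SERVER_IP)

    def untranslate(self, reply):
        """Reverse both translations for a reply that came back through the router."""
        orig_src, orig_dst = self.table[(reply.dst, reply.src)]
        return Packet(orig_dst, orig_src)


def lan_delivery(reply):
    """On the flat 10.0.0.0/8 LAN the server reaches any 10.x host directly;
    only a reply addressed to the router itself is ever seen by NAT."""
    return "router" if reply.dst == ROUTER_LAN_IP else "direct"


def client_accepts(reply):
    """The client only recognises a reply from the address it connected to."""
    return reply.src == PUBLIC_IP and reply.dst == CLIENT_IP


def session_works(translate_source):
    router = Router(translate_source)
    to_server = router.forward(Packet(CLIENT_IP, PUBLIC_IP))
    reply = Packet(to_server.dst, to_server.src)  # server answers whoever it saw
    if lan_delivery(reply) == "direct":
        # Reply arrives from 10.0.0.110, not from the public address: session fails.
        return client_accepts(reply)
    return client_accepts(router.untranslate(reply))
```

With the source left untouched the server replies straight to 10.0.0.50 and the client sees the wrong peer address; translating the source to the router forces the reply back through NAT, which is what the reply above means by translating "what the server thinks is his outside source address".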
07-06-2006 03:25 AM
My inside and outside interfaces are different: the servers are hanging off Ethernet 1 and the ADSL modem is configured off Ethernet 0. I have a spare 7200 router, so the NAT on a stick may work. I will read the document and see if it makes any sense, but if you have any advice it would be much appreciated.
BTW, this has given me a headache even before the NAT on a stick idea, LOL.
Do you have any advice on how to get the router to do an automatic update with a Dynamic DNS setup? I have an FQDN through Melbourne IT and have it hosted by ZoneEdit. My previous setup using IPCop as the firewall used to automatically update ZoneEdit when the address changed, and I would like to be able to do that with the Cisco setup if at all possible.
Thanks for your help. I was worried no one was going to respond.
Imran Khan