configuration 3620

ikhan
Level 1

Hello,

I have just set up a 3620 on a network that was using a SpeedTouch Pro ADSL modem. The current configuration has been set up so that the SpeedTouch is now functioning as a transparent bridge and the PPPoE authentication is being done by the router via one of the Ethernet ports.

I have created NAT rules to allow users on the Internet to get access to a mail and web server sitting on the private network.

There is a problem that I have run into, and this problem has to do with users on the local network not being able to access the web and mail server on the local LAN.

The users need to be able to access this server via the Internet front-end address and not directly from the LAN. I know there is a way with NAT to do this setup; I believe it is called Inside to Inside NAT - NAT Virtual Interface Support, but I can't seem to get this working.

I have attached my setup and would appreciate it if you gurus would be able to tell me where I am going wrong.

!
version 12.3
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname router1
!
boot-start-marker
boot-end-marker
!
enable secret 5 password
enable password password
!
no aaa new-model
ip subnet-zero
!
!
ip cef
ip name-server 192.x.203.132
no ip dhcp conflict logging
!
ip dhcp pool localnet
 network 10.0.0.0 255.0.0.0
 domain-name xyz.com
 dns-server 192.x.203.132 192.231.203.3
 default-router 10.0.0.200
 lease 30
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
interface Serial0/0
 no ip address
 shutdown
 serial restart-delay 0
!
interface Serial0/1
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial0/2
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Serial0/3
 no ip address
 shutdown
 serial restart-delay 0
 no cdp enable
!
interface Ethernet1/0
 description ADSL WAN
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1/1
 ip address 10.0.0.200 255.0.0.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 no ip mroute-cache
 half-duplex
 no cdp enable
!
interface Ethernet1/2
 no ip address
 half-duplex
 no cdp enable
!
interface Ethernet1/3
 no ip address
 half-duplex
 no cdp enable
!
interface Dialer1
 description ADSL WAN Dialer
 mtu 1492
 ip address negotiated
 no ip unreachables
 ip nat outside
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username@isp
 ppp chap password 0 isppassword
 ppp pap sent-username username@isp password 0 isppassword
!
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.110 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.110 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.110 32000 interface Dialer1 32000
ip nat inside source static tcp 10.0.0.110 32001 interface Dialer1 32001
ip nat inside source static tcp 10.0.0.110 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.110 143 interface Dialer1 143
ip nat inside source static tcp 10.0.0.110 995 interface Dialer1 995
ip nat inside source static tcp 10.0.0.110 993 interface Dialer1 993
ip nat inside source static udp 10.0.0.110 53 interface Dialer1 53
ip nat inside source static tcp 10.0.0.110 1143 interface Dialer1 1143
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 10 permit any
dialer-list 1 protocol ip permit
no cdp run
!
snmp-server community public RO
snmp-server enable traps tty
!
!
dial-peer cor custom
!
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password password
 login
!
end

Thanks for your help

2 Replies

tdrais
Level 7

I don't think NAT virtual interface will solve your issue. Your problem is that your inside and outside interface are the same interface. You also have the issue that you must also translate the user's address to something else, since the server will send the data back directly, which won't work. You basically want to translate what the server thinks is his outside source address.

Because you are using the easy NAT with a dynamic address, I'm not sure you can do this with a single router. If it was static then you might be able to make this work with what Cisco calls NAT ON A STICK.

This document gives me a headache thinking about it. Maybe a combination of the virtual NAT interface and NAT on a stick will solve this. Without some playing in my lab I cannot say 100% for sure.

These 2 links are very helpful... if you want a headache...

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094430.shtml

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
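
The return-path problem described in the reply above, as an added Python model that is not part of the original thread or of any Cisco code: it traces one LAN client connecting to the public address, with and without translating the client's source address. The server and router addresses come from the posted config; `PUBLIC`, `CLIENT` and the ports 40000 and 50000 are constructed, and the model assumes the router does rewrite the destination for LAN-sourced traffic.

```python
from dataclasses import dataclass, replace

SERVER = "10.0.0.110"       # inside host of the static port forwards in the posted config
ROUTER_LAN = "10.0.0.200"   # Ethernet1/1 address in the posted config
PUBLIC = "203.0.113.10"     # constructed placeholder for the negotiated Dialer1 address
CLIENT = "10.0.0.50"        # hypothetical LAN user

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def hairpin(client, port, translate_source):
    """Trace one LAN client connecting to PUBLIC:port; return (accepted, trace)."""
    syn = Packet(client, 40000, PUBLIC, port)
    trace = [("client -> router", syn)]
    # Assumption: the router applies the static forward and rewrites the destination.
    fwd = replace(syn, dst=SERVER)
    if translate_source:
        # Also hide the client behind the router's LAN address.
        fwd = replace(fwd, src=ROUTER_LAN, sport=50000)
    trace.append(("router -> server", fwd))
    reply = Packet(SERVER, port, fwd.src, fwd.sport)
    if reply.dst == ROUTER_LAN:
        # Reply returns through the router, which reverses both rewrites.
        reply = Packet(PUBLIC, port, syn.src, syn.sport)
        trace.append(("server -> router -> client", reply))
    else:
        # Client is on the server's own subnet: the reply is delivered directly
        # and never passes the router, so nothing restores the public address.
        trace.append(("server -> client (direct)", reply))
    # The client's TCP stack only matches a reply from the address it connected to.
    accepted = ((reply.src, reply.sport) == (syn.dst, syn.dport)
                and (reply.dst, reply.dport) == (syn.src, syn.sport))
    return accepted, trace

if __name__ == "__main__":
    for snat in (False, True):
        ok, trace = hairpin(CLIENT, 80, snat)
        print(f"source translation={snat}: client accepts reply={ok}")
        for hop, p in trace:
            print(f"  {hop}: {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```
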

My inside and outside interfaces are different: the servers are hanging off Ethernet 1 and the ADSL modem is configured off Ethernet 0. I have a spare 7200 router, so the NAT on a stick may work. I will read the document and see if it makes any sense, but if you have any advice it would be much appreciated.

BTW this has given me a headache even before the NAT on a stick idea LOL.

Do you have any advice on how to get the router to do an automatic update with a Dynamic DNS setup? I have a FQDN through Melbourne IT and have it hosted by ZoneEdit. In my previous setup using IPCop, the firewall used to automatically update ZoneEdit when the address changed, and I would like to be able to do that with the Cisco setup if at all possible.

Thanks for your help. I was worried no one was going to respond.

Imran Khan
