Help setting up 1841 as a router

AdvancedLifeSciences · ‎09-15-2008

Right now my network has a T1 coming into my 1841. We then have the 1841 connected to a PIX 501 which handles our routing (very basic).

We want to get rid of the PIX and have the 1841 handle the routing, VPN, and firewall functions that the PIX is currently doing.

My problem is is that the ethernet interface on the 1841 has a public IP going into the PIX and once I take the PIX out of the picture, I am not sure how to configure the 1841.

Attached is a diagram of the relevant network portion.

Currently we have the PIX setup with NAT so that everything leaving the PIX goes out as 208.x.x.101. So when the PIX leaves, NAT has to be setup on 1841.

Basically, I am confused on how to setup the IP's when the PIX is out of the picture. I am assuming I keep the serial interface of the 1841 as 69.x.x.x but what would I setup the e0/0 interface to be that will now be directly connected to our switch (192.168.1.5)

johnakeating · ‎09-15-2008

Keep the ip the same on the 1841 and just map the 69.x.x.x external ip address to the internal servers or dont if you have nothing access from outside.

merryllem · ‎09-15-2008

Here you go. I modified the cisco sample for you network.

interface ethernet 0

ip address 192.168.1.254 255.255.255.0

ip nat inside

interface serial 0

ip address 69.x.x.x 255.255.x.x (your router outside/internet interface)

ip nat outside

ip nat pool insidesubnetsovrld 208.x.x.102 208.x.x.102 netmask 255.255.255.x

ip nat inside source list 7 pool insidesubnetsovrld overload

access-list 7 permit 192.168.1.0 0.0.0.255

Cisco reference:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094831.shtml#examples

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic3

The topic you would need to read about is "NAT Overloading"

Rate if its helpfull

AdvancedLifeSciences · ‎09-15-2008

I was actually reading my Cisco CCNA book right now and am on the NAT section.

One more question. We have a mail server on the internal network that needs to be accessed for the outside. Assume the public IP of the mail server is 208.95.223.100 and the private IP of the mail server is 192.168.1.250.

From reading the book, I would assume I need a static NAT entry for that? But how would that look? And I would place that on the outside (s0) interface, right?

merryllem · ‎09-15-2008

Yes, for an internal server to be accesible via outside address you will need a static translation.

Now, you have to choices to get this to work.

1. One-to-One - Meaning ALL request going to 208.95.223.100 will be fwd to 192.168.1.250

Config.

ip nat inside source static 192.168.1.250 208.95.223.100

2. Static port translation (port fwding) - Meaning only when request to specific port gets fwd (to a specific port) Example. smtp (TCP 25)request to 208.95.223.100 will be fwd to 192.168.1.250 but ftp (TCP 20/21) will not (but can be defined to go to another IP)

Config.

ip nat inside source static tcp 192.168.1.250 25 208.95.223.100 25 (SMTP)

ip nat inside source static tcp 192.168.1.250 110 208.95.223.100 110 (POP3)

Samples above are just some of the common used MAIL related ports

Here is a reference for tcp ports for other MAIL services (Exchange)

http://support.microsoft.com/kb/176466

NOTE: Remember to PAIR these with ACL filters for security.

AdvancedLifeSciences · ‎09-16-2008

How does the router know that I want all requests with a destination of 208.95.223.100 to go to 192.168.1.250?

With the first command you gave me, "ip nat inside source static 192.168.1.250 208.95.223.100 " I assumed that meant: anything with a source address of 192.168.1250 send out to the web with an address of 208.95.223.100.

Reason i say that is because the cisco book has a similar example of:

ip nat inside source static 10.1.1.1 170.46.2.2

And they explain it such that, "configures a static translation between the inside local IP address 10.1.1.1 to the outside global IP address 170.46.2.2"

Or am I just not understanding completely and does that command have a 2-fold effect, in that anything coming to it with the private IP will get translated to the public, AND anything coming in with the public will get translated to the private?

merryllem · ‎09-16-2008

How does the router know that I want all requests with a destination of 208.95.223.100 to go to 192.168.1.250?

Yes the explanation is correct but i think you are confused on the direction of the packet outgoing (out to the internet) and incoming (internet going in) has a different explanation.

INCOMING

When a packet reaches the outside interface or your router the first thing that the router checks is ACL (to allow or deny the packet) second, checks NAT, if an entry exist to translate the address and third route the packet to the destination.

In your scenario this is what happens.

1. Packet destined for 208.95.223.100 reaches you routers OUTSIDE interface

2. Router either allows or drops packet based on ACL.

3. Router sees translation exist for that DESTINATION so translates DESTINATION IP OF 208.95.223.100 to 192.168.1250.

4. Router forwards the packets to DESTINATION 192.168.1250

OUTGOING

1. Packet destined for the internet reaches you INSIDE interface

2. Router either allows or drops packet based on ACL.

3. Router sees translation exist for that SOURCE so translates SOURCE ip 192.168.1250 to 208.95.223.100.

4. Router forwards the packets to the internet with a SOURCE of 208.95.223.100.

Still confused?

Remember that one of the steps of configuring NAT is to configure the "inside" and "outside" interfaces? Well thats the part that tells the router what action to take when a packet reaches the interfaces.

AdvancedLifeSciences · ‎09-17-2008

I understand that, and thank you for the detailed explanation. I am just a little confused on the command itself:

ip nat inside source static 192.168.1.250 208.95.223.100

What would be different if I replaced 'inside' with 'outside'?

And also, with that single command, the router will know to translate both packets leaving the network for the internet and packets coming in from the internet?