Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

Help with simple NAT and Rule Cisco 871

I am just not too comfortable with some of these older devices and code so if someone could please help me out here. I really just would like to know the syntax to NAT 3389 from the internet to a host 10.4.5.5 on the inside and how to do the ACL and ensure that I don't wipe any other ACL out.

 

RTR#sh ru
Building configuration...

Current configuration : 7837 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname AB_RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$MqM5$8bfgX4u3/bSI1zro1JdhP1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-322684269553259
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-36854695535459
 revocation-check none5
 rsakeypair TP-self-signed-368569553559
!
!
dot11 syslog
!
dot11 ssid ILAB
   authentication open
!
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cusaseseme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
no ip domain lookup
ip domain name nslash.com
!
!
!
username admin privilege 15 secret 5 ^$^$^$YRYHH%%%Y%.

!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ALIDEV
 key $#$#$#%$$$#
 pool SDM_POOL_1
 acl 102
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group ALIDEV
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
bridge irb
!
!
interface FastEthernet0
 switchport access vlan 5
 switchport trunk native vlan 5
 switchport mode trunk
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 1.2.3.4 255.255.255.224
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 !
 ssid ALILAB
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Vlan5
 ip address 10.5.105.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 10.10.105.5 10.10.105.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 66.207.69.1
ip route 10.3.105.0 255.255.255.0 10.5.105.5
ip route 10.4.105.0 255.255.255.0 10.5.105.5
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=vlan5
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.5.105.0 0.0.0.255
access-list 1 remark INSIDE_IF=BVI1
access-list 1 permit 10.3.105.0 0.0.0.255
access-list 1 permit 10.4.105.0 0.0.0.255
access-list 1 remark INSIDE_IF=Vlan1
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny   ip 10.5.105.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip any any
access-list 101 remark t
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.3.105.0 0.0.0.255 any
access-list 102 permit ip 10.4.105.0 0.0.0.255 any
access-list 102 permit ip 10.5.105.0 0.0.0.255 any

!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 

1 ACCEPTED SOLUTION

Accepted Solutions
Purple

Hi,For the static PAT:ip nat

Hi,

For the static PAT:

ip nat inside source static tcp 10.4.5.5 3389 interface fa4 3389

ip nat inside source static udp 10.4.5.5 3389 interface fa4 3389

 

for the ACL:

ip access-list extended 101

5 permit tcp any host 1.2.3.4  eq 3389

6 permit udp any host 1.2.3.4 eq 3389

where 1.2.3.4 is the IP of the nat outside interface(fa4)

 

Regards

 

Alain

Don't forget to rate helpful posts.
2 REPLIES
Purple

Hi,For the static PAT:ip nat

Hi,

For the static PAT:

ip nat inside source static tcp 10.4.5.5 3389 interface fa4 3389

ip nat inside source static udp 10.4.5.5 3389 interface fa4 3389

 

for the ACL:

ip access-list extended 101

5 permit tcp any host 1.2.3.4  eq 3389

6 permit udp any host 1.2.3.4 eq 3389

where 1.2.3.4 is the IP of the nat outside interface(fa4)

 

Regards

 

Alain

Don't forget to rate helpful posts.
New Member

Worked to perfection! - TY,

Worked to perfection! - TY, was afraid of that ACL.

137
Views
0
Helpful
2
Replies
CreatePlease to create content