10-13-2007 09:15 PM - edited 03-03-2019 07:09 PM
Hi,
We have an 1841 router for service provider connectivity. The ISP has assigned us a pool of 14 public addresses. One IP we want to dedicate to our e-mail server, and the remaining ones we plan to use for internal users' internet browsing.
We have the inside mail server 172.30.1.1 mapped to the first address in the pool the service provider gave us. The command used is
ip nat inside source static 172.30.1.1 First_Address_ISP_Pool
select fa0/0 (connected to internal switch)
ip nat inside
select serial 0/1/0 (connected to ISP router)
ip nat outside
So far so good!
Next, if we put an access list (incoming direction) on serial 0/1/0 that allows only port 110 on First_Address_ISP_Pool, I think it will block anything else except this traffic.
Then how do we allow other internal users to use the internet via the remaining free public IP addresses? Or does the router work like a PIX, which allows return connections that were initiated from inside, while for connections initiated from outside we use the static command to allow access to internal servers (in PIX)? In a nutshell, we want internal users to access the internet with the free IP addresses and fix up one IP address for the e-mail server, which will be accessed on port 110 from outside mail servers. How do we achieve this? Any link on Cisco is highly appreciated!
Thanks in advance
Subodh
10-14-2007 07:09 AM
Let's pretend your email server's external address is 1.1.1.1; here is the ACL for the external interface:
ip access-list extended Subodh
permit tcp any host 1.1.1.1 eq pop3
deny ip any host 1.1.1.1
permit ip any any
interface s0/1/0
 ip access-group Subodh in
10-14-2007 07:14 AM
Hi Bapat,
Will you be using the router for these requirements, or is there a PIX in this equation? If you have a PIX you could use it and have the firewall do this process.
You could also use the ip nat outside interface to PAT outbound internet traffic and keep the remaining free public IP addresses as spares that you may need for later NATs, but I will throw out a couple of examples.
Assume you have 10 public IP addresses, one outside interface facing the ISP and one inside interface facing users, just as in your description.
Public IP block: 20.20.20.1 to 20.20.20.10
IP NAT outside interface: 20.20.20.1 (Se0/1/0)
IP NAT inside interface subnet: 172.30.1.0/24 (FE0/0)
Inside mail server IP: 172.30.1.1
For your mail server, since it will have a static NAT (its public IP is not part of the pool), when you apply ip access-group 101 in to se0/1/0, the ACL will know the static NAT is not part of the pool and therefore allow inbound traffic for the static NAT on port 110.
Using the complete public IP block as the pool and one static for the mail server:
ip nat pool mypool 20.20.20.3 20.20.20.10 netmask 255.255.255.0
ip nat inside source list 101 pool mypool overload
ip nat inside source static 172.30.1.1 20.20.20.2
! ACL 101 only selects the inside sources to be translated (the protocol keyword is required)
access-list 101 permit ip 172.30.1.0 0.0.0.255 any
! The inbound ACL on se0/1/0 is checked before NAT, so it must match the public address 20.20.20.2;
! plain ACLs are stateless, so the users' return traffic must be permitted explicitly
access-list 102 permit tcp any host 20.20.20.2 eq 110 log
access-list 102 deny ip any host 20.20.20.2
access-list 102 permit ip any any
int se0/1/0
 ip access-group 102 in
Or using the se0/1/0 interface IP to PAT outbound internet traffic, and saving the remaining public IPs as spares for later use:
! No pool needed: overload directly onto the outside interface address (20.20.20.1)
ip nat inside source list 101 interface Serial0/1/0 overload
ip nat inside source static 172.30.1.1 20.20.20.2
access-list 101 permit ip 172.30.1.0 0.0.0.255 any
! Same inbound ACL as above: match the public address of the static NAT, allow everything else back in
access-list 102 permit tcp any host 20.20.20.2 eq 110 log
access-list 102 deny ip any host 20.20.20.2
access-list 102 permit ip any any
int se0/1/0
 ip access-group 102 in
HTH
Jorge
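As an added illustration, not part of the thread or of any Cisco code, here is a small Python model of the order in which IOS evaluates an inbound ACL and NAT on the outside interface: the ACL sees the packet before the static translation, so it must match the public address, and because plain ACLs are stateless the users' return traffic needs an explicit permit. The addresses, ACL entries and packets are constructed values based on Jorge's example.

```python
from ipaddress import ip_address, ip_network

# Constructed from Jorge's example: the mail server's static NAT (global -> local).
STATIC_NAT = {"20.20.20.2": "172.30.1.1"}

def acl_match(entry, pkt):
    """entry = (action, proto, src_net, dst_net, dport); dport None = any port."""
    _action, proto, src, dst, dport = entry
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst):
        return False
    return dport is None or pkt.get("dport") == dport

def acl_decision(acl, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for entry in acl:
        if acl_match(entry, pkt):
            return entry[0]
    return "deny"

def inbound_outside(acl, pkt):
    """Outside-to-inside on IOS: the input ACL is evaluated first, then NAT
    rewrites the global (public) destination to the local address.
    Returns the translated packet, or None if the ACL dropped it."""
    if acl_decision(acl, pkt) == "deny":
        return None
    translated = dict(pkt)
    translated["dst"] = STATIC_NAT.get(pkt["dst"], pkt["dst"])
    return translated

# As posted: the entry names the inside address, which the inbound ACL never sees.
ACL_AS_POSTED = [("permit", "tcp", "0.0.0.0/0", "172.30.1.1/32", 110)]
# Corrected: match the public address, block the rest of the mail server,
# and let everything else through because return traffic is not tracked.
ACL_CORRECTED = [("permit", "tcp", "0.0.0.0/0", "20.20.20.2/32", 110),
                 ("deny", "ip", "0.0.0.0/0", "20.20.20.2/32", None),
                 ("permit", "ip", "0.0.0.0/0", "0.0.0.0/0", None)]

# Constructed sample packets arriving on the outside interface.
POP3_TO_MAIL = {"proto": "tcp", "src": "198.51.100.7", "dst": "20.20.20.2", "dport": 110}
SMTP_TO_MAIL = {"proto": "tcp", "src": "198.51.100.7", "dst": "20.20.20.2", "dport": 25}
# Reply to a user's web session, addressed to a pool address and a high port.
WEB_REPLY = {"proto": "tcp", "src": "203.0.113.80", "dst": "20.20.20.3", "dport": 40001}
```

Running `inbound_outside(ACL_AS_POSTED, POP3_TO_MAIL)` returns None (the entry never matches), while the corrected ACL passes POP3 to 172.30.1.1, drops SMTP to the mail server, and lets the web reply through.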