Cisco Support Community

New Member

NAT pub IP to internal IP

Hi all,

I am trying to replace an existing old ADSL modem with a Cisco 857 ADSL router. Most of the config seems to work (my network can use the internet etc.); however, I am trying to configure it as follows:

INTERNET ----> 857 (static public IP on Dialer0, 192.168.2.1 on VLAN1)  ---> Firewall (WAN: 192.168.2.250 / LAN: 10.11.0.0) ---> LAN router

What I want the 857 to do is be invisible, in that if someone on the net attempts to SSH to my 857's public IP (or ping, or whatever), the traffic actually hits the firewall's IP. Is this something like a straight IP-to-IP NAT? On other modems I've configured with fancy web front-ends, it's had various descriptions.

What command do I need in my 857's config to achieve this, please?

My current config:

rtr-hq2-h001631#show running-config
Building configuration...

Current configuration : 4238 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
no service dhcp
!
hostname rtr-hq2-h001631
!
boot-start-marker
boot system flash:c850-advsecurityk9-mz.124-15.T15.bin
boot-end-marker
!
logging buffered 51200 warnings
no logging console
enable secret 5 $1$Ygn2$MtO1fGglV63UyAIJOpbXF.
enable password 7 09184A04480B
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1827579225
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1827579225
 revocation-check none
 rsakeypair TP-self-signed-1827579225
!
!
crypto pki certificate chain TP-self-signed-1827579225
 certificate self-signed 01
  quit
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
username administrator privilege 15 secret 5 $1$8DY/$uAhjrWxTkB9HRZ14z4g3G.
username ejohnson privilege 15 secret 5 $1$f5F6$0FWpsootcXYjHZC0GqmCL0
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.11.1.97 255.255.255.0 secondary
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address 80.123.123.123 255.255.255.254
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname hayleygp-adsl@lon1-aj1a.demonadsl.co.uk
 ppp chap password 7 bhbhbtyvbyuby
 ppp ipcp dns request
 ppp ipcp route default
!
ip default-gateway 10.11.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list natin interface Dialer0 overload
!
ip access-list standard natin
 permit 192.168.2.0 0.0.0.255
!
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
This is a private network.
Unauthorized access is prohibited.
-----------------------------------------------------------------------
^C
!
line con 0
 privilege level 15
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 0 0
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 10.11.1.217
end

rtr-hq2-h001631#

Thanks

  • WAN Routing and Switching
5 REPLIES
Cisco Employee

NAT pub IP to internal IP

Hello,

NAT could be used as a solution, but I am not sure what your objective is: to drop the traffic targeted at your 857, or to transparently forward it to your firewall's IP address so that, for example, the firewall can be remotely configured using SSH?

If the traffic is to be dropped, we can do it on the 857 directly without forwarding it to the firewall to be dropped there.

Best regards,

Peter

New Member

NAT pub IP to internal IP

Hi Peter,

Thank you very much for your reply.

My objective is to pass all traffic (including ICMP) transparently to my firewall. From there I can set up rules to redirect HTTP, SSH, FTP, RDP etc. traffic to the relevant internal systems accordingly.

I did find one command for specific ports:

ip nat inside source static tcp 192.168.2.250 23 80.123.123.123 23 extendable

But I need an equivalent rule to simply redirect/transparently pass through all traffic on all ports.

Thank you

Cisco Employee

NAT pub IP to internal IP

Hi,

I see. Well, configuring what you need should be rather simple:

ip nat inside source static 192.168.2.250 80.123.123.123

Remember to remove the lines you have configured yourself.

Best regards,

Peter
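
As an added check that is not part of this thread: a small Python parser, run here against a constructed excerpt of the config above with Peter's 1:1 static added, that pulls out the NAT inside/outside interfaces and the static mappings and flags a port-specific static that overlaps a full 1:1 static on the same global address (the earlier line Peter says to remove). The excerpt and the rule names are assumptions made for the example.

```python
import re

# Constructed excerpt: the thread's NAT-relevant lines plus Peter's 1:1 static,
# with the earlier port-specific entry left in so the check has something to flag.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address 80.123.123.123 255.255.255.254
 ip nat outside
!
ip nat inside source static tcp 192.168.2.250 23 80.123.123.123 23 extendable
ip nat inside source static 192.168.2.250 80.123.123.123
ip nat inside source list natin interface Dialer0 overload
"""

# Port-specific static (proto local lport global gport) and full 1:1 static (local global).
STATIC_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
STATIC_FULL = re.compile(r"^ip nat inside source static (\d[\d.]*) (\d[\d.]*)\b")


def parse_nat(config):
    """Return ({interface: role}, [(local, global)], [(proto, local, lport, global, gport)])."""
    roles, full, port = {}, [], []
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line.strip() in ("ip nat inside", "ip nat outside") and iface:
            roles[iface] = line.split()[-1]          # "inside" or "outside"
        elif (m := STATIC_PORT.match(line)):
            port.append((m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif (m := STATIC_FULL.match(line)):
            full.append((m[1], m[2]))
    return roles, full, port


def audit_nat(config):
    """List what a reviewer would want fixed before trusting the 1:1 mapping."""
    roles, full, port = parse_nat(config)
    findings = []
    if "inside" not in roles.values() or "outside" not in roles.values():
        findings.append("no interface pair marked ip nat inside / ip nat outside")
    one_to_one = {g for _, g in full}
    for proto, _, _, g, gport in port:      # a port entry on a 1:1 global IP is leftover
        if g in one_to_one:
            findings.append(f"port entry {proto}/{gport} on {g} overlaps the 1:1 static; remove it")
    return findings
```

Feed it the full running-config and it reports the leftover telnet forward; after that line is removed the finding list is empty.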

New Member

NAT pub IP to internal IP

You are the weaver of magic!

Works a treat.

Thank you Peter

Cisco Employee

NAT pub IP to internal IP

Hello,

LOL, thank you!

Best regards,

Peter
