Need a little NAT Help

Todd Vohs
Level 1

I have a Cisco 2621 with a WIC-1ADSL and I replaced my ISP's DSL router.  Fa0/0 connects to a Cisco ASA-5505.  WIC-1ADSL connects via Dialer interface to Frontier Communications.  Works like a champ using IOS 12.3 (26). 

I would like to connect a PC to the Fa0/1 port so that I can simulate testing, so that the PC would appear as though it is on the Internet.  Currently, I have to go home and try things out on my home PC or from an Android cell phone (on which, with my age and eyesight, I have trouble reading the small text).  I am not sure how to set the NAT statements but would assume that I can statically map the single IP of the PC or the entire subnet of the interface?  This is where I am unsure.  I would like to be able to access the Internet from this PC also, and if something happens to it because it is not behind a firewall, I will just reload it.  It is just an old HP running WinXP.

Anyway, I just wanted to test the VPN from the PC connected to the 2621 into my network, which would look like:

                              PC
                               |
                             Fa0/1
                               |
Internet - ATM0/0 - 2621 - Fa0/0 - ASA5505 - InternalNetwork

Current config:

interface Loopback0
 ip address 10.10.10.1 255.255.255.0
!
! Physical DSL interface; the PVC is a member of dialer pool 1
interface ATM0/0
 description Physical DSL Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 atm ilmi-keepalive
 dsl operating-mode auto
 pvc X/Y
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
! Ethernet toward the ASA-5505
interface FastEthernet0/0
 ip address FrontierIP FrontierNetMask
 ip nat outside
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
! Ethernet for the test PC
interface FastEthernet0/1
 ip address 10.1.100.1 255.255.255.0
 ip nat inside
 ip route-cache same-interface
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
! PPP session to Frontier over dialer pool 1; address is negotiated
interface Dialer1
 ip address negotiated
 ip access-group autosec_firewall_acl in
 ip verify unicast source reachable-via rx allow-default 100
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username username@frontier.com password 7 <encrypted password>
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1

The ultimate goal here is to get the VPN working on the ASA-5505 so that I can access my Cisco UC320W from home via VPN.  I would also like the VPN to terminate client VPN (specifically Android via Android VPN) and Windows 7.  Not sure if AnyConnect or IPsec/L2TP yet, but it looks like AnyConnect requires me to root my phone, which won't happen because it voids the warranty of the phone.  Side note: this is documented on Cisco's website, but I am not sure how Cisco would feel if another company's directions explicitly stated to void the warranty on a Cisco device, hmmm.

Anyone have any ideas on how to make this PC appear as though it is coming from the Internet and still have access to the Internet?

Thanks in advance.

Thanks, Todd Vohs Owner Holstein Ag Services, LLC

Neeraj Arora
Level 3

Hi Todd,

** First of all, the FastEthernet0/0 interface is supposed to be connected to the ASA firewall, not Frontier. Well, that's what I understood from your problem description. So this interface should have the ASA outside subnet and be "ip nat inside".

** Second, you can reach the Internet from the PC connected on the Fa0/1 interface, but I am not sure I understand your statement "make this PC appear as though it is coming from the Internet". Are you looking to send traffic from this PC towards the ASA for testing? i.e. from the Fa0/1 interface towards Fa0/0?

If yes, then it's more like a test environment that you want to create, so just give a public IP address, let's say 1.1.1.2/30, to the PC and assign 1.1.1.1/30 to the Fa0/1 interface. You don't need to do any NAT for the traffic going from the PC to the ASA, and to your ASA it will look like the traffic is coming from a public IP.

** Now to make this PC go to the Internet as well through Dialer1, issue the config statements:

access-list 100 permit ip 1.1.1.0 0.0.0.3 any
ip nat inside source list 100 interface dialer1 overload
!
interface fa0/1
 ip nat inside
!
interface dialer1
 ip nat outside

** For hosting services like VPN (AnyConnect or remote access), you would need a public IP address from your ISP apart from the one being assigned to the Dialer1 interface dynamically. Then you'll be configuring a static NAT mapping that public IP to the ASA's outside interface, which is going to act as the VPN endpoint.

Hope the above information helps

Neeraj
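The three points above, put together as one 2621 configuration. This is an added example, not the original poster's config or the reply's, and every address in it is an assumption standing in for what Frontier actually assigns: 203.0.113.0/30 for the test segment on Fa0/1, 192.168.255.0/30 for the transit link to the ASA, and 203.0.113.8 as the extra public IP to be mapped onto the ASA. It uses ACL 110 rather than 100 because the posted Dialer1 config already binds ACL 100 to uRPF (ip verify unicast source reachable-via rx allow-default 100).

```cisco
! Added example for the 2621 (not the original poster's config or the reply's).
! Assumed addresses, to be replaced with what Frontier actually assigns:
!   203.0.113.0/30   - test segment on Fa0/1 (PC = 203.0.113.2)
!   192.168.255.0/30 - transit link to the ASA outside interface (ASA = .2)
!   203.0.113.8      - second ISP public IP to be mapped onto the ASA
!
! Both LAN-side interfaces are NAT inside; Dialer1 is the only NAT outside.
! Inside-to-inside traffic (Fa0/1 -> Fa0/0) is routed without translation,
! so the ASA sees the PC's 203.0.113.2 source address untouched.
interface FastEthernet0/0
 description To ASA-5505 outside
 ip address 192.168.255.1 255.255.255.252
 ip nat inside
!
interface FastEthernet0/1
 description Test PC acting as an Internet host
 ip address 203.0.113.1 255.255.255.252
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! ACL 100 is already bound to uRPF on Dialer1 in the posted config,
! so the NAT match list gets its own number.
access-list 110 permit ip 203.0.113.0 0.0.0.3 any
!
! PAT the test segment out of the negotiated Dialer1 address so the PC
! also reaches the Internet.
ip nat inside source list 110 interface Dialer1 overload
!
! One-to-one NAT of the extra public IP onto the ASA outside interface,
! which will terminate the VPN. Inbound packets to 203.0.113.8 are
! translated to 192.168.255.2 and forwarded to the ASA.
ip nat inside source static 192.168.255.2 203.0.113.8
!
! The ASA's default route points at 192.168.255.1; the 2621 keeps the
! posted default route (ip route 0.0.0.0 0.0.0.0 Dialer1).
```

Two checks after applying it: `show ip nat statistics` should list Fa0/0 and Fa0/1 as inside and Dialer1 as outside, and `show ip nat translations` should show the static entry plus PAT entries for 203.0.113.2 once the PC browses. For the VPN test from the PC, point the client at the ASA's transit address (192.168.255.2 here); reaching the static-mapped 203.0.113.8 from an inside interface is hairpin NAT, which this layout does not set up. Because autosec_firewall_acl is applied inbound on Dialer1 and an inbound ACL is evaluated before NAT for outside-to-inside traffic, it has to permit the VPN protocols (UDP 500/4500 and ESP for IPsec, TCP 443 for AnyConnect) to the untranslated destination 203.0.113.8, or remote clients will be dropped before the static mapping is ever consulted.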

Neeraj,

Thanks, that did it.  Sorry for the confusion with the Frontier side of things.  The outside interface of the ASA is a static Frontier IP, and I replaced their crappy little DSL modem with the 2621, so it is "all" Frontier from the outside of the ASA.  Actually, I had real issues with getting through my ASA, and Frontier told me their device was just a DSL modem, but upon further inspection it is a router too, so I was getting blocked even before traffic hit my ASA.  With the 2621, I now have full control.

I already have some static NAT on the ASA for some Cisco IP cameras and a couple of other items that I needed access to from the outside.  Now I am getting a lot of these holes poked in my firewall and would rather close them up and use a VPN solution, which the ASA already has built in, and I paid for the license if I remember correctly.

Now I can enable VPN and test within the confines of my own office and not have to run home to try things out!

Thanks much!

Thanks, Todd Vohs Owner Holstein Ag Services, LLC

Glad to be of help!!

Don't forget to rate the post
