Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Need a little NAT Help

I have a Cisco 2621 with a WIC-1ADSL and I replaced my ISP's DSL router.  Fa0/0 connects to a Cisco ASA-5505.  WIC-1ADSL connects via Dialer interface to Frontier Communications.  Works like a champ using IOS 12.3 (26). 

I would like to connect a PC to the Fa0/1 port so that I can simulate testing so that the PC would appear as though it is the Internet.  Currently, I have to go home and try things out on my home PC or from an Android cell phone (which with my age and eyesite, have trouble reading the small text).  I am not sure how to set the NAT statements but would assume that I can static map the single IP of the PC or the entire subnet of the interface????  This is where I am unsure.  I would like to be able to access the internet from this PC also and if something happens to it for not being behind a firewall, I will just reload it.  It is just an old HP running WinXP.

Anyway, just wanted to test the VPN from the PC connected to the 2621 into my network which would look like:

                            PC

                              |

                           Fa0/1

                              |

Internet - ATM0/0 - 2621 - Fa0/0 - ASA5505 - InternalNetwork

Current config:

interface Loopback0

ip address 10.10.10.1 255.255.255.0

!

interface ATM0/0

description Physical DSL Interface

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no ip mroute-cache

atm ilmi-keepalive

dsl operating-mode auto

pvc X/Y

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0/0

ip address FrontierIP FrontierNetMask

ip nat outside

ip route-cache same-interface

ip route-cache flow

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface FastEthernet0/1

ip address 10.1.100.1 255.255.255.0

ip nat inside

ip route-cache same-interface

ip route-cache flow

ip tcp adjust-mss 1452

no cdp enable

hold-queue 100 out

!

interface Dialer1

ip address negotiated

ip access-group autosec_firewall_acl in

ip verify unicast source reachable-via rx allow-default 100

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

encapsulation ppp

ip route-cache flow

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username username@frontier.com password 7 <encrypted password>

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

The ultimate goal here is to get the VPN working on the ASA-5505 so  that I can access my Cisco UC320W from home via VPN.  I would also like  the VPN to terminate client VPN (specifically Android via Android VPN)  and Windows 7.  Not sure if AnyConnect or IPSec/L2TP yet but looks like  AnyConnect requires me to root my phone which won't happen because it  voids the warranty of the phone.  Side note: this is documented on  Cisco's website but am probably not sure how Cisco would feel if another  company's directions explicity stated to void the warranty on a Cisco  device, hmmm.

Anyone have any ideas on how to make this PC appear as though it is coming from the Internet and still have access to the Internet?

Thanks in advance.

Thanks, Todd Vohs Owner Holstein Ag Services, LLC
1 ACCEPTED SOLUTION

Accepted Solutions

Need a little NAT Help

Glad to be of help!!

Don't forget to rate the post

3 REPLIES

Need a little NAT Help

Hi Todd,

** First of all, FastEthernet0/0 interface is supposed to be connected to the ASA firewall not Frontier. Well thats what I understood by your problem description. So this interface should have ASA outside subnet and be "ip nat inside"

** Second, You can reach internet from the PC connected on Fa0/1 interface but I am not sure I understand by your statement "make this PC appear as though it is coming from the Interne". Are you looking for send traffic From this PC towards the ASA for testing? i.e from Fa0/1 interface towards Fa0/0?

If yes, then its more like a Test environment that you want to create, so just give a Public ip address lets say 1.1.1.2/30 to the PC and assign 1.1.1.1/30 to Fa0/1 interface. You don't need to do any NAT for the traffic going from the PC to ASA and to your ASA it will look like the traffic is coming from a Public ip.

** Now to make this PC go to internet as well through Dialer1, issue the config statements:

access-list 100 permit ip 1.1.1.0 0.0.0.3 any

ip nat inside source list 100 interface dialer1 overload

interface fa0/1

ip nat inside

interface dialer1

ip nat outside

** For hosting services like VPN (anyconnect or RemoteAccess), you would need a public ip address from your ISP apart from the one being assigned to Dialer1 interface dynamically. then you'll be configuring a static NAT mapping that public ip to ASA's outside interface which is going to act as the VPN end point.

Hope the above information helps

Neeraj

New Member

Need a little NAT Help

Neeraj,

Thanks, that did it.  Sorry for the confusion with the Frontier side of things.  The outside interface of the ASA is a static Frontier IP and I replaced their crappy little DSL modem with the 2621 so it is "all" Frontier from the outside ASA.  Actually, I had real issues with getting through my ASA and Frontier told me their device was just a DSL modem but upon further inspection, it is a Router too so I was getting blocked even before traffic hit my ASA.  With the 2621, I now have full control.

I already have some static NAT on the ASA for some Cisco IP Cameras and a couple of other items that I needed access to from the outside.  Now, I am getting a lot of these holes poked in my firewall and would rather close them up and use a VPN solution which the ASA already has built-in and I paid for the license if I remember correctly.

Now I can enable VPN and test within the confines of my own office and not have to run home to try things out!

Thanks much!

Thanks, Todd Vohs Owner Holstein Ag Services, LLC

Need a little NAT Help

Glad to be of help!!

Don't forget to rate the post

499
Views
0
Helpful
3
Replies
CreatePlease login to create content