My company has a Cisco 880 ADSL router which consists of 4 Fast Ethernet ports that function as switchports. FastEthernet0, assigned to vlan 2, was given an IP address of 199.204.21.*. Vlan 2 is connected to the Cisco 827 DSL modem that connects to the Internet. FastEthernet2 was assigned to vlan 4 with an IP address of 10.1.1.* and connects to the company's internal network. All IP address settings, IP route settings and DNS server settings were successful; pings from the internal network to vlan 2 and vlan 4 worked fine. The router was able to ping the Internet and both its interfaces, vlan 2 (outside local) and vlan 4 (inside local). Once PAT was set up on the router, mapping all internal addresses to the one public address 199.204.*.*, internal computers were able to connect to the Internet and communicate with other computers on the internal network, i.e. vlan 4 (10.1.*.*).
We do host an email server on the internal network and clients need to be able to connect to it from home or outside. In order to route Internet-sourced connections to the internal email server, static NAT using the same public address that was used for PAT had to be set up. However, once this was set up, the static NAT overrode the PAT setup. Email connections initiated remotely worked quite all right, but internal employees were unable to connect to the Internet. An example of the static NAT configuration is:
ip nat inside source static tcp 10.1.1.* 25 188.8.131.52 2025
ip nat inside source static tcp 10.1.1.* 143 184.108.40.206 143
ip nat pool test 220.127.116.11 18.104.22.168 netmask 255.255.255.0
access-list 1 permit 10.1.1.0 0.0.0.255
interface vlan 2
 ip nat outside
interface vlan 4
 ip nat inside
ip nat inside source list 1 pool test overload
ip route 10.1.1.0 255.255.255.0 vlan 4
ip route 22.214.171.124 255.255.255.0 vlan 2
ip route 0.0.0.0 0.0.0.0 126.96.36.199
The internal employees were able to ping a site on the Internet, but unable to open a web browser. Establishing a TCP connection with computers on the Internet seemed fuzzy. No access-lists for packet filtering have been set up as yet. Essentially, email is absolutely critical and needs to be running. How do we ensure sources from the Internet can send emails to the internal server without interrupting internal clients' attempts to connect to the Internet?
In addition, when we do decide to set up access-lists, how do we make the ACL foolproof, so that it denies unsolicited connections from the Internet but allows clients on the internal network to connect freely to the Internet? The implicit deny ip any statement at the end of the list blocks every other IP connection not specified in the ACL. How do we circumvent that to allow outgoing Internet connections (allow any returning TCP ACK/SYN packets from a web server on the Internet), but deny other services, or connections initiated from outside that would threaten the network, apart from email?
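As an added example, not the poster's or any respondent's configuration, here is one IOS configuration that addresses both halves of the question: port-specific static NAT sharing the single public address with interface-overload PAT, and a stateful inbound policy so that only the two published mail ports are reachable from the Internet while sessions opened from inside get their replies back. Assumptions: the public address sits on Vlan2 (written as the placeholder `<PUBLIC-IP>`), the mail server is 10.1.1.10 (standing in for the poster's 10.1.1.*), the external SMTP port 2025 and IMAP port 143 are the ones from the original config, and the router runs an IOS image that includes CBAC (`ip inspect`).

```cisco
! Added example configuration, not the original poster's config.
! Placeholders: <PUBLIC-IP> is the address on Vlan2; 10.1.1.10 stands in
! for the mail server written as 10.1.1.* in the question.
!
! 1. Dynamic PAT for the inside network. Overloading the outside interface
!    address instead of a separate pool avoids a pool that overlaps the
!    same address the static entries use.
access-list 1 permit 10.1.1.0 0.0.0.255
ip nat inside source list 1 interface Vlan2 overload
!
! 2. Port-specific static NAT. Because protocol and ports are given, only
!    traffic to <PUBLIC-IP>:2025 and <PUBLIC-IP>:143 is claimed by the
!    static entries; a one-to-one "ip nat inside source static 10.1.1.10
!    <PUBLIC-IP>" would claim the whole address and stop PAT working for
!    every other inside host.
ip nat inside source static tcp 10.1.1.10 25 interface Vlan2 2025
ip nat inside source static tcp 10.1.1.10 143 interface Vlan2 143
!
! 3. Stateful inspection (CBAC). Sessions that start from the inside are
!    tracked and their return traffic is admitted dynamically through the
!    outside ACL, so no permanent "established" or "permit any" hole is
!    needed. udp covers DNS lookups, icmp covers ping replies.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
! 4. Inbound ACL on the outside interface. An inbound ACL is evaluated
!    before NAT, so it matches the public address, not 10.1.1.10. Only the
!    two published mail ports are opened; the explicit final deny logs
!    everything else so unsolicited connection attempts are visible.
ip access-list extended OUTSIDE-IN
 permit tcp any host <PUBLIC-IP> eq 2025
 permit tcp any host <PUBLIC-IP> eq 143
 deny   ip any any log
!
interface Vlan2
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan4
 ip nat inside
 ip inspect INSIDE-OUT in
```

The point that matters for the original symptom is the difference between the two kinds of static entry: a static mapping that names a protocol and port coexists with PAT on the same address, while a bare one-to-one mapping takes the whole address. `show ip nat translations` should list the two static `tcp` entries alongside the dynamic PAT entries created by inside hosts, and `show ip inspect sessions` shows which inside-initiated sessions currently have return traffic allowed through OUTSIDE-IN.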
1) For a setup of this kind I think you need a pool of IP addresses.
2) The default route that you have in your config is "ip route 0.0.0.0 0.0.0.0 188.8.131.52", so your next-hop IP is 184.108.40.206 and hence possibly the IP address on your interface vlan 4 may be 220.127.116.11/30, but while NATting you are giving the IP address as 18.104.22.168. I didn't understand why.
3) Why are these routes configured: "ip route 22.214.171.124 255.255.255.0 vlan 2" and "ip route 10.1.1.0 255.255.255 vlan 4"?