jjk16 asked:
How to set up NAT and DHCP on a 2600 series router with Cisco IOS 12.1 and above

The network I inherited is made up of 127 public IPs. There is one router. It is a Cisco 2620.
Is the router capable of being a DHCP server? How do I implement NAT? Later I will upgrade the IOS and memory to enable the firewall and VPN etc. For now I need to set up NAT.

I am kind of partial to 10.10.10.0 255.255.255.128, so please help me to set up NAT using that subnet if possible. I will post the running config shortly.

-------------------------------------------------------------------------------------------------
IOS (tm) C2600 Software (C2600-I-M), Version 12.1(7b), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Tue 05-Feb-02 21:48 by cmong
Image text-base: 0x80008088, data-base: 0x80802CE8

ROM: System Bootstrap, Version 12.2(6r),  RELEASE SOFTWARE (fc1)

Router -  uptime is 16 weeks, 4 days, 12 hours, 18 minutes
System returned to ROM by power-on
System image file is "flash:c2600-i-mz.121-7b.bin"

cisco 2620 (MPC860) processor (revision 0x00) with 26624K/6144K bytes of memory
Processor board ID JAD06090FD5 (1952645852)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
-Leo-:
ip dhcp pool <pool name>
   network <your internal network>
   default-router <gateway IP>
   dns-server <DNS server IP>
   netbios-name-server <WINS server IP>
   netbios-node-type h-node
   lease 10
!
interface Serial0/0
 ip address <your IP address>
 ip nat outside
!
!
interface FastEthernet0/1
 ip address <your IP address>
 ip nat inside
!
ip nat pool <pool name> 10.10.10.1 10.10.10.127 prefix-length 25

I suppose your external interface is Serial 0/0 and the internal one is FastEthernet 0/1.
JFrederick29:
-Leo-, you're missing the "ip nat inside source..." command. Also, the NAT pool is using the internal address range; you want to use public IP addresses in your NAT pool, or simply overload off the public IP address assigned to the "outside" interface.

Add the following:

access-list 1 permit 10.10.10.0 0.0.0.127

ip nat inside source list 1 interface serial0/0 overload
JFrederick29: you are right ... I just cut and pasted part of my config and missed the ACL and NAT source ... Thanks!
jjk16 (asker):
Thanks for the quick response. Although, I'm hoping to go more in depth, to help increase my comfort implementing this in a live environment.


If I have 127 hosts, will performance suffer by them all sharing a single IP? How is FTP or any other type of direct connection affected? Will I use port forwarding? Would it be best to have a public IP for, say, every 30 hosts? Say I have a server; would I map a public IP to a private one? Can you post code for that, as I think many people will have this same problem. Do I still use ACLs to control access? Thanks for the responses so far, although I'm confused about where to put the "ip nat inside source list 1 interface serial0/0 overload" and why I use the overload statement.
jjk16 (asker):
Here is my config. Please let me know if I plugged it in correctly; also I made some comments, so if someone could clue me in to the meaning of the statements it would be appreciated...

Current configuration : 3669 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SuperRouter
!
no logging buffered
no logging console
no logging monitor
no logging on
enable password TerriSchiavo4president
!
!
ip subnet-zero
no ip finger                                        // what does this mean?
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
modemcap entry 18024                   // what's this?
!
!
buffers huge max-free 18024
buffers huge size 100000                    // any ideas on this?
!
interface Loopback0
 ip address xxx.228.51.xx 255.255.255.255    // can someone explain the loopback as well?    
!
ip dhcp pool theGreatestPoolever
   network 10.10.10.0 255.255.255.128  // this look right?
   default-router 10.10.10.129      // this is the router, or the gateway to the ISP?
   dns-server 10.10.10.132
   netbios-name-server 10.10.10.132
   netbios-node-type h-node
   lease 10
   access-list 1 permit 10.10.10.0 0.0.0.127
    ip nat inside source list 1 interface serial0/0.1 overload         // right spot? right interface?

interface FastEthernet0/0
 description connected to EthernetLAN
 ip address xx.241.xx.1 255.255.255.224 secondary
 ip address xx.241.xx.129 255.255.255.128
 ip access-group 100 in
 no keepalive
 duplex auto
 speed auto
!
interface Serial0/0             // why do I have 2 serials, 0/0 and 0/0.1?
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 frame-relay interface-dlci 500     // what does this mean?
!
router rip
 version 2
 passive-interface Serial0/0.1      // why the passive?
 network xx.0.0.0
 no auto-summary
!
ip classless                  
ip route 0.0.0.0 0.0.0.0 Serial0/0.1    // why do I need a default route pointing to serial?
no ip http server         // what's this?
!
no logging trap
access-list 3 deny   146.20.33.0 0.0.0.255      // these IPs are made by the router, unable to delete
access-list 3 deny   66.28.140.0 0.0.0.255    // ???
access-list 3 deny   204.152.186.0 0.0.0.255
access-list 3 deny   195.159.0.0 0.0.0.255                      
access-list 3 deny   209.171.61.0 0.0.0.255
access-list 3 deny   216.133.249.0 0.0.0.255
access-list 3 deny   217.10.143.0 0.0.0.255
access-list 3 deny   151.189.24.0 0.0.0.255
access-list 3 deny   204.89.131.0 0.0.0.255
access-list 3 deny   212.74.101.0 0.0.0.255
access-list 3 permit any
access-list 100 permit ip any any
access-list 101 permit icmp any host xx.241.xx.129
access-list 101 permit tcp any any established
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq smtp
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq ftp
access-list 101 permit tcp any eq ftp-data xx.241.xx.128 0.0.0.127
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq www
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5631
access-list 101 permit udp any xx.241.xx.128 0.0.0.127 eq 5632
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq telnet
access-list 101 permit udp any xx.241.xx.128 0.0.0.127 eq domain
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5800
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5801
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq smtp
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq ftp
access-list 101 permit tcp any eq ftp-data xx.241.xx.128 0.0.0.127
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq www
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5631
access-list 101 permit udp any xx.241.xx.128 0.0.0.127 eq 5632
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq telnet
access-list 101 permit udp any xx.241.xx.128 0.0.0.127 eq domain
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5800
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5801
access-list 101 permit gre any xx.241.xx.128 0.0.0.127
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 1723
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any xx.241.xx.128 0.0.0.127 eq 5701
snmp-server community 0aaac4aad4 RO
snmp-server enable traps snmp
!
line con 0
 exec-timeout 0 0
 password TerriSchiavo4president
 login
 transport preferred none
 transport input none
line aux 0
 transport preferred none
 transport output pad v120 telnet rlogin udptn
line vty 0 4
 access-class 3 in
 password   TerriSchiavo4president
 login
 transport preferred none
!
no scheduler allocate
end
First off, you are using your public IP address range on your inside network, so NAT is not required unless you are looking to change to private addresses on the inside network? Is this the case?
jjk16 (asker):
Exactly, I just posted the config so you can see what I am working with.
Accepted solution by Les Moore (post not shown; members-only content).

Additional solution post not shown (members-only content).
jjk16 (asker):
Alright, here is my config, although DHCP does not seem to be working. Please let me know if my config looks OK. Also, can someone shed some insight into static mapping, and do I need to set up ACLs again even though I use NAT?
thanks

Current configuration : 1708 bytes
!
version 12.1
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5
enable password
!
!
!
!
!
ip subnet-zero
no ip routing
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
!
ip dhcp pool theGreatestNatPoolever
   default-router 10.10.10.129
   dns-server 10.10.10.150
   netbios-name-server 10.10.10.150
   netbios-node-type h-node
   lease 10
!
!
!
buffers huge max-free 18024
buffers huge size 100000
!
interface Loopback0
 ip address 167.228.51.25 255.255.255.255
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.10.10.129 255.255.255.128
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no ip route-cache
 no ip mroute-cache
 shutdown
 no fair-queue
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 no ip route-cache
 frame-relay interface-dlci 500
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no logging trap
snmp-server community public RO
snmp-server community 0adab5abd4 RO
snmp-server enable traps snmp
!
line con 0
 exec-timeout 0 0
 password
 login
 transport preferred none
 transport input none
line aux 0
 transport preferred none
 transport output pad v120 telnet rlogin udptn
line vty 0 4
 password
 login
 transport preferred none
!
end

Router#
I'm not sure quite where to start...
>the DHCP does not seem to be working
You need to "turn on" the dhcp service:

  service dhcp

>interface Serial0/0
  shutdown <== this interface is "administratively down" - no traffic will pass
Correct this with
  interface serial0/0
   no shutdown

You do not have NAT set up at all. Add these lines:

 interface Serial0/0.1
   ip nat outside
 interface Fast0/0
   ip nat inside
 access-list 2 permit 10.10.10.0 0.0.0.255
 ip nat inside source list 2 interface Serial0/0.1 overload


jjk16 (asker):
I got DHCP working; I had to debug it. I kept getting an error that said DHCP pool IP not in pool. I think it was because the eth0/0 IP and the pool were conflicting. Please let me know if my config is working. I am writing the config on a spare router and do not have a T1 line at home, so that is probably why the serial is down. Did I set up NAT correctly? I know that the overload command is supposed to make it so that all private IPs use the same WAN IP. How does the router know what public IP to use? I have 127 of them. In the previous config I didn't state a public IP, but the network was made up of public IPs. Should I bind an IP to the serial0/0? 0.1?
Thanks for the help and I look forward to the criticism.

!
version 12.1
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
no logging console
no logging monitor
no logging on
enable password ma5Ter
!
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.1 10.0.0.80
!
buffers huge max-free 18024
buffers huge size 100000
!
interface Loopback0
 ip address 167.228.51.25 255.255.255.255
!
ip dhcp pool lan-ips
   network 10.0.0.0 255.255.255.0
   domain-name c21en.com
   dns-server 4.2.2.1 4.2.2.2
   default-router 10.0.0.1
   netbios-name-server 10.0.0.70
   netbios-node-type h-node
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 keepalive
 speed auto
 full-duplex
!
interface Serial0/0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip unnumbered FastEthernet0/0
 ip access-group 101 in
 frame-relay interface-dlci 500
 ip nat outside
 
!
router rip
 version 2
 passive-interface Serial0/0.1
 network 65.0.0.0
 no auto-summary
!
ip nat inside source list 2 interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no logging trap

access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
snmp-server community 0adab5abd4 RO
snmp-server enable traps snmp
!
line con 0
 exec-timeout 0 0
 password
 login
 transport preferred none
 transport input none
line aux 0
 transport preferred none
 transport output pad v120 telnet rlogin udptn
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end
Solution post not shown (members-only content).
jjk16 (asker):
I'm not trying to use up all of the public IPs; I would prefer that they all share one WAN IP, with similar functionality to how a name-brand SOHO router works. I will need one public IP for VPN connections. Maybe an IP for an Exchange server. Sorry about the 127 IPs; I think it's a block of 128, I wasn't counting the router's IP. Don't think they give out odd numbers of IPs anyway.

So I was thinking then, if the IP bound to serial 0/0.1 is the one that the computers will share, then the config would be...

interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip address xxx.241.xx.200 255.255.255.128

 ip access-group 101 in
// if I'm using NAT, do I still need to worry about ACLs?

 frame-relay interface-dlci 500
 ip nat outside

or using the loopback as suggested:

Interface loopback 0
  ip address abc.241.xxx.200 255.255.255.128  

interface serial 0/0.1
  ip unnumbered loopback0
  etc

Is there a preferred method of doing it?

>ip access-group 101 in
// if im using NAT, do i still need to worry about ACLs?

Not necessarily. When you do want to permit inbound traffic such as email to the Exchange server, then I'd worry about adding an ACL. Only if you have static 1-1 NAT...

You can do it either way you have it. I would do it with the loopback0 and ip unnumbered...
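The overload behaviour asked about earlier in the thread (how 127 hosts share one WAN address, and what a static 1:1 mapping for a server changes) and the point in the reply above that an inbound ACL only matters once you have static NAT, shown as an added Python model. This is an illustration written for this page, not IOS code and not from any poster: the PatRouter class, its method names and every address (203.0.113.0/24 is a documentation range standing in for the redacted public block) are the example's own assumptions.

```python
"""Toy model of 'ip nat inside source list 2 interface Serial0/0.1 overload' (PAT) next to
one 'ip nat inside source static' 1:1 mapping. Added illustration, not IOS code; the class
and method names are the example's own and all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, str, int]  # (protocol, ip, port)


@dataclass
class PatRouter:
    outside_ip: str                 # address on the 'ip nat outside' interface
    inside_acl: str                 # the 'access-list 2 permit ...' network, as CIDR
    static: Dict[str, str] = field(default_factory=dict)  # inside ip -> its own public ip
    _out: Dict[Endpoint, Endpoint] = field(default_factory=dict)  # inside flow -> global
    _in: Dict[Endpoint, Endpoint] = field(default_factory=dict)   # global -> inside flow
    _next_port: int = 1024

    def _allocate_port(self, proto: str, wanted: int) -> int:
        """Keep the inside source port when it is free on the global address; otherwise
        hand out the next unused one, so two hosts using the same port never collide."""
        if (proto, self.outside_ip, wanted) not in self._in:
            return wanted
        while (proto, self.outside_ip, self._next_port) in self._in:
            self._next_port += 1
        self._next_port += 1
        return self._next_port - 1

    def outbound(self, proto: str, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Translate an inside->outside packet; returns the source the Internet sees."""
        if src_ip in self.static:                   # static 1:1: own address, port untouched
            return self.static[src_ip], src_port
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.inside_acl):
            return src_ip, src_port                 # ACL miss: routed without translation
        key: Endpoint = (proto, src_ip, src_port)
        if key not in self._out:                    # first packet of a flow creates the entry
            glob: Endpoint = (proto, self.outside_ip, self._allocate_port(proto, src_port))
            self._out[key] = glob
            self._in[glob] = key
        return self._out[key][1], self._out[key][2]

    def inbound(self, proto: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Translate an outside->inside packet. None means no entry: the router drops it,
        which is why overload alone shields the LAN and a static host needs its own ACL."""
        for inside, public in self.static.items():  # static entries accept unsolicited traffic
            if public == dst_ip:
                return inside, dst_port
        hit = self._in.get((proto, dst_ip, dst_port))  # overload entries exist only for live flows
        return (hit[1], hit[2]) if hit else None

    def translations(self) -> Dict[Endpoint, Endpoint]:
        """What 'show ip nat translations' would list for the overload entries."""
        return dict(self._out)


def demo() -> PatRouter:
    """Constructed scenario: a /25 LAN behind one shared WAN address, plus a mail server
    with a dedicated public address. 203.0.113.0/24 is a documentation range."""
    r = PatRouter(outside_ip="203.0.113.200", inside_acl="10.10.10.0/25",
                  static={"10.10.10.10": "203.0.113.25"})
    r.outbound("tcp", "10.10.10.5", 40000)    # host A opens a connection
    r.outbound("tcp", "10.10.10.6", 40000)    # host B happens to pick the same source port
    r.outbound("tcp", "10.10.10.10", 40000)   # the mail server leaves on its static address
    return r
```

Running demo() and then calling inbound() shows the asymmetry the thread is circling: a packet to the shared address on a port with no live entry is dropped, so the overloaded LAN is unreachable from outside without any ACL, while the statically mapped server answers on every port, which is exactly the host that needs an inbound access-list on the outside interface.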

jjk16 (asker):
Well, I'm about to connect it to the T1 at the office. I'll post my config once more; please look it over and see if there are any holes or problems with the frame relay etc. I bound an IP to the serial as I'm a little paranoid about the loopback, as I hope that there is a point to most of the IOS code I inherited and not just a previous tech throwing stuff at the wall and hoping something sticks. Although, I am leaning towards the latter scenario. I've learned a lot, thanks.

!
version 12.1
service config
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
no logging console
no logging monitor
no logging on
enable password
!
!
!
!
!
ip subnet-zero
no ip finger
ip domain-name ALTER.NET
ip name-server 198.6.1.5
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.0.1 10.0.0.80
!
buffers huge max-free 18024
buffers huge size 100000
!
interface Loopback0
 ip address 167.228.51.25 255.255.255.255
!
ip dhcp pool lan-ips
   network 10.0.0.0 255.255.255.0
   domain-name c21en.com
   dns-server 4.2.2.1 4.2.2.2
   default-router 10.0.0.1
   netbios-name-server 10.0.0.70
   netbios-node-type h-node
!
!
!
!
interface FastEthernet0/0
 description connected to EthernetLAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 keepalive
 speed auto
 full-duplex
!
interface Serial0/0
 bandwidth 1536
 no ip address
 encapsulation frame-relay IETF
 no fair-queue
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 bandwidth 1536
 ip address abc.241.xx.200 255.255.255.128
 ip access-group 101 in
 frame-relay interface-dlci 500
 ip nat outside
 
!
ip nat inside source list 2 interface Serial0/0.1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
no logging trap

access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
snmp-server community 0adab5abd4 RO
snmp-server enable traps snmp
!
line con 0
 exec-timeout 0 0
 password
 login
 transport preferred none
 transport input none
line aux 0
 transport preferred none
 transport output pad v120 telnet rlogin udptn
line vty 0 4
 password
 login
 transport preferred none
!
no scheduler allocate
end
>no logging buffered

I would at least leave buffered logging enabled, at least until you get everything up and running. It helps to have the capability to log some things if you need to...

logg buff 4096 debug

>interface Serial0/0.1 point-to-point
 ip access-group 101 in  <== you do not have an access-list 101 defined anywhere. Please remove this line

Everything else should be just fine..
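The reviews in this thread (the shut serial interface and missing NAT rule pointed out earlier, the undefined access-list 101 and disabled logging pointed out just above, plus the `no ip routing` and `default-router` outside the pool that appear in the asker's earlier configs) are all mechanical to catch. The following is an added example written for this page, not a Cisco or Experts Exchange tool: a small Python checker that parses a `show running-config` dump and reports those conditions, along with three hardening points a practitioner would raise on the same configs (cleartext-recoverable `enable password` without `enable secret`, the default `public` SNMP community, and vty lines with no `access-class`). The sample config inside it is constructed, modelled on the asker's last posting, with 203.0.113.0/24 standing in for the redacted public block; the function and regex names are the example's own.

```python
"""Sanity checks over an IOS 'show running-config' dump. Added example, not a Cisco tool:
flags the mistakes raised in this thread (shut interface, ACL referenced but never defined,
NAT interfaces with no translation rule, DHCP default-router outside the pool, 'no ip
routing', logging off, reversible enable password, default SNMP community, open vty)."""
import ipaddress
import re
from typing import List, Set, Tuple

ACL_DEF = re.compile(r"^access-list (\S+) ")
ACL_REF = re.compile(r"^ip access-group (\S+) (in|out)$")
NAT_SRC = re.compile(r"^ip nat inside source list (\S+) ")
DHCP_NET = re.compile(r"^network (\S+) (\S+)$")
DHCP_GW = re.compile(r"^default-router (\S+)")

# Constructed config modelled on the thread's last posting; not a verbatim copy.
SAMPLE_CONFIG = """\
no logging buffered
enable password ma5Ter
ip dhcp pool lan-ips
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
interface Serial0/0
 shutdown
interface Serial0/0.1 point-to-point
 ip address 203.0.113.200 255.255.255.128
 ip access-group 101 in
 ip nat outside
ip nat inside source list 2 interface Serial0/0.1 overload
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 100 permit ip any any
snmp-server community public RO
line vty 0 4
 password
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """(stanza, sub-commands) in file order; indented lines belong to the stanza above."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def check_config(config: str) -> List[str]:
    blocks = parse_blocks(config)
    top = [stanza for stanza, _ in blocks]
    findings: List[str] = []
    defined: Set[str] = {m.group(1) for s in top if (m := ACL_DEF.match(s))}
    referenced: Set[str] = set()
    nat_inside = nat_outside = False
    for stanza, subs in blocks:
        if stanza.startswith("interface "):
            name = stanza.split()[1]
            if "shutdown" in subs:
                findings.append(f"{name}: administratively down, passes no traffic")
            nat_inside |= "ip nat inside" in subs
            nat_outside |= "ip nat outside" in subs
            for sub in subs:
                if (m := ACL_REF.match(sub)):
                    referenced.add(m.group(1))
                    if m.group(1) not in defined:   # IOS permits everything for a missing ACL
                        findings.append(f"{name}: access-group {m.group(1)} is undefined, so the interface filters nothing")
        elif stanza.startswith("ip dhcp pool "):
            net = gw = None
            for sub in subs:
                if (m := DHCP_NET.match(sub)):
                    net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
                elif (m := DHCP_GW.match(sub)):
                    gw = ipaddress.ip_address(m.group(1))
            if net is not None and gw is not None and gw not in net:   # clients get an unreachable gateway
                findings.append(f"{stanza}: default-router {gw} is outside {net}")
        elif stanza.startswith("line vty") and not any(s.startswith("access-class") for s in subs):
            findings.append(f"{stanza}: no access-class, login reachable from any source")
    nat_rules = [s for s in top if NAT_SRC.match(s)]
    if (nat_inside or nat_outside) and not nat_rules:
        findings.append("NAT interfaces marked but no 'ip nat inside source' rule: nothing is translated")
    for rule in nat_rules:
        acl = NAT_SRC.match(rule).group(1)
        referenced.add(acl)
        if acl not in defined:
            findings.append(f"NAT rule selects traffic with undefined access-list {acl}")
    for acl in sorted(defined - referenced):
        findings.append(f"access-list {acl} is defined but never applied")
    if "no ip routing" in top:
        findings.append("'no ip routing': the box will not forward between interfaces")
    if "no logging buffered" in top or "no logging on" in top:
        findings.append("logging disabled; keep 'logging buffered 4096 debugging' on while troubleshooting")
    if any(s.startswith("enable password") for s in top) and not any(s.startswith("enable secret") for s in top):
        findings.append("'enable password' (reversible type 7) used without 'enable secret'")
    if any(s.startswith("snmp-server community public ") for s in top):
        findings.append("SNMP community 'public' is the default every scanner tries first")
    return findings
```

Calling check_config(SAMPLE_CONFIG) returns seven findings, including the two from the review above (access-list 101 undefined, logging off) and the shut Serial0/0 from the earlier one. The undefined-ACL check matters more than it looks: an `ip access-group` that names a list which does not exist filters nothing on that IOS, so the config looked protected while being wide open.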

jjk16 (asker):
I swapped the routers. The internet works great. I was able to FTP and visit secure sites. Although now I need to learn about static mapping, I'll post another question for that if I get stuck. Thanks to all those who contributed. Lrmoore, thanks once again for the router help. I hope that I will be able to return the favor some day and contribute to a computer problem you are having.
Good job!