02.21.2007 at 11:20AM PST, ID: 22404427

Cisco 1801: DNS behind NAT with Dialer0 IP address does not run.

Tags: cisco, 1801, dns, nat
I have a Cisco 1801 router with an ADSL connection and I have configured Vlan1 with NAT.

This is the current configuration:

============================================================
!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$LFhK$fPo4ZBwF82vhZRCqINDaj.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 195.110.128.1 212.48.4.11
   default-router 10.10.10.1
!
!
ip domain name yourdomain.com
ip name-server 195.110.128.1
ip name-server 212.48.4.11
!
!
crypto pki trustpoint TP-self-signed-3889528204
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3889528204
 revocation-check none
 rsakeypair TP-self-signed-3889528204
!
!
crypto pki certificate chain TP-self-signed-3889528204
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33383839 35323832 3034301E 170D3037 30323231 31383239
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38383935
  32383230 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CEFA 2F4C4519 1E4ECB7D 05F0F6C4 C8DD02CA C8B098CC 8DA27886 95EAF1F6
  4DD8761A 0142FD11 BF470EAF 33A0DB5D 15F35ED0 FB501B67 B094701E E94912FE
  6D988497 2CFB8198 FDC9C6A4 5804C975 7E92FB92 7305461D 1A38ADF4 2A13948C
  F73547A7 A56BDCF4 9A7F6B2E 07BF6E4C 441D550C 261CDFC4 091ECF04 0724EE7C
  D39B0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14FA83D9 CBE097CD CD23783D 00831DB2 0616A61C
  B1301D06 03551D0E 04160414 FA83D9CB E097CDCD 23783D00 831DB206 16A61CB1
  300D0609 2A864886 F70D0101 04050003 81810045 070C2001 8A975888 F3FD9184
  A30B8BA0 2CF68F9E E50E6949 E98E0F46 BAF66D48 E65EC38F BEC87007 3E1EFF9E
  95DCD777 5B034550 6A97E779 4B3DA439 6684CF47 29E08010 CFFE45B2 AA008234
  1034CD74 9375AE1D 89212937 39C60B91 41F11375 D00DA6F7 CED5298E 95EEAC21
  47E32611 B300F1DF 8460BDDE A4CCD8AC 915A0B
  quit
username myusername privilege 15 secret 5 $1$7I1u$4wynicobPAoTM85eSZtnG.
!
!
!
!
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXXXXX password 7 061E0B651E170D
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
============================================================

The computers on Vlan1 can ping any address (ping 84.233.183.147) and reach any FTP server using its IP address, but they are not able to resolve DNS queries (ping www.google.com).

BUT
If I change the instruction
   "ip nat inside source list 1 interface Dialer0 overload" with the instruction
   "ip nat inside source list 1 interface  84.250.74.80 overload" (where 84.250.74.80 is my public IP)
then all runs OK and the PCs on Vlan1 can resolve DNS queries.

I would like to use the IP address of Dialer0 because I need to configure an ISDN backup interface for it.
My ISDN connection does not have a fixed IP address.

Could you help me to allow the PCs on Vlan1 to resolve DNS queries using the IP address of the Dialer0 interface?

Thank you.
Question Stats
Zone: Networking
Question Asked By: softheart
Solution Provided By: rsivanandan
Participating Experts: 1
Solution Grade: A
Views: 68
02.21.2007 at 07:15PM PST, ID: 18584779

Rank: Wizard

When you have the first command (the one with dialer0)

Go to a machine in the network, open up a command prompt and do this:

nslookup www.google.com

Can you post the output here?

Cheers,
Rajesh
 
02.21.2007 at 10:42PM PST, ID: 18585411
C:\>nslookup www.google.com
*** Impossibile trovare nome server per l'indirizzo 195.110.128.1: Query refused

DNS request timed out.
    timeout was 2 seconds.
*** Impossibile trovare nome server per l'indirizzo 212.48.4.11: Timed out
*** I server predefiniti non sono disponibili
Server:  UnKnown
Address:  195.110.128.1

*** UnKnown non trova www.google.com: Query refused

=================================================================
TRANSLATION
=================================================================
*** Impossible to find name server for address 195.110.128.1: Query refused

DNS request timed out.
    timeout was 2 seconds.
*** Impossible to find name server for address 212.48.4.11: Timed out
*** The default servers are not available
Server:  UnKnown
Address:  195.110.128.1

*** UnKnown does not find www.google.com: Query refused
=================================================================

I report the current Windows LAN configuration to complete the picture.
I think that it is clear by itself and does not need translation.

C:\>ipconfig -all

Configurazione IP di Windows

        Nome host . . . . . . . . . . . . . . : SHNotebook
        Suffisso DNS primario  . . . . . . .  :
        Tipo nodo . . . . . . . . . . . . . .  : Ibrido
        Routing IP abilitato. . . . . . . . . : No
        Proxy WINS abilitato . . . . . . . .  : No

Scheda Ethernet Connessione alla rete locale (LAN):

        Suffisso DNS specifico per connessione:
        Descrizione . . . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Indirizzo fisico. . . . . . . . . . . : 00-0A-E4-C1-2E-BA
        DHCP abilitato. . . . . . . . . . . . : Sì
        Configurazione automatica abilitata   : Sì
        Indirizzo IP. . . . . . . . . . . . . : 10.10.10.11
        Subnet mask . . . . . . . . . . . . . : 255.255.255.0
        Gateway predefinito . . . . . . . . . : 10.10.10.1
        Server DHCP . . . . . . . . . . . . . : 10.10.10.1
        Server DNS . . . . . . . . . . . . .  : 195.110.128.1
                                                212.48.4.11
        Lease ottenuto. . . . . . . . . . . . : giovedì 22 febbraio 2007 7.19.19
        Scadenza lease . . . . . . . . . . .  : venerdì 23 febbraio 2007 7.19.19


Thank you,
Giancarlo.
 
02.21.2007 at 11:26PM PST, ID: 18585559

Rank: Wizard

Can you assign (manually, just for one machine) the DNS server address as 208.67.222.222 and see if it works? That is the OpenDNS DNS server address.

and then try doing the same?

Cheers,
Rajesh
 
02.22.2007 at 04:02AM PST, ID: 18586675
I have set a fixed configuration with your data and retried the test but the result does not change.

=========================================================
C:\>ipconfig -all

Configurazione IP di Windows
        Nome host . . . . . . . . . . . . . . : SHNotebook
        Suffisso DNS primario  . . . . . . .  :
        Tipo nodo . . . . . . . . . . . . . .  : Ibrido
        Routing IP abilitato. . . . . . . . . : No
        Proxy WINS abilitato . . . . . . . .  : No

Scheda Ethernet Connessione alla rete locale (LAN):
        Suffisso DNS specifico per connessione:
        Descrizione . . . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
        Indirizzo fisico. . . . . . . . . . . : 00-0A-E4-C1-2E-BA
        DHCP abilitato. . . . . . . . . . . . : No
        Indirizzo IP. . . . . . . . . . . . . : 10.10.10.11
        Subnet mask . . . . . . . . . . . . . : 255.255.255.0
        Gateway predefinito . . . . . . . . . : 10.10.10.1
        Server DNS . . . . . . . . . . . . .  : 208.67.222.222

C:\>nslookup www.google.com
DNS request timed out.
    timeout was 2 seconds.
*** Impossibile trovare nome server per l'indirizzo 208.67.222.222: Timed out
*** I server predefiniti non sono disponibili
Server:  UnKnown
Address:  208.67.222.222

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Tempo scaduto per la richiesta a UnKnown
=========================================================

After the test I have observed that only the IPs of my ISP can be reached.
So I have called the ISP's call center and they have told me that
"I must exit from my router with one IP of my subnet."

I don't know how I could reach IPs different from the IPs of my ISP before today.

I thank you for your help and I will contact you after having configured the router in a different way.
 
02.22.2007 at 05:45AM PST, ID: 18587317

Rank: Wizard

That is what I suspected as well: they're doing some kind of filtering at their end, and only with their IP will you be able to talk to them.

So the IP 80.x.x.x which works, is this from the same ISP?

And what is the IP that gets assigned on the Dialer0 interface?

Cheers,
Rajesh
 
02.22.2007 at 08:11AM PST, ID: 18588825
The Dialer0 interface gets the IP address 192.168.16.218.
The same ISP gave me the subnet 80.x.x.x/240.

The first time I asked them if I was forced to use my subnet but
they told me that my subnet is an option with respect to the basic ADSL connection.

On the contrary, today I have discovered that it is not true.
Once they have assigned me the public subnet, I have to exit with one IP of it,
otherwise their routers do not connect me outside their system, to the internet.

For this reason this ISP offers a service to maintain one public IP as backup for the ISDN connection, but it is expensive.

At the moment I do not need to access my servers from the internet all the time.
But it is important that my alarm cams can access the internet to send warning messages, 7 days a week, 24 hours a day.

Now I am assigning a public IP to the NAT on Vlan1 (the good connection) and
I will check if I can surf the internet using an ISDN connection with a dynamic IP.

Do you have any indications about it?

Thanks,
Giancarlo.

 
02.22.2007 at 08:40AM PST, ID: 18589117

Rank: Wizard

You could try that. But if you can use the 80.x.x.x address on the Dialer0 interface, I would rather do that.

Cheers,
Rajesh
Accepted Solution
 
02.22.2007 at 10:59AM PST, ID: 18590336
I have decided to follow your indication
because surely you know it better than me and
because I am new to Cisco's world.

I have reset all.
I have configured the Dialer0 interface with the 80.x.x.x netmask 255.255.255.240.
I have assigned the ISP DNS servers in the DHCP properties.

Wonderful. All runs.
Behind Vlan1 (10.10.10.x NAT with Dialer0) I can ping everything and everywhere.
Inside the router, by telnet, I can ping IPs and host names, where before I could ping only IP addresses.
From a browser, on a PC on Vlan1, I can navigate on the internet.
The connection appears quicker than before!

Oops!
And now, how can I connect my public servers (the other 80.x.x.x devices)?

Before, I had a Vlan80 with IP 80.x.x.x that I assigned to the Ethernet ports where I connected the servers, through a Cisco PIX 515E firewall, and the VoIP PBX.

I have tried to create a new Vlan80 with IP 80.x.x.x but
the Cisco SDM interface tells me that the address overlaps the IP address of the Dialer0 interface and so I cannot use it.

In other words:
I have an ADSL connection with a public IP (80.x.x.x) through a Cisco 1801.
I have configured the router to use NAT on the default Vlan1.
All the router's Ethernet ports have Vlan1 as the default VLAN.

How can I connect devices with public IPs (80.x.x.x) on some Ethernet ports of the router?

Thank you Rajesh.
I hope that you are not tired of my problems and that my questions are clear enough.
I'm trying to learn this new Cisco world quickly.

Thank you again.
 
02.22.2007 at 06:56PM PST, ID: 18593444

Rank: Wizard

The other devices you're calling (web server) and stuff, they have private IP addresses assigned to their NICs, right? Confirm this for me.

You need to do static nat on the router, all is good to go then.

Say for example, if the webserver's ip address is 10.10.10.z and your public ip address for that is 80.x.x.z, the following would be the command to make it public;

ip nat inside source static tcp 10.10.10.z 80 80.x.x.z 80

There you go.

Cheers,
Rajesh
 
02.23.2007 at 01:14AM PST, ID: 18594554
This is the structure of my LAN.

Internet
  |
 ADSL (ISDN as backup connection)
  |
Cisco 1801 router (80.x.x.x)
  |
  |----> Vlan1 (10.10.10.z) -> alarm cams and other emergency devices active h24.
  |----> Fritz!Box WLan 7050 (80.x.x.z) -> VoIP by itself
  |         |
  |         |---> NAT subnet (192.168.178.x) -> WLan and other trivial devices to surf on
  |                                             internet but with reduced traffic when
  |                                             VoIP is active (QoS)
  |
  |----> Cisco PIX 515E (OUTSIDE 80.x.x.y)
            |
            |--> INSIDE NAT subnet (192.178.1.x) -> Office LAN
            |
            |-> DMZ NAT subnet (172.16.1.x) -> public servers with static NAT
                                               (172.16.1.w -> 80.x.x.q:80)

I have protected the public servers with static NAT on the PIX firewall.

I could change the IP addresses of the VoIP PBX and the PIX to follow your indication but,
according to other information on the internet, NAT functions consume resources.

The Fritz!Box WLAN has its own firewall and I would not exaggerate by configuring the 1801 router to control also its traffic and the PIX traffic.

What do you think about this?

Thanks,
Giancarlo.
 
02.23.2007 at 06:11AM PST, ID: 18595979
Meanwhile I have made some tests.

I have:
1. disabled the Dialer0 interface, to avoid conflicts during the router configuration;
2. created a new Vlan80 with static IP address 80.x.x.x netmask 255.255.255.240;
3. configured the Dialer0 with IP unnumbered to Vlan80;
4. reconfigured the NAT on Vlan1 from Dialer0 to Vlan80 with the command
    "ip nat inside source list 1 interface Vlan80 overload".

The devices on Vlan1 can surf the internet without problems and exit with the IP address 80.x.x.x.

The devices on Vlan80 can surf the internet without problems and exit with the IP address that I have manually configured, inside the 80.x.x.x subnet.
For example: the devices connected to the Fritz!Box NAT subnet (192.168.178.x) exit with the public IP address of the Fritz!Box (80.x.x.z).

So, I have a NAT VLAN (Vlan1) where I can connect, and protect, alarm devices
and a public VLAN (Vlan80) where I can connect public devices.

According to your experience, is it a good solution (I was a good student) or have I created an unstable or attackable configuration (simple fortune)?

Thanks,
Giancarlo.
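As an added example (not code from the thread or from Cisco), the following Python script parses IOS running-configs in the shape posted above and reports the points this thread turns on: which interface supplies the NAT source address (the negotiated Dialer0 address versus the fixed Vlan80 address), whether `ip unnumbered` borrows from an interface that actually has an address, access lists that are defined but never used, and the management-plane gaps (cleartext password, telnet on the vty lines, plain HTTP) behind the "unsecured doors" question. The two sample configs are constructed, condensed from the two running-configs in the thread, and the finding strings are my own.

```python
import re
from typing import Dict, List

# Constructed sample configs, condensed from the two running-configs posted in the
# thread: only the NAT, addressing and management-access lines are kept.
CONFIG_DIALER = """\
service password-encryption
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
 ppp pap sent-username XXXXXXXX password 7 061E0B651E170D
ip http server
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 10.10.10.0 0.0.0.255
line vty 0 4
 transport input telnet ssh
"""

CONFIG_VLAN80 = """\
no service password-encryption
interface Vlan1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
interface Vlan80
 ip address 80.x.x.193 255.255.255.240
interface Dialer0
 ip unnumbered Vlan80
 ip nat outside
 ppp pap sent-username XXXXX password 0 XXXXXXX
ip http server
ip nat inside source list 1 interface Vlan80 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit 80.x.x.192 0.0.0.15
line vty 0 4
 transport input telnet ssh
"""


def parse_interfaces(cfg: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    ifaces: Dict[str, List[str]] = {}
    current = None
    for raw in cfg.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            ifaces[current] = []
        elif raw.startswith(" ") and current is not None:
            ifaces[current].append(raw.strip())
        elif raw.strip():
            current = None  # any other top-level command closes the stanza
    return ifaces


def audit(cfg: str) -> List[str]:
    """Return findings for one running-config, in a fixed order."""
    out: List[str] = []
    ifaces = parse_interfaces(cfg)
    # The interface named in the NAT overload statement supplies the translated
    # source address; the negotiated ISP address on Dialer0 is what got filtered.
    for acl, name in re.findall(
            r"^ip nat inside source list (\d+) interface (\S+) overload", cfg, re.M):
        body = ifaces.get(name, [])
        if "ip address negotiated" in body:
            out.append(f"NAT source address on {name} is negotiated, not fixed")
        elif not any(l.startswith("ip address ") for l in body):
            out.append(f"NAT source interface {name} has no ip address")
        if not re.search(rf"^access-list {acl} permit ", cfg, re.M):
            out.append(f"access-list {acl} used by NAT has no permit entry")
    # 'ip unnumbered X' must borrow from an interface that really has an address.
    for name, body in ifaces.items():
        for line in body:
            if line.startswith("ip unnumbered "):
                ref = ifaces.get(line.split()[2], [])
                if not any(l.startswith("ip address ") for l in ref):
                    out.append(f"{name} is unnumbered to an unaddressed interface")
    # Access lists defined but never referenced outside their own definition.
    refs = "\n".join(l for l in cfg.splitlines() if not l.startswith("access-list "))
    for acl in sorted(set(re.findall(r"^access-list (\d+) ", cfg, re.M)), key=int):
        if not re.search(rf"\b(list|access-group|access-class) {acl}\b", refs):
            out.append(f"access-list {acl} is defined but never referenced")
    # Management-plane gaps that are visible in the plain text of the config.
    if re.search(r"^no service password-encryption", cfg, re.M):
        out.append("service password-encryption is disabled")
    if re.search(r"\bpassword 0 \S+", cfg):
        out.append("cleartext (type 0) password stored in config")
    if re.search(r"^\s+transport input .*\btelnet\b", cfg, re.M):
        out.append("telnet accepted on vty lines")
    if re.search(r"^ip http server", cfg, re.M):
        out.append("plain HTTP management interface enabled")
    return out


if __name__ == "__main__":
    for label, cfg in (("Dialer0 NAT", CONFIG_DIALER), ("Vlan80 NAT", CONFIG_VLAN80)):
        print(label, "->", audit(cfg) or ["no findings"])
```

Run against a full `show running-config` the same way: the parser ignores the certificate chain, DHCP pool and banner stanzas because they are not interface stanzas.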
 
02.26.2007 at 12:35AM PST, ID: 18607839

Rank: Wizard

Just back from a trip, will look into this in a couple of hours.

Cheers,
Rajesh
 
02.26.2007 at 01:11AM PST, ID: 18607949
No problem for time.

The router appears to have run correctly in the last 3 days.
I feel that this configuration is good because all devices surf the internet without any problems.
Moreover, inside the router, by telnet, I can ping hosts by their names.
I am only worried whether I have configured the router with unsecured doors.

For clarity, I report the current router configuration.

============================================================
!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$rFEB$PrLxDwD9P7r429I06vRWU0
!
no aaa new-model
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 195.110.128.1 212.48.4.11
   default-router 10.10.10.1
!
!
ip domain name yourdomain.com
ip name-server 195.110.128.1
ip name-server 212.48.4.11
!
!
crypto pki trustpoint TP-self-signed-3889528204
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3889528204
 revocation-check none
 rsakeypair TP-self-signed-3889528204
!
!
crypto pki certificate chain TP-self-signed-3889528204
 certificate self-signed 01
  quit
username myusername privilege 15 secret 5 $1$3Utn$S/GoKBKk2ESTnSwksAFLo.
!
!
interface FastEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet1
 switchport access vlan 80
!
interface FastEthernet2
 switchport access vlan 80
!
interface FastEthernet3
 switchport access vlan 80
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 no snmp trap link-status
 pvc 8/75
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan80
 ip address 80.x.x.193 255.255.255.240
!
interface Dialer0
 ip unnumbered Vlan80
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username XXXXX password 0 XXXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Vlan80 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 80.x.x.192 0.0.0.15
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
============================================================

At the moment I have not run the router security audit, to avoid complicating the picture.
I will apply it after you confirm that the configuration is valid and I have configured the ISDN backup interface.

Thanks,
Giancarlo.
 
02.26.2007 at 07:09AM PST, ID: 18609523

Rank: Wizard

Looks good to me, a couple of comments though:

1. enable 'service password-encryption', so that it doesn't display the password in clear text while viewing the configuration.

2. For the long run, I would apply some access-list controls for incoming traffic. For example, if you are just doing web browsing, an acl with the keyword 'established' at the end makes sure that only the connection that originated from inside comes back through the router.

3. From the PIX, make sure only the traffic that you want is allowed *even* to the inside of your network. Otherwise it defeats the purpose, because I've seen so many configurations wherein the DMZ is fully open to the inside network.

Other than that, I don't see any problemo...

:-)

Happy Networking..

Cheers,
Rajesh
Assisted Solution
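Rajesh's second point worked through as an added example (constructed here, not taken from either post): an inbound ACL on Dialer0 that admits only return traffic. The keyword `established` matches TCP only, so UDP replies such as DNS answers from the two name-servers already in the config need their own permit lines; the ACL name WAN-IN is an assumed name.

```cisco
! Constructed example, not part of the original configuration.
! 'established' matches only TCP segments with ACK or RST set, i.e. replies
! to sessions opened from the inside. It does nothing for UDP, so the DNS
! answers from the resolvers configured above must be permitted explicitly,
! otherwise name resolution behind the NAT breaks as soon as this ACL is applied.
ip access-list extended WAN-IN
 remark return traffic for TCP sessions originated from Vlan1 (NAT inside)
 permit tcp any any established
 remark DNS replies (UDP) from the resolvers used by the router and the DHCP pool
 permit udp host 195.110.128.1 eq domain any
 permit udp host 212.48.4.11 eq domain any
 remark ping replies and the ICMP errors needed for path-MTU discovery
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark anything else unsolicited from the Internet is dropped and logged
 deny ip any any log
!
interface Dialer0
 ip access-group WAN-IN in
```

Because the ACL is applied inbound on the NAT outside interface it is evaluated before translation, so the destination is the public address on Vlan80, which `any` covers; check the counters with `show ip access-lists WAN-IN` and the log lines for `deny` before tightening further.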
 
02.26.2007 at 08:57AM PST, ID: 18610508
Thanks for your resolutive support.

Cheers,
Giancarlo.