Help with Cisco Router ACL, and NAT
Posted on 2003-11-17
I would like some help and pointers on ACLs and NAT. I have two static public IP
addresses and would like to use NAT between the public and private addresses. The current router is a 2514; I will change over to a 2621XM in a couple of months.
I would like IP x.x.x.17 inbound to point to the web/DNS server 172.x.x.14.
I would like IP x.x.x.136 Outbound for all users inside on local network.
I believe I can assign both static IPs on E0, using the "ip address x.x.x.136 255.255.255.0
secondary" command for the second IP on the interface.
Currently the second IP, x.x.x.136, is going out via a Linksys router until I get the 2514 working.
Thanks in advance for your time and help with this.
DSL            2 Public IPs                              Private Net
ISP ------ x.x.x.17 and .136 --- E0 [Router] E1 --- 172.x.x.254 --- Cat 2950T SW --- 172.x.x.14
If I have too much information posted below, sorry. I have come across many posts asking for
more details and config information, so here it is.
Gizmo = Cisco 2514 Router
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-JK8OS-L), Version 12.2(1), RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 11.0(10c)XB2,
BOOTFLASH: 3000 Bootstrap Software (IGS-BOOT-R), Version 11.0(10c)XB2,
gizmo uptime is 4 hours, 33 minutes
System returned to ROM by power-on
System image file is "flash:c2500-jk8os-l.122-1.bin"
cisco 2500 (68030) processor (revision L) with 14336K/2048K bytes of memory.
16384K bytes of processor board System flash (Read ONLY)
Current configuration : 2362 bytes
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
logging rate-limit console 10 except errors
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxxxx
no ip finger
no ip domain-lookup
ip host this 172.x.x.14 < --- Web and DNS Server
ip host that 172.x.x.13
no ip dhcp-client network-discovery
interface Ethernet0
 description connected to cat 0/15 VLan x
 ip address x.x.x.17 255.255.255.0
 ip access-group 102 in
 ip nat outside
interface Ethernet1
 description connected to cat 0/18 VLan y
 ip address 172.x.x.254 255.255.255.0
 ip nat inside
ip kerberos source-interface any
ip nat inside source list 1 interface Ethernet0 overload
no ip http server
access-list 1 permit 172.x.x.0 0.0.0.255
access-list 102 permit tcp any any established
<-- Should the following be the Public IP, or the Private IP of the web/DNS server?
access-list 102 permit udp any host x.x.x.17 eq domain
access-list 102 permit tcp any host x.x.x.17 eq domain
access-list 102 permit tcp any host x.x.x.17 eq www
access-list 102 permit tcp any host x.x.x.17 eq 443
access-list 102 permit icmp any host x.x.x.17 echo
access-list 102 deny ip any any log
line con 0
exec-timeout 0 0
transport input lat pad v120 mop telnet rlogin udptn nasi
transport output lat pad v120 mop telnet rlogin udptn nasi
line aux 0
transport input all
line vty 0 4
password 7 xxxxxxxxxxxx
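Added example, not part of the original post: one way to wire up the NAT and ACL pieces asked about above on the 2514 running 12.2. It assumes Ethernet0 is the outside interface holding x.x.x.17, that the ISP delivers the whole x.x.x.0/24 block on that segment, that 172.x.x.14 is the only host that should be reachable from outside, and that access-list 102 stays applied inbound on Ethernet0. Pool name OUTBOUND is a made-up label. A default route toward the ISP gateway is also required but is not in the posted config, so it is not shown.

```cisco
! Added example (not the poster's config). Assumes E0 = outside with x.x.x.17,
! E1 = inside with 172.x.x.254, and the ISP routes all of x.x.x.0/24 to E0.
interface Ethernet0
 ip address x.x.x.17 255.255.255.0
 ip access-group 102 in
 ip nat outside
!
interface Ethernet1
 ip address 172.x.x.254 255.255.255.0
 ip nat inside
!
! Inbound: x.x.x.17 is also the router's own interface address, so map only the
! service ports to the web/DNS server rather than the whole address. A full
! "ip nat inside source static 172.x.x.14 x.x.x.17" would also hand the
! router's own telnet/ICMP traffic on x.x.x.17 to the server.
ip nat inside source static tcp 172.x.x.14 80 x.x.x.17 80
ip nat inside source static tcp 172.x.x.14 443 x.x.x.17 443
ip nat inside source static tcp 172.x.x.14 53 x.x.x.17 53
ip nat inside source static udp 172.x.x.14 53 x.x.x.17 53
!
! Outbound: everything from 172.x.x.0/24 (access-list 1) leaves as x.x.x.136.
! A one-address pool with "overload" gives PAT on that single address. No
! "secondary" address is needed on Ethernet0: NAT installs an alias and answers
! ARP for pool and static addresses that fall inside the interface's subnet.
ip nat pool OUTBOUND x.x.x.136 x.x.x.136 netmask 255.255.255.0
ip nat inside source list 1 pool OUTBOUND overload
!
access-list 1 permit 172.x.x.0 0.0.0.255
!
! Inbound packets on the outside interface hit access-list 102 BEFORE they are
! translated, so the ACL must match the PUBLIC address, as the posted ACL does.
access-list 102 permit tcp any any established
access-list 102 permit udp any host x.x.x.17 eq domain
access-list 102 permit tcp any host x.x.x.17 eq domain
access-list 102 permit tcp any host x.x.x.17 eq www
access-list 102 permit tcp any host x.x.x.17 eq 443
access-list 102 permit icmp any host x.x.x.17 echo
! "established" only covers TCP. Replies to DNS lookups that inside hosts (and
! the DNS server's own recursive queries) send out come back from port 53 to an
! ephemeral port on the PAT address x.x.x.136, so permit those explicitly.
access-list 102 permit udp any eq domain host x.x.x.136 gt 1023
access-list 102 deny ip any any log
```

Two things to check after loading this: "show ip nat translations" should list the four static port entries immediately and dynamic entries for x.x.x.136 once an inside host browses out, and "show access-lists 102" will show hit counts on the deny line for anything the ACL is silently dropping (other UDP replies, ICMP unreachables, traceroute) so the list can be tuned. If the JK8OS image on the router carries the IOS Firewall feature set, "ip inspect" (CBAC) applied inbound on Ethernet1 is a cleaner way to admit return traffic than hand-written reply rules, but the static port NAT and pool lines above are the same either way.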