Solved

Setting up statics with PAT on a Cisco 837 DSL Router (IOS CLI)

Posted on 2004-10-06
Last Modified: 2012-08-14
Hi there

My work just gave me a Cisco 837 DSL Router. I am a lot more familiar with the PIX OS rather than 'proper' IOS. This is running 12.2 (the latest version of 12.2 - upgraded it last night). I have most of it set up, but allowing incoming traffic is causing me some problems. I know on the PIX firewalls you set up both a static mapping that tells the system that outside IP address 'A' points to inside IP address 'B' in some manner and you're then free to set your access-lists to say exactly what traffic can flow, but I'm having trouble doing this on this router.

The main thing I'm trying to allow is incoming SMTP traffic. From what I can make out the command probably starts with "IP NAT OUTSIDE SOURCE...." although I'm not sure about that. To further complicate things this is a dynamic IP so I cannot just say allow outside address onto inside address. I need it to say allow whatever public IP address dialer1 has > onto my server private address.

Any thoughts greatly appreciated!

Stephan

Config follows:

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname ST_Home
!
logging queue-limit 100
logging buffered 51200 warnings
logging console critical
enable secret 5 **shhhh**
!
username **** privilege 15 password ****
clock timezone PCTimeZone 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name ****
ip name-server 195.184.228.6
ip name-server 195.184.228.7
!
!
no ip bootp server
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
interface Ethernet0
description Inside_LAN
ip address 10.0.0.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no ip mroute-cache
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
bandwidth 256
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname blahblah
ppp chap password 7 ****
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip nat inside source route-map ST_ROUTE interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
logging trap debugging
access-list 102 remark OUTBOUND
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 remark -------------------------------------
access-list 111 remark SMTP:
access-list 111 permit tcp any host 10.0.0.2 eq smtp
access-list 111 remark ---------------------------------------
access-list 111 remark STANDARD ENTRIES BELOW THIS LINE
access-list 111 remark -----------------------------------------
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp 10.0.0.0 0.0.0.255 any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map ST_ROUTE permit 1
match ip address 102
!
!
line con 0
login local
no modem enable
transport output telnet
stopbits 1
line aux 0
login local
transport output telnet
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500


Question by:Thax
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12236533
Use the following command to forward SMTP traffic to your inside server:

ip nat inside source static tcp 10.0.0.2 25 interface dialer1 25

Looks like you already have SMTP traffic permitted to the 10.0.0.2 server so you shouldn't need to modify your ACLs.
 

Author Comment

by:Thax
ID: 12236785
Ahhh ok that's excellent!! If you don't mind I'll test that when I get home tonight before accepting it, but I'm sure it's correct.

May I just ask if you know why it's ip nat inside rather than ip nat outside? I just presumed it would be outside (am using this as a learning exercise for IOS as well as getting a working system).

Many thanks for your swift response

Stephan
 

Author Comment

by:Thax
ID: 12236818
Just reading it again and I think it makes sense now - I'm guessing it's "ip nat inside" as that's its destination rather than the source? I just guessed that this area of the line would be the source. Looks like I'm spectacularly wrong again!

Thanks

Stephan
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12236834
I hear you, logically thinking, you would think that you would use outside because the translation is occurring from the outside interface to the inside interface, but that isn't how it works.  What ip nat outside does is actually translate the source address of the outside host to an address you define.

Author Comment

by:Thax
ID: 12239640
Hi again

Okay, that didn't seem to work. I've got my laptop next to me VPN'd into work and I cannot telnet onto port 25 at home. I use dyndns and it's normally fine. I've also tested a direct email via Outlook Express pointing to my dyndns address with no joy - it just sits forlornly in the outbox! The email server is definitely up as I have telnetted locally and it's fine. I've tested various other ways and it's all pointing to it not yet working correctly.

I've used this line:

ip nat inside source static 10.0.0.2 interface Dialer1

as there will no doubt be other ports etc. I'll need to open, so I'd prefer just to be able to add access-list entries as needed rather than statics as well. I did try the exact line you suggested though with no joy.

Can you see where I'm going wrong? =/

Thanks

Stephan

Current config

!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname ST_Home
!
logging queue-limit 100
logging buffered 51200 warnings
logging console critical
enable secret 5 ****
!
username **** privilege 15 password 7 ****
clock timezone PCTimeZone 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name ****.com
ip name-server 195.184.228.6
ip name-server 195.184.228.7
ip dhcp excluded-address 10.0.0.1 10.0.0.20
!
ip dhcp pool st_dhcp
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   dns-server 10.0.0.2
!
!
no ip bootp server
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description Inside_LAN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password 7 ****
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source static 10.0.0.2 interface Dialer1
ip nat inside source route-map ST_ROUTE interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
logging trap debugging
access-list 102 remark OUTBOUND
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 remark -------------------------------------
access-list 111 remark SMTP:
access-list 111 permit tcp any host 10.0.0.2 eq smtp
access-list 111 remark ----------------------------------------
access-list 111 remark STANDARD ENTRIES BELOW THIS LINE
access-list 111 remark -----------------------------------------
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp 10.0.0.0 0.0.0.255 any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map ST_ROUTE permit 1
 match ip address 102
!
!
line con 0
 login local
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 login local
 transport output telnet
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end
 
LVL 43

Expert Comment

by:JFrederick29
ID: 12240943
If you are using this command:

ip nat inside source static 10.0.0.2 interface Dialer1

Remove the overload NAT statement as they will conflict.
 

Author Comment

by:Thax
ID: 12241556
Ok, screw that idea then! Whenever I remove the overload statement the whole thing grinds to a halt. Back to the original static question, I still cannot get it to work with just the "ip nat inside source static tcp 10.0.0.2 25 interface dialer1 25" line.

I take it then it's ok to have these 2? Just not the 'general' line that I mentioned before?:

ip nat inside source static tcp 10.0.0.2 25 interface Dialer1 25
ip nat inside source route-map ST_ROUTE interface Dialer1 overload

*cry* why couldn't they have just given me a PIX!!!

Thanks again

Stephan

Current Config:

version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname ST_Home
!
logging queue-limit 100
logging buffered 51200 warnings
logging console critical
enable secret 5 ****
!
username **** privilege 15 password 7 ****
clock timezone PCTimeZone 0
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name ****
ip name-server 195.184.228.6
ip name-server 195.184.228.7
ip dhcp excluded-address 10.0.0.1 10.0.0.20
!
ip dhcp pool st_dhcp
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.1
   dns-server 10.0.0.2
!
!
no ip bootp server
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description Inside_LAN
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 bandwidth 256
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname ****
 ppp chap password 7 ****
 ppp ipcp dns request
 ppp ipcp wins request
 hold-queue 224 in
!
ip nat inside source static tcp 10.0.0.2 25 interface Dialer1 25
ip nat inside source route-map ST_ROUTE interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
logging trap debugging
access-list 102 remark OUTBOUND
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 111 remark -------------------------------------
access-list 111 remark SMTP:
access-list 111 permit tcp any host 10.0.0.2 eq smtp
access-list 111 remark ----------------------------------------
access-list 111 remark STANDARD ENTRIES BELOW THIS LINE
access-list 111 remark -----------------------------------------
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp 10.0.0.0 0.0.0.255 any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit gre any any
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map ST_ROUTE permit 1
 match ip address 102
!
!
line con 0
 login local
 no modem enable
 transport output telnet
 stopbits 1
line aux 0
 login local
 transport output telnet
 stopbits 1
line vty 0 4
 session-timeout 120
 timeout login response 300
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
!
end
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
ID: 12241628
Yes, having these two lines together is okay:

ip nat inside source static tcp 10.0.0.2 25 interface Dialer1 25
ip nat inside source route-map ST_ROUTE interface Dialer1 overload

Okay, I see a problem (missed it earlier)...

Your access-list 111 should be specifying the public IP address, not 10.0.0.2.  Since you have a dynamic address, I would use the any keyword instead:

access-list 111 permit tcp any any eq smtp

Try it with that configuration...


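Why the "host 10.0.0.2" entry never matched, as an added Python simulation (not from the thread and not IOS code): for outside-to-inside traffic IOS evaluates the inbound ACL on Dialer1 before the inside-source static NAT rewrites the destination, so the ACL sees the public address, never 10.0.0.2. The public IP 203.0.113.7 and the remote sender are constructed placeholders standing in for the dynamic Dialer1 address and a real mail server; the ACL parser only covers the "proto src [eq p] dst [eq p]" shape of the tcp/udp/ip entries in access-list 111.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple

PUBLIC_IP = "203.0.113.7"  # constructed stand-in for the dynamic address negotiated on Dialer1
PORT_NAMES = {"smtp": 25, "domain": 53, "bootps": 67, "bootpc": 68, "isakmp": 500}
Packet = NamedTuple("Packet", [("proto", str), ("src", str), ("sport", int), ("dst", str), ("dport", int)])

def _addr_match(tok: List[str], i: int, ip: str) -> Tuple[bool, int]:
    # One ACL address spec: 'any' | 'host A' | 'A wildcard'; returns (hit, index of next token)
    if tok[i] == "any":
        return True, i + 1
    if tok[i] == "host":
        return ip == tok[i + 1], i + 2
    net = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)  # IOS wildcard = host mask
    return ipaddress.ip_address(ip) in net, i + 2

def _port_match(tok: List[str], i: int, port: int) -> Tuple[bool, int]:
    # Optional 'eq <name|number>' qualifier; absent means any port
    if i < len(tok) and tok[i] == "eq":
        want = PORT_NAMES[tok[i + 1]] if tok[i + 1] in PORT_NAMES else int(tok[i + 1])
        return want == port, i + 2
    return True, i

def acl_permits(acl: List[str], pkt: Packet) -> bool:
    # Extended ACL semantics: first matching entry wins, implicit deny at the end
    for line in acl:
        tok = line.split()
        if tok[:2] != ["access-list", "111"] or tok[2] == "remark":
            continue
        if tok[3] not in ("ip", pkt.proto):
            continue
        s_ok, i = _addr_match(tok, 4, pkt.src)
        sp_ok, i = _port_match(tok, i, pkt.sport)
        d_ok, i = _addr_match(tok, i, pkt.dst)
        dp_ok, _ = _port_match(tok, i, pkt.dport)
        if s_ok and sp_ok and d_ok and dp_ok:
            return tok[2] == "permit"
    return False

def static_nat(pkt: Packet) -> Packet:
    # 'ip nat inside source static tcp 10.0.0.2 25 interface Dialer1 25', outside-to-inside leg
    if pkt.proto == "tcp" and pkt.dst == PUBLIC_IP and pkt.dport == 25:
        return pkt._replace(dst="10.0.0.2")
    return pkt

def inbound_on_dialer1(acl: List[str], pkt: Packet) -> Optional[str]:
    # IOS order for outside-to-inside traffic: the inbound ACL runs BEFORE NAT, so it sees
    # the public destination, never 10.0.0.2. Returns the 'ip:port' delivered inside, or None.
    if not acl_permits(acl, pkt):
        return None
    return f"{static_nat(pkt).dst}:{pkt.dport}"

ACL_AS_POSTED = ["access-list 111 remark SMTP:", "access-list 111 permit tcp any host 10.0.0.2 eq smtp",
                 "access-list 111 deny   ip any any"]
ACL_FIXED = ["access-list 111 permit tcp any any eq smtp", "access-list 111 deny   ip any any"]
SMTP_IN = Packet("tcp", "198.51.100.5", 40000, PUBLIC_IP, 25)  # constructed: a remote mail server connecting in
```

On the router itself the same order of operations shows up as zero matches on the "host 10.0.0.2" entry in show access-lists 111 and no inbound entry in show ip nat translations until the ACL permits the public address.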
 

Author Comment

by:Thax
ID: 12242498
You are the man! Thanks for all your help and especially your patience!!! Awarding points now...

Stephan