Cisco 7206 configuration using Routed Block ip's from ISP

Posted on 2004-11-24
Last Modified: 2010-08-05
Here is the situation:

My isp assigned me a static ip for my serial interface, along with a block of routed ip's used.  Let's use the following ip's for this example:

Serial address:  69.43.xx.xx  255.255.255.252
Routeable ip block: 69.43.40.xx 255.255.255.192
Internal ip: 192.168.xx.xx 255.255.255.0


I need to assign some static mappings to my internal servers.  I can use the Serial address to setup static nat's to an inside server with no problems.  This is the config:

show run
Building configuration...

Current configuration : 2384 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 7206_Edge
!
enable secret 5 $1$g1Zy$RNkT0wI9pT0ZlQrh9y8a1/
!
ip subnet-zero
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
call rsvp-sync
!
!
!
!
!
!
interface FastEthernet0/0
 no ip address
 shutdown
 duplex half
!
interface Serial1/0
 ip address 69.43.xx.xx 255.255.255.252
 ip nat outside
 framing c-bit
 cablelength 150
 dsu bandwidth 44210
 serial restart-delay 0
!
interface Serial1/0.1
!
interface Serial1/1
 no ip address
 shutdown
 framing c-bit
 cablelength 250
 dsu bandwidth 44210
 serial restart-delay 0
!
interface FastEthernet2/0
 no ip address
 shutdown
 duplex half
!
interface FastEthernet2/1
 no ip address
 shutdown
 duplex half
!
interface FastEthernet3/0
 ip address 192.168.3.xx 255.255.255.0
 ip nat inside
 duplex full
!
router rip
 network 69.0.0.0
!
ip nat pool ovrld 69.43.xx.xx 69.43.xx.xx prefix-length 25
ip nat inside source list 7 pool ovrld overload
ip nat inside source static tcp 192.168.xx.xx 3389 69.43.xx.xx 3389 extendable
ip nat inside source static tcp 192.168.xx.xx 443 69.43.xx.xx 443 extendable
ip nat inside source static tcp 192.168.xx.xx 25 69.43.xx.xx 25 extendable
ip nat inside source static tcp 192.168.xx.xx 110 69.43.xx.xx 110 extendable
ip nat inside source static tcp 192.168.xx.xx 8383 69.43.xx.xx 8383 extendable
ip nat inside source static tcp 192.168.xx.xx 8555 69.43.xx.xx 8555 extendable
ip nat inside source static tcp 192.168.xx.xx 8556 69.43.xx.xx 8556 extendable
ip nat inside source static tcp 192.168.xx.xx 8558 69.43.xx.xx 8558 extendable
ip nat inside source static tcp 192.168.xx.xx 8484 69.43.xx.xx 8484 extendable
ip nat inside source static tcp 192.168.xx.xx 8559 69.43.xx.xx 8559 extendable
ip nat inside source static tcp 192.168.xx.xx 5631 69.43.xx.xx 5631 extendable
ip nat inside source static tcp 192.168.xx.xx 8560 69.43.xx.xx 8560 extendable
ip nat inside source static udp 192.168.xx.xx 5632 69.43.xx.xx 5632 extendable
no ip classless
ip route 0.0.0.0 0.0.0.0 Serial1/0
ip route 192.168.xx.xx 255.255.255.0 192.168.3.xx
no ip http server
!
access-list 7 permit any
!
!
dial-peer cor custom
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 password 'omitted'
line aux 0
line vty 0 4
 password 'omitted'
 login
!
end

7206_Edge#


This config works fine using the Serial ip address to static nat inside.  I now want to use ip's from the routed block to map back to other inside servers.

Can someone help me out with this?

Thanks in advance.
0
Question by:cbillips
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12670974
All you need to do is create your static nat mappings, i.e.

  ip nat inside source static 192.168.xx.xx 69.43.40.xx
  ip nat inside source static 192.168.xx.xy 69.43.40.xy
  ip nat inside source static 192.168.xx.xz 69.43.40.xz

Then, for sure, you want to apply an inbound access-list to the serial interface:

  ip access-list extended inbound
    permit tcp any any established
    permit udp any eq domain any
    permit tcp any host 69.43.xx.xx eq 3389
    permit tcp any host 69.43.xx.xy eq 443
    permit tcp any host 69.43.xx.xz eq 80
    permit tcp any host 69.43.xx.xz eq 110
    permit tcp any host 69.43.xx.xz eq 3389
    <etc>
  interface serial 1/0
    ip access-group inbound in

0
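A one-to-one static NAT forwards every port of the public address to the inside host, so the inbound ACL is the only filter in front of it. The script below is an added example, not part of the original answer: it cross-checks static NAT lines against the ACL permits, assuming numeric ports, a single inbound ACL, and constructed documentation addresses in place of the redacted ones.

```python
import re

# Constructed sample: documentation addresses stand in for the redacted ones.
SAMPLE = """\
interface Serial1/0
 ip nat outside
 ip access-group inbound in
!
ip nat inside source static 192.168.10.11 203.0.113.11
ip nat inside source static 192.168.10.12 203.0.113.12
ip nat inside source static tcp 192.168.10.13 25 203.0.113.13 25 extendable
!
ip access-list extended inbound
 permit tcp any any established
 permit udp any eq domain any
 permit tcp any host 203.0.113.11 eq 443
 permit tcp any host 203.0.113.13 eq 25
 permit tcp any host 203.0.113.13 eq 110
 permit tcp any host 203.0.113.20 eq 3389
"""

NAT_RE = re.compile(r"^ip nat inside source static "
                    r"(?:(tcp|udp) \S+ \d+ (\S+) (\d+)|\S+ (\S+))", re.M)
ACE_RE = re.compile(r"^\s*permit (tcp|udp) any host (\S+) eq (\d+)", re.M)

def audit(config):
    """Compare static NAT mappings with the permits of the inbound ACL."""
    full, forwards = set(), set()  # one-to-one public IPs; (proto, public IP, port)
    for proto, pub, port, pub_full in NAT_RE.findall(config):
        if proto:
            forwards.add((proto, pub, int(port)))
        else:
            full.add(pub_full)
    if not re.search(r"^\s*ip access-group \S+ in\b", config, re.M):
        return [f"{ip}: one-to-one NAT and no inbound ACL, all ports exposed"
                for ip in sorted(full)]
    permits = {(p, h, int(n)) for p, h, n in ACE_RE.findall(config)}
    findings = []
    for ip in sorted(full - {h for _, h, _ in permits}):
        findings.append(f"{ip}: mapped but never permitted, unreachable from outside")
    for proto, host, port in sorted(permits):
        if host not in full and (proto, host, port) not in forwards:
            findings.append(f"{host} {proto}/{port}: permit without a static NAT behind it")
    return findings
```
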
 

Author Comment

by:cbillips
ID: 12671075
OK,

Tried the above configuration; when applied, my users from the inside can't get out to the internet.  I'm sure it's breaking something in the ACL, but not sure what.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12671147
Can you make the static nat mappings work without the access-list being applied?
We can take it one step at a time...



0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12671154
You can always add a bottom line on the acl

   deny ip any any log

enable logging:
   logg buff 4096

then you can see in the logs anything that is being denied..

   sho log
0
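With `deny ip any any log` as the last ACL line, each dropped packet produces a %SEC-6-IPACCESSLOGP (TCP/UDP) or %SEC-6-IPACCESSLOGDP (ICMP) entry in `show log`. The script below is an added example, not part of the original comment: it totals denied packets per destination service and separates out entries that look like replies to inside clients. The log lines are constructed, and the low-source-port rule is a heuristic assumption.

```python
import re
from collections import Counter

# Constructed sample of "show log" output (uptime timestamps, documentation addresses).
SAMPLE_LOG = """\
00:12:01: %SEC-6-IPACCESSLOGP: list inbound denied tcp 198.51.100.7(4431) -> 203.0.113.11(445), 1 packet
00:12:09: %SEC-6-IPACCESSLOGP: list inbound denied udp 192.0.2.53(123) -> 203.0.113.2(50123), 3 packets
00:12:40: %SEC-6-IPACCESSLOGDP: list inbound denied icmp 192.0.2.80 -> 203.0.113.2 (0/0), 2 packets
00:17:01: %SEC-6-IPACCESSLOGP: list inbound denied tcp 198.51.100.7(4502) -> 203.0.113.11(445), 4 packets
"""

PORT_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (\S+) denied (tcp|udp) "
                     r"(\S+)\((\d+)\) -> (\S+)\((\d+)\), (\d+) packet")
ICMP_RE = re.compile(r"%SEC-6-IPACCESSLOGDP: list (\S+) denied icmp "
                     r"(\S+) -> (\S+) \((\d+)/(\d+)\), (\d+) packet")

def summarize(log_text):
    """Return (denied packets per destination service, likely dropped replies)."""
    denied, replies = Counter(), Counter()
    for line in log_text.splitlines():
        m = PORT_RE.search(line)
        if m:
            _, proto, src, sport, dst, dport, pkts = m.groups()
            # Heuristic (assumption): low source port to high destination port looks
            # like a server answering an inside client, i.e. dropped return traffic.
            if int(sport) < 1024 <= int(dport):
                replies[(proto, src, int(sport))] += int(pkts)
            else:
                denied[(proto, dst, int(dport))] += int(pkts)
            continue
        m = ICMP_RE.search(line)
        if m:
            _, src, dst, itype, _, pkts = m.groups()
            if itype == "0":  # echo-reply: the answer to a ping sent from inside
                replies[("icmp", src, 0)] += int(pkts)
            else:
                denied[("icmp", dst, int(itype))] += int(pkts)
    return denied, replies
```

Entries in the second counter point at ACL lines worth adding for return traffic; entries in the first are unsolicited inbound attempts the ACL is correctly dropping.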
 

Author Comment

by:cbillips
ID: 12691661
This is a textbook example that worked flawlessly.  I spent two weeks working on this problem, only to find out that my isp had my assigned block of IP's routed improperly.  After finally convincing the arrogant little $*)*%#( that the problem wasn't on my end, I got a new block assigned.

Lo and behold, the above example works flawlessly when everyone else had done their job.

Thanks again for the great help!!!!!
0
