Solved

Cisco 4500 NAT

Posted on 2005-04-22
Last Modified: 2012-06-27
Smacking my head on the keyboard after hours of trying to figure this one out.  Hoping someone can provide some insight.

Configuration:
- Cisco 4500
- C4500-IS-M v12.2(2)T IOS
- 2 Ethernet Interfaces

I have 6 world-routable IP addresses; the range, let's say, is 22.33.44.55 - 22.33.44.60.

22.33.44.55 is assigned to Ethernet 0, and 192.168.0.1 is assigned to Ethernet 1.

I want to use the C4500 as a firewall to some degree, therefore my inbound connection from my provider comes in on Ethernet 0.

I want to have 22.33.44.56 - 22.33.44.59 go directly to 4 different machines, while 22.33.44.60 to be set up for internal NAT/PAT.

For example:

22.33.44.55: Cisco 4500 Router (Ethernet 0)
22.33.44.56: Server 1
22.33.44.57: Server 2
22.33.44.58: Server 3
22.33.44.59: Server 4
22.33.44.60: NAT

192.168.0.1: Cisco 4500 Router (Ethernet 1)
192.168.0.2: Server 5
192.168.0.3: Server 6

and so on.
Question by:purpleonyx
5 Comments
 
LVL 7

Accepted Solution

by:
corneliup earned 1000 total points
ID: 13841231
interface Ethernet0
 ip nat outside
!
interface Ethernet1
 ip nat inside
!
! This is to define who will be NATed
access-list 10 permit 102.168.0.0 0.0.0.255
!
! This is to define to what address they will be NATed
ip nat pool 20 22.33.44.60 22.33.44.60 netmask 255.255.255.248
!
! This is for NAT overload (PAT): all inside hosts share 22.33.44.60
ip nat inside source list 10 pool 20 overload
!
! This is the static NAT for each server (repeat for each server)
ip nat inside source static ip_address_server_1 22.33.44.56

you can also be more specific, if it's a web server:

ip nat inside source static tcp ip_address_server_1 80 22.33.44.56 80

if it's a mail server:
ip nat inside source static tcp ip_address_server_1 25 22.33.44.56 25

for more info check this:
http://www.cisco.com/warp/public/cc/pd/iosw/ioft/ionetn/prodlit/1195_pp.htm
 
LVL 7

Expert Comment

by:corneliup
ID: 13841233
sorry typo:
access-list 10 permit 192.168.0.0 0.0.0.255
 
LVL 6

Expert Comment

by:BILJAX
ID: 13842631
Yep, corneliup is right.   However, I would suggest getting a firewall.  Not too expensive nowadays and a little easier to use (depends on who you ask).

Oh yeah, upgrade your IOS, 12.2, never hurts right?
 
LVL 32

Expert Comment

by:harbor235
ID: 13842703
I agree with biljax, NAT is not a security measure; a device using NAT will allow any traffic in that matches the translation currently in its cache. NAT in addition to a good stateful inspection firewall and a sound security policy is the way to implement security.

harbor235
 

Author Comment

by:purpleonyx
ID: 13848583
Thanks Corneliup, much appreciated.  Got it all working, rather extensive it seems.  But running into a new problem (minor at that).

For my block of IP addresses (22.33.44.55 -> 22.33.44.60), 22.33.44.55 is the Cisco router, let's say.  When someone pings any of the IPs in that range, I want it to always resolve to the router, not to the actual server.  So what I tried doing was:

ip nat inside source static udp 192.168.0.1 7 22.33.44.56 7 extendable no-alias
ip nat inside source static tcp 192.168.0.1 7 22.33.44.56 7 extendable no-alias

...and so on, down the line, .56, .57, .58, .59 and .60.  Added it into the access list, still no dice.  Here is my config, maybe someone can point out the problem, and provide me with a solution:

version 12.2
no parser cache
no service single-slot-reload-enable
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname bubba-gump
!
boot system flash
logging rate-limit console 10 except errors
enable secret 5 *****************
enable password 7 *****************
!
ip subnet-zero
ip name-server 192.168.0.100
ip name-server 192.168.0.101
!
no ip dhcp-client network-discovery
!
!
!
interface Ethernet0
 ip address 22.33.44.55 255.255.255.248
 ip directed-broadcast
 ip nat outside
 no ip mroute-cache
 media-type 10BaseT
 no cdp enable
!
interface Ethernet1
 ip address 192.168.0.1 255.255.255.0
 ip directed-broadcast
 ip nat inside
 no ip mroute-cache
 media-type 10BaseT
 no cdp enable
!
ip nat pool NATPool 22.33.44.55 22.33.44.55 netmask 255.255.255.248
ip nat inside source list 20 pool NATPool overload
ip nat inside source static tcp 192.168.0.100 4000 22.33.44.56 4000 extendable no-alias
ip nat inside source static tcp 192.168.0.100 4002 22.33.44.56 4002 extendable no-alias
ip nat inside source static tcp 192.168.0.100 4020 22.33.44.56 4020 extendable no-alias
ip nat inside source static tcp 192.168.0.100 4021 22.33.44.56 4021 extendable no-alias
ip nat inside source static tcp 192.168.0.100 4023 22.33.44.56 4023 extendable no-alias
ip nat inside source static udp 192.168.0.100 53 22.33.44.56 53 extendable no-alias
ip nat inside source static tcp 192.168.0.100 53 22.33.44.56 53 extendable no-alias
ip nat inside source static tcp 192.168.0.100 8080 22.33.44.56 8080 extendable no-alias
ip nat inside source static tcp 192.168.0.100 9999 22.33.44.56 9999 extendable no-alias
ip nat inside source static udp 192.168.0.101 53 22.33.44.57 53 extendable no-alias
ip nat inside source static tcp 192.168.0.101 53 22.33.44.57 53 extendable no-alias
ip nat inside source static tcp 192.168.0.101 8080 22.33.44.57 8080 extendable no-alias
ip nat inside source static tcp 192.168.0.2 110 22.33.44.56 110 extendable no-alias
ip nat inside source static tcp 192.168.0.2 140 22.33.44.56 140 extendable no-alias
ip nat inside source static udp 192.168.0.2 143 22.33.44.56 143 extendable no-alias
ip nat inside source static tcp 192.168.0.2 143 22.33.44.56 143 extendable no-alias
ip nat inside source static tcp 192.168.0.2 25 22.33.44.56 25 extendable no-alias
ip nat inside source static tcp 192.168.0.200 20 22.33.44.56 20 extendable no-alias
ip nat inside source static tcp 192.168.0.200 21 22.33.44.56 21 extendable no-alias
ip nat inside source static tcp 192.168.0.200 22 22.33.44.56 22 extendable no-alias
ip nat inside source static tcp 192.168.0.200 23 22.33.44.56 23 extendable no-alias
ip nat inside source static tcp 192.168.0.200 3306 22.33.44.56 3306 extendable no-alias
ip nat inside source static tcp 192.168.0.200 443 22.33.44.56 443 extendable no-alias
ip nat inside source static tcp 192.168.0.200 444 22.33.44.56 444 extendable no-alias
ip nat inside source static tcp 192.168.0.200 80 22.33.44.56 80 extendable no-alias
ip nat inside source static tcp 192.168.0.200 81 22.33.44.56 81 extendable no-alias
ip nat inside source static tcp 192.168.0.201 20 22.33.44.57 20 extendable no-alias
ip nat inside source static tcp 192.168.0.201 21 22.33.44.57 21 extendable no-alias
ip nat inside source static tcp 192.168.0.201 22 22.33.44.57 22 extendable no-alias
ip nat inside source static tcp 192.168.0.201 23 22.33.44.57 23 extendable no-alias
ip nat inside source static tcp 192.168.0.201 3306 22.33.44.57 3306 extendable no-alias
ip nat inside source static tcp 192.168.0.201 443 22.33.44.57 443 extendable no-alias
ip nat inside source static tcp 192.168.0.201 444 22.33.44.57 444 extendable no-alias
ip nat inside source static tcp 192.168.0.201 80 22.33.44.57 80 extendable no-alias
ip nat inside source static tcp 192.168.0.201 81 22.33.44.57 81 extendable no-alias
ip nat inside source static tcp 192.168.0.3 110 22.33.44.57 110 extendable no-alias
ip nat inside source static tcp 192.168.0.3 140 22.33.44.57 140 extendable no-alias
ip nat inside source static udp 192.168.0.3 143 22.33.44.57 143 extendable no-alias
ip nat inside source static tcp 192.168.0.3 143 22.33.44.57 143 extendable no-alias
ip nat inside source static tcp 192.168.0.3 25 22.33.44.57 25 extendable no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 22.33.44.1
no ip http server
ip http access-class 10
!
!
ip access-list standard Telnet-Access
 remark **** Telnet access to this router ****
 permit 192.168.0.0 0.0.0.255
!
ip access-list extended Inet_Inbound
 remark **** Inbound ACL for Internet port ****
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any administratively-prohibited
 permit icmp any any packet-too-big
 permit icmp any any echo
 permit icmp any any time-exceeded
 permit ip 192.168.0.0 0.0.0.255 any
 permit udp any any eq isakmp
 permit esp any any
 permit tcp any host 22.33.44.56 eq smtp
 permit tcp any host 22.33.44.56 eq www
 permit tcp any host 22.33.44.56 eq pop3
 permit tcp any host 22.33.44.56 eq ftp
 permit tcp any host 22.33.44.56 eq ftp-data
 permit tcp any host 22.33.44.56 eq domain
 permit tcp any host 22.33.44.56 eq telnet
 permit tcp any host 22.33.44.56 eq 443
 permit tcp any host 22.33.44.57 eq smtp
 permit tcp any host 22.33.44.57 eq www
 permit tcp any host 22.33.44.57 eq pop3
 permit tcp any host 22.33.44.57 eq ftp
 permit tcp any host 22.33.44.57 eq ftp-data
 permit tcp any host 22.33.44.57 eq domain
 permit tcp any host 22.33.44.57 eq telnet
 permit tcp any host 22.33.44.57 eq 443
 permit udp any host 22.33.44.57 eq domain
 permit tcp any host 22.33.44.56 eq echo
 permit udp any host 22.33.44.56 eq echo
 permit tcp any host 22.33.44.57 eq echo
 permit udp any host 22.33.44.57 eq echo
 permit tcp any host 22.33.44.58 eq echo
 permit udp any host 22.33.44.58 eq echo
 permit tcp any host 22.33.44.59 eq echo
 permit udp any host 22.33.44.59 eq echo
 permit tcp any host 22.33.44.60 eq echo
 permit udp any host 22.33.44.60 eq echo
 permit tcp any any eq echo
 permit udp any any eq echo
ip access-list extended NAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended Network_Critical
 remark **** Network critical - NTP, Cisco telnet, EIGRP updates, etc. ****
 permit ip any any precedence internet
access-list 10 permit any
access-list 20 permit 192.168.0.0 0.0.0.255
no cdp run
!
!
banner motd ^C
Watch Robot Chicken on Adult Swim!
^C
!
line con 0
 exec-timeout 0 0
 password 7 *****************
 login
line aux 0
line vty 0 4
 password 7 ********************
 login
!
ntp clock-period 17180059
ntp server 192.5.41.40
end



Additionally, I previously used ACL 101 for all of my permit/deny rules; is there any way to reincorporate that?  I believe I previously had an inbound access-group 101 listed under interface Ethernet0.  The access-list Inet_Inbound, though it does work, is just a different way of doing it that I am not familiar with.  Which method is better?

Thanks!
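Added example (not from the thread, and not something any of the posters wrote): a small audit script for the point harbor235 makes and the question the author raises about access-group. A static translation only rewrites addresses; whether the Internet can actually reach the translated port is decided by the ACL bound inbound on the "ip nat outside" interface. In the config as posted, Inet_Inbound is defined but no "ip access-group Inet_Inbound in" appears under Ethernet0, so the ACL filters nothing. The script parses the static port translations and the named extended ACL, reports which public sockets the ACL would admit and which it would block, says whether the ACL is bound at all, and flags permits for RFC 1918 sources on an Internet-facing ACL (those only ever match spoofed packets). CONFIG is a constructed excerpt modelled on the posted config with its placeholder addresses; HARDENED is the same excerpt with the ACL bound. The parser handles only the ACL syntax that appears in the thread (any / host / network-wildcard, optional "eq" port).

```python
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt modelled on the thread's config (placeholder addresses);
# Inet_Inbound is defined but never bound to Ethernet0, exactly as posted.
CONFIG = """\
interface Ethernet0
 ip address 22.33.44.55 255.255.255.248
 ip nat outside
!
interface Ethernet1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.0.200 22 22.33.44.56 22 extendable no-alias
ip nat inside source static tcp 192.168.0.200 80 22.33.44.56 80 extendable no-alias
ip nat inside source static tcp 192.168.0.200 3306 22.33.44.56 3306 extendable no-alias
ip nat inside source static udp 192.168.0.100 53 22.33.44.56 53 extendable no-alias
ip nat inside source static tcp 192.168.0.2 25 22.33.44.56 25 extendable no-alias
ip access-list extended Inet_Inbound
 remark **** Inbound ACL for Internet port ****
 permit ip 192.168.0.0 0.0.0.255 any
 permit tcp any host 22.33.44.56 eq smtp
 permit tcp any host 22.33.44.56 eq www
 permit udp any host 22.33.44.57 eq domain
"""
# The same excerpt with the ACL actually bound inbound on the outside interface.
HARDENED = CONFIG.replace(" ip nat outside\n",
                          " ip nat outside\n ip access-group Inet_Inbound in\n")

PORT_NAMES = {"smtp": 25, "www": 80, "pop3": 110, "ftp": 21, "ftp-data": 20,
              "domain": 53, "telnet": 23, "echo": 7, "isakmp": 500}
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
Static = namedtuple("Static", "proto inside inside_port outside outside_port")
Permit = namedtuple("Permit", "proto src dst port")  # src/dst: any | host X | CIDR; port None = all

def _addr(tok, i):
    """Consume one ACL address spec at tok[i]; return (spec, next index)."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return f"host {tok[i + 1]}", i + 2
    ones = bin(int(ipaddress.IPv4Address(tok[i + 1]))).count("1")  # wildcard -> prefix length
    return str(ipaddress.ip_network(f"{tok[i]}/{32 - ones}", strict=False)), i + 2

def parse_permit(line):
    tok = line.split()
    if tok[0] != "permit":          # remarks and deny lines are not translations' way in
        return None
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    port = None
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
    return Permit(tok[1], src, dst, port)

def parse(config):
    ifaces, statics, acls, cur_iface, cur_acl = {}, [], {}, None, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):                      # top-level command
            cur_iface = cur_acl = None
            if line.startswith("interface "):
                cur_iface = line.split()[1]
                ifaces[cur_iface] = {"nat": None, "acl_in": None}
            elif line.startswith("ip access-list extended "):
                cur_acl = line.split()[3]
                acls[cur_acl] = []
            elif (m := STATIC_RE.match(line)):
                statics.append(Static(m[1], m[2], int(m[3]), m[4], int(m[5])))
        elif cur_iface:                                  # interface sub-commands
            if line in ("ip nat inside", "ip nat outside"):
                ifaces[cur_iface]["nat"] = line.split()[-1]
            elif line.startswith("ip access-group ") and line.endswith(" in"):
                ifaces[cur_iface]["acl_in"] = line.split()[2]
        elif cur_acl and (p := parse_permit(line)):     # ACL entries
            acls[cur_acl].append(p)
    return ifaces, statics, acls

def _covers(p, s):
    """True if this permit admits traffic from anywhere to the static entry's public socket."""
    return (p.src == "any" and p.proto in ("ip", s.proto)
            and p.dst in ("any", f"host {s.outside}")
            and p.port in (None, s.outside_port))

def audit(config, acl_name):
    ifaces, statics, acls = parse(config)
    outside = next((n for n, v in ifaces.items() if v["nat"] == "outside"), None)
    permits = acls.get(acl_name, [])
    allowed = [s for s in statics if any(_covers(p, s) for p in permits)]
    sock = lambda s: (s.proto, s.outside, s.outside_port)
    return {
        "outside_interface": outside,
        # Until the ACL is bound inbound on the outside interface it filters nothing.
        "acl_applied": outside is not None and ifaces[outside]["acl_in"] == acl_name,
        "allowed": [sock(s) for s in allowed],
        "blocked": [sock(s) for s in statics if s not in allowed],
        # RFC 1918 sources on an Internet-facing ACL only ever match spoofed packets.
        "spoofable_permits": [p.src for p in permits if p.src != "any"
                              and ipaddress.ip_network(p.src.replace("host ", "")).is_private],
    }

if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("ACL bound", HARDENED)):
        print(label, audit(cfg, "Inet_Inbound"))
```

Run it as-is and the "as posted" report shows acl_applied False: every static translation, 22/tcp and 3306/tcp included, is reachable regardless of what Inet_Inbound says. With the ACL bound, only the sockets the ACL names (smtp and www to 22.33.44.56) stay open and the rest of the translations are blocked; the "permit ip 192.168.0.0 0.0.0.255 any" line is reported as a spoofable permit because nothing legitimate arriving from the provider should carry an inside source address.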