How do I turn on NAT and also have Static NAT?
This may be a "dumb" question...
I am not a Cisco trained professional, so bear with me. If I change the eth 0 from 66.x.x.128 /28 and have private addressing, how will packets destined to 66.x.x.128 - 254 know where to go? In other words, right now packets destined for my network 66.x.x.128 come to the serial interface from the T1 and get forwarded via the Eth0 to their destination on the inside network. Outbound traffic goes via the eth0, is forwarded through ser0 to the T1, and is on its way. If I change the eth0 to 172.17.0.1, will those same packets from the ser0 be forwarded to the eth0 interface? If so, and that is how things work, will packets destined to the 66.x.x.128 network, say 66.x.x.139, get forwarded to 172.17.0.139 if that is the way they are statically "mapped" by NAT?
Here is what I have got:
Cisco 1721 Router with one Eth, one Ser.
I have a block of public IP addresses. /28
NAT is turned off. Currently the site has about 115 addresses available in DHCP pool- not enough.
Current eth interface is configured as 66.x.x.128 /28 so the whole pool is public (don't ask me why, I didn't set it up)
I want to turn NAT on and create a private network: 172.17.0.1 255.255.254.0 Broadcast 172.17.1.255 (510 IPs)
I want to enable Static NAT to map a series of public IPs to internal private IPs, i.e. 66.x.x.130-139 to 172.17.0.10-19 (for all ports, protocols). The reason: I have 8 Aironet 1200 Wireless APs that I want to create static NAT entries for so I can access/manage them via the public IPs. Also I have a server I want to remotely administer and I don't want to have to go through a VPN.
I want to also create a DHCP pool on the 1721: 172.17.0.30 - 172.17.1.254 that can operate like normal NAT/PAT
If I do this, I do not need to set up a VPN, right? I can just forward the publics to their public counterparts (which will be static IPs as well) and all will be well... I am hoping.
Also, if anyone can give me a better access list configuration, like a standard one that lets most traffic through, I would appreciate it, but that is not needed to get points.
Mainly I just want to know if it is feasible and what the conf would look like.
Here is the router's conf:
Current configuration : 1502 bytes
! No configuration change since last restart
service timestamps debug datetime msec
service timestamps log datetime
no service password-encryption
enable password xxxxxxx
clock timezone HST -10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip dhcp-server 66.x.x.139
no ftp-server write-enable
ip address 66.x.x.129 255.255.255.128
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0.1 point-to-point
ip address 66.y.y.138 255.255.255.252
frame-relay interface-dlci 16
ip route 0.0.0.0 0.0.0.0 66.y.y.137
no ip http server
access-list 115 deny icmp any any redirect
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 22.214.171.124 126.96.36.199 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
line con 0
line aux 0
line vty 0 4
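Added illustration of what the NAT portion of the 1721 config could look like for this question; it is not part of the original post or an answer to it. It assumes the LAN port the post calls eth0 is FastEthernet0, keeps the post's 66.x.x / 66.y.y placeholders (which must be replaced with the real addresses), and adds an anti-spoofing entry to the existing ACL 115.

```cisco
! Added illustration, not from the original post. 66.x.x / 66.y.y are the post's
! placeholders; FastEthernet0 is assumed to be the port the post calls eth0.
!
! LAN side becomes private and is the NAT "inside".
interface FastEthernet0
 ip address 172.17.0.1 255.255.254.0
 ip nat inside
!
! The frame-relay subinterface toward the T1 is the NAT "outside".
! ACL 115 exists in the posted config but is never applied; attach it inbound here.
interface Serial0.1 point-to-point
 ip nat outside
 ip access-group 115 in
!
! Static one-to-one NAT: each public address answers for one inside host
! (66.x.x.130-139 <-> 172.17.0.10-19, all ports and protocols).
! A packet arriving on Serial0.1 for 66.x.x.139 is rewritten to 172.17.0.19 and
! forwarded out FastEthernet0; the ISP still routes the /28 down the T1, so the
! WAN side does not change even though no interface carries a /28 address any more.
ip nat inside source static 172.17.0.10 66.x.x.130
ip nat inside source static 172.17.0.11 66.x.x.131
! ... one line per mapped host, through:
ip nat inside source static 172.17.0.19 66.x.x.139
!
! Everything else on the LAN shares the serial address via PAT ("overload").
! Static entries above take precedence, so the mapped hosts need no exclusion.
access-list 10 permit 172.17.0.0 0.0.1.255
ip nat inside source list 10 interface Serial0.1 overload
!
! Anti-spoofing: traffic from the T1 must never claim an inside source address.
! ACL entries are evaluated in order, so rebuild ACL 115 with this line placed
! before its final "permit ip any any"; simply appending it would have no effect.
access-list 115 deny ip 172.17.0.0 0.0.1.255 any
!
! DHCP served by the router itself; .1-.29 are left out for static assignments.
ip dhcp excluded-address 172.17.0.1 172.17.0.29
ip dhcp pool LAN
 network 172.17.0.0 255.255.254.0
 default-router 172.17.0.1
```

With the static entries in place the APs and the server are reachable from anywhere on every port, so in practice ACL 115 should also limit their management ports to the addresses administration is done from.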