stwilga
asked on
Basic Cisco 2851 Router Config Inside to Outside
Need help with basic configuration of Cisco 2851 router. ISP provided the following four static IP addresses:
XXX.XXX.XXX.232
XXX.XXX.XXX.233
XXX.XXX.XXX.245
XXX.XXX.XXX.246
Gateway XXX.XXX.XXX.1
Subnet Mask 255.255.254.0
I want to route as follows:
XXX.XXX.XXX.232 default outside for all network 192.168.16.0
XXX.XXX.XXX.232 static to machine 192.168.16.16 for web and mail servers
XXX.XXX.XXX.232 static to machine 192.168.16.2 for pptp vpn
XXX.XXX.XXX.232 static to machine 192.168.16.20 for SIP phone server
Thus far, I have a basic configuration that permits me to ping the ISP gateway, nothing else. I am using the command line. Please offer help. Thank you. My running-config follows:
Current configuration : 3514 bytes
!
! Last configuration change at 11:43:04 UTC Tue Oct 6 2015 by XXXXXXX
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco2851
!
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M9.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxx
enable password xxxxxxx
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
!
ip domain name cisco2851.xxxxxxx.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-4152266703
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4152266703
revocation-check none
rsakeypair TP-self-signed-4152266703
!
!
crypto pki certificate chain TP-self-signed-4152266703
certificate self-signed 01
3082022B ...blah
blah... 29EE35
quit
!
!
license udi pid CISCO2851 sn FTX1244A3SA
username xxxxxx privilege 15 password 0 xxxxxxxxx
!
redundancy
!
!
ip ssh time-out 60
ip ssh version 1
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 192.168.16.7 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description outside
ip address xxx.xxx.xxx.232 255.255.254.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip default-network 192.168.16.0
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.1
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
!
!
!
!
!
!
!
!
snmp-server community public RO
!
!
control-plane
!
!
voice-port 2/0/0
!
voice-port 2/0/1
!
voice-port 2/0/2
!
voice-port 2/0/3
!
voice-port 2/0/4
!
voice-port 2/0/5
!
voice-port 2/0/6
!
voice-port 2/0/7
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
privilege level 15
password xxxxxxxx
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end
ASKER CERTIFIED SOLUTION
ASKER
I need the .16 web server ported to the .233 outside address. Thanks for your help.
That's the way to do it. :)
Do you have some firewall (hardware or software), antivirus or something else that could block the port?
You can check if the port is open.
You can temporarily disable all firewalls etc. to check whether everything is OK.
ASKER
No, the Cisco 2851 is plugged directly into the ISP gateway. Do I need to have an access-list line to permit traffic from an external address not otherwise named? Interface g0/1 is assigned .232 and all internal traffic routes through that fine, but the .232, .245, .246 static IPs are not otherwise named in the router except by adding the NAT rules we covered above.
Thanks very much for your help.
ASKER
ip nat inside source static tcp 192.168.16.16 80 64.136.223.233 80 extendable
Here's what I have now:
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 192.168.16.1 192.168.16.149
!
ip dhcp pool Pool1
network 192.168.16.0 255.255.255.0
default-router 192.168.16.7
dns-server 64.126.4.212 64.126.4.216 8.8.8.8
!
!
no ip domain lookup
ip domain name cisco2851.latentllc.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
redundancy
!
!
interface GigabitEthernet0/0
description connection to switch
ip address 192.168.16.7 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description outside
ip address xxx.xxx.xxx.232 255.255.254.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.16.16 80 xxx.xxx.xxx.233 80 extendable
ip route 0.0.0.0 0.0.0.0 64.136.222.1
!
ip access-list standard NAT-INSIDE
permit 192.168.16.0 0.0.0.255