aryoba (Premium, MVM; joined 2002-08-22)
reply to zhrike, Re: [HELP] Help with Cisco Nat
Where is the 172.16.0.5 IP address terminated or defined? Should the FastEthernet0/0 interface IP address be 172.16.0.1/24 or something?
From your configuration, I don't see the 172.16.0.5 IP address defined or terminated anywhere. If the router can't see the IP address in its routing table, then yes, as you realize already, there will be a communication problem with other machines.
zhrike
@net.ph
Okay, I'm gonna specify each machine's configuration in detail...
Server Setup
  OS: Windows Server 2003 SP2 R2
  AD/DC: No
  DNS: No
  DHCP: No
  FTP: Yes
  WWW: Yes
  RDC: Yes
  IP: 192.168.0.5
  Subnet: 255.255.255.0
  Gateway: 192.168.0.2

Workstations Setup
  OS: Windows XP Professional SP2
  IP: 192.168.0.50 - 192.168.0.100
  Subnet: 255.255.255.0
  Gateway: 192.168.0.2
Router Setup

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 *****
enable password 7 *****
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.200
!
ip dhcp pool dhcp1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.2
 dns-server 203.115.130.8 210.4.2.61
!
no ip ips deny-action ips-interface
ip domain name *****.com
ip name-server 203.115.130.8
ip name-server 210.4.2.61
!
username ***** privilege 15 password 7 *****
!
interface FastEthernet0/0
 description Interface-Facing-Servers
 no ip address
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0 secondary
 ip address 121.96.27.129 255.255.255.192 secondary
 ip address 121.96.17.65 255.255.255.192
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 full-duplex
 no mop enabled
!
interface Serial0/0/0
 description Interface-Facing-ISP
 ip address 202.78.78.254 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 description Interface-Facing-ISP
 ip address 121.97.74.126 255.255.255.252
 ip load-sharing per-packet
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip route 0.0.0.0 0.0.0.0 Serial0/1/0
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 50 deny 209.11.168.114
access-list 50 deny 209.11.168.115
access-list 50 deny 209.11.168.112
access-list 50 deny 209.11.168.113
access-list 50 deny 209.11.168.118
access-list 50 deny 68.142.214.24
access-list 50 deny 209.11.168.119
access-list 50 deny 209.11.168.116
access-list 50 deny 209.11.168.117
access-list 50 deny 209.11.168.122
access-list 50 deny 209.11.168.123
access-list 50 deny 209.11.168.120
access-list 50 deny 209.11.168.121
access-list 50 deny 208.117.236.69
access-list 50 deny 209.11.168.126
access-list 50 deny 209.11.168.127
access-list 50 deny 209.11.168.124
access-list 50 deny 209.11.168.125
access-list 50 deny 209.11.168.110
access-list 50 deny 209.11.168.111
access-list 50 deny 216.178.38.104
access-list 50 deny 69.63.176.140
access-list 50 deny 209.17.70.11
access-list 50 deny 202.78.87.74
access-list 50 deny 212.187.229.17
access-list 50 deny 64.154.80.72
access-list 50 deny 69.63.178.11
access-list 50 deny 66.246.179.202
access-list 50 deny 216.178.38.131
access-list 50 deny 208.65.153.238
access-list 50 deny 209.11.168.130
access-list 50 deny 209.11.168.128
access-list 50 deny 208.65.153.250
access-list 50 deny 208.65.153.251
access-list 50 deny 209.11.168.129
access-list 50 deny 208.65.153.252
access-list 50 deny 208.65.153.253
access-list 50 deny 208.65.153.254
access-list 50 deny 208.65.153.255
access-list 50 deny 64.56.205.72
access-list 50 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 180 0
 privilege level 15
 password 7 *****
 login local
 transport input telnet
!
end
===========================================================
The Server is on the same network block as the workstations, and all of the 192.168 IPs are being translated into the 121.96.17.65 IP. But I want the Server to have its own translated address, like 121.96.17.66, which we have purchased; but every time I translate it, I can't connect to it.
! for Remote Desktop Connection
ip nat inside source tcp 192.168.0.5 3389 121.96.17.66 3389
! for HTTP Server
ip nat inside source tcp 192.168.0.5 80 121.96.17.66 80
! for FTP Server
ip nat inside source tcp 192.168.0.5 21 121.96.17.66 21
I haven't got anything from those commands. Have I forgotten something? Can you help me on this?
aryoba (Premium, MVM; joined 2002-08-22)
I notice there are some changes in your router configuration. The original post contains 121.96.27.64/26 and 121.96.17.0/26 subnets as the LANs, and 202.78.78.204/30 and 121.97.74.104/30 subnets as the WANs. But then in the later router configuration, there are 121.96.27.128/26 and 121.96.17.64/26 subnets as the LANs, and 202.78.78.254/30 and 121.97.74.124/30 subnets as the WANs.
Which ones are you using?
zhrike (joined 2008-07-16)
@aryoba
These are the original IPs given by our ISP. We actually have two E1 2MB connections from the same ISP. We aggregated them to make a 4MB connection.
======================
1st E1
WAN - 202.78.78.254/30
LAN - 121.96.27.28/26
======================
2nd E1
WAN - 121.97.74.126/30
LAN - 121.96.17.64/26
======================
Can you help me with that setup? All I need to do is translate the Server's IP to any of the 121.96.17.6x IPs, so that users from outside can access its services and the inside users can still access it from the same network.
aryoba (Premium, MVM; joined 2002-08-22)
edit: July 16th, @08:54AM
> said by zhrike:
> @aryoba These are the original IPs given by our ISP. We actually have two E1 2MB connections from the same ISP. We aggregated them to make a 4MB connection.
> 1st E1: WAN - 202.78.78.254/30, LAN - 121.96.27.28/26
> 2nd E1: WAN - 121.97.74.126/30, LAN - 121.96.17.64/26
Can you confirm with your ISP how they set up routing redundancy on their end? This is a requirement to make sure that your network design matches the ISP network design.
One thing you need to confirm is the following. Would any of the LAN subnets be reachable via any WAN circuit? Is the 121.96.27.0/26 subnet reachable only via 202.78.78.252/30? Or is the 121.96.27.0/26 subnet also reachable via 121.97.74.124/30? The same question goes for the 2nd LAN subnet, 121.96.17.64/26.
If all LAN subnets are reachable via any WAN circuit, then the next question is the following. Is there any preference as to which WAN circuit to take to reach any LAN subnet or a specific LAN subnet? Or is it just equal-cost routing to reach any or a specific LAN subnet?
I also notice that you are doing static routes with your ISP. Is there a reason why you don't run dynamic routing such as BGP with your ISP?
zhrike (joined 2008-07-16)
> said by aryoba:
> > said by zhrike:
> > @aryoba These are the original IPs given by our ISP. We actually have two E1 2MB connections from the same ISP. We aggregated them to make a 4MB connection.
> > 1st E1: WAN - 202.78.78.254/30, LAN - 121.96.27.28/26
> > 2nd E1: WAN - 121.97.74.126/30, LAN - 121.96.17.64/26
> Can you confirm with your ISP how they set up routing redundancy on their end? This is a requirement to make sure that your network design matches the ISP network design.
> One thing you need to confirm is the following. Would any of the LAN subnets be reachable via any WAN circuit? Is the 121.96.27.0/26 subnet reachable only via 202.78.78.252/30? Or is the 121.96.27.0/26 subnet also reachable via 121.97.74.124/30? The same question goes for the 2nd LAN subnet, 121.96.17.64/26.
> If all LAN subnets are reachable via any WAN circuit, then the next question is the following. Is there any preference as to which WAN circuit to take to reach any LAN subnet or a specific LAN subnet? Or is it just equal-cost routing to reach any or a specific LAN subnet?
> I also notice that you are doing static routes with your ISP. Is there a reason why you don't run dynamic routing such as BGP with your ISP?
Yes. The 1st WAN can only access the 1st LAN IPs, and the same goes for the 2nd WAN and LAN IPs. But we have configured its Serials for load-sharing per-packet, and that goes for their end too. That's why I want to translate my Server's IP address 192.168.0.5 to any of the 121.96.17.6x IPs, since it's the first IP address on my FastEthernet interface. Is there any hope for this?
And about static routes: I'm really new to Cisco and I don't have any knowledge of BGP.
aryoba (Premium, MVM; joined 2002-08-22)
edit: July 16th, @12:15PM
If the 1st WAN can only access the 1st LAN subnet and the 2nd WAN can only access the 2nd LAN subnet, then there is no point in configuring per-packet load sharing, since one circuit is always forced to be used to access a specific LAN subnet. I believe either LAN subnet should be accessible via either WAN circuit to have proper load sharing and/or automatic failover.
I can see that setting up your Server NAT is straightforward in your case. However, before configuring the server NAT statement and reachability, I would suggest that you (with everybody responsible for your company network) assess the best practice of network design with your ISP to establish proper load balancing between the two WAN circuits.
Keep in mind that any service or application (including your server) reachability and functionality rely on and run over both WAN circuits. Such reachability and functionality require a good network design to have stable connectivity. Without a good network design, you just shoot yourself in the foot and rely on luck.
If I were you, I would start by designing a good BGP network design with your ISP. Once it is done, tested, and looking good, then you can move on to the server NAT configuration.
zhrike (joined 2008-07-16)
But that was before load-sharing was configured. Since we started load-sharing, our ISP at the remote side configured our 2 WAN and LAN IPs to be able to communicate with each other. Can you help me with the basic networking stuff? We really need to broadcast our Server, because my co-workers here need access to it from home.
aryoba (Premium, MVM; joined 2002-08-22)
Assuming your router has a BGP relationship with your ISP, the following is one way of designing your network.
In this sample configuration, the 172.16.0.5 IP address is the FTP and Web server you'd like to broadcast. All users are within the 192.168.0.0/24 subnet.
This configuration takes care of both your load sharing and/or automatic failover design and your Server NAT problem.
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname U-MainRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 **********
enable password 7 **********
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.0 192.168.0.200
!
ip dhcp pool dhcp1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.2
 dns-server 203.115.130.8 210.4.2.61
!
no ip ips deny-action ips-interface
ip domain name yourdomain.com
ip name-server 203.115.130.8
ip name-server 210.4.2.61
!
username test privilege 15 password 7 **********
!
interface FastEthernet0/0
 description Internet-accessible servers
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Interface-Facing-Users
 ip address 192.168.0.2 255.255.255.0
 ip access-group 50 out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 speed auto
 duplex auto
 no mop enabled
!
interface Serial0/0/0
 description Interface-Facing-ISP
 ip address 202.78.78.254 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
interface Serial0/0/1
 no ip address
 shutdown
 clock rate 2000000
!
interface Serial0/1/0
 description Interface-Facing-ISP
 ip address 121.97.74.126 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
!
router bgp [YOUR BGP AS NUMBER HERE]
 no synchronization
 bgp log-neighbor-changes
 network 121.97.74.124 mask 255.255.255.252
 network 202.78.78.252 mask 255.255.255.252
 network 121.96.17.64 mask 255.255.255.192
 network 121.96.27.0 mask 255.255.255.192
 neighbor 121.97.74.125 remote-as [YOUR ISP BGP AS NUMBER HERE]
 neighbor 121.97.74.125 description BGP AS Peer #1
 neighbor 121.97.74.125 soft-reconfiguration inbound
 neighbor 202.78.78.253 remote-as [YOUR ISP BGP AS NUMBER HERE]
 neighbor 202.78.78.253 description BGP AS Peer #2
 neighbor 202.78.78.253 soft-reconfiguration inbound
 no auto-summary
!
ip classless
!
no ip http server
no ip http secure-server
ip nat pool User 121.96.27.28 121.96.27.28 prefix-length 26
ip nat inside source list 1 pool User
ip nat inside source static tcp 172.16.0.5 21 121.96.17.70 21 extendable
ip nat inside source static tcp 172.16.0.5 80 121.96.17.70 80 extendable
ip nat inside source static tcp 172.16.0.5 3389 121.96.17.70 3389 extendable
!
access-list 1 permit 192.168.0.0 0.0.0.255
! -- these are youtube's and friendster addresses.
access-list 50 deny 209.11.168.114
access-list 50 deny 209.11.168.115
access-list 50 deny 209.11.168.112
access-list 50 deny 209.11.168.113
access-list 50 deny 209.11.168.118
access-list 50 deny 209.11.168.119
access-list 50 deny 209.11.168.116
access-list 50 deny 209.11.168.117
access-list 50 deny 209.11.168.122
access-list 50 deny 209.11.168.123
access-list 50 deny 209.11.168.120
access-list 50 deny 209.11.168.121
access-list 50 deny 208.117.236.69
access-list 50 deny 209.11.168.126
access-list 50 deny 209.11.168.127
access-list 50 deny 209.11.168.124
access-list 50 deny 209.11.168.125
access-list 50 deny 209.11.168.110
access-list 50 deny 209.11.168.111
access-list 50 deny 208.65.153.238
access-list 50 deny 209.11.168.130
access-list 50 deny 209.11.168.128
access-list 50 deny 208.65.153.250
access-list 50 deny 208.65.153.251
access-list 50 deny 209.11.168.129
access-list 50 deny 208.65.153.252
access-list 50 deny 208.65.153.253
access-list 50 deny 208.65.153.254
access-list 50 deny 208.65.153.255
access-list 50 permit any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 180 0
 privilege level 15
 password 7 **********
 login local
 transport input telnet
!
end
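The thread turns on two checks that are easy to get wrong by hand: the inside-local address of a static NAT entry must sit on a subnet the router actually has on an "ip nat inside" interface (aryoba's first question about where 172.16.0.5 is defined), and a port-forwarding entry needs the "static" keyword plus an inside-global address from a block the router owns or announces (the difference between zhrike's "ip nat inside source tcp ..." lines and the "ip nat inside source static ... extendable" lines in the sample design). The script below is an added example, not code from the thread or from Cisco. It parses a constructed IOS-style snippet (addresses taken from the thread plus placeholder values 10.9.9.9, 198.51.100.7 and AS 65000, chosen to trigger each finding) and reports entries that fail either check. It understands only the interface, "router bgp" network and static port-forwarding NAT lines shown; that is an assumption about the input, not a full IOS parser.

```python
"""Sanity-check Cisco IOS static NAT entries against interface addressing.

Added example, not from the forum thread or from Cisco. Understands only:
  * 'interface X' blocks with 'ip address A M' and 'ip nat inside|outside'
  * 'router bgp N' blocks with 'network A mask M'
  * top-level 'ip nat inside source [static] tcp|udp L lp G gp' entries
"""
import ipaddress
import re

# Constructed sample: thread addresses plus placeholder values
# (10.9.9.9, 198.51.100.7, AS 65000) that each trigger one finding.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.0.2 255.255.255.0
 ip nat inside
interface Serial0/0/0
 ip address 202.78.78.254 255.255.255.252
 ip nat outside
router bgp 65000
 network 121.96.17.64 mask 255.255.255.192
 network 121.96.27.0 mask 255.255.255.192
ip nat inside source static tcp 172.16.0.5 80 121.96.17.70 80 extendable
ip nat inside source tcp 192.168.0.5 3389 121.96.17.66 3389
ip nat inside source static tcp 10.9.9.9 21 121.96.17.71 21 extendable
ip nat inside source static tcp 172.16.0.5 22 198.51.100.7 22 extendable
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
IFACE_RE = re.compile(r"^interface\s+(\S+)")
ADDR_RE = re.compile(rf"^\s*ip address {IPV4} {IPV4}")
ROLE_RE = re.compile(r"^\s*ip nat (inside|outside)\s*$")
BGP_NET_RE = re.compile(rf"^\s*network {IPV4} mask {IPV4}")
NAT_SRC_RE = re.compile(rf"^ip nat inside source (static )?(tcp|udp) {IPV4} (\d+) {IPV4} (\d+)")


def parse_config(text):
    """Return (interfaces, bgp_networks, nat_rules) from an IOS-style config."""
    interfaces = {}   # name -> {"nets": [IPv4Network], "role": "inside"/"outside"/None}
    bgp_nets, nat_rules = [], []
    current, in_bgp = None, False   # interface block being read / inside router bgp
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line == "!":
            continue
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {"nets": [], "role": None})
            in_bgp = False
            continue
        if line.startswith("router bgp"):
            current, in_bgp = None, True
            continue
        if not line.startswith(" "):      # any other top-level command ends a block
            current, in_bgp = None, False
        if current is not None:
            m = ADDR_RE.match(line)       # dotted mask is accepted by ipaddress
            if m:
                current["nets"].append(ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network)
            m = ROLE_RE.match(line)
            if m:
                current["role"] = m.group(1)
            continue
        if in_bgp:
            m = BGP_NET_RE.match(line)
            if m:
                bgp_nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
            continue
        m = NAT_SRC_RE.match(line)
        if m:
            nat_rules.append({"static": m.group(1) is not None, "proto": m.group(2),
                              "local": ipaddress.ip_address(m.group(3)), "lport": int(m.group(4)),
                              "global": ipaddress.ip_address(m.group(5)), "gport": int(m.group(6)),
                              "text": line})
    return interfaces, bgp_nets, nat_rules


def check_nat(interfaces, bgp_nets, nat_rules):
    """Return (finding, config line) pairs for entries that cannot work as written."""
    inside_nets = [n for i in interfaces.values() if i["role"] == "inside" for n in i["nets"]]
    # An inside-global address must be one the router owns (connected) or announces via BGP.
    owned_nets = bgp_nets + [n for i in interfaces.values() for n in i["nets"]]
    findings = []
    if not any(i["role"] == "outside" for i in interfaces.values()):
        findings.append(("no-nat-outside-interface", "no interface has 'ip nat outside'"))
    for r in nat_rules:
        if not r["static"]:
            # IOS has no 'ip nat inside source tcp' form; port forwarding needs 'static'.
            findings.append(("missing-static", r["text"]))
        if not any(r["local"] in n for n in inside_nets):
            # Router has no connected 'ip nat inside' subnet containing the inside-local host.
            findings.append(("local-not-on-inside-interface", r["text"]))
        if not any(r["global"] in n for n in owned_nets):
            findings.append(("global-not-owned", r["text"]))
    return findings


def run_sample():
    """Parse and check the constructed sample; returns the findings list."""
    return check_nat(*parse_config(SAMPLE_CONFIG))


if __name__ == "__main__":
    for kind, text in run_sample():
        print(f"{kind:32s} {text}")
```

Run against "show running-config" output pasted into SAMPLE_CONFIG, the script flags zhrike's three port-forwarding lines for the missing "static" keyword, and would have flagged the sample design's 172.16.0.5 entries until FastEthernet0/0 carried 172.16.0.1/24 with "ip nat inside", which is exactly the gap aryoba's first reply pointed at.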