  FLengineer Premium join:2007-06-26
·T-Mobile US
·Comcast
·Embarq
·Vonage
edit: July 17th, @11:26AM
| [Config] NAT routing
I've never had to mess with NAT routing on my 7206 because it kinda interferes with testing the systems that are connected to it. Until now I've always wanted static routes with static IP addresses and no redundancy so I could say without a doubt where the traffic was coming from and going. Now I am just playing with a 7206 trying to learn more about it. I've made this config, please point out any problems.
Current configuration : 1418 bytes
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 ******
enable password ******
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
!
ip dhcp pool testdhcp
 network 192.168.10.0 255.255.255.0
 dns-server 1.2.3.4
 default-router 192.168.10.254
 lease 30
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex full
!
interface FastEthernet2/0
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 duplex full
!
no ip classless
no ip http server
no ip http secure-server
!
!
ip nat source static tcp 192.168.10.11 8000 interface FastEthernet0/0 8000
ip nat source static tcp 192.168.10.11 80 interface FastEthernet0/0 80
ip nat inside source list 1 interface FastEthernet0/0 overload
!
logging alarm informational
access-list 1 permit 192.168.10.0 0.0.0.255
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
!
!
gatekeeper
 shutdown
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password ******
 login
line vty 5 15
 password ******
 login
!
!
end |
|
 aryoba Premium,MVM join:2002-08-22 | I can't say what the problem is (if any) if I don't know what your objective is. What are you trying to accomplish? |
|
  FLengineer Premium join:2007-06-26
| Well, the main goal is learning. Currently, with this config, I am simply trying to make it work like a regular Walmart-type router.
BTW I will update the config because I'm going to update to 12.4 |
|
  FLengineer Premium join:2007-06-26 | reply to FLengineer My computer is being assigned 192.168.10.1 from DHCP. How do I limit that pool to 192.168.10.100 - 192.168.10.150? |
|
 aryoba Premium,MVM join:2002-08-22
edit: July 17th, @12:48PM
| ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
ip dhcp pool test1
 network 192.168.10.0 255.255.255.0
 dns-server 1.2.3.4
 default-router 192.168.10.254
FYI: as a best practice in real-world implementations, it is suggested to compile a list of IP address assignments. You start with which devices need static IP address assignment and which devices need dynamic IP address assignment.
Typically the static IP addresses are for non-workstation devices such as routers, switches, servers, and printers, while the dynamic IP addresses are for workstations.
Once you have that list, you then configure the DHCP IP address pool. The pool should only include the dynamic IP addresses. All of those static IP addresses should be excluded. |
|
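Added example, not part of the original thread: a Python sketch that computes which addresses the pool in the reply above can actually lease once the `ip dhcp excluded-address` ranges are subtracted from the `network` statement. The function name `leasable_ranges` and the embedded config text are constructed for illustration, and the `network` line is assumed to use a dotted mask.

```python
import ipaddress

# Constructed input: the DHCP commands from the reply above.
CONFIG = """\
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.151 192.168.10.254
ip dhcp pool test1
 network 192.168.10.0 255.255.255.0
 dns-server 1.2.3.4
 default-router 192.168.10.254
"""

def leasable_ranges(config):
    """Map each DHCP pool name to the (first, last) address ranges it can lease."""
    excluded, pools, current = [], {}, None
    for raw in config.splitlines():
        words = raw.split()
        if words[:3] == ["ip", "dhcp", "excluded-address"]:
            low = int(ipaddress.ip_address(words[3]))
            # A single excluded address has no second argument.
            high = int(ipaddress.ip_address(words[4])) if len(words) > 4 else low
            excluded.append((low, high))
        elif words[:3] == ["ip", "dhcp", "pool"]:
            current = words[3]
        elif raw.startswith(" ") and current and words[:1] == ["network"]:
            pools[current] = ipaddress.ip_network(f"{words[1]}/{words[2]}")
        elif not raw.startswith(" "):
            current = None  # any other top-level command ends the pool block
    result = {}
    for name, net in pools.items():
        # Usable hosts only: skip the network and broadcast addresses.
        cursor, last = int(net.network_address) + 1, int(net.broadcast_address) - 1
        ranges = []
        for low, high in sorted(excluded):
            if high < cursor or low > last:
                continue  # exclusion does not touch what is left of this pool
            if low > cursor:
                ranges.append((cursor, low - 1))
            cursor = high + 1
        if cursor <= last:
            ranges.append((cursor, last))
        result[name] = [(str(ipaddress.ip_address(a)), str(ipaddress.ip_address(b)))
                        for a, b in ranges]
    return result

if __name__ == "__main__":
    print(leasable_ranges(CONFIG))
```

Run against a pool with no exclusions, the same function returns the whole host range, which is why a client could be handed 192.168.10.1 before the exclusions were added.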
  FLengineer Premium join:2007-06-26
edit: July 17th, @03:00PM
| I updated to 12.4. Got the DHCP fixed -- ty aryoba
1) What is with all the ! in the config?
2) OK, FastEthernet0/0, or the WAN, is set for DHCP. How do I use that to forward DNS? FastEthernet0/0 is going to get a DNS server address from DHCP. Clients connected to FastEthernet2/0 need to get that DNS server address via DHCP instead of the 1.2.3.4 that I have in the config file. Or, the 7206 needs to be set up as a DNS server.
Current solution is to manually enter the default gateway into the routing table as "ip route 0.0.0.0 0.0.0.0 1.2.3.4" where "1.2.3.4" is whatever the default gateway is that FastEthernet0/0 gets from Comcast.
Updated the original post with the new config. |
|
  FLengineer Premium join:2007-06-26 edit: July 17th, @02:59PM
| After reading the definition of "overload" and in the spirit of turning a Cisco 7206 into a $40 Linksys router, I think "overload" is what I'm looking for. Can someone verify this? |
|
 aryoba Premium,MVM join:2002-08-22
| Try to remove the following commands
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
ip nat inside source list 1 pool test1
and replace them with this
ip nat inside source list 1 interface FastEthernet0/0 overload |
|
  FLengineer Premium join:2007-06-26
edit: July 17th, @03:38PM
| I'm reading this... »www.cisco.com/en/US/docs/ios/12_···p1079180
Says it should be....
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload
That right?
Last question, I know I'm noobing up the forums. How do I open a tcp port? Like if I have a web server at 192.168.10.11 and wanted to open tcp port 80 and 8000 to that ip address only. |
|
 aryoba Premium,MVM join:2002-08-22
| said by FLengineer: I'm reading this... » www.cisco.com/en/US/docs/ios/12_···p1079180
Says it should be....
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload
That right?
No.
Your commands tell 192.168.10.0/24 to NAT to itself. There are two problems with this setup.
The 192.168.10.0/24 is a private subnet, which your ISP most likely does not recognize. The idea of NAT between an internal and an external network is to translate the internal IP subnet to a subnet that the external network recognizes.
The other problem is that by NATting 192.168.10.0/24 to itself, there is no point in NATting.
said by FLengineer: Last question, I know I'm noobing up the forums. How do I open a tcp port? Like if I have a web server at 192.168.10.11 and wanted to open tcp port 80 and 8000 to that ip address only.
Check out this forum FAQ about running server with Cisco. |
|
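The self-translation problem described in the reply above can be checked mechanically. This added example (not part of the original thread; `audit_nat_pools` and the embedded config text are constructed here) flags an `ip nat pool` whose range is private or falls inside the network that the matching access list permits as inside source. It assumes standard numbered ACL entries in address/wildcard form.

```python
import ipaddress

# Constructed input: the three commands quoted in the post above.
CONFIG = """\
ip nat pool test1 192.168.10.100 192.168.10.150 netmask 255.255.255.0
access-list 1 permit 192.168.10.0 0.0.0.255
ip nat inside source list 1 pool test1 overload
"""

def audit_nat_pools(config):
    """Return findings for dynamic NAT rules that translate to an address pool."""
    pools, acls, rules = {}, {}, []
    for line in config.splitlines():
        w = line.split()
        if w[:3] == ["ip", "nat", "pool"] and len(w) >= 6:
            pools[w[3]] = (ipaddress.ip_address(w[4]), ipaddress.ip_address(w[5]))
        elif w[:1] == ["access-list"] and len(w) == 5 and w[2] == "permit":
            try:  # standard ACL entry: address plus wildcard (inverted) mask
                net = ipaddress.ip_network(f"{w[3]}/{w[4]}", strict=False)
            except ValueError:
                continue  # "host x.x.x.x" and similar forms are not handled here
            acls.setdefault(w[1], []).append(net)
        elif (w[:5] == ["ip", "nat", "inside", "source", "list"]
              and len(w) >= 8 and w[6] == "pool"):
            rules.append((w[5], w[7]))  # (ACL number, pool name)
    findings = []
    for acl, pool in rules:
        if pool not in pools:
            findings.append(f"list {acl}: pool {pool} is not defined")
            continue
        start, end = pools[pool]
        if start.is_private or end.is_private:
            findings.append(f"pool {pool}: {start}-{end} is private address space")
        for net in acls.get(acl, []):
            if start in net or end in net:
                findings.append(
                    f"pool {pool}: {start}-{end} overlaps inside source {net} (list {acl})")
    return findings

if __name__ == "__main__":
    for finding in audit_nat_pools(CONFIG):
        print(finding)
```

The `interface FastEthernet0/0 overload` form suggested earlier in the thread produces no findings, because it translates to whatever address the outside interface holds instead of to a pool.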
  FLengineer Premium join:2007-06-26 | Updated the original config post with the changes. Checking FAQ now. |
|
  FLengineer Premium join:2007-06-26 | reply to aryoba Updated the config again using info from the FAQ. You have been a HUGE help aryoba, thank you very much. |
|
 aryoba Premium,MVM join:2002-08-22
| You don't need the following command
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
since the DHCP mechanism between your ISP and your router takes care of it. Moreover, adding such a static route might confuse your router. Therefore it is a best practice to let the DHCP mechanism work as it is, without interference. |
|
  FLengineer Premium join:2007-06-26 | Removed. TY.
Any ideas about the 20 lines of " ! "? |
|
 aryoba Premium,MVM join:2002-08-22 | ! is just a code for remark. It is useful when you push the configuration down using a program or software, where you can put some notes regarding specific command lines. |
|
  FLengineer Premium join:2007-06-26 | Yeah, I know it's a code remark. Question is, how do I remove the extra lines with ! in them? I could tftp the config to my computer and notepad edit it and tftp it back, lol. There has to be an easier way. |
|
  Lasko
@cox.net
| reply to FLengineer quote: Question is how do I remove the extra lines with ! in them.
Why take them out? Next time IOS writes the config it will put them in again. They do no harm and usually make the config easier to read. |
|