2611 Router for Nat

gjeff80
Level 1

Hello everyone, I'm playing with a 2611 router just for fun. I have gotten the router to do NAT, but I'm wondering if anyone has any solid & secure configuration files for setting up a router such as the 2611 to do NAT. I haven't completely gotten a grasp on access lists. For example, I could telnet to the router from the outside.

Thanks

Glenn

4 Replies

thisisshanky
Level 11

To remove access to the router via telnet, use the following:

access-list 1 deny any
line vty 0 4
access-class 1 in

This would prevent anybody from accessing the router from the outside.

Now, if you want to permit some IP addresses (say, one IP address from the Internet is allowed to telnet, while the rest are to be denied), then add a permit statement on the access-list as follows:

access-list 1 permit host
access-list 1 deny any

The last statement of the above access-list is not needed, because every access list has an implicit deny at the end.

Hope that helps in securing your router via telnet ....

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
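A worked version of the vty restriction described in the reply above, added here as an example and not part of the thread. Two things the reply leaves implicit: the list number 1 is the same number Glenn's NAT configuration uses for its translation list, so appending vty entries to list 1 would also change which addresses get translated (the example uses a separate list, number 5); and adding `log` to the final deny makes every rejected connection attempt visible in the router log, which is how you confirm the filter is working. The address 203.0.113.10 is a constructed placeholder for the one management host that should still be able to reach the vty lines, and a vty password is assumed to be configured already.

```cisco
! Added example, not the thread's own configuration.
! List 5 is used for vty access so it stays separate from NAT list 1.
! 203.0.113.10 is a constructed placeholder for the permitted management host.
access-list 5 permit host 203.0.113.10
access-list 5 deny   any log
!
line vty 0 4
 access-class 5 in
 exec-timeout 5 0
 login
!
! "deny any log" records each rejected attempt as a %SEC-6-IPACCESSLOGS message
! ("list 5 denied <source> N packets"), visible with "show logging" or on a syslog host.
! access-class applies to every vty session regardless of the interface it arrives on,
! so inside hosts are blocked too unless they are added to list 5.
```

Check it with `show access-lists 5` after a test connection: the hit counters on the permit and deny entries show which line matched.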

Now, do I need to do any special access lists for the inside interface doing the NAT? Do I need access lists to block the non-routable networks? 10.0.0.0 etc.?

Also could someone explain what the following lines do with the ***'s? These are the commands I added to my config of the router to get nat working, but I'm not really sure what they do.

---

interface Ethernet0/0
*** ip nat inside
ip address 10.68.20.1 255.255.255.0
!
interface Ethernet0/1
*** ip nat outside
ip address xx.xx.xx.xx 255.255.240.0
***ip nat inside source list 1 interface Ethernet0/1 overload
***access-list 1 permit 10.68.20.0 0.0.0.255

You can use access-lists to define which addresses on the inside interface/network will be translated, with the permit and deny conditions. With the example that you have posted, you are permitting ONLY the network 10.68.20.0/24 to be translated. So, for example, the Ethernet0/0 ip add (10.68.20.1) will be translated to the ip add of Ethernet0/1 (xx.xx.xx.xx) before going out Eth0/1. Similarly, for example, a host with an ip add of 10.68.20.27 will use xx.xx.xx.xx as its outside ip address.

And with the "overload" command, which performs PAT (Port Address Translation), every host on the network 10.68.20.0/24 will use the ip add of Eth0/1 as its outside address. This means that if all 254 hosts are connecting to the outside, they will have the same translated ip address, but the router will be able to differentiate them based on the port number that it has assigned to each host.

"ip nat inside" indicates that the interface is connected to the inside network (the network subject to NAT translation).

"ip nat outside" indicates that the interface is connected to the outside network.

"ip nat inside source list 1 interface Ethernet0/1 overload" indicates that access-list 1 is the source inside network and will use interface Eth0/1's ip add as its outside address.

The following URL is a common example in using NAT:

http://www.cisco.com/warp/customer/556/1.html

Useful info: Every translation uses about 160 bytes of the router's DRAM memory.

Hope this helps.
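Glenn's question about blocking the non-routable networks was not answered above, so here is the NAT configuration from his post combined with an ingress filter on the outside interface, as an added example rather than anything posted in the thread. Packets arriving from the Internet with a private (10/8, 172.16/12, 192.168/16) or loopback source address are spoofed by definition and are dropped and logged; the NAT list is moved to number 10 so it cannot collide with a vty access list. The public address xx.xx.xx.xx is kept as the placeholder Glenn used; the name OUTSIDE-IN is an assumption.

```cisco
! Added example, not the thread's own configuration.
! NAT list: only 10.68.20.0/24 is translated. Wildcard 0.0.0.255 means
! "match the first three octets exactly, ignore the last one".
access-list 10 permit 10.68.20.0 0.0.0.255
!
ip nat inside source list 10 interface Ethernet0/1 overload
!
! Ingress filter (assumed name OUTSIDE-IN): private and loopback sources can never
! legitimately arrive from the Internet, so they are denied and logged; everything
! else is left to the NAT table and the vty access-class to handle.
ip access-list extended OUTSIDE-IN
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 permit ip any any
!
interface Ethernet0/0
 ip address 10.68.20.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address xx.xx.xx.xx 255.255.240.0
 ip nat outside
 ip access-group OUTSIDE-IN in
```

`show ip nat translations` lists the active inside-local to inside-global mappings, one line per host and port, which is the PAT behaviour the reply above describes; `show access-lists OUTSIDE-IN` shows whether any spoofed packets have been dropped, and each logged deny appears as a %SEC-6-IPACCESSLOGP message. Note that an inbound ACL on the outside interface is evaluated before the NAT translation for inbound packets, so any entry that names the router's own address must use the public xx.xx.xx.xx address, not an inside 10.68.20.x address.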

Thanks for the info... How can I get a CCO account? Would this allow us to download the updates for our PIX 515 and VPN concentrator (they were installed by an outside client before I started at the company)?

Thanks

Glenn
