2611 Router for Nat
01-15-2003 01:51 PM - edited 03-02-2019 04:13 AM
Hello everyone, I'm playing with a 2611 router just for fun. I have gotten the router to do NAT, but I'm wondering if anyone has any solid & secure configuration files for setting up a router such as the 2611 to do NAT. I haven't completely gotten a grasp on access lists. For example, I could telnet to the router from the outside.
Thanks
Glenn
01-15-2003 02:09 PM
To remove access to the router via telnet, use the following:
access-list 1 deny any
line vty 0 4
access-class 1 in
This would prevent anybody from accessing the router from the outside.
Now, if you want to permit some IP addresses (say one IP address from the internet is allowed to telnet, while the rest are to be denied), then add a permit statement on the access-list as follows:
access-list 1 permit host
access-list 1 deny any
The last statement of the above access-list is not needed, because every access list has an implicit deny at the end.
Hope that helps in securing your router via telnet...
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus
01-15-2003 03:01 PM
Now, do I need to do any special access lists for the inside interface doing the NAT? Do I need access lists to block the non-routable networks? 10.0.0.0 etc.?
Also, could someone explain what the following lines with the ***'s do? These are the commands I added to my router config to get NAT working, but I'm not really sure what they do.
---
interface Ethernet0/0
*** ip nat inside
ip address 10.68.20.1 255.255.255.0
!
interface Ethernet0/1
*** ip nat outside
ip address xx.xx.xx.xx 255.255.240.0
***ip nat inside source list 1 interface Ethernet0/1 overload
***access-list 1 permit 10.68.20.0 0.0.0.255
01-15-2003 04:44 PM
You can use access-lists to define which addresses on the inside interface/network will be translated with the permit and deny conditions. With the example that you have posted, you are permitting ONLY the network 10.68.20.0/24 to be translated. So, for example, the Ethernet0/0 ip add (10.68.20.1) will be translated to the ip add of Ethernet0/1 (xx.xx.xx.xx) before going out Eth0/1. Similarly, for example, a host with an ip add of 10.68.20.27 will use xx.xx.xx.xx as its outside ip address.
And with the "overload" command, which performs PAT (Port Address Translation), every host on the network 10.68.20.0/24 will use the ip add of Eth0/1 as its outside address. This means that if all 254 hosts are connecting to the outside, they will have the same translated ip address, but the router will be able to differentiate them based on the port number that it has assigned each host.
"ip nat inside" indicates that the interface is connected to the inside network (the network subject to NAT translation).
"ip nat outside" indicates that the interface is connected to the outside network.
"ip nat inside source list 1 interface Ethernet0/1 overload" indicates that access-list 1 is the source inside network and will use interface Eth0/1's ip add as its outside address.
The following URL is a common example in using NAT:
http://www.cisco.com/warp/customer/556/1.html
Useful info: Every translation uses about 160 bytes of the router's DRAM memory.
Hope this helps.
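As an added illustration (not part of this thread or of Cisco IOS itself), a small Python model of the two mechanisms discussed above: how a standard access-list with a wildcard mask and the implicit deny selects which inside hosts list 1 translates (and which hosts an access-class on the vty lines lets in), and how "overload" lets every permitted host share the one outside address while being told apart by port. The outside address 192.0.2.1, the management host 203.0.113.10 and the port numbers are constructed values.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def acl_match(network, wildcard, addr):
    """Standard ACL matching: wildcard bits set to 1 are ignored, so
    'permit 10.68.20.0 0.0.0.255' matches any 10.68.20.x address."""
    mask = 0xFFFFFFFF ^ _ip(wildcard)
    return (_ip(addr) & mask) == (_ip(network) & mask)

def acl_evaluate(acl, addr):
    """Walk the entries top-down; the first match decides. If nothing
    matches, the implicit deny at the end of every access-list applies."""
    for action, network, wildcard in acl:
        if acl_match(network, wildcard, addr):
            return action
    return "deny"

# From the thread: access-list 1 permit 10.68.20.0 0.0.0.255
NAT_ACL = [("permit", "10.68.20.0", "0.0.0.255")]

# Constructed vty access-class: 'permit host 203.0.113.10' followed by
# 'deny any' (0.0.0.0 255.255.255.255), which the implicit deny already covers.
VTY_ACL = [("permit", "203.0.113.10", "0.0.0.0"),
           ("deny", "0.0.0.0", "255.255.255.255")]

class PatTable:
    """Model of 'ip nat inside source list 1 interface Ethernet0/1 overload':
    hosts permitted by list 1 all appear as the outside interface address,
    and the router distinguishes their flows by the port it assigns."""

    def __init__(self, acl, outside_ip, first_port=1024):
        self.acl, self.outside_ip = acl, outside_ip
        self.next_port = first_port          # constructed starting port
        self.table = {}                      # (inside ip, port) -> (outside ip, port)

    def translate(self, inside_ip, inside_port):
        # A source not permitted by list 1 is simply not translated.
        if acl_evaluate(self.acl, inside_ip) != "permit":
            return None
        key = (inside_ip, inside_port)
        if key not in self.table:
            self.table[key] = (self.outside_ip, self.next_port)
            self.next_port += 1
        return self.table[key]
```

Two hosts on 10.68.20.0/24 using the same source port each get their own outside port, which is the differentiation the "overload" keyword provides.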
01-15-2003 05:00 PM
Thanks for the info... How can I get a CCO account?? Would this allow us to download the updates for our PIX 515 and VPN concentrator (they were installed by an outside client before I started at the company)?
Thanks
Glenn
