Solved: Re: CISCO 1721 And NAT with 3 LANS

oliverwood · ‎07-28-2005

I'm looking for a network device that can perform the following tasks:

I currently have a cisco 1721 with 3 ethernet ports (builtin one plus two wics) – maybe it could be done with this ?

Translate 6 fixed ip addresses residing (inside) on two different subnets into a block of 6 different fixed ip addresses (outside) on another subnet altogether. Here ouside contracts inside

Also Allow 2 devices on inside subnets (each device sits on both internal subnets - redundancy) to contact two outside devices, but reference them using an address that is in keeping with the internal subnets.

A sort of address translation task, but one-one, rather than the many-to-one NAT that I'm aware of.

Also need to perform some basic firewall tasks - restricting ports & traffic etc.

Before anyone asks what am I trying to achieve - its an industrial application with redundant ethernet that I need to make visible to another WAN. I can't

change the IP addresses at my end, and they can't change theirs.

Any pointers?

johansens · ‎07-29-2005

I have put together a quick config for you based on what I have understood so far:

- You want to use local addresses (ie. no routing) to reach the different segments

Such as D1 will contact F1 on a 192.168.2.xxx address, not the 10.200.200.210 address.

And F1 will contact D1 on a 10.200.200.xxx address, not the 192.168.2.1 or 192.168.3.1 address.

You can't have the D1 and D2 servers contacting F1 and F2 on both interfaces in the same config. I have presumed the F1 and F2 servers are relatively redundant and split the addresses on each segment for D1 and D2. Ie. D1 and D2 contacts F1 on 192.168.2.210. D1 and D2 contacts F2 on 192.168.3.211. If the requirement is that F1 and F2 should be in the same local subnets as D1 and D2, this is at least an approximation to a redundant setup.

As for the ISDN-clients, you haven't said which addresses they are using, so I have presumed they are hidden behind the 10.200.200.209 address (and therefore not done any routing to them).

You will also have to verify interface-names. The ACL's are a bit rough (only at IP-level as of now), but should serve as a starting point.

I have not considered other IP's on the subnets in great detail as you haven't mentioned how any potential other traffic flows.

!

interface FastEthernet0

ip address 10.200.200.212 255.255.255.240

ip nat outside

ip access-group fas0-in in

!

interface Ethernet0/1

ip address 192.168.2.50 255.255.255.0

ip nat inside

ip access-group e01-in in

!

interface Ethernet0/2

ip address 192.168.3.120 255.255.255.0

ip nat inside

ip access-group e02-in in

!

ip nat outside source static 10.200.200.210 192.168.2.210

ip nat outside source static 10.200.200.211 192.168.3.211

ip nat inside source static 192.168.2.4 10.200.200.214

ip nat inside source static 192.168.2.5 10.200.200.215

ip nat inside source static 192.168.3.3 10.200.200.216

ip nat inside source static 192.168.3.4 10.200.200.217

ip nat inside source static 192.168.3.5 10.200.200.218

ip nat inside source static 192.168.2.1 10.200.200.219

ip nat inside source static 192.168.2.2 10.200.200.220

ip nat inside source static 192.168.3.1 10.200.200.221

ip nat inside source static 192.168.3.2 10.200.200.222

!

ip access-list extended fas0-in

permit ip host 10.200.200.210 host 10.200.200.219

permit ip host 10.200.200.210 host 10.200.200.220

permit ip host 10.200.200.210 host 10.200.200.221

permit ip host 10.200.200.210 host 10.200.200.222

permit ip host 10.200.200.211 host 10.200.200.219

permit ip host 10.200.200.211 host 10.200.200.220

permit ip host 10.200.200.211 host 10.200.200.221

permit ip host 10.200.200.211 host 10.200.200.222

deny ip any host 10.200.200.219

deny ip any host 10.200.200.220

deny ip any host 10.200.200.221

deny ip any host 10.200.200.222

permit ip any 10.200.200.208 0.0.0.15

deny ip any any

!

ip access-list extended e01-in

permit ip host 192.168.2.1 host 192.168.2.210

permit ip host 192.168.2.2 host 192.168.2.210

deny ip any host 192.168.2.210

deny ip host 192.168.2.1 any

deny ip host 192.168.2.2 any

permit ip host 192.168.2.3 any

permit ip host 192.168.2.4 any

permit ip host 192.168.2.5 any

deny ip any any

!

ip access-list extended e02-in

permit ip host 192.168.3.1 host 192.168.3.211

permit ip host 192.168.3.2 host 192.168.3.211

deny ip any host 192.168.3.211

deny ip host 192.168.3.1 any

deny ip host 192.168.3.2 any

permit ip host 192.168.3.3 any

permit ip host 192.168.3.4 any

permit ip host 192.168.3.5 any

deny ip any any

!

Did it help?

View solution in original post

johansens · ‎08-03-2005

Ahh.. sorry for that, you'll need this as well:

ip route 192.168.3.210 255.255.255.255 10.194.138.210

This is to tell the router where this particular IP-address is located and therefore which interface to use as outbound (NAT'ing is done after routing).

Did it help?

View solution in original post

johansens · ‎07-28-2005

I have a couple of questions:

1) Is there 6 servers on the inside each having two interfaces?

2) Do you want ONE IP-address on the outside to map to TWO IP-addresses on the inside (the two interfaces on each server)?

The 1721 can probably do what you want given that you don't ask for something which isn't supported in IOS. :)

F.ex. having a general static "one-to-one" mapping warped into a "one-to-two" mapping will not work. A "one-to-one" mapping is no problem, you can even specify down to ip/protocol/port and map the different combinations to several IP-addresses.

Translating the outside addresses into a local address is no big problem.

If you want a very simple static access-list filtering, you can use the 1721 without any extra featuresets, but if you want more dynamic firewall with application inspection and a lot more features, then you should look into getting the firewall featureset for the 1721 router. This is just a software upgrade.

A bit more information would help us in giving you a better answer.

Did it help?

oliverwood · ‎07-28-2005

Thnx So far...

D1 and D2 (D2 is D1's backup so only one requests data at anyone time) need to access F2 and F1 only.

Servers dialing in on the ISDN router need access to F2, F3 and A1, A2, A3, A4, A5 ,A6

A1, A2, A3, A4, A5 ,A6 do not need access to F2 or F3, but do need to initiate a conversation with the servers at the other end of the ISDN ROUTER WAN.

All other nodes inside the D1, D2, A1, A2, A3, A4, A5 ,A6 subnets need to be protected from the F2, F3 , ISDN router subnet and the ISDN ROUTER WAN.

I have looked through the CISCO support files and found a few snippets, but I am still in confusion as to whether the 1721 with 2 ENET WIC Cards can do it.

johansens · ‎07-29-2005