967 Views | 0 Helpful | 11 Replies

CISCO 1721 And NAT with 3 LANS

oliverwood (Level 1)

I'm looking for a network device that can perform the following tasks:

I currently have a Cisco 1721 with 3 Ethernet ports (the built-in one plus two WICs). Maybe it could be done with this?

Translate 6 fixed IP addresses residing (inside) on two different subnets into a block of 6 different fixed IP addresses (outside) on another subnet altogether. Here outside contacts inside.

Also allow 2 devices on the inside subnets (each device sits on both internal subnets, for redundancy) to contact two outside devices, but reference them using an address that is in keeping with the internal subnets.

A sort of address translation task, but one-to-one, rather than the many-to-one NAT that I'm aware of.

Also need to perform some basic firewall tasks: restricting ports and traffic etc.

Before anyone asks what I am trying to achieve: it's an industrial application with redundant Ethernet that I need to make visible to another WAN. I can't change the IP addresses at my end, and they can't change theirs.

Any pointers?


11 Replies

johansens (Level 4)

I have a couple of questions:

1) Are there 6 servers on the inside, each having two interfaces?

2) Do you want ONE IP-address on the outside to map to TWO IP-addresses on the inside (the two interfaces on each server)?

The 1721 can probably do what you want given that you don't ask for something which isn't supported in IOS. :)

For example, having a general static "one-to-one" mapping warped into a "one-to-two" mapping will not work. A "one-to-one" mapping is no problem; you can even specify down to IP/protocol/port and map the different combinations to several IP addresses.

Translating the outside addresses into a local address is no big problem.

If you want a very simple static access-list filtering, you can use the 1721 without any extra featuresets, but if you want more dynamic firewall with application inspection and a lot more features, then you should look into getting the firewall featureset for the 1721 router. This is just a software upgrade.

A bit more information would help us in giving you a better answer.

Did it help?

Thanks so far...

D1 and D2 (D2 is D1's backup, so only one requests data at any one time) need to access F2 and F1 only.

Servers dialing in on the ISDN router need access to F2, F3 and A1, A2, A3, A4, A5, A6.

A1, A2, A3, A4, A5, A6 do not need access to F2 or F3, but do need to initiate a conversation with the servers at the other end of the ISDN router WAN.

All other nodes inside the D1, D2, A1, A2, A3, A4, A5, A6 subnets need to be protected from the F2, F3, ISDN router subnet and the ISDN router WAN.

I have looked through the Cisco support files and found a few snippets, but I am still unsure whether the 1721 with 2 ENET WIC cards can do it.

I have put together a quick config for you based on what I have understood so far:

- You want to use local addresses (ie. no routing) to reach the different segments

Such as D1 will contact F1 on a 192.168.2.xxx address, not the 10.200.200.210 address.

And F1 will contact D1 on a 10.200.200.xxx address, not the 192.168.2.1 or 192.168.3.1 address.

You can't have the D1 and D2 servers contacting F1 and F2 on both interfaces in the same config. I have presumed the F1 and F2 servers are relatively redundant and split the addresses on each segment for D1 and D2. I.e. D1 and D2 contact F1 on 192.168.2.210, and D1 and D2 contact F2 on 192.168.3.211. If the requirement is that F1 and F2 should be in the same local subnets as D1 and D2, this is at least an approximation to a redundant setup.

As for the ISDN-clients, you haven't said which addresses they are using, so I have presumed they are hidden behind the 10.200.200.209 address (and therefore not done any routing to them).

You will also have to verify interface names. The ACLs are a bit rough (only at IP level as of now), but should serve as a starting point.

I have not considered other IPs on the subnets in great detail, as you haven't mentioned how any potential other traffic flows.

!
interface FastEthernet0
 ip address 10.200.200.212 255.255.255.240
 ip nat outside
 ip access-group fas0-in in
!
interface Ethernet0/1
 ip address 192.168.2.50 255.255.255.0
 ip nat inside
 ip access-group e01-in in
!
interface Ethernet0/2
 ip address 192.168.3.120 255.255.255.0
 ip nat inside
 ip access-group e02-in in
!
! F1 and F2 as seen from the inside segments (outside global -> outside local)
ip nat outside source static 10.200.200.210 192.168.2.210
ip nat outside source static 10.200.200.211 192.168.3.211
! inside hosts as seen from the outside (inside local -> inside global)
ip nat inside source static 192.168.2.4 10.200.200.214
ip nat inside source static 192.168.2.5 10.200.200.215
ip nat inside source static 192.168.3.3 10.200.200.216
ip nat inside source static 192.168.3.4 10.200.200.217
ip nat inside source static 192.168.3.5 10.200.200.218
! D1 and D2, both of their interfaces, as seen from the outside
ip nat inside source static 192.168.2.1 10.200.200.219
ip nat inside source static 192.168.2.2 10.200.200.220
ip nat inside source static 192.168.3.1 10.200.200.221
ip nat inside source static 192.168.3.2 10.200.200.222
!
! inbound on the outside interface: only F1/F2 may reach D1/D2's outside addresses
ip access-list extended fas0-in
 permit ip host 10.200.200.210 host 10.200.200.219
 permit ip host 10.200.200.210 host 10.200.200.220
 permit ip host 10.200.200.210 host 10.200.200.221
 permit ip host 10.200.200.210 host 10.200.200.222
 permit ip host 10.200.200.211 host 10.200.200.219
 permit ip host 10.200.200.211 host 10.200.200.220
 permit ip host 10.200.200.211 host 10.200.200.221
 permit ip host 10.200.200.211 host 10.200.200.222
 deny ip any host 10.200.200.219
 deny ip any host 10.200.200.220
 deny ip any host 10.200.200.221
 deny ip any host 10.200.200.222
 permit ip any 10.200.200.208 0.0.0.15
 deny ip any any
!
! inbound on the first inside segment: D1/D2 may only talk to F1's local address
ip access-list extended e01-in
 permit ip host 192.168.2.1 host 192.168.2.210
 permit ip host 192.168.2.2 host 192.168.2.210
 deny ip any host 192.168.2.210
 deny ip host 192.168.2.1 any
 deny ip host 192.168.2.2 any
 permit ip host 192.168.2.3 any
 permit ip host 192.168.2.4 any
 permit ip host 192.168.2.5 any
 deny ip any any
!
! inbound on the second inside segment: D1/D2 may only talk to F2's local address
ip access-list extended e02-in
 permit ip host 192.168.3.1 host 192.168.3.211
 permit ip host 192.168.3.2 host 192.168.3.211
 deny ip any host 192.168.3.211
 deny ip host 192.168.3.1 any
 deny ip host 192.168.3.2 any
 permit ip host 192.168.3.3 any
 permit ip host 192.168.3.4 any
 permit ip host 192.168.3.5 any
 deny ip any any
!

Did it help?

Thank you. I will try it over this weekend with a testbed and get back to you, but from what you have said with regard to how it is intended to function, it is looking good.

Thank you.

I have simplified the config to a minimum, see attached config.

D1 just loops back when you ping 192.168.3.120; it never gets to the NAT stage (see debug info attached).

F2 reaches D1, but the return never gets back to F2 (see debug info attached).

Also attached: translation table.

If you remove the ip nat outside static line then F2 can ping D1 and performs the NAT OK, but unfortunately I need D1 to get to F2.

Any more ideas!!

Spent a few days changing things without success.

See next post for other attachments...

Thanks for your help,

Olly

Ahh.. sorry for that, you'll need this as well:

ip route 192.168.3.210 255.255.255.255 10.194.138.210

This is to tell the router where this particular IP-address is located and therefore which interface to use as outbound (NAT'ing is done after routing).

Did it help?
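The point in the reply above is the IOS order of operations: for inside-to-outside traffic the router applies the inbound ACL, routes on the untranslated addresses, and only then translates; for outside-to-inside traffic it translates before routing. So a packet from D1 to the outside-local address 192.168.2.210 is routed against the connected 192.168.2.0/24 first, stays on the inside segment and never reaches NAT, which is the "never gets to the NAT stage" symptom; a /32 route for that address pointing out the outside interface fixes it. The Python model below is an added example written for this page, not code from the thread or from Cisco. It uses the addresses, interface names and ACL lines of the posted config, and transposes the later route fix onto those addresses (the assumption is that a host route for 192.168.2.210 resolves out FastEthernet0 via the connected 10.200.200.208/28); the e02-in list is shortened to its final deny.

```python
import ipaddress

# Constructed model of the posted config. Addresses are the thread's: D1 = 192.168.2.1 (inside),
# F1 = 10.200.200.210 (outside). Interface names follow the posted config, not a real 1721 layout.
OUTSIDE_IFACE = "FastEthernet0"
INSIDE_IFACES = {"Ethernet0/1", "Ethernet0/2"}
INSIDE_STATIC = {"192.168.2.1": "10.200.200.219",     # ip nat inside source static (local -> global)
                 "192.168.2.2": "10.200.200.220"}
OUTSIDE_STATIC = {"10.200.200.210": "192.168.2.210",   # ip nat outside source static (global -> local)
                  "10.200.200.211": "192.168.3.211"}
INSIDE_GLOBAL_TO_LOCAL = {g: l for l, g in INSIDE_STATIC.items()}
OUTSIDE_LOCAL_TO_GLOBAL = {l: g for g, l in OUTSIDE_STATIC.items()}

CONNECTED = [  # what the three "ip address" lines put into the routing table
    (ipaddress.ip_network("10.200.200.208/28"), "FastEthernet0"),
    (ipaddress.ip_network("192.168.2.0/24"), "Ethernet0/1"),
    (ipaddress.ip_network("192.168.3.0/24"), "Ethernet0/2"),
]
# The later fix, transposed onto the posted addresses: a /32 for the outside-local address.
# Assumed: its next hop sits on the connected 10.200.200.208/28, so it resolves to FastEthernet0.
HOST_ROUTE = (ipaddress.ip_network("192.168.2.210/32"), "FastEthernet0")


def parse_acl(lines):
    """Parse 'permit|deny ip SRC DST' lines; SRC/DST are 'any', 'host A' or 'A WILDCARD'."""
    def match(tokens):
        tok = tokens.pop(0)
        if tok == "any":
            return ipaddress.ip_network("0.0.0.0/0")
        if tok == "host":
            return ipaddress.ip_network(tokens.pop(0) + "/32")
        wildcard = int(ipaddress.ip_address(tokens.pop(0)))  # contiguous wildcards only
        prefixlen = bin(~wildcard & 0xFFFFFFFF).count("1")
        return ipaddress.ip_network(f"{tok}/{prefixlen}", strict=False)
    acl = []
    for line in lines:
        tokens = line.split()
        action, rest = tokens[0], tokens[2:]  # tokens[1] is the protocol, always 'ip' here
        src = match(rest)
        dst = match(rest)
        acl.append((action, src, dst))
    return acl


def acl_permits(acl, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:  # first matching entry wins
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def route_lookup(routes, dst):
    """Longest-prefix match over (network, egress interface) pairs."""
    d = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, iface) for net, iface in routes if d in net]
    return max(hits)[1] if hits else None


ACLS = {
    "FastEthernet0": parse_acl([
        "permit ip host 10.200.200.210 host 10.200.200.219",
        "permit ip host 10.200.200.210 host 10.200.200.220",
        "deny ip any host 10.200.200.219",
        "deny ip any host 10.200.200.220",
        "permit ip any 10.200.200.208 0.0.0.15",
        "deny ip any any",
    ]),
    "Ethernet0/1": parse_acl([
        "permit ip host 192.168.2.1 host 192.168.2.210",
        "permit ip host 192.168.2.2 host 192.168.2.210",
        "deny ip any host 192.168.2.210",
        "deny ip host 192.168.2.1 any",
        "deny ip host 192.168.2.2 any",
        "permit ip host 192.168.2.3 any",
        "deny ip any any",
    ]),
    "Ethernet0/2": parse_acl(["deny ip any any"]),  # shortened for the model
}


def forward(packet, ingress, routes, acls=ACLS):
    """One packet (src, dst) arriving on `ingress`, in IOS order of operations:
    inside->outside: inbound ACL, routing on the untranslated addresses, then NAT local->global;
    outside->inside: inbound ACL, NAT global->local, then routing on the translated addresses."""
    src, dst = packet
    if not acl_permits(acls[ingress], src, dst):
        return ("dropped-by-acl", ingress, src, dst)
    if ingress in INSIDE_IFACES:
        egress = route_lookup(routes, dst)
        if egress != OUTSIDE_IFACE:
            # Routed back onto an inside segment, so NAT never ran: the "never gets to NAT" case.
            return ("not-translated", egress, src, dst)
        return ("translated", egress, INSIDE_STATIC.get(src, src), OUTSIDE_LOCAL_TO_GLOBAL.get(dst, dst))
    src, dst = OUTSIDE_STATIC.get(src, src), INSIDE_GLOBAL_TO_LOCAL.get(dst, dst)
    return ("translated", route_lookup(routes, dst), src, dst)


if __name__ == "__main__":
    d1_to_f1 = ("192.168.2.1", "192.168.2.210")
    print("D1->F1, no host route:  ", forward(d1_to_f1, "Ethernet0/1", CONNECTED))
    print("D1->F1, with host route:", forward(d1_to_f1, "Ethernet0/1", CONNECTED + [HOST_ROUTE]))
    print("F1->D1:                 ", forward(("10.200.200.210", "10.200.200.219"), "FastEthernet0", CONNECTED))
    print("other outside host->D1: ", forward(("10.200.200.213", "10.200.200.219"), "FastEthernet0", CONNECTED))
```

Running it shows the two symptoms from the testbed report side by side: without the host route the D1-to-F1 packet (and D1's reply to F1, which has the same addresses) is handed to Ethernet0/1 untranslated, while with it the packet leaves FastEthernet0 as 10.200.200.219 to 10.200.200.210; the last call shows the fas0-in list dropping an outside host that is not F1 or F2 before it can reach D1's outside address. IOS also accepts an add-route keyword on ip nat outside source static, which installs this host route for you instead of a separate ip route line.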

Seems to have done the trick.

On a side note, as the router I am testing on is one module short (just FastEthernet and one WIC-1ENET), is it possible to place the two inside subnets, 192.168.3 and 192.168.2, onto one physical port on the 1721 (IOS 12.3)?

Thanks yet again for your wisdom,

Olly

For this testing you could place the inside subnets on ethernet0 like this:

interface Ethernet0
 ip address 192.168.3.120 255.255.255.0
 ip address 192.168.2.50 255.255.255.0 secondary
!

An alternative would be to put the outside network on the Ethernet0, use 802.1q VLAN on the FastEthernet0 interface and run two subinterfaces there to support the inside subnets.. :)

I am happy to help, but you can help too. If you find the time to do it, please rate the posts you found helpful, and possibly indicate if any of them 'solved' your original question.

Could you elaborate on the VLANs please!

Can they only be created on the FastEthernet0 port and not the normal WIC-1ENET ports?

What would the benefit be of using the VLAN option over the secondary subnet option?

Thanks yet again,

Olly

I have tried the following config (see attached), but with the VLANs the only one that works is VLAN 1, the one with "native" at the end.

I have also included the sho vlans output.

If you do a debug ip nat and debug ip packet, it does not show anything when you ping from VLAN 2.

Is this the correct way to set up the VLANs so that hosts can be placed on the FastEthernet0 interface without going through another switch?

Thanks yet again,

Olly

Other attachments for previous post from myself

I am only using the FastEthernet0 and Ethernet0 interfaces to simplify things before I add the Ethernet1 (192.168.2) interface and the ACLs.

Cheers again for your help

Olly
