04-11-2002 12:42 PM - edited 03-01-2019 09:15 PM
--Moderator Note: Due to the confidential nature of router configurations, it is not recommended to post them to this or any public forum. I have edited the following configuration to remove confidential information. Since the post was public for a while, it is recommended all passwords (including encrypted passwords) be changed. -- end Moderator note --
I am trying to set up a 2621 router on my network. Where can I obtain examples of configurations to make it work? I have one ethernet port attached to my DSL router, and the other attached to my hub for my internal network. As it sits right now I can get outside to the world but the world cannot get inside to my web or Exchange server. My config is as follows.
-- moderator edit --
User Access Verification
-- moderator edit --
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname -- moderator edit --
!
enable secret 5 -- moderator edit --
!
memory-size iomem 15
ip subnet-zero
ip domain-name -- moderator edit --
ip name-server 10.0.10.10
!
!
!
!
!
interface FastEthernet0/0
description connected to Internet
ip address -- moderator edit --
no ip directed-broadcast
ip nat outside
!
interface FastEthernet0/1
description connected to FastHub424
ip address 10.0.0.1 255.0.0.0
no ip directed-broadcast
ip nat inside
!
router rip
version 2
passive-interface FastEthernet0/0
network 10.0.0.0
no auto-summary
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
no ip http server
!
access-list 1 permit 10.0.0.0 0.255.255.255
snmp-server community -- moderator edit --
snmp-server location -- moderator edit --
snmp-server contact -- moderator edit --
banner motd -- moderator edit --
!
line con 0
exec-timeout 0 0
password 7 -- moderator edit --
login
transport input none
line aux 0
line vty 0 4
password 7 -- moderator edit --
login
!
no scheduler allocate
end
-- moderator edit --
Any suggestions?
04-11-2002 01:25 PM
Your NAT looks good.
Try two things (one at a time).
First, change your default route to:
ip route 0.0.0.0 0.0.0.0 x.x.x.x (where x.x.x.x is your next hop router)
instead of
ip route 0.0.0.0 0.0.0.0 fastethernet0/0
Next, try disabling fast-switching. Sometimes fast switching and NAT don't get along.
Under each interface, try:
no ip route-cache
Mick.
04-11-2002 02:03 PM
I contacted my evil ISP and they told me the address of the next hop, so I changed the IP route and it killed all outgoing traffic from my network. Plus the no ip cache didn't help either. Still no one can get to my web server.
04-11-2002 02:13 PM
This part is really simple.
If you changed your next hop address in your route statement to what your ISP told you (and removed the old default route) and all traffic stopped, then your ISP probably gave you the wrong address. (edited out bogus ip address... too tired... need coffee...)
I completely missed the question you asked about the web server and exchange server.
You're using PAT (port address translation). It's only good for allowing inside users to get to the internet, not for allowing outside users to access inside servers.
You'll need to get an IP address from your ISP for your web server and your exchange server then use static NAT.
You can also try the following, but I've had mixed results.
ip nat inside source static tcp 10.x.x.x 80 209.211.20.217 80
where 10.x.x.x is your web server.
You'll need to double check the syntax though.
Mick.
04-11-2002 05:31 PM
Still nothing. How can I check to ensure that my ISP is correctly routing to me, i.e. "A records" and such?
04-11-2002 05:40 PM
Do a traceroute from the internet to see where the address dies.
Here's what I have to your router:
C:\>tracert 209.211.20.217
Tracing route to dsl27.scottsburg.com [209.211.20.217]
over a maximum of 30 hops:
1 10 ms 20 ms 10 ms 10.42.224.1
2 21 ms 10 ms 20 ms 24.25.1.147
3 10 ms 10 ms 10 ms 24.25.1.97
4 20 ms 30 ms 10 ms rdu26-33-177.nc.rr.com [66.26.33.177]
5 30 ms 20 ms 20 ms pop2-cha-P2-0.atdn.net [66.185.138.89]
6 20 ms 20 ms 20 ms bb2-cha-P0-1.atdn.net [64.236.4.53]
7 20 ms 40 ms 20 ms bb2-atm-P6-0.atdn.net [66.185.152.61]
8 20 ms 50 ms 20 ms pop1-atm-P1-0.atdn.net [66.185.147.198]
9 31 ms 20 ms 20 ms atl-edge-07.inet.qwest.net [65.112.33.129]
10 30 ms 20 ms 20 ms atl-core-01.inet.qwest.net [205.171.21.81]
11 60 ms 80 ms 60 ms chi-core-02.inet.qwest.net [205.171.8.198]
12 61 ms 70 ms 60 ms chi-edge-19.inet.qwest.net [205.171.20.66]
13 80 ms 71 ms 110 ms 65.113.255.138
14 120 ms 81 ms 100 ms dslgw.scottsburg.com [65.114.71.131]
15 * 120 ms 130 ms dsl27.scottsburg.com [209.211.20.217]
Trace complete.
What IP address are you using for your web site? What's the DNS name?
Mick.
04-11-2002 06:39 PM
My domain name is (don't laugh) church-of-bubba.com. My ISP gave me the dedicated IP address of 209.211.20.217... do I need more?
04-12-2002 03:36 AM
Got this for a web page for church-of-bubba.com:
WELCOME TO THE CHURCH OF BUBBA
NOBODY'S HOME JES YET!
SO COME BACK LATER WHEN WE R!
---------------------------
Seems to be working.
Mick.
04-12-2002 02:13 PM
Just out of curiosity, how did you get to my web site? Did you enter http://www.church-of-bubba.com or http://church-of-bubba.com ? When I enter the www it does not work. But I now can see my web server and send/receive mail. Now I just need to lock everything down so I don't get whacked by somebody.
04-12-2002 08:11 AM
Because you are running NAT, connections initiated from your network out will use the interface address of FA0/0. The NAT table caches the TCP/UDP connection for return TCP/UDP traffic. That works fine outbound.
When others (internet users) need to initiate TCP/UDP connections "into" your network, you must specify a static PAT/NAT rule that allows this connection inbound to your 10.x.x.x network.
EG: Let's assume your web server is 10.0.0.10. Now looking at your config, you have been given approx 60 addresses to use by your ISP (I think). Anyway, you need to choose a public address from your 209.211.20.x range and tell your DNS hosters that your web site domain name points to that address. Let's say that www.your-web.com = 209.211.20.218. Okay?
Now you need to tell the NAT engine on your 2621 that any traffic for 209.211.20.218 is in fact for the web server sat at 10.0.0.10. That way, whenever internet users initiate connections TO your web server, they HTTP to the 209 address, your router NATs it to the 10.0.0.10 address inside your network, and your web server responds. TADA !!! You need to make sure your Web server Default Route is pointing at the 2621 10.0.0.1 address.
Commands for creating this NAT relationship between your 10.0.0.10 address and the public 209.211.20.218 address:
IP NAT INSIDE SOURCE STATIC
EG: ip nat inside source static 10.0.0.10 209.211.20.218
Try it, see what happens.
04-13-2002 07:55 AM
There are two concepts going on.
Outbound then Inbound.
The first item I would look at would be your internet edge router. Is it a router or is it a bridge?
Is your internal IP from that device public or private? If public, research the following and do it on the 2600.
If private, you can only do it if you do it on your internet router or static NAT on the internet router.
If you have multiple devices on the inside going out on one address, it is not a one to one NAT, which in effect is PAT (Port address translation). Which is fine for most outbound services.
Inbound you need a one to one NAT for the service. This can be accomplished by a static NAT command. Then lock the inbound NAT by using a filter for "SMTP or WWW" traffic only. Or you can use port redirection. Port redirection will take for example all inbound SMTP traffic and send it to a specific internal address.
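The port redirection and the "SMTP or WWW only" inbound filter described in the replies above, as an added example that is not part of any poster's message. It reuses 209.211.20.217 and 10.0.0.10 from the thread; 10.0.0.11 for the Exchange server and ACL number 110 are assumptions.

```cisco
! Added example, not from the thread.
! 209.211.20.217 = public address the ISP assigned (from the thread)
! 10.0.0.10      = web server address assumed in an earlier reply
! 10.0.0.11      = Exchange server (hypothetical address)
!
! Port redirection: only TCP 80 and TCP 25 arriving at the public address
! are forwarded inside. No other port on that address reaches a server.
ip nat inside source static tcp 10.0.0.10 80 209.211.20.217 80
ip nat inside source static tcp 10.0.0.11 25 209.211.20.217 25
!
! The existing PAT rule for outbound traffic stays as it is.
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.255.255.255
!
! Inbound filter for the outside interface. An inbound ACL is checked
! before translation, so entries match the public (global) address.
!
! Published services
access-list 110 permit tcp any host 209.211.20.217 eq www
access-list 110 permit tcp any host 209.211.20.217 eq smtp
! Replies to connections opened from the inside (PAT return traffic)
access-list 110 permit tcp any host 209.211.20.217 established
! DNS answers to lookups made from inside (assumes lookups use UDP 53)
access-list 110 permit udp any eq domain host 209.211.20.217
! ICMP needed for ping replies, traceroute and path MTU discovery
access-list 110 permit icmp any host 209.211.20.217 echo-reply
access-list 110 permit icmp any host 209.211.20.217 time-exceeded
access-list 110 permit icmp any host 209.211.20.217 unreachable
! Everything else is dropped and logged
access-list 110 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 110 in
```

The `established` keyword only checks the ACK/RST bits and the DNS entry trusts the source port, so this is a stateless filter. With this ACL applied the vty lines are no longer reachable from the outside interface, so apply it from the console or from the inside network.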