
Urgent help with 1700 series router

bzaayer299
Level 1

Hi all,

I am a novice and I need some help. I have a 1700 router and I need to know what commands to give the router to point an external IP address to an internal IP address. We already have 3 external IP addresses pointing to 3 internal IP addresses. I need to point xxx.xxx.xxx.xxx to 192.168.1.252. I have no idea how to do this, and when I have finished inputting the commands into the router I do not know how to save the new configuration. Please help. My boss needs me to get this working! Please be as detailed as possible. I appreciate the help. You will be saving my butt.

Thanks,

Brina

5 Replies

m-carey
Level 1

If you are looking to have a secondary IP address, in interface config mode, enter this command:

R(config-if)#ip address 10.1.2.1 255.255.255.0 secondary

R(config-if)#end

R#copy running-config startup-config

b.eman
Level 1

Are you referring to a static NAT translation? If you are, you should see something like below in your config. Log into the router and type 'sh run' and look for something like the command below.

ip nat inside source static tcp 201.65.23.2 80 192.168.1.251 80 extendable

If you do not see that command, type in 'show ip nat translation' and copy and paste what you see here on the board.

Do you know what port you want to be able to access from the outside on this new machine? It is not a good idea to just open up any outside to any inside to this machine.

Let us know what you find out.

I'm sorry, I was mistaken. The NAT is being done with our PIX box. How do I add the forwarding of 65.170.13.91 to 192.168.1.252 allowing only port 25 through? Below is my PIX config:

PIX Version 5.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxxx

hostname const1pix

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 65.x.x.x.255.255.248

ip address inside 192.168.1.1 255.255.255.0

arp timeout 14400

global (outside) 1 65.x.x.90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 65.170.13.91 192.168.1.254 netmask 255.255.255.255 0 0

static (inside,outside) 65.170.x.x.x.1.168 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host 65.170.13.91 eq smtp any

conduit permit tcp host 65.170.13.91 eq pop3 any

conduit permit tcp host 65.170.13.91 eq www any

conduit permit tcp host 65.170.13.92 eq 1494 any

conduit permit tcp host 65.170.13.91 eq ftp any

route outside 0.0.0.0 0.0.0.0 65.170.13.94 1

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community grevnoc

no snmp-server enable traps

floodguard enable

isakmp identity hostname

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

terminal width 80

Cryptochecksum:xxxx

Thanks,

Brian

Enter the following:

pix#config t

pix(config)#static (inside,outside) tcp 65.170.13.91 smtp 192.168.1.252 smtp netmask 255.255.255.255 0 0

pix(config)#exit

pix#copy running-config startup-config

That should do it.

Blake

What Blake told you is correct from a command standpoint, but it won't work for you b/c you already have this statement:

static (inside,outside) 65.170.x.x.x.1.254 netmask 255.255.255.255 0 0

&

conduit permit tcp host 65.x.x.91 eq smtp any

These statements say all allowed traffic for 65.170.13.91 goes to 192.168.1.254 (this is the static). As a result, the PIX can ONLY forward smtp hitting 65.170.13.91 to 192.168.1.254 (conduit).

You will either need to remove those statements or get another IP address. OR you could utilize one of your other static ips that is not already getting smtp traffic (i.e. 65.170.13.92). To do this you would do port redirection on the ip 65.170.13.92. To do this you would need to enter enable mode and then remove the static entry by doing:

logging into pix

type "en"

enter your enable password

You know you are in enable mode when you have a "#" in the line. Then:

conf t

no static (inside,outside) 65.x.x.x.168.1.168 netmask 255.255.255.255 0 0

write me

THEN

static (inside,outside) tcp 65.x.x.92 1494 192.168.1.168 1494

static (inside,outside) tcp 65.x.x.92 25 192.168.1.252 25

conduit permit tcp host 65.170.13.92 eq smtp any

write me

clear xlate

As a side note, you may also want to do the following in enable mode:

conf t

no fixup protocol smtp 25

write me

exit

When fixup is enabled, weird things happen with e-mail.
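The overlap described in the last reply (a one-to-one static already claiming every port on a global IP, so a new port-redirect static for the same IP collides) can be checked before the change is typed into the firewall. The following is an added example, not code from the thread or from Cisco: the function names are hypothetical, the sample config is constructed with documentation addresses, and the parser assumes only the two `static` forms and the `conduit permit ... host ... eq ... any` form quoted above.

```python
import re

# Constructed sample in the thread's PIX syntax (documentation addresses).
SAMPLE_CONFIG = """\
static (inside,outside) 203.0.113.91 192.168.1.254 netmask 255.255.255.255 0 0
static (inside,outside) tcp 203.0.113.92 1494 192.168.1.168 1494
conduit permit tcp host 203.0.113.91 eq smtp any
conduit permit tcp host 203.0.113.92 eq 1494 any
"""

# Port keywords used in the thread, normalised so "smtp" and "25" compare equal.
PORT_NAMES = {"ftp": "21", "smtp": "25", "www": "80", "pop3": "110"}

# One-to-one form:  static (inside,outside) <global> <local> ...
# Port form:        static (inside,outside) tcp <global> <gport> <local> <lport> ...
STATIC_RE = re.compile(
    r"^static \(\w+,\w+\) (?:(tcp|udp) (\S+) (\S+) (\S+) \S+|(\S+) (\S+))")
CONDUIT_RE = re.compile(r"^conduit permit (?:tcp|udp) host (\S+) eq (\S+) any")

def parse_statics(config):
    """Return (global_ip, port_or_None, local_ip) for every static line."""
    out = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m and m.group(1):    # port redirection: one port on the global IP
            port = PORT_NAMES.get(m.group(3), m.group(3))
            out.append((m.group(2), port, m.group(4)))
        elif m:                 # one-to-one: every port on the global IP
            out.append((m.group(5), None, m.group(6)))
    return out

def find_conflicts(config, proposed_line):
    """Existing statics that already claim what proposed_line wants to map."""
    g, port, _ = parse_statics(proposed_line)[0]
    return [s for s in parse_statics(config)
            if s[0] == g and (s[1] is None or port is None or s[1] == port)]

def open_ports(config, global_ip):
    """Ports that conduit lines permit from any source to global_ip."""
    ports = set()
    for line in config.splitlines():
        m = CONDUIT_RE.match(line.strip())
        if m and m.group(1) == global_ip:
            ports.add(PORT_NAMES.get(m.group(2), m.group(2)))
    return sorted(ports)

if __name__ == "__main__":
    new = "static (inside,outside) tcp 203.0.113.91 smtp 192.168.1.252 smtp"
    print(find_conflicts(SAMPLE_CONFIG, new), open_ports(SAMPLE_CONFIG, "203.0.113.91"))
```

`open_ports` lists what the existing conduits expose on a global IP, which is worth reviewing before a new static points that IP at a different inside host.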
