12-11-2013 06:05 AM - edited 03-04-2019 09:50 PM
Hello,
Recently I obtained a used Cisco 861 router and I would like to use it in our network. I'm completely green when it comes to professional routers by Cisco...
Anyway: it will connect the ISP to our 24-port switch. It needs to have a static IP for itself and also should give static, predefined IPs to the machines (or rather accept IPs from the computers connected to it with custom IPs from the 192.168.2.xxx pool). For certain IPs I also need to forward ports from outside ports (the ISP) to the inside ports (on the LAN side; I presume it is the NAT thing, right?). How should I program the router, using the console or CCP? Which is simpler?
I enclose my initial config, which works with the University DHCP-provided IP and DNS (this will be changed later during the router deployment).
Current configuration : 3647 bytes
!
! Last configuration change at 08:28:51 UTC Tue Dec 10 2013 by MH
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Shorelab
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3919389865
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3919389865
revocation-check none
rsakeypair TP-self-signed-3919389865
!
!
crypto pki certificate chain TP-self-signed-3919389865
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33393139 33383938 3635301E 170D3133 31323039 31353339
30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 39313933
38393836 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100884B B1631357 0DC4D587 21EB6A12 C717548F 1E6460BA 4155CBE5 8247DE66
5D7DF8E6 89138AFD F007134D 52A0D604 419F6C12 648FA058 F32E402F B18ED9A3
C4CEBE0B 0E8C493E 91D68A6B 668BDFE6 B0D453FF 4E7101FE 58907C5F 4C3A17B6
55539A65 BD1348E9 36D19BDF 5DE6D21D 7BA15F8B 7868E789 F7CC43C1 39B0CD5B
B3570203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1421B129 A6C80A6D 88FD2EE9 27507F99 152EB8B1 7C301D06
03551D0E 04160414 21B129A6 C80A6D88 FD2EE927 507F9915 2EB8B17C 300D0609
2A864886 F70D0101 05050003 8181006B A2FF36A0 8785AC1C CD1DB1B2 219EB4A2
0ABE5BDE 160652F1 FDA5ED97 E2FCDD5A 35F67303 2CE01FB6 501B765D 2AD08119
2F449FA7 F2BFAF3C 3850CD91 9EC252FD CA21714F 95175961 5D95E65F 3DFFC55E
3241E757 6551B04E 62145ADD 72D90A98 6415748D 9C35F3B2 81058E06 B816ECEF
0597DB09 01586F59 C7B9154B EA185A
quit
!
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool INSIDE
network 192.168.2.0 255.255.255.0
default-router 192.168.2.254
dns-server xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy
!
!
!
!
ip domain name nuigalway.ie
ip name-server xxx.xxx.xxx.xxx
ip name-server yyy.yyy.yyy.yyy
ip cef
no ipv6 cef
!
!
license udi pid CISCO861-K9 sn XXXXXXXXXXX
!
!
username xxxxxx
!
no cdp run
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description OUTSIDE
ip address dhcp hostname Shorelab
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Vlan1
description INSIDE
ip address 192.168.2.254 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 1 permit 182.168.2.0 0.0.0.255
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 199 permit ip any any
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
!
end
Are there any unnecessary entries, BTW?
Thanks in advance!
12-11-2013 08:55 AM
Jakub,
To add a static address, you need to go under the interface:
interface FastEthernet4
description OUTSIDE
ip address dhcp hostname Shorelab
Change this to:
int fa4
ip address
Your nat statement for access-list 1 is good, but remove 199 because it's not needed:
no ip nat inside source list 199 interface FastEthernet4 overload
You don't need the following lines:
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
Access-list 1 is incorrect for the nat statement that references it:
access-list 1 permit 182.168.2.0 0.0.0.255
It should be:
access-list 1 permit 192.168.2.0 0.0.0.255
If you have the default gateway's ip address from the provider, I would use that instead of the physical interface. "ip route 0.0.0.0 0.0.0.0 fa4"
If you can get the address, you would change this with:
no ip route 0.0.0.0 0.0.0.0 fa4
and fix with:
ip route 0.0.0.0 0.0.0.0
HTH,
John
*** Please rate all useful posts ***
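The checks from the reply above (a NAT access list that matches no inside subnet, a NAT access list that permits any source, and more than one default route) can be automated. This is an added example, not code from the thread; `audit_nat` and `acl_source` are hypothetical names, the sample is constructed from the NAT-relevant lines of the posted configuration, and only `any`, single-address and contiguous address/wildcard ACL sources are handled.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines of the configuration posted in this thread.
SAMPLE = """\
interface FastEthernet4
 ip address dhcp hostname Shorelab
 ip nat outside
interface Vlan1
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 199 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip route 0.0.0.0 0.0.0.0 Vlan1
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 1 permit 182.168.2.0 0.0.0.255
access-list 199 permit ip any any
"""

def acl_source(rest):
    """Source network of a permit entry: 'any', 'addr' or 'addr wildcard'."""
    tok = rest.split()
    if tok[0] in ("ip", "tcp", "udp", "icmp"):  # extended ACL: skip the protocol
        tok = tok[1:]
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    # Contiguous wildcard mask -> prefix length (0.0.0.255 -> /24, none -> /32).
    wild = int(ipaddress.ip_address(tok[1])) if len(tok) > 1 and tok[1][0].isdigit() else 0
    return ipaddress.ip_network(f"{tok[0]}/{32 - wild.bit_length()}", strict=False)

def audit_nat(config):
    """Return findings about PAT access lists and default routes in an IOS config."""
    inside, acls, findings = [], {}, []
    for block in re.split(r"\n(?=interface )", config):
        addr = re.search(r"^ *ip address (\d\S+) (\d\S+)", block, re.M)
        if addr and re.search(r"^ *ip nat inside$", block, re.M):
            inside.append(ipaddress.ip_network("/".join(addr.groups()), strict=False))
    for num, rest in re.findall(r"^access-list (\d+) permit (.+)$", config, re.M):
        acls.setdefault(num, []).append(acl_source(rest))
    for num in re.findall(r"^ip nat inside source list (\d+) .*overload", config, re.M):
        for net in acls.get(num, []):
            if net.prefixlen == 0:
                findings.append(f"NAT list {num} permits any source")
            elif not any(net.overlaps(i) for i in inside):
                findings.append(f"NAT list {num} source {net} matches no inside subnet")
    defaults = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", config, re.M)
    if len(defaults) > 1:
        findings.append("multiple default routes: " + ", ".join(defaults))
    return findings
```

Running `audit_nat` on the text of `show running-config` before and after applying the changes shows whether each of the three items has been cleared.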
12-11-2013 01:32 PM
Thank you. What about port forwarding? Say, I have 3 computers connected to the switch which will be connected to one of the Vlan1 ports with ip 192.168.2.254 (which are ports fa0-fa3).
192.168.2.110 Internal port 22 external port 8670
192.168.2.111 Internal port 22 external port 8680
192.168.2.112 Internal port 750 external port 8690
How to set up NAT for this to work? Only those computers will require port forwarding.
And also: I don't want to use internal DHCP. I want for any computer connected to the switch with IP configured by the user (under condition that it will be from the 192.168.2.0 pool) to be able to connect through to the internet.
Thanks again!
12-11-2013 03:11 PM
Jakub,
You can statically set your computers if you want. If so, you can remove the dhcp pool that you have configured on the router:
no ip dhcp pool INSIDE
To do natting inbound, you would do something like the following:
ip nat inside source static tcp 192.168.2.110 22 interface fa4 8670
ip nat inside source static tcp 192.168.2.111 22 interface fa4 8680
ip nat inside source static tcp 192.168.2.112 750 interface fa4 8690
You can replace "interface fa4" with a real public static address if you want to. Currently, since we don't know what that address is, you can have the external interface assume that role.
HTH,
John
*** Please rate all useful posts ***