01-26-2011 11:30 AM - edited 03-04-2019 11:13 AM
Hi All,
I'm having issues configuring my 1841 router for internet access and I thought I'd come here for some advice.
Here's what I would like to do:
On interface fa 0/0 I would like it facing the cable modem to the internet; I have a static IP address with my ISP.
On interface fa 0/1 I would like this to face my internal network, connected to an unmanaged switch, with all the internal servers having 10.10.10.0 IPs.
I would like to allow ALL traffic to pass through the router both incoming and outgoing, I don't need to use ACL's because I will use a firewall on certain servers as needed.
I should mention I followed some tutorials on the internet on how to configure the router using NAT. I was able to connect out to the internet but wasn't able to connect back to any servers in my network (web, mail etc.), so I reset the router back to factory settings and would like to start from scratch.
Can anyone give me an idea of how to configure the router for this?
Thanks!
01-26-2011 06:38 PM
Hi,
For example your f0/0 is the ISP facing interface and f0/1 the LAN interface:
interface fa0/0
ip add x.x.x.x 255.255.255.252
no shut
interface f0/1
ip add y.y.y.y 255.255.255.0
no shut
The router should have a default gateway to the ISP:
ip route 0.0.0.0 0.0.0.0 x.x.x.1 --> IP of the next-hop
The local LAN (servers behind the unmanaged switch) should have a default gateway pointing to the LAN interface of the router (y.y.y.y)
The NAT configuration is as follows:
ip access-list extended NAT
permit ip y.y.y.0 0.0.0.255 any --> IOS ACLs use a wildcard mask, not a subnet mask
ip nat inside source list NAT interface f0/0 overload
ip nat inside source static tcp y.y.y.y 80 x.x.x.5 80
ip nat inside source static tcp y.y.y.y 25 x.x.x.6 25
The above NAT configuration is to give internet access to the servers and to allow inbound web and smtp traffic to the internal servers.
Then apply the NAT to the interfaces:
interface f0/0
ip nat outside
interface f0/1
ip nat inside
Hope it helps.
Federico.
01-26-2011 08:03 PM
Nathan
From your description I believe that you ran into an issue that is very common as people begin to learn about configuring address translation. Probably you configured a dynamic PAT for the Address Translation on your router. (It might look something like ip nat inside source list NAT interface f0/0 overload).
This works very well for translating traffic that originates within your network and is going out to the Internet. But it does not provide any translation for traffic that originates in the Internet and attempts to reach servers in your network. To support servers in your network that need to be reachable from the Internet you need a static translation. The example given by Federico is one way to do this:
ip nat inside source static tcp y.y.y.y 80 x.x.x.5 80
ip nat inside source static tcp y.y.y.y 25 x.x.x.6 25
HTH
Rick
01-27-2011 10:21 AM
Thanks Guys.
In the first example he put (ip nat inside source list NAT interface f0/0 overload) as well; how does this differ from what you said about PAT?
01-27-2011 05:48 PM
Hi Guys,
I tried the above configuration and I still can't connect out to the internet unless PAT is enabled.
What am I missing?
Thanks
01-27-2011 06:38 PM
Nathan,
ip nat inside source list NAT interface f0/0 overload = PAT
So, the above command actually performs PAT (Port Address Translation) using the IP of f0/0.
Are you saying internet works with PAT now, or it doesn't?
Check the translations with show ip nat translations
Federico.
01-28-2011 06:26 AM
Nathan
What I was trying to explain in my previous post was that PAT performs dynamic translation and supports connections initiated from inside your network to the Internet.
For your hosts in your network to access the Internet some kind of address translation is needed. There are multiple options for what kind of translation you can use. The simplest is PAT, but other options include dynamic NAT and static translations. If you do not perform some type of translation your hosts will not be able to access the Internet.
If you do PAT then it would allow connections initiated from your hosts to the Internet. But PAT does not work for hosts in the Internet that need to initiate connections to hosts in your network. It is not clear whether you require Internet access to your hosts. I gathered from your post that perhaps you did need this. To support access by Internet hosts to hosts in your network you need to configure some kind of static translation.
HTH
Rick
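To make the distinction Rick draws concrete, here is an added example (not code from the thread or from Cisco) that models the two kinds of translation in a few lines of Python. It assumes a constructed public address 203.0.113.10 on f0/0 and constructed inside servers on 192.168.1.15 (web) and 192.168.1.40 (mail); the port-allocation scheme is a simplification of IOS PAT, chosen only to show which packets get a translation and which are dropped.

```python
import itertools

# Constructed placeholder for the ISP-provided address on FastEthernet0/0.
PUBLIC_IP = "203.0.113.10"


class IosNat:
    """Toy model of 'ip nat inside source list ... overload' plus static entries."""

    def __init__(self, outside_ip):
        self.outside_ip = outside_ip
        # Dynamic (PAT) table, created only by inside-originated traffic:
        # (proto, translated_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.dynamic = {}
        # Static table from 'ip nat inside source static tcp ...':
        # (proto, outside_port) -> (inside_ip, inside_port)
        self.static = {}
        # Simplification: hand out translated ports sequentially from 1024.
        self._ports = itertools.count(1024)

    def add_static(self, proto, inside_ip, inside_port, outside_port):
        self.static[(proto, outside_port)] = (inside_ip, inside_port)

    def inside_to_outside(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Overload: every inside host shares one outside address and is told
        apart by a unique translated source port. Returns the new source."""
        translated_port = next(self._ports)
        self.dynamic[(proto, translated_port)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.outside_ip, translated_port)

    def outside_to_inside(self, proto, src_ip, src_port, dst_port):
        """Returns the inside (ip, port) the packet is delivered to, or None if
        the router has no translation for it and therefore drops it."""
        # 1) A reply to a connection an inside host opened: PAT entry exists.
        entry = self.dynamic.get((proto, dst_port))
        if entry and entry[2] == src_ip and entry[3] == src_port:
            return (entry[0], entry[1])
        # 2) Unsolicited traffic from the Internet: only a static entry lets it in.
        return self.static.get((proto, dst_port))


def demo():
    nat = IosNat(PUBLIC_IP)
    # The static translations from Federico's example, with constructed servers.
    nat.add_static("tcp", "192.168.1.15", 80, 80)
    nat.add_static("tcp", "192.168.1.40", 25, 25)

    # A workstation browses out: PAT creates a translation on the fly ...
    pub = nat.inside_to_outside("tcp", "192.168.1.20", 51000, "198.51.100.7", 80)
    # ... and the reply finds its way back through that entry.
    reply = nat.outside_to_inside("tcp", "198.51.100.7", 80, pub[1])

    # Internet hosts connecting in: only the statically mapped ports work.
    web = nat.outside_to_inside("tcp", "198.51.100.9", 40000, 80)
    mail = nat.outside_to_inside("tcp", "198.51.100.9", 40001, 25)
    ssh = nat.outside_to_inside("tcp", "198.51.100.9", 40002, 22)  # dropped: no entry
    return pub, reply, web, mail, ssh


if __name__ == "__main__":
    print(demo())
```

The last lookup is the important one from a defender's point of view: with PAT alone, nothing from the Internet reaches an inside host, and each static entry you add is precisely one more port deliberately exposed.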
01-28-2011 08:52 PM
Hi Federico,
I can only access the internet if I use the following command:
ip nat inside source list 1 interface FastEthernet0/0 overload
I tried to use the command you provided but the router still wouldn't let me access the internet. I have pasted my configuration below.
What am I missing?
Thanks!
-------------------------------------------------------------
Current configuration : 1302 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IDM-EDM-CORE
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$qjT9$CspK9pWE1nAJmBlz./Uso0
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 64.59.184.13
ip name-server 64.59.184.15
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address *ISP Provided Static IP* 255.255.252.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 68.148.224.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.15 80 *ISP Provided IP* 80 extendable
!
ip access-list extended NAT
permit ip 0.0.0.0 255.255.255.0 any
!
!
!
!
!
control-plane
!
!
banner motd ^C
******************************************
* Unauthorized Access Prohibited *
* Iridium Networks Inc *
******************************************
^C
!
line con 0
password *********
login
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
01-28-2011 10:13 PM
The ACL you have is incorrect.
You need to change:
ip access-list extended NAT
permit ip 0.0.0.0 255.255.255.0 any
To
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
Federico.
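Federico's correction turns on the difference between a subnet mask and an IOS wildcard mask. The following is an added example (not from the thread or from Cisco IOS) that implements the wildcard matching rule in Python and runs both ACLs against a constructed list of 192.168.1.0/24 hosts, showing that the original line matched none of them and why.

```python
import ipaddress


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS ACL semantics: a wildcard bit of 1 means 'don't care';
    a wildcard bit of 0 means the bit must equal the bit in base."""
    a, b, w = ip_to_int(addr), ip_to_int(base), ip_to_int(wildcard)
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def subnet_mask_to_wildcard(mask):
    """The wildcard is the bitwise inverse of the subnet mask."""
    return str(ipaddress.IPv4Address(ip_to_int(mask) ^ 0xFFFFFFFF))


def acl_permits(acl, src):
    """acl is a list of (base, wildcard) 'permit ip <base> <wildcard> any' lines."""
    for base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return True
    return False  # implicit deny at the end of every IOS ACL


# The line from the posted config, and Federico's replacement.
WRONG_ACL = [("0.0.0.0", "255.255.255.0")]
RIGHT_ACL = [("192.168.1.0", "0.0.0.255")]

# Constructed sample of inside hosts.
LAN_HOSTS = ["192.168.1.1", "192.168.1.15", "192.168.1.40", "192.168.1.254"]


def hosts_translated(acl, hosts):
    """Hosts whose traffic the NAT list would select for translation."""
    return [h for h in hosts if acl_permits(acl, h)]


if __name__ == "__main__":
    print("wrong ACL translates:", hosts_translated(WRONG_ACL, LAN_HOSTS))
    print("right ACL translates:", hosts_translated(RIGHT_ACL, LAN_HOSTS))
```

Read as a wildcard, 0.0.0.0 255.255.255.0 means "ignore the first three octets, require the last octet to be 0", so it selects addresses like 10.0.0.0 or 172.16.5.0 but no real host in 192.168.1.0/24; that is why nothing was translated and the internet appeared unreachable.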
01-29-2011 08:38 PM
Thank you so much this worked!
I have one question though. I can connect to my services from outside my network, but when I try to download mail internally from my network (mail.iridiumnetworks.com - internal IP of the server is 192.168.1.40) or try to connect to the website from inside the network (www.iridiumnetworks.com - internal IP of the server is 192.168.1.15) I cannot connect to it; it just works from the outside into the network.
I can connect to the website through the IP but not the domain name itself from the internal network.
How can I correct this?
Thanks
01-29-2011 08:46 PM
Nathan,
Kindly rate helpful posts ;p
Now, back to the problem...
The problem most likely is that when the host performs a DNS lookup for mail.iridiumnetworks.com or www.iridiumnetworks.com, the response it gets is the public (outside) IP.
So, when the host attempts to reach the outside IP, the router will forward that packet to the outside (instead of sending the packet to the inside server as it should).
When using ASAs there's a function called dns-doctoring, so the ASA will rewrite the DNS to send the packet to the inside server.
When using IOS it is a bit different; please refer to this document to fix the problem:
https://supportforums.cisco.com/docs/DOC-8936
Hope it helps.
Federico.
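The failure Federico describes can be reproduced with a route lookup over the routing table in the posted config. The following is an added example (not from the thread, from Cisco, or from the linked document) that does that in Python and then shows one common mitigation, split-horizon DNS, where a resolver hands inside clients the inside address so the packet never has to hairpin through the router at all. It assumes a constructed public address 68.148.225.50 inside the ISP's 68.148.224.0/22 (the thread redacts the real one); the linked IOS document may describe a different, router-side fix.

```python
import ipaddress

# Constructed placeholder for the redacted ISP-provided address.
PUBLIC_IP = "68.148.225.50"

# Routing table reconstructed from the posted config:
# (prefix, egress interface, next hop or None for directly connected)
ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), "FastEthernet0/1", None),
    (ipaddress.ip_network("68.148.224.0/22"), "FastEthernet0/0", None),  # 255.255.252.0
    (ipaddress.ip_network("0.0.0.0/0"), "FastEthernet0/0", "68.148.224.1"),
]

LAN = ipaddress.ip_network("192.168.1.0/24")

# Split-horizon zone data: the answer depends on who is asking.
PUBLIC_VIEW = {
    "www.iridiumnetworks.com": PUBLIC_IP,
    "mail.iridiumnetworks.com": PUBLIC_IP,
}
INTERNAL_VIEW = {
    "www.iridiumnetworks.com": "192.168.1.15",
    "mail.iridiumnetworks.com": "192.168.1.40",
}


def route_lookup(dst):
    """Longest-prefix match; returns (egress interface, next hop)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in ROUTES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return best[1], best[2]


def resolve(name, client_ip, split_horizon):
    """With split_horizon, inside clients get the internal view."""
    if split_horizon and ipaddress.ip_address(client_ip) in LAN:
        return INTERNAL_VIEW[name]
    return PUBLIC_VIEW[name]


def egress_for(name, client_ip, split_horizon):
    """Where the router sends the client's packet after the DNS answer."""
    answer = resolve(name, client_ip, split_horizon)
    iface, _ = route_lookup(answer)
    return answer, iface


if __name__ == "__main__":
    # Inside client, single DNS view: answer is public, packet leaves f0/0.
    print(egress_for("www.iridiumnetworks.com", "192.168.1.20", False))
    # Inside client, split horizon: answer is internal, packet stays on f0/1.
    print(egress_for("www.iridiumnetworks.com", "192.168.1.20", True))
    # Outside client is unaffected either way.
    print(egress_for("www.iridiumnetworks.com", "198.51.100.9", True))
```

The first lookup is the symptom in the thread: the inside host is given the public address, the longest match is the ISP-facing /22, and the packet heads out FastEthernet0/0 instead of toward 192.168.1.15. Serving an internal view keeps that traffic on the LAN, which also means the web and mail servers are not reached through the exposed public ports from inside.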