
Configuring 1841

iridiumnetworks
Level 1

Hi All,

I'm having issues configuring my 1841 router for internet access and I thought I'd come here for some advice.

Here's what I would like to do:

On interface fa 0/0 I would like it facing the cable modem to the internet; I have a static IP address with my ISP.

On interface 0/1 I would like this to face my internal network and connect it to an unmanaged switch, with all the internal servers having 10.10.10.0 IPs.

I would like to allow ALL traffic to pass through the router both incoming and outgoing; I don't need to use ACLs because I will use a firewall on certain servers as needed.

I should mention I followed some tutorials on the internet of how to configure the router using NAT, I was able to connect out to the internet but wasn't able to connect back to any servers in my network (web, mail etc) so I reset the router back to factory set and would like to start from scratch.

Can anyone give me an idea of how to configure the router for this?

Thanks!

10 Replies

Hi,

For example, if your f0/0 is the ISP-facing interface and f0/1 the LAN interface:

interface f0/0
  ip address x.x.x.x 255.255.255.252
  no shut
!
interface f0/1
  ip address y.y.y.y 255.255.255.0
  no shut

The router should have a default gateway to the ISP:

ip route 0.0.0.0 0.0.0.0 x.x.x.1   ! x.x.x.1 = IP of the ISP next hop

The local LAN (servers behind the unmanaged switch) should have a default gateway pointing to the LAN interface of the router (y.y.y.y)

The NAT configuration is as follows:

ip access-list extended NAT
  permit ip y.y.y.0 0.0.0.255 any
!
! 0.0.0.255 is a wildcard mask (the inverse of 255.255.255.0); extended ACLs
! take wildcards, and a subnet mask typed here matches none of the LAN hosts.
!
ip nat inside source list NAT interface f0/0 overload
!
! y.y.y.10 / y.y.y.20 stand for the inside web and mail servers (not the
! router's own LAN address); x.x.x.5 / x.x.x.6 are public addresses the ISP routes to you.
ip nat inside source static tcp y.y.y.10 80 x.x.x.5 80
ip nat inside source static tcp y.y.y.20 25 x.x.x.6 25

The above NAT configuration gives internet access to the servers and allows inbound web and SMTP traffic to the internal servers.

Then apply the NAT to the interfaces:

interface f0/0
  ip nat outside
!
interface f0/1
  ip nat inside

Hope it helps.

Federico.

Nathan

From your description I believe that you ran into an issue that is very common as people begin to learn about configuring address translation. Probably you configured a dynamic PAT for the Address Translation on your router. (It might look something like ip nat inside source list NAT interface f0/0 overload).

This works very well for translating traffic that originates within your network and is going out to the Internet. But it does not provide any translation for traffic that originates in the Internet and attempts to reach servers in your network. To support servers in your network that need to be reachable from the Internet you need a static translation. The example given by Federico is one way to do this:

ip nat inside source static tcp y.y.y.10 80 x.x.x.5 80
ip nat inside source static tcp y.y.y.20 25 x.x.x.6 25

(y.y.y.10 and y.y.y.20 being the inside web and mail servers.)

HTH

Rick


Thanks Guys.


In the first example he put (ip nat inside source list NAT interface f0/0 overload) as well; how does this differ from what you said about PAT?

Hi Guys,


I tried the above configuration and I still can't connect out to the internet unless PAT is enabled.

What am I missing?

Thanks

Nathan,

ip nat inside source list NAT interface f0/0 overload = PAT

So, the above command actually performs PAT (Port Address Translation) using the IP of f0/0.

Are you saying, internet works with PAT now or it doesn't?

Check the translations with show ip nat translations


Federico.

Nathan

What I was trying to explain in my previous post was that PAT performs dynamic translation and supports connections initiated from inside your network to the Internet.

For your hosts in your network to access the Internet some kind of address translation is needed. There are multiple options for what kind of translation you can use. The simplest is PAT, but other options include dynamic NAT and static translations. If you do not perform some type of translation your hosts will not be able to access the Internet.

If you do PAT then it would allow connections initiated from your hosts to the Internet. But PAT does not work for hosts in the Internet that need to initiate connections to hosts in your network. It is not clear whether you require Internet access to your hosts. I gathered from your post that perhaps you did need this. To support access by Internet hosts to hosts in your network you need to configure some kind of static translation.

HTH

Rick


Hi Federico,

I can only access the internet if I use the following command:

ip nat inside source list 1 interface FastEthernet0/0 overload

I tried to use the command you provided but the router still wouldn't let me access the internet. I have pasted my configuration below.

What am I missing?

Thanks!

-------------------------------------------------------------

Current configuration : 1302 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname IDM-EDM-CORE
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$qjT9$CspK9pWE1nAJmBlz./Uso0
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 64.59.184.13
ip name-server 64.59.184.15
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address *ISP Provided Static IP* 255.255.252.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
ip route 0.0.0.0 0.0.0.0 68.148.224.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.15 80 *ISP Provided IP* 80 extendable
!
ip access-list extended NAT
permit ip 0.0.0.0 255.255.255.0 any
!
!
!
!
!
control-plane
!
!
banner motd ^C
******************************************
* Unauthorized Access Prohibited         *
* Iridium Networks Inc                   *
******************************************
^C
!
line con 0
password *********
login
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end

The ACL you have is incorrect.

You need to change:

ip access-list extended NAT
permit ip 0.0.0.0 255.255.255.0 any

To

ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any

Federico.
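
Federico's correction above turns on the wildcard mask: in an IOS extended ACL the second address is a wildcard (a 1 bit means "don't care"), so "permit ip 0.0.0.0 255.255.255.0 any" matches only addresses whose last octet is 0, and no LAN host ever gets a translation. The Python below is an added example, not from the thread or from Cisco: it parses a constructed excerpt of the posted config, applies those ACL semantics to the LAN behind the "ip nat inside" interface, and flags the mismatch, the subnet-mask-typed-as-wildcard pattern, and any static entry that points at an address outside the inside subnet. The public address 198.51.100.10 (documentation range) stands in for the masked ISP address, and the parser understands only the few statements NAT depends on.

```python
import ipaddress
import re

# Constructed excerpt of the running-config posted above. The masked public
# address is replaced with 198.51.100.10 (documentation range), an assumption.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 198.51.100.10 255.255.252.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.15 80 198.51.100.10 80 extendable
!
ip access-list extended NAT
 permit ip 0.0.0.0 255.255.255.0 any
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def wildcard_matches(addr: str, wildcard: str, host: str) -> bool:
    """IOS ACL semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(host)) & care)


def looks_like_subnet_mask(wildcard: str) -> bool:
    """Contiguous 1s from the top (255.255.255.0) is a subnet mask typed where a
    wildcard (0.0.0.255) was meant. 0.0.0.0 (host) and 255.255.255.255 (any) are fine."""
    w = int(ipaddress.IPv4Address(wildcard))
    inv = ~w & 0xFFFFFFFF
    return 0 < w < 0xFFFFFFFF and (inv & (inv + 1)) == 0


def parse_config(text: str) -> dict:
    """Pull out the statements NAT depends on. Only 'permit ip A WILDCARD ...'
    ACL entries are read; host/any forms are skipped by this checker."""
    cfg = {"interfaces": {}, "acls": {}, "pat": None, "statics": []}
    block = None  # the interface (dict) or ACL (list) whose sub-commands follow
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            block = None  # '!' separates sections in a printed config
            continue
        if m := re.match(r"interface (\S+)", line):
            block = cfg["interfaces"].setdefault(m.group(1), {"nat": None, "network": None})
        elif m := re.match(r"ip access-list extended (\S+)", line):
            block = cfg["acls"].setdefault(m.group(1), [])
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line):
            cfg["pat"] = (m.group(1), m.group(2))
        elif m := re.match(rf"ip nat inside source static (tcp|udp) {IPV4} (\d+) {IPV4} (\d+)", line):
            cfg["statics"].append((m.group(1), m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
        elif isinstance(block, dict):
            if m := re.match(rf"\s*ip address {IPV4} {IPV4}", line):
                block["network"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
            elif m := re.match(r"\s*ip nat (inside|outside)\s*$", line):
                block["nat"] = m.group(1)
        elif isinstance(block, list):
            if m := re.match(rf"\s*permit ip {IPV4} {IPV4}\b", line):
                block.append((m.group(1), m.group(2)))
    return cfg


def lint(text: str) -> list:
    """Return human-readable findings; an empty list means the NAT plumbing is consistent."""
    cfg = parse_config(text)
    findings = []
    inside = {n: i["network"] for n, i in cfg["interfaces"].items()
              if i["nat"] == "inside" and i["network"] is not None}
    outside = [n for n, i in cfg["interfaces"].items() if i["nat"] == "outside"]
    if not inside or not outside:
        return ["need at least one addressed 'ip nat inside' and one 'ip nat outside' interface"]
    if cfg["pat"] is None:
        findings.append("no 'ip nat inside source list ... overload' statement: outbound traffic is not translated")
    else:
        acl, out_if = cfg["pat"]
        if out_if not in outside:
            findings.append(f"PAT uses {out_if}, which is not 'ip nat outside'")
        entries = cfg["acls"].get(acl, [])
        if not entries:
            findings.append(f"NAT ACL '{acl}' is missing or has no network entries: nothing is translated")
        for name, net in inside.items():
            probe = str(net[1])  # a host on that LAN (the router's own address is good enough)
            if entries and not any(wildcard_matches(a, w, probe) for a, w in entries):
                findings.append(f"NAT ACL '{acl}' does not match {probe} on {name}; "
                                f"use a wildcard such as 'permit ip {net.network_address} {net.hostmask} any'")
        for a, w in entries:
            if looks_like_subnet_mask(w):
                inverse = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(w)) & 0xFFFFFFFF)
                findings.append(f"ACL entry '{a} {w}' looks like a subnet mask; IOS wants the inverse ({inverse})")
    for proto, in_ip, in_port, out_ip, out_port in cfg["statics"]:
        if not any(ipaddress.IPv4Address(in_ip) in net for net in inside.values()):
            findings.append(f"static {proto}/{out_port} -> {in_ip}:{in_port}: {in_ip} is not on any 'ip nat inside' subnet")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print("-", finding)
```

Against the excerpt as posted it reports two findings (the ACL does not match 192.168.1.1, and 255.255.255.0 looks like a subnet mask); with Federico's "permit ip 192.168.1.0 0.0.0.255 any" it reports none. It is a consistency check on the config text only; "show ip nat translations" on the router remains the real test.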

Thank you so much this worked!

I have one question though: I can connect to my services from outside my network, but when I try to download mail internally from my network (mail.iridiumnetworks.com - internal IP of the server is 192.168.1.40) or try to connect to the website internally on the network (www.iridiumnetworks.com - internal IP of the server 192.168.1.15) I cannot connect to it; it only works from the outside into the network.

I can connect to the website through the IP but not the domain name itself from the internal network.

How can I correct this?

Thanks

Nathan,


Kindly rate helpful posts ;p

Now, back to the problem...

The problem is most likely that when the host performs a DNS lookup for mail.iridiumnetworks.com or www.iridiumnetworks.com, the response it gets is the public (outside) IP.

So, when the host attempts to reach the outside IP, the router will forward that packet to the outside (instead of sending the packet to the inside server as it should).

When using ASAs there's a function called dns-doctoring, so the ASA will rewrite the DNS to send the packet to the inside server.

With IOS it is a bit different; please refer to this document to fix the problem:
https://supportforums.cisco.com/docs/DOC-8936

Hope it helps.

Federico.
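
Rick's explanation earlier in the thread (PAT only carries connections that start on the inside; a static entry is what admits traffic from the Internet) and Federico's explanation just above (a LAN host that resolves the name to the public address is forwarded outward instead of to the server) both come down to the order in which IOS routes and translates. The Python below is an added example, not from the thread or from Cisco: it models one router with f0/1 as "ip nat inside" and f0/0 as "ip nat outside", one static entry for the web server, and dynamic PAT, then replays the cases discussed. Assumptions: the masked ISP address is 198.51.100.10, the Internet hosts 203.0.113.7 and 192.0.2.10 and the LAN client 192.168.1.50 are constructed; ACLs, the router's own listening services and entry timeouts are left out.

```python
import ipaddress
from dataclasses import dataclass, replace

# Assumed addresses: LAN and web server from the thread; the public address,
# the Internet hosts and the LAN client are constructed for the example.
PUBLIC_IP = "198.51.100.10"
LAN = "192.168.1.0/24"
WEB_SERVER = "192.168.1.15"
INSIDE_CLIENT = "192.168.1.50"
OUTSIDE_CLIENT = "203.0.113.7"
INTERNET_HOST = "192.0.2.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """One 'ip nat inside' interface (f0/1) and one 'ip nat outside' interface (f0/0).
    Order of operations as on IOS: inside->outside is routing, then source translation;
    outside->inside is destination translation, then routing."""

    def __init__(self, lan: str, public_ip: str):
        self.lan = ipaddress.ip_network(lan)
        self.public_ip = public_ip
        self.statics = {}   # public port -> (inside ip, port): 'ip nat inside source static tcp ...'
        self.pat = {}       # (inside ip, port) -> public port: entries built by '... overload'
        self.next_port = 1024

    def add_static(self, inside_ip: str, inside_port: int, public_port: int) -> None:
        self.statics[public_port] = (inside_ip, inside_port)

    def route(self, dst: str) -> str:
        """Connected LAN prefix out f0/1; everything else follows the default route out f0/0."""
        return "f0/1" if ipaddress.ip_address(dst) in self.lan else "f0/0"

    def forward(self, pkt: Packet, ingress: str):
        """Return (translated packet, egress interface); (None, None) means dropped."""
        if ingress == "f0/1":
            egress = self.route(pkt.dst)
            if egress == "f0/0":
                # Only the source is rewritten on this path. The destination is left alone,
                # so a LAN host talking to the public address is never steered to the inside server.
                key = (pkt.src, pkt.sport)
                if key not in self.pat:
                    self.pat[key] = self.next_port
                    self.next_port += 1
                pkt = replace(pkt, src=self.public_ip, sport=self.pat[key])
            return pkt, egress
        if pkt.dst != self.public_ip:
            return None, None  # not addressed to this router
        if pkt.dport in self.statics:  # static entry: reachable from outside at any time
            in_ip, in_port = self.statics[pkt.dport]
        else:  # otherwise only replies to an existing PAT entry get in
            hits = [key for key, port in self.pat.items() if port == pkt.dport]
            if not hits:
                return None, None
            in_ip, in_port = hits[0]
        pkt = replace(pkt, dst=in_ip, dport=in_port)
        return pkt, self.route(pkt.dst)


def scenarios() -> dict:
    """Replay the cases discussed in the thread; returns name -> (packet, egress)."""
    r = NatRouter(LAN, PUBLIC_IP)
    r.add_static(WEB_SERVER, 80, 80)
    out = {}
    # 1. LAN host to an Internet server: PAT rewrites the source to PUBLIC_IP:1024.
    out["inside_to_internet"] = r.forward(Packet(INSIDE_CLIENT, 50000, INTERNET_HOST, 443), "f0/1")
    # 2. The reply to that PAT entry is mapped back to the LAN host.
    out["reply_to_inside"] = r.forward(Packet(INTERNET_HOST, 443, PUBLIC_IP, 1024), "f0/0")
    # 3. Internet client to a port with no static entry: dropped. PAT alone admits nothing new inbound.
    out["outside_to_smtp"] = r.forward(Packet(OUTSIDE_CLIENT, 40000, PUBLIC_IP, 25), "f0/0")
    # 4. Internet client to the web server through the static entry: works.
    out["outside_to_web"] = r.forward(Packet(OUTSIDE_CLIENT, 40001, PUBLIC_IP, 80), "f0/0")
    # 5. LAN host to www by the public address DNS gave it: leaves via f0/0, never reaches the server.
    out["inside_to_public_name"] = r.forward(Packet(INSIDE_CLIENT, 50001, PUBLIC_IP, 80), "f0/1")
    # 6. LAN host to the server's private address: plain routing, no NAT, works.
    out["inside_to_private_ip"] = r.forward(Packet(INSIDE_CLIENT, 50002, WEB_SERVER, 80), "f0/1")
    return out


if __name__ == "__main__":
    for name, (pkt, egress) in scenarios().items():
        print(f"{name:23} -> " + ("dropped" if pkt is None else f"{pkt.src}:{pkt.sport} > {pkt.dst}:{pkt.dport} via {egress}"))
```

Case 5 is the packet Federico describes: it leaves towards the ISP side with its destination untouched, which is why the inside hosts need either a DNS answer carrying the private address or the IOS-side fix in the document he links. Case 6 matches Nathan's observation that the site works from inside when addressed by IP.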
