05-26-2012 09:40 PM - edited 03-05-2019 06:48 AM
I have a set of public IPs (/29) using ADSL2+. Is it possible to configure a Cisco 857 as a public gateway so I can assign public IPs to my computers? Before I upgraded to ADSL2+ I was using a Cisco 678, which can be configured as a public gateway without problem, but now I have to use ADSL2+ and can't use the Cisco 678 anymore. Thank you for your help, experts.
05-27-2012 02:19 AM
You can configure NAT for the public IPs (/29) that you have on the Cisco 857. You just have to make sure that the /29 public IP range is being routed towards your 857's WAN/Internet-facing interface.
05-27-2012 08:23 AM
Thank you for your reply.
I am doing NAT now, but can I assign a public IP to my computer, so I don't need to configure NAT for each port on each public IP? And can my LAN also access the server directly using the public IP or domain?
05-27-2012 08:37 AM
If you are assigning it directly to your computer, you would need to create a VLAN and use one of the public IPs on the router as your computer's default gateway.
05-27-2012 09:00 AM
I have a VLAN now that uses 192.168.0.1, and I have set a static IP on the ADSL interface using x.x.x.78/29, so the router is using x.x.x.78 now. I had tried to set the VLAN using the public IP too, but it won't let me; the IP conflicts with the address set on the ADSL interface.
05-27-2012 06:36 PM
Yes, if you have already assigned that IP to the ADSL interface, then you won't be able to use it on another VLAN/interface.
Why don't you configure static NAT instead of static PAT on the router? That way you just configure 1:1 NAT for each computer, which achieves the same thing as assigning the public IP to the computer.
You can share your configuration and I can advise how to configure it. Just let me know which public IP to assign to which private IP.
05-27-2012 07:56 PM
OK, here is my configuration:
Building configuration...
Current configuration : 11709 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco857
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$NAWc$CH1VUmksNXMkkat90KfbB1
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2303996204
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2303996204
revocation-check none
rsakeypair TP-self-signed-2303996204
!
!
crypto pki certificate chain TP-self-signed-2303996204
certificate self-signed 01
quit
dot11 syslog
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool ccp-pool1
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.2 205.171.2.65
!
ip dhcp pool Server1
hardware-address 0027.0e0a.9339
client-name Intel-i5
!
!
ip cef
ip inspect name CCP_LOW cuseeme
ip inspect name CCP_LOW dns
ip inspect name CCP_LOW ftp
ip inspect name CCP_LOW h323
ip inspect name CCP_LOW sip
ip inspect name CCP_LOW https
ip inspect name CCP_LOW icmp
ip inspect name CCP_LOW imap
ip inspect name CCP_LOW pop3
ip inspect name CCP_LOW rcmd
ip inspect name CCP_LOW realaudio
ip inspect name CCP_LOW rtsp
ip inspect name CCP_LOW esmtp
ip inspect name CCP_LOW sqlnet
ip inspect name CCP_LOW streamworks
ip inspect name CCP_LOW tftp
ip inspect name CCP_LOW tcp
ip inspect name CCP_LOW udp
ip inspect name CCP_LOW vdolive
no ip bootp server
ip name-server 205.171.3.65
ip name-server 205.171.2.65
!
!
!
username admin privilege 15 secret 5 $1$b8Ew$IT41ysH8Q0vre4RtpnVz2.
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
pvc 0/32
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address x.x.x.78 255.255.255.248
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect CCP_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxx@xxxx.net
ppp chap password 7 096156184F0D1C031E
ppp pap sent-username xxxxxx@xxxx.net password 7 11240114411A001D11
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 80 x.x.x.73 80 extendable
ip nat inside source static tcp 192.168.0.2 1982 x.x.x.73 1982 extendable
ip nat inside source static tcp 192.168.0.2 1983 x.x.x.73 1983 extendable
ip nat inside source static tcp 192.168.0.2 1984 x.x.x.73 1984 extendable
ip nat inside source static tcp 192.168.0.2 8443 x.x.x.73 8443 extendable
ip nat inside source static tcp 192.168.0.3 3389 x.x.x.75 3389 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.254.0 0.0.0.255
access-list 3 permit xx.xx.xx.232
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 100 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 100 permit udp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq snmp
access-list 100 deny tcp any host 192.168.0.1 eq telnet
access-list 100 deny tcp any host 192.168.0.1 eq 22
access-list 100 deny tcp any host 192.168.0.1 eq www
access-list 100 deny tcp any host 192.168.0.1 eq 443
access-list 100 deny tcp any host 192.168.0.1 eq cmd
access-list 100 deny udp any host 192.168.0.1 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip host xx.xx.xx.232 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp host xx.xx.xx.232 host x.x.x.78 eq telnet
access-list 102 permit tcp host xx.xx.xx.232 host x.x.x.78 eq 22
access-list 102 permit tcp host xx.xx.xx.232 host x.x.x.78 eq www
access-list 102 permit tcp host xx.xx.xx.232 host x.x.x.78 eq 443
access-list 102 permit tcp host xx.xx.xx.232 host x.x.x.78 eq cmd
access-list 102 deny tcp any host x.x.x.78 eq telnet
access-list 102 deny tcp any host x.x.x.78 eq 22
access-list 102 deny tcp any host x.x.x.78 eq www
access-list 102 deny tcp any host x.x.x.78 eq 443
access-list 102 deny tcp any host x.x.x.78 eq cmd
access-list 102 deny udp any host x.x.x.78 eq snmp
access-list 102 permit ip any any
access-list 103 remark auto generated by CCP firewall configuration
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq telnet
access-list 103 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 22
access-list 103 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq www
access-list 103 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq 443
access-list 103 permit tcp 192.168.0.0 0.0.0.255 host 192.168.0.1 eq cmd
access-list 103 deny tcp any host 192.168.0.1 eq telnet
access-list 103 deny tcp any host 192.168.0.1 eq 22
access-list 103 deny tcp any host 192.168.0.1 eq www
access-list 103 deny tcp any host 192.168.0.1 eq 443
access-list 103 deny tcp any host 192.168.0.1 eq cmd
access-list 103 deny udp any host 192.168.0.1 eq snmp
access-list 103 deny ip x.x.x.72 0.0.0.7 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by CCP firewall configuration
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp host xx.xx.xx.232 host x.x.x.78 eq telnet
access-list 104 permit tcp host xx.xx.xx.232 host x.x.x.78 eq 22
access-list 104 permit tcp host xx.xx.xx.232 host x.x.x.78 eq www
access-list 104 permit tcp host xx.xx.xx.232 host x.x.x.78 eq 443
access-list 104 permit tcp host xx.xx.xx.232 host x.x.x.78 eq cmd
access-list 104 deny udp any host x.x.x.78 eq snmp
access-list 104 remark Custom Terminals
access-list 104 permit tcp any host x.x.x.73 range 1982 1984
access-list 104 remark Allow WebServer
access-list 104 permit tcp any host x.x.x.73 eq www
access-list 104 remark SVN Server
access-list 104 permit tcp any host x.x.x.73 eq 8443
access-list 104 remark From Rest To I7 All Port
access-list 104 permit ip host xx.xx.xx.232 host x.x.x.75
access-list 104 permit udp host 205.171.2.65 eq domain host x.x.x.78
access-list 104 permit udp host 205.171.3.65 eq domain host x.x.x.78
access-list 104 deny ip 192.168.0.0 0.0.0.255 any
access-list 104 permit icmp any host x.x.x.78 echo-reply
access-list 104 permit icmp any host x.x.x.78 time-exceeded
access-list 104 permit icmp any host x.x.x.78 unreachable
access-list 104 permit tcp 192.168.0.0 0.0.0.255 host x.x.x.78 eq 4443
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
privilege 15 secret 0 Replace
and with the username and password you want to use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
access-class 101 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
How do I make a static NAT from x.x.x.73 to 192.168.0.2?
And if the computer with 192.168.0.2 accesses a URL, what IP will the URL get: x.x.x.73 or the IP of the router?
Thank you very much!
05-27-2012 08:33 PM
Here you go:
ip nat inside source static 192.168.0.2 x.x.x.73
ip nat inside source static 192.168.0.3 x.x.x.75
And you will need to remove the following first:
ip nat inside source static tcp 192.168.0.2 80 x.x.x.73 80 extendable
ip nat inside source static tcp 192.168.0.2 1982 x.x.x.73 1982 extendable
ip nat inside source static tcp 192.168.0.2 1983 x.x.x.73 1983 extendable
ip nat inside source static tcp 192.168.0.2 1984 x.x.x.73 1984 extendable
ip nat inside source static tcp 192.168.0.2 8443 x.x.x.73 8443 extendable
ip nat inside source static tcp 192.168.0.3 3389 x.x.x.75 3389 extendable
Then after the above changes, please clear the existing translation table: clear ip nat trans *
When the computer with 192.168.0.2 tries to access a URL, it will be NATed to x.x.x.73.
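An added example, not part of the original thread: with 1:1 static NAT the inbound ACL on Dialer0 (access-list 104 in the posted config) is the only thing limiting what reaches the inside host, whereas the removed static PAT entries forwarded just the mapped ports. The Python below compares the two for the thread's own entries; the function names are hypothetical, and the parser assumes only `permit ... host <dst>` lines matter (deny ordering is ignored).

```python
NAMED_PORTS = {"www": 80}  # the only port name used in the thread's ACL entries
# Constructed sample: NAT and access-list 104 lines from the thread, addresses masked
# as posted. CONFIG_BEFORE keeps the original static PAT entry for 192.168.0.3.
CONFIG_AFTER = """\
ip nat inside source static 192.168.0.2 x.x.x.73
ip nat inside source static 192.168.0.3 x.x.x.75
access-list 104 permit tcp any host x.x.x.73 range 1982 1984
access-list 104 permit tcp any host x.x.x.73 eq www
access-list 104 permit tcp any host x.x.x.73 eq 8443
access-list 104 permit ip host xx.xx.xx.232 host x.x.x.75
access-list 104 deny ip any any log
"""
CONFIG_BEFORE = CONFIG_AFTER.replace(
    "static 192.168.0.3 x.x.x.75", "static tcp 192.168.0.3 3389 x.x.x.75 3389 extendable")

def parse_permit(t):
    """Tokens after 'permit' -> (proto, src, dst, (lo, hi)); None for forms not handled."""
    proto, src, rest = t[0], t[1], t[2:]
    if src == "host":
        src, rest = rest[0], rest[1:]
    if rest[:1] != ["host"]:
        return None
    dst, rest = rest[1], rest[2:]
    if rest[:1] == ["eq"]:
        port = NAMED_PORTS.get(rest[1]) or int(rest[1])
        return proto, src, dst, (port, port)
    if rest[:1] == ["range"]:
        return proto, src, dst, (int(rest[1]), int(rest[2]))
    return proto, src, dst, (0, 65535)  # no port qualifier: everything

def exposure(config, acl="104"):
    """Map each inside host to the (source, proto, lo, hi) tuples that reach it from outside."""
    nats, permits = [], []
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"]:
            if t[5] in ("tcp", "udp"):      # static PAT: proto local lport global gport
                nats.append((t[6], t[8], t[5], int(t[9])))
            else:                           # 1:1 static NAT: local global
                nats.append((t[5], t[6], None, None))
        elif t[:3] == ["access-list", acl, "permit"] and parse_permit(t[3:]):
            permits.append(parse_permit(t[3:]))
    reach = {}
    for local, glob, nat_proto, gport in nats:
        for proto, src, dst, (lo, hi) in permits:
            if dst == glob and nat_proto is None:   # 1:1 NAT passes whatever the ACL permits
                reach.setdefault(local, []).append((src, proto, lo, hi))
            elif dst == glob and proto in (nat_proto, "ip") and lo <= gport <= hi:
                reach.setdefault(local, []).append((src, nat_proto, gport, gport))
    return reach
```

For 192.168.0.3 the result widens from TCP 3389 to every protocol and port from xx.xx.xx.232, because access-list 104 permits `ip` to x.x.x.75; the entries for x.x.x.73 are already port-specific, so 192.168.0.2 stays limited to 80, 1982-1984 and 8443.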
05-27-2012 10:47 PM
Thank you for your help!