Newbie: Activating NAT

an_ho (Level 1)

Hi everyone,

 

I am very new to Cisco Routing, so please don't mind if this is a trivial question:

 

On my router, the interface gig0/0/1 is the WAN interface and gets an IP address via DHCP from my ISP. I have created a DHCP pool (192.168.1.0/24 with 192.168.1.1 as default gateway) and assigned 192.168.1.1 to gig0/1/0. Now, the initial configuration wizard on IOS XE asked me to activate NAT on the WAN interface, which I did - but if I do this, I do not get an IP address from my ISP (works fine if NAT is deactivated). Since I simply want to enable internet access to all clients in the 192.168.1.0/24 subnet, how can I configure NAT for them?

 

Any help is greatly appreciated!!!

 

Thanks,

 

Andrew

Accepted Solution

Hello,

 

you can add an access list to the WAN interface as configured below:

 

ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8 4.4.4.2
!
interface GigabitEthernet0/0/1
 description WAN Interface
 ip address dhcp
 ! added: filter inbound traffic from the ISP side before NAT
 ip access-group DENY_SSH_HTTP_HTTPS in
 ip nat outside
!
interface GigabitEthernet0/1/0
 description LAN Interface
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
! added: WAN_IP stands for the address the ISP assigns to GigabitEthernet0/0/1
ip access-list extended DENY_SSH_HTTP_HTTPS
 deny tcp any host WAN_IP eq 22
 deny tcp any host WAN_IP eq 80
 deny tcp any host WAN_IP eq 443
 permit ip any any


7 Replies

Hello,

 

not sure what exactly the configuration wizard actually adds to the config, but if you can, try and get to the command line (CLI) and make sure your configuration looks like below:

 

ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 4.4.4.2
!
interface GigabitEthernet0/0/1
description WAN Interface
ip address dhcp
ip nat outside
!
interface GigabitEthernet0/1/0
description LAN Interface
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
!
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0/1 dhcp
!
access-list 1 permit 192.168.1.0 0.0.0.255

Thank you! That was really helpful!!!

 

However, I realized that ssh/http/https for configuration are accessible on the WAN interface from the outside world. How can I prevent that?

 

Thanks,

 

Andrew


Thanks again! Unfortunately, when I use "ip access-group" it gives me an "invalid input" error message. Also, my WAN IP is set via DHCP from the ISP...or is WAN_IP a dynamic placeholder?

 

Thanks,

 

Andrew

Hello,

 

what router model do you have exactly? You might be better off configuring a zone based firewall. Post the full config of your router (sh run) so I can fill in the bits and pieces...

Hi,

 

I own a C1111X-8P with an ip base license. Do I need a specific license to activate ip access-groups?

 

To be honest, for a newbie like myself, the Cisco licensing model is really (!) hard to understand. Is there a table somewhere that lists in detail what features are available with a specific license? For example, would it be possible to run snort IPS on this router (given the right license)?

 

Thanks,

 

Andrew

Hello,
Regarding the NAT, without looking at the configuration it would be hard to see how your rtr is set up. However, for a simple port address translation it shouldn't be too hard to figure out if you can share this.

 

As for your ssh/telnet access to the rtr, another way would be to negate it with an access-list applied to the vty lines using an access-class; as such there is no need for the acl on the physical interface.

 

example:

access-list 1 permit 192.168.2.0 0.0.0.255
!
line vty 0 4
 access-class 1 in
 access-class 1 out


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
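Added example, not from this thread or from Cisco: a small Python audit that reads a captured show running-config and flags the gaps discussed above, that is an incomplete NAT inside/outside pair, a NAT rule pointing at an undefined access-list, a NAT outside interface with no inbound ACL, vty lines with no access-class, and HTTP(S) management left without ip http access-class. The two sample configs are constructed to mirror the thread's setup, and the ACL name DENY_MGMT is an assumed placeholder.

```python
# Constructed sample mirroring the thread's NAT setup, with the management plane left open.
OPEN_CONFIG = """\
interface GigabitEthernet0/0/1
 ip address dhcp
 ip nat outside
interface GigabitEthernet0/1/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source list 1 interface GigabitEthernet0/0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
ip http secure-server
line vty 0 4
 transport input ssh
"""
# Same config with the fixes discussed in the thread (ACL name DENY_MGMT is assumed).
HARDENED_CONFIG = (OPEN_CONFIG.replace(" ip nat outside", " ip access-group DENY_MGMT in\n ip nat outside")
    .replace(" transport input ssh", " access-class 1 in\n transport input ssh") + "ip http access-class 1\n")

def parse_blocks(config):
    """Group each indented sub-command under its parent line (interface, line vty, ...)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank lines and IOS '!' comments carry no config
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return findings: incomplete NAT, or management reachable via the NAT outside interface."""
    blocks, findings = parse_blocks(config), []
    ifaces = {k: v for k, v in blocks.items() if k.startswith("interface ")}
    outside = [k for k, v in ifaces.items() if "ip nat outside" in v]
    if not outside or not any("ip nat inside" in v for v in ifaces.values()):
        findings.append("NAT incomplete: need both 'ip nat inside' and 'ip nat outside' interfaces")
    for rule in (k for k in blocks if k.startswith("ip nat inside source list ")):
        acl = rule.split()[5]  # 'ip nat inside source list <acl> interface ... overload'
        if not any(k.startswith(f"access-list {acl} ") for k in blocks):
            findings.append(f"NAT rule references undefined access-list {acl}")
    for k in outside:
        if not any(c.startswith("ip access-group ") and c.endswith(" in") for c in ifaces[k]):
            findings.append(f"{k}: no inbound ACL on the NAT outside interface")
    for k in (b for b in blocks if b.startswith("line vty")):
        if not any(c.startswith("access-class ") and c.endswith(" in") for c in blocks[k]):
            findings.append(f"{k}: no inbound access-class, SSH/telnet reachable from the WAN")
    if ("ip http secure-server" in blocks or "ip http server" in blocks) and not any(
            k.startswith("ip http access-class") for k in blocks):
        findings.append("HTTP(S) management enabled without 'ip http access-class'")
    return findings
```

Running audit(OPEN_CONFIG) reports the WAN interface, the vty lines and the web UI as exposed, while audit(HARDENED_CONFIG) returns no findings; note that the vty access-class alone does not cover HTTP(S), which needs its own restriction.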