08-10-2010 03:46 PM - edited 03-04-2019 09:22 AM
Hi, I have an Apple Time Capsule gateway and port mapping is configured. However, I have to replace the Time Capsule with a Cisco 1841 router. I am stuck with how to transfer the current port mappings on the Time Capsule to the Cisco router.
At the moment, my current ACL & PAT configuration on the router are as below:
ip nat pool office 212.xxx.xxx.2x0 212.xxx.xxx.2x0 netmask 255.255.255.252
access-list 10 permit 10.0.1.0 0.0.0.255
access-list 10 permit 172.16.1.0 0.0.0.255
access-list 10 permit 192.168.2.0 0.0.0.255
ip nat inside source list 10 interface fa0/0
!!int fa0/0 is configured with 212.xxx.xxx.2x0
Grateful for any response.
Regards,
Solved! Go to Solution.
08-16-2010 12:59 AM
Hello Boniface,
What you want to do is establishing a static mapping between an outside IP address/port and its internal counterpart. This configuration does not need to use ACLs, and can be performed, according to your input, as follows:
ip nat inside source static tcp 10.0.1.103 139 212.xxx.xxx.xxx 139
ip nat inside source static udp 10.0.1.103 137 212.xxx.xxx.xxx 137
ip nat inside source static udp 10.0.1.103 138 212.xxx.xxx.xxx 138
Note that for today's Windows filesharing services, you should also map the TCP port 445:
ip nat inside source static tcp 10.0.1.103 445 212.xxx.xxx.xxx 445
You will still need to designate your interfaces with ip nat inside and ip nat outside but you do not need other NAT commands for these translations to work. Of course, if you want to perform other NAT/PAT, you can add the commands in addition to these here. I assume that you will want to perform an ordinary PAT on the entire internal network 10.0.1.0/24 (?). In this case, you have to pay attention to explicitely exclude the already statically set translations from the PAT. The configuration would be as follows:
access-list 100 deny tcp host 10.0.1.103 eq 139 any eq 139
access-list 100 deny udp host 10.0.1.103 eq 137 any eq 137
access-list 100 deny udp host 10.0.1.103 eq 138 any eq 138
access-list 100 deny tcp host 10.0.1.103 eq 445 any eq 445
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat pool NATPOOL 212.xxx.xxx.xxx 212.xxx.xxx.xxx netmask 255.255.255.0
ip nat inside source list 100 pool NATPOOL overload
Instead of the NAT pool, you could also use the outgoing interface's address - I assume you know how to do that but in case you are not familiar with that, feel free to ask further.
Best regards,
Peter
08-17-2010 04:51 AM
Hi Boniface,
I will make the backup of the current config and try out the modified configuration.
Looking forward to hearing whether it worked!
Regarding the DNS, I have an external DNS server address (given by the ISP) as noted in my config. Will the router point to it after activating caching on it and this information transfer to the clients on the different vlans whose gateway is the respective router interfaces?
Correctly. The router starts behaving as a DNS proxy. Clients ask the router to make a DNS lookup, the router either answers from its cache (if the lookup has been performed before) or asks the preconfigured the DNS servers and passes the original client the reply.
I have a Server 2008 Standard with DHCP for the 10.0.1.0 network. It is still currently disabled but when I activate it, won't it affect the routing on the other interfaces?
The router itself will not be affected by any DHCP server because it does not make use of any DHCP server in its current configuration. Also, a DHCP server will not affect your router's routing table. However, depending on information the DHCP server provides to clients, the clients may have problems using the default gateway (if the DHCP server assigns incorrect default gateway IP address) or talking to DNS server (if the DHCP assigns an incorrect DNS server). Make sure you assign correct IP configuration to clients via the DHCP.
Best regards,
Peter
08-18-2010 01:26 AM
Hello Boniface,
A few comments to your config.
Your interface VLAN10 is currently configured with the IP address 172.168.1.1/24. That is probably an error: correctly, it should be 172.16.1.1/24.
As the NAT configuration refers directly to the outgoing Fa0/0 interface, you do not need the NAT pool created with the ip nat pool office command. It can be removed, as it is currently unused.
The NAT, however, will need to be configured using a single ACL. In your case, you are combining static NAT translations with dynamic PAT. In the ACL, the static translations will need to be exempted so that they do not conflict with the dynamic PAT. You have basically done that with the ACL 100 and the second ip nat inside source list 100 command. We will continue using the ACL 100, and the ACL 10 should be removed together with the ip nat inside source list 10 command that refers to it.
The ACL 100 needs a slight correction, however. You have correctly indicated the source ports in the ACL but the external ports refer to the TCP/UDP ports on clients that are connecting to the server ports 137-139, 445 and 3389 on 10.0.1.100. They can be arbitrary so the ACL should not specify them. Also, the ACL 100 should permit all internal networks to be translated.
The correct form of the ACL 100 would be as follows:
access-list 100 deny tcp host 10.0.1.100 eq 139 any
access-list 100 deny udp host 10.0.1.100 eq 137 any
access-list 100 deny udp host 10.0.1.100 eq 138 any
access-list 100 deny tcp host 10.0.1.100 eq 445 any
access-list 100 deny tcp host 10.0.1.100 eq 3389 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 anyaccess-list 100 permit ip 192.168.1.0 0.0.0.255 any
You have the RIPv2 routing protocol running. Are there any other routers connected to your router? If not then it makes no sense to run a routing protocol because you do not have any peer to exchange the routing tables with. In that case, remove the RIP protocol by simply writing no router rip
Also, you have currently allowed only the directly connected networks to access the Internet thanks to NAT/PAT. Are there perhaps other networks aside from 10.0.1.0/24, 172.16.1.0/24 and 192.168.1.0/24 that will also be accessing the internet through your router? If yes then the ACL 100 will need to permit those networks as well.
Otherwise, the config looks fine.
Best regards,
Peter
08-14-2010 06:40 PM
Hello,
Please be specific as to how your static mappings should look like, i.e. what internal IP and port should be mapped to which external IP and port. This information is necessary to help you further.
Best regards,
Peter
08-15-2010 11:03 PM
Hi Peter,
Thanks alot for the reply.
I like to use Windows Sharing service. Details below:
External ip address is 212.xxx.xxx.xxx
TCP: 139
UDP: 137 - 138
Internal ip address is 10.0.1.103
TCP: 139
UDP: 137-138
How I can I write an acl on the cisco router that would permit this?
Regards,
Boniface
08-16-2010 12:59 AM
Hello Boniface,
What you want to do is establishing a static mapping between an outside IP address/port and its internal counterpart. This configuration does not need to use ACLs, and can be performed, according to your input, as follows:
ip nat inside source static tcp 10.0.1.103 139 212.xxx.xxx.xxx 139
ip nat inside source static udp 10.0.1.103 137 212.xxx.xxx.xxx 137
ip nat inside source static udp 10.0.1.103 138 212.xxx.xxx.xxx 138
Note that for today's Windows filesharing services, you should also map the TCP port 445:
ip nat inside source static tcp 10.0.1.103 445 212.xxx.xxx.xxx 445
You will still need to designate your interfaces with ip nat inside and ip nat outside but you do not need other NAT commands for these translations to work. Of course, if you want to perform other NAT/PAT, you can add the commands in addition to these here. I assume that you will want to perform an ordinary PAT on the entire internal network 10.0.1.0/24 (?). In this case, you have to pay attention to explicitely exclude the already statically set translations from the PAT. The configuration would be as follows:
access-list 100 deny tcp host 10.0.1.103 eq 139 any eq 139
access-list 100 deny udp host 10.0.1.103 eq 137 any eq 137
access-list 100 deny udp host 10.0.1.103 eq 138 any eq 138
access-list 100 deny tcp host 10.0.1.103 eq 445 any eq 445
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat pool NATPOOL 212.xxx.xxx.xxx 212.xxx.xxx.xxx netmask 255.255.255.0
ip nat inside source list 100 pool NATPOOL overload
Instead of the NAT pool, you could also use the outgoing interface's address - I assume you know how to do that but in case you are not familiar with that, feel free to ask further.
Best regards,
Peter
08-16-2010 03:20 AM
Hi Peter,
Thanks for the tips. I will modify the current config, test and update you.
In the meantime, I thought you could look at my current running config and advice (attached).
I also had problem with the DNS. I point the router interface as the client's dns address, it wouldn't work yet I have defined a name server on the router and PAT is active.
Note that I have 4 active interfaces and yet the 1841 has only 2 L3 ports so I added an HWIC-4ESW and worked with vlans. I set one port on the HWIC as a trunk and looped a cable to one of the in-built L3 ports, with sub-interfaces.
Kind regards,
Boniface
08-16-2010 06:49 AM
Hello Boniface,
I have had a look on your configuration.
Regarding the DNS functionality, the Cisco router does not provide a caching DNS server by default. In order to make the Cisco router also work as a caching DNS server, you need to add these commands to the running-config:
ip dns server ! Activates the DNS caching server
no ip domain lookup nsap ! Deactivates lookups for ISO CLNS addresses
Regarding your solution with the interconnection of the trunk Fa0/0/3 with the built-in interface Fa0/1 - it's very original! However, it is not how things are done. The HWIC-4ESW carries data through internal bus to the router and no external interconnections like you did are necessary. The correct configuration, in your case, would be as follows:
no interface Fa0/1.10
no interface Fa0/1.20
no interface Fa0/1.30
interface FastEthernet 0/1
! Unused, can be deactivated
shutdown
interface FastEthernet 0/0/0
switchport mode access
switchport access vlan 10
interface FastEthernet 0/0/1
switchport mode access
switchport access vlan 20
interface FastEthernet 0/0/2
switchport mode access
switchport access vlan 30
interface FastEthernet 0/0/3
! Unused, can be put to default config and deactivated
switchport mode access
switchport access vlan 1
shutdown
interface Vlan1
! Unused, can be deactivated
shutdown
interface Vlan10
description ***RESIDENCES & STTA***
ip address 172.16.1.1 255.255.255.0
ip nat inside
interface Vlan20
description ***WAN TO SUB-OFFICES***
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface Vlan30
description ***MAIN LAN***
ip address 10.0.1.1 255.255.255.0
ip nat inside
After entering these commands, you can completely remove the interconnection between Fa0/0/3 and Fa0/1. This configuration removes all subinterfaces from Fa0/1, shuts down Fa0/0/3 and Fa0/1 and creates virtual interfaces of the router into VLANs 10, 20 and 30. The interfaces Vlan10, Vlan20 and Vlan30 are virtual interfaces that the router uses to talk to individual VLANs created on the HWIC module. Back up your current configuration and give this a try!
Otherwise, your config looks good.
Best regards,
Peter
08-16-2010 02:31 PM
Hi Peter,
Thanks alot for opening up further my understanding.
I will make the backup of the current config and try out the modified configuration.
Regarding the DNS, I have an external DNS server address (given by the ISP) as noted in my config. Will the router point to it after activating caching on it and this information transfer to the clients on the different vlans whose gateway is the respective router interfaces?
I have a Server 2008 Standard with DHCP for the 10.0.1.0 network. It is still currently disabled but when I activate it, won't it affect the routing on the other interfaces?
Will keep you posted.
Regards,
Boniface
08-17-2010 04:51 AM
Hi Boniface,
I will make the backup of the current config and try out the modified configuration.
Looking forward to hearing whether it worked!
Regarding the DNS, I have an external DNS server address (given by the ISP) as noted in my config. Will the router point to it after activating caching on it and this information transfer to the clients on the different vlans whose gateway is the respective router interfaces?
Correctly. The router starts behaving as a DNS proxy. Clients ask the router to make a DNS lookup, the router either answers from its cache (if the lookup has been performed before) or asks the preconfigured the DNS servers and passes the original client the reply.
I have a Server 2008 Standard with DHCP for the 10.0.1.0 network. It is still currently disabled but when I activate it, won't it affect the routing on the other interfaces?
The router itself will not be affected by any DHCP server because it does not make use of any DHCP server in its current configuration. Also, a DHCP server will not affect your router's routing table. However, depending on information the DHCP server provides to clients, the clients may have problems using the default gateway (if the DHCP server assigns incorrect default gateway IP address) or talking to DNS server (if the DHCP assigns an incorrect DNS server). Make sure you assign correct IP configuration to clients via the DHCP.
Best regards,
Peter
08-17-2010 02:02 PM
Hi Peter,
Thanks alot for the help with configuring my router.
I have made the writeup but haven't put it on the router. Please find it attached.
Looking forward to your comments. Users in the 192.168.1.0 and 172.16.1.0 networks have to access the 10.0.1.100 host as well and I was wondering if the acl (100) won't block them.
Also, is it okay to have both standard and extended acls in the same config? As in the sample config, does the order matter as well?
When adding the DHCP role on the server, should I enter the DNS address as that on the router's interface - 10.0.1.1 or the address(es) given by my ISP?, which will then be distributed to the clients in the 10.0.1.0 network.
Grateful for your help.
Kind regards,
Boniface
08-18-2010 01:26 AM
Hello Boniface,
A few comments to your config.
Your interface VLAN10 is currently configured with the IP address 172.168.1.1/24. That is probably an error: correctly, it should be 172.16.1.1/24.
As the NAT configuration refers directly to the outgoing Fa0/0 interface, you do not need the NAT pool created with the ip nat pool office command. It can be removed, as it is currently unused.
The NAT, however, will need to be configured using a single ACL. In your case, you are combining static NAT translations with dynamic PAT. In the ACL, the static translations will need to be exempted so that they do not conflict with the dynamic PAT. You have basically done that with the ACL 100 and the second ip nat inside source list 100 command. We will continue using the ACL 100, and the ACL 10 should be removed together with the ip nat inside source list 10 command that refers to it.
The ACL 100 needs a slight correction, however. You have correctly indicated the source ports in the ACL but the external ports refer to the TCP/UDP ports on clients that are connecting to the server ports 137-139, 445 and 3389 on 10.0.1.100. They can be arbitrary so the ACL should not specify them. Also, the ACL 100 should permit all internal networks to be translated.
The correct form of the ACL 100 would be as follows:
access-list 100 deny tcp host 10.0.1.100 eq 139 any
access-list 100 deny udp host 10.0.1.100 eq 137 any
access-list 100 deny udp host 10.0.1.100 eq 138 any
access-list 100 deny tcp host 10.0.1.100 eq 445 any
access-list 100 deny tcp host 10.0.1.100 eq 3389 any
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 172.16.1.0 0.0.0.255 anyaccess-list 100 permit ip 192.168.1.0 0.0.0.255 any
You have the RIPv2 routing protocol running. Are there any other routers connected to your router? If not then it makes no sense to run a routing protocol because you do not have any peer to exchange the routing tables with. In that case, remove the RIP protocol by simply writing no router rip
Also, you have currently allowed only the directly connected networks to access the Internet thanks to NAT/PAT. Are there perhaps other networks aside from 10.0.1.0/24, 172.16.1.0/24 and 192.168.1.0/24 that will also be accessing the internet through your router? If yes then the ACL 100 will need to permit those networks as well.
Otherwise, the config looks fine.
Best regards,
Peter
02-02-2017 09:03 AM
Hi Peter, how are you? My port forwarding it doesn't working and i don't know why.
Can you help me please?
I have a LAN connected to FastEthernet0/1 with NAT. In that interface have a public address configured. I'm forwarding everything that comes to muy address 190.XXX.XX.XXX/29 -> 192.168.0.11/24 using "ip nat inside source static 192.168.0.11 3389 190.XXX.XX.XXX/29 extendable" but it doesn't work.
Here's the configuration on my Router Cisco 1841.
!
!
ip name-server 200.44.32.12
ip name-server 200.109.78.12
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet 0/0
no ip address
speed 100
full-duplex
!
interface FastEthernet 0/0.XXX
description WAN_PORT
encapsulation dot1Q XXX
ip address 201.249.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface FastEthernet 0/1
description LAN_PORT
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
no fair-queue
clock rate 2000000
!
ip default-gateway 201.249.XXX.XXX
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 201.249.XXX.XXX
ip route 192.168.0.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
ip http secure-server
ip dns server
ip nat pool NAT_IP_PUBLICA 201.249.XXX.XXX 201.249.XXX.XXX netmask 255.255.255.252
ip nat inside source route-map NAT_ISP_1 pool NAT_IP_PUBLICA overload
ip nat inside source static tcp 192.168.0.11 3389 190.XXX.XX.XXX 3389 extendable
!
ip access-list extended NAT_ACL
permit ip 192.168.0.0 0.0.0.255 any
!
!
!
!
route-map NAT_ISP_1 permit 10
match ip address NAT_ACL
match interface FastEthernet 0/0.XXX
!
!
!
Thank you. Hope your help.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide