891 router NAT setup

evil_root
Level 1

Hello.

I've got working PAT, but I'm absolutely not sure how to perform an additional task.

ip cef
no ip bootp server
no ipv6 cef
!
interface FastEthernet8
 ip address 192.168.1.141 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 194.56.32.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 10 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 194.56.32.25
access-list 10 permit 10.10.10.0 0.0.0.255
no cdp run

Network diagram attached.

Is there a way to route Vlan1 (bypassing PAT) to a server in the 192.168.1.0/24 network via Fa8 (let's say, 192.168.1.41)?

Thank you.

22 Replies

Thanks. This helped a lot.

But is there any chance to limit the IP range or allow only some destination IPs on Fa8 (like an IP pool on dynamic NAT)?

Hi,

Please explain a bit more about your question. Do you want to do "source routing" to redirect traffic out of Fa8 with NAT?

Toshi

I need to restrict access via Fa8 to 2 IPs only.

I.e., Vlan1 should be NATed to 192.168.0.2 and 192.168.0.3 only.

Other traffic should be dropped.

I'm trying to get it using 'match ip address' and ACLs, but have had no luck yet.

Hi,

Please post the current configuration and detailed requirements.

Toshi

Requirement is to allow NAT to 192.168.0.2 and 192.168.0.3 only.

interface FastEthernet8
 ip address 192.168.0.41 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0
 ip address 194.56.86.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
 ip address 10.20.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip nat inside source route-map map-lan interface FastEthernet8 overload
ip nat inside source route-map map-world interface GigabitEthernet0 overload
!
access-list 10 permit 10.20.11.0 0.0.0.255
access-list 11 permit 192.168.0.2
access-list 11 permit 192.168.0.3
!
route-map map-lan permit 10
 match ip address 10 11
 match interface FastEthernet8
!
route-map map-world permit 10
 match ip address 10
 match interface GigabitEthernet0
!

Hi,

Just try this for testing:

!
no access-list 10 permit 10.10.10.0 0.0.0.255
no access-list 11 permit 192.168.0.2
no access-list 11 permit 192.168.0.3
!
! numbered extended ACLs (100-199) need the protocol keyword ("ip") before the addresses
access-list 101 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.2
access-list 101 deny ip 10.10.10.0 0.0.0.255 host 192.168.0.3
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.2
access-list 102 permit ip 10.10.10.0 0.0.0.255 host 192.168.0.3
!
route-map map-lan permit 10
 match ip address 102
 match interface FastEthernet8
!
route-map map-world permit 10
 match ip address 101
 match interface GigabitEthernet0
!

Hope I understood you correctly.

HTH,

Toshi

Sorry for my English...

It's vice versa.

route-map map-lan should allow connections to these hosts only:

192.168.0.2

192.168.0.3

Others should be blocked.

Got it with:

ip access-list extended acl-lan
 permit ip 10.20.11.0 0.0.0.255 host 192.168.0.13
 permit ip 10.20.11.0 0.0.0.255 host 192.168.0.3
 permit ip 10.20.11.0 0.0.0.255 host 192.168.0.10
 permit ip 10.20.11.0 0.0.0.255 host 192.168.0.20
 permit ip 10.20.11.0 0.0.0.255 host 192.168.0.22

Thank you!
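As an added illustration (not from the thread or the router), a small Python model of why the first route-map attempt could not restrict destinations while the extended ACL can. It assumes IOS semantics as documented: a standard ACL tests only the source address, an extended ACL tests source and destination, and `match ip address 10 11` is satisfied when any one of the listed ACLs permits the packet; the extended ACL is constructed with the two hosts from the stated requirement rather than the poster's final list.

```python
import ipaddress


def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 0 bit must match exactly, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)


def acl_permits(acl, src, dst):
    """Evaluate an ACL top-down; first match wins, implicit deny at the end.
    Entries are (action, src_base, src_wc, dst_base, dst_wc); a standard ACL
    carries dst_base=None because it only ever tests the source address."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and (db is None or wildcard_match(dst, db, dw)):
            return action == "permit"
    return False


def route_map_matches(acls, src, dst):
    """'match ip address 10 11' is satisfied when ANY listed ACL permits."""
    return any(acl_permits(acl, src, dst) for acl in acls)


# First attempt from the thread: two standard (source-only) ACLs on one match line.
ACL10 = [("permit", "10.20.11.0", "0.0.0.255", None, None)]
ACL11 = [("permit", "192.168.0.2", "0.0.0.0", None, None),
         ("permit", "192.168.0.3", "0.0.0.0", None, None)]

# Working approach: one extended ACL naming the source AND the allowed destination
# hosts (constructed here with the two hosts from the stated requirement).
ACL_LAN = [("permit", "10.20.11.0", "0.0.0.255", "192.168.0.2", "0.0.0.0"),
           ("permit", "10.20.11.0", "0.0.0.255", "192.168.0.3", "0.0.0.0")]


def first_attempt_nats(src, dst):
    return route_map_matches([ACL10, ACL11], src, dst)


def extended_acl_nats(src, dst):
    return route_map_matches([ACL_LAN], src, dst)


if __name__ == "__main__":
    for dst in ("192.168.0.2", "192.168.0.99"):
        print(dst, first_attempt_nats("10.20.11.5", dst), extended_acl_nats("10.20.11.5", dst))
```

Run it and the first column shows the standard-ACL route-map NATing every destination from Vlan1 (ACL 10 permits on source alone), while the extended ACL passes only the two listed hosts.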