Basic config w/ NAT/PAT

kfriend
Level 1

Hey folks,

I once held a CCNA many years ago, but I don't deal with the networking side of things all too often so I never kept up with stuff.  I've always managed to stumble through configuring equipment when the need arises.  And I now have a need.  Not looking for anyone to write out an entire config for me, just want to make sure that I'm on the right track:

Running a Cisco router and switch. Will be NAT'ing to 192.168.10.x.

Have a handful of servers that need to be reachable via public IP on various ports.

I used this to build the NAT: http://www.cisco.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml and basically repeated the command ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable for each host/port that I needed available on the public interface, substituting the appropriate public IP address and port where it corresponds to the private address/port. Does this sound reasonable?

I'd imagine that I'm also going to have to establish a VLAN on the switch that includes the port that is uplinked to the router.

Anything else that I'm missing?

5 Replies

Jon Marshall
Hall of Fame

Kenneth

Will be nat'ing to 192.168.10.x

What do you mean by this? Do you mean you will be NATting internal clients to 192.168.10.x addresses? If so that's a little confusing, because for your servers you have public IPs, so I would have thought you would be using one of those (or the router WAN interface if it is using a 171.68.1.x address).

Can you clarify ?

Jon

Forgive me. I was trying to use the correct terminology per Cisco. I think they call it a NAT overload.

I'm shooting for what I'd think of as PAT.

My buddy has a hodgepodge of SOHO routers and 3 servers that are reachable from the internet.   Trying to consolidate all of his routers onto a single device that's a little more industrial grade.

So public IP address:80 translates to 192.168.10.10:80.

That's what I'm shooting for.  I consulted with the Cisco expert I work with and he says to stay away from that bridge group BVI1 that the article recommends.

Okay, that sounds more sensible. You are on the right track in terms of NAT, and I assume that you have a L2 switch connected to the inside interface of the router? If so, yes, you just need one VLAN that the servers/clients and router connection are in.

You need at a minimum to have an ACL applied inbound on the outside interface of the router for security. Ideally, if your router supported it, you could run the firewall feature set, but you may not have the right license or router. If not, you could look into reflexive ACLs to allow traffic back in after he has connected to a server on the internet.

Jon
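The pieces discussed in this thread (the static PAT lines from the original post, the outbound overload, and the inbound ACL plus reflexive ACL that Jon recommends) fit together roughly as below. This is an added example written for this page, not configuration from the thread or from the Cisco document linked above. The addresses (203.0.113.2 as the WAN address, 192.168.10.0/24 inside), the interface names, the three published services and the ACL names are all assumptions; substitute the real public IPs, hosts and ports. Reflexive ACLs require named extended ACLs and may not be available on every router/feature set.

```cisco
! Inside (LAN) interface: the SFP port facing the switch. Address is assumed.
interface GigabitEthernet0/1
 description LAN to switch Gi0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Outside (WAN) interface. 203.0.113.2 is a placeholder public address.
! Inbound ACL filters what the internet may reach; outbound ACL records
! sessions started from the LAN so their replies are let back in.
interface GigabitEthernet0/0
 description WAN
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip access-group OUTSIDE-OUT out
!
! Which inside addresses are eligible for outbound translation.
ip access-list standard NAT-INSIDE
 permit 192.168.10.0 0.0.0.255
!
! Outbound PAT ("overload" in Cisco terms): every LAN client shares the
! WAN interface address, distinguished by source port.
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! Inbound static PAT, one line per published host/port. Each public
! address:port pair must be unique; "extendable" lets one inside host
! be published on several ports or public addresses. Hosts/ports assumed.
ip nat inside source static tcp 192.168.10.10 80 203.0.113.2 80 extendable
ip nat inside source static tcp 192.168.10.10 443 203.0.113.2 443 extendable
ip nat inside source static tcp 192.168.10.11 25 203.0.113.2 25 extendable
!
! Outbound ACL on the WAN interface: NAT runs before this ACL on the
! inside-to-outside path, so the reflexive entries are built on the
! translated (public) addresses, which is what the replies will carry.
ip access-list extended OUTSIDE-OUT
 permit tcp any any reflect LAN-SESSIONS timeout 300
 permit udp any any reflect LAN-SESSIONS timeout 60
 permit icmp any any reflect LAN-SESSIONS timeout 30
 permit ip any any
!
! Inbound ACL on the WAN interface: the ACL is evaluated before NAT on the
! outside-to-inside path, so it must match the public address, not
! 192.168.10.x. Only the published ports are opened; everything else that
! is not a reply to a LAN-initiated session is denied and logged.
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.2 eq 80
 permit tcp any host 203.0.113.2 eq 443
 permit tcp any host 203.0.113.2 eq 25
 evaluate LAN-SESSIONS
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
!
! Checks after applying:
!   show ip nat translations     (static entries appear immediately)
!   show access-lists OUTSIDE-IN (hit counters climb on the permit lines)
!   show access-lists LAN-SESSIONS (temporary entries while a LAN host browses)
```

Two things to keep in step when a server is added or retired: the static NAT line and the matching permit in OUTSIDE-IN. A NAT entry without an ACL permit is silently unreachable from outside; a permit without a NAT entry simply hits the router itself. Without the reflexive pair, a bare "permit tcp any any established" is the usual shortcut, but it only matches TCP flags and will not let UDP replies (DNS, NTP) back in.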

Mr. Marshall,

Thank you for taking the time to reply. In regard to your question about the inside interface of the router, I had a chance to play around with something I've never done before, so I'm running SFP multimode transceivers on the switch and the router. The router's SFP GigabitEthernet0/1 is connected to GigabitEthernet0/1 on the switch, and once I finally put in matching SFPs I got a link.

I figure that I'll just have to include all of the ports on the switch in a single VLAN that also includes the GigabitEthernet0/1 port in order for it to "talk" to the router.

The config on these two devices should be pretty straightforward; again, I just don't have to configure these all too often, so I have to re-learn everything. I do quite enjoy getting the stuff running. It's usually a set-it-and-forget-it type of thing in small environments. I've got an 1841 at home with an HWIC modem and the thing is bulletproof. The only time it messes up is when the ISP decides to drop the MAC of the modem on their end, which has happened 2-3 times over the past 4 years. No reboots, no dropped connections...bulletproof.

I figure that I'll just have to include all of the ports on the switch in a single VLAN that also includes the GigabitEthernet0/1 port in order for it to "talk" to the router.

Exactly. Hope it works, and if you still have problems just come back to the forums. If you do, it will help if you specify the models of switch/router you are using.

Jon
