12-10-2012 01:03 AM - edited 03-07-2019 10:29 AM
Was wondering if someone could look at my current config and help me enable and set up NVI on a Cisco 1941 router.
I think it would fix my issue, but I'm unclear on how to implement it to test.
I would like to be able to access an internal server from an outside address.
I appreciate any help, thanks.
12-10-2012 01:34 AM
Hi,
Replace ip nat inside and ip nat outside on the interfaces with:
ip nat enable
no ip redirect
Then replace your NAT inside statements by deleting the inside keyword and it should work.
Regards.
Alain
Don't forget to rate helpful posts.
12-10-2012 01:38 AM
Thanks, any chance you could look at my config and give some pointers on NAT statements?
12-10-2012 01:46 AM
Hi,
You can post your config indeed.
Regards.
Alain
Don't forget to rate helpful posts.
12-10-2012 07:07 AM
K, thanks again for your help.
Here it is:
!
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service sequence-numbers
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
!
!
!
service-module wlan-ap 0 bootimage autonomous
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
!
no ip bootp server
ip domain name company.com
ip name-server 111.111.111.222
ip name-server 10.10.20.2
!
multilink bundle-name authenticated
!
redundancy
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.10.20.1 255.255.255.0
ip helper-address 10.10.20.2
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
no mop enabled
no mop sysid
!
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 111.111.111.111 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
interface Wlan-GigabitEthernet0/0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
ip address 10.10.21.1 255.255.255.0
ip helper-address 10.10.20.2
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-export destination 10.10.20.32 2055
!
ip nat inside source static tcp 10.10.20.7 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 10.10.20.7 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 10.10.20.7 3101 interface GigabitEthernet0/1 3101
ip nat inside source static tcp 10.10.20.7 53 interface GigabitEthernet0/1 53
ip nat inside source static udp 10.10.20.2 123 interface GigabitEthernet0/1 123
ip nat inside source static tcp 10.10.20.7 80 interface GigabitEthernet0/1 80
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.20.5 80 111.111.111.112 80 extendable
ip nat inside source static tcp 10.10.20.5 443 111.111.111.112 443 extendable
ip route 0.0.0.0 0.0.0.0 111.111.111.110 254
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 1 permit 10.10.21.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.20.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 111.111.111.109 0.0.0.7 192.168.10.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 permit tcp 10.10.20.0 0.0.0.255 eq 443 host 000.000.000.000 eq 443
access-list 103 remark CCP_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 10.10.21.0 0.0.0.255 any
access-list 103 remark P-Internal
access-list 103 permit ip 10.10.20.0 0.0.0.255 any
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.20.0 0.0.0.255 any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 remark CCP_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 108 remark CCP_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 10.10.20.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 115 remark 443
access-list 115 remark CCP_ACL Category=16
access-list 115 permit tcp any eq 443 any eq 443
!
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
!
!
!
control-plane
!
!
end
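The two substitutions described in the reply above, applied mechanically to the NAT lines of the posted configuration (an added example, not part of the original thread). The function name `to_nvi` and the embedded excerpt are constructed for illustration; rules using the `interface` or `route-map` forms are flagged for checking against the `ip nat source` syntax of the running IOS release, since the thread does not say which forms NVI accepts there.

```python
import re

# Constructed excerpt: NAT-related lines taken from the configuration posted above.
SAMPLE = """\
interface GigabitEthernet0/0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
interface Vlan1
 ip nat inside
ip nat inside source static tcp 10.10.20.7 25 interface GigabitEthernet0/1 25
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.10.20.5 80 111.111.111.112 80 extendable
"""

IFACE_NAT = re.compile(r"^ip nat (inside|outside)$")   # interface-level legacy NAT
RULE_NAT = re.compile(r"^ip nat inside source (.+)$")  # global legacy NAT rule


def to_nvi(config):
    """Return (commands, review).

    commands: IOS lines that remove each legacy NAT line and add its NVI form.
    review:   converted rules that use 'interface' or 'route-map' and should be
              checked by hand before being applied (assumption, see lead-in).
    """
    commands, review = [], []
    current_if = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = line
        elif IFACE_NAT.match(line) and current_if:
            # Step 1 of the reply: ip nat inside/outside -> ip nat enable
            commands += [current_if, f" no {line}", " ip nat enable", " no ip redirects"]
        elif (m := RULE_NAT.match(line)):
            # Step 2 of the reply: drop the 'inside' keyword from the rule
            new = f"ip nat source {m.group(1)}"
            commands += [f"no {line}", new]
            if re.search(r"\b(route-map|interface)\b", m.group(1)):
                review.append(new)
    return commands, review


if __name__ == "__main__":
    cmds, flagged = to_nvi(SAMPLE)
    print("\n".join(cmds))
    print("\n! check before applying:")
    print("\n".join(f"!   {r}" for r in flagged))
```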