01-21-2008 03:22 PM - edited 03-05-2019 08:36 PM
Thanks for reading my post. I'm new to Cisco admin'ing and need some help. We currently have a T1 that comes into our offices for servers and an internet connection. It's running off a 4000 cisco series as the outside router and then a 4500 series connects that to handle the "division of labor" for our servers. We currently use a Linksys WRT54GL upgraded to DD-WRT firmware for our NAT router.
I've been asked to configure a spare 2621 to handle the job instead. It will be on the same /24 as one of our networks doing this job. I will post the configuration at the end of this for comments/clarification. Basically, I have this router sitting on the <<masked by moderator>>0/24 network with the <<masked by moderator>>10 ip address on fastEth0. The fastEth0/1 is on our internal network, 192.168.254.0/24. We are using static routes for routing. This router will eventually be a DHCP server for our internal network, but that's another project for another day.
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
no service dhcp
!
hostname kyNatRouter
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxx1
!
!
!
!
!
ip subnet-zero
no ip source-route
ip domain-name car-part.com
ip name-server <<masked by moderator>>
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
ip address <<masked by moderator>>10 255.255.255.0
ip nat outside
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface Serial0/0
bandwidth 1536
no ip address
encapsulation frame-relay IETF
shutdown
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
bandwidth 1536
shutdown
no cdp enable
frame-relay interface-dlci 500 IETF
!
interface FastEthernet0/1
ip address 192.168.254.1 255.255.255.0
ip access-group in_to_out in
ip nat inside
no ip mroute-cache
speed auto
half-duplex
no cdp enable
!
interface Serial0/1
no ip address
shutdown
no cdp enable
!
ip nat inside source static tcp <<masked by moderator>>10 21 192.168.254.232 21 extendable
ip nat inside source static tcp <<masked by moderator>>10 2110 192.168.254.67 2110 extendable
ip nat inside source static tcp <<masked by moderator>>10 80 192.168.254.68 80 extendable
ip nat inside source static tcp <<masked by moderator>>10 5942 192.168.254.6 5942 extendable
ip nat inside source static tcp <<masked by moderator>>10 2098 192.168.254.120 2098 extendable
ip nat inside source static tcp <<masked by moderator>>10 2097 192.168.254.120 2097 extendable
ip nat inside source static tcp <<masked by moderator>>10 2096 192.168.254.120 2096 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 <<masked by moderator>>1
ip route <<masked by moderator>>0 255.255.255.0 <<masked by moderator>>1
ip route <<masked by moderator>>0 255.255.255.0 <<masked by moderator>>1
no ip http server
!
!
ip access-list extended in_to_out
permit ip any 192.168.254.0 0.0.0.255
logging facility local4
logging 192.168.104.254
access-list 1 permit 0.0.0.0 255.255.255.0
no cdp run
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
password !firststep
login
transport input none
!
scheduler allocate 4000 1000
end
01-21-2008 03:51 PM
1) ip nat inside source static should have the internal IP address first and the external IP address second. For instance:
ip nat inside source static tcp 22.22.22.10 21 192.168.254.232 21 extendable
should be:
ip nat inside source static tcp 192.168.254.232 21 22.22.22.10 21 extendable
2) Your ACL
ip access-list extended in_to_out
permit ip any 192.168.254.0 0.0.0.255
has no merit, what's the point of it?
The rest looks fine.
HTH,
__
Edison.
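The address-order point from item 1 of the reply, as an added example that is not part of the original thread: a small Python check that reads an IOS configuration, finds the subnets of the interfaces marked `ip nat inside`, and flags static port translations whose first address is not an inside address. The sample configuration is constructed, 203.0.113.10 is a stand-in for the masked outside address, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: 203.0.113.10 stands in for the masked outside address.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 203.0.113.10 255.255.255.0
 ip nat outside
!
interface FastEthernet0/1
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 203.0.113.10 21 192.168.254.232 21 extendable
ip nat inside source static tcp 192.168.254.68 80 203.0.113.10 80 extendable
"""

STATIC_RE = re.compile(r"ip nat inside source static (?:tcp|udp) (\S+) \d+ (\S+) \d+")


def inside_networks(config):
    """Subnets of the interfaces that carry 'ip nat inside'."""
    nets = []
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        addr = re.search(r"^\s*ip address (\S+) (\S+)", block, flags=re.M)
        if addr and re.search(r"^\s*ip nat inside\s*$", block, flags=re.M):
            nets.append(ipaddress.ip_network("/".join(addr.groups()), strict=False))
    return nets


def check_static_nat(config):
    """Label each static port translation 'ok', 'reversed' or 'unknown'."""
    nets = inside_networks(config)
    verdicts = {(True, False): "ok", (False, True): "reversed"}
    results = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        # IOS expects the inside (local) address first, the outside (global) second.
        first, second = (ipaddress.ip_address(a) for a in m.groups())
        key = (any(first in n for n in nets), any(second in n for n in nets))
        results.append((verdicts.get(key, "unknown"), line.strip()))
    return results


if __name__ == "__main__":
    for verdict, line in check_static_nat(SAMPLE_CONFIG):
        print(f"{verdict:8} {line}")
```

An entry comes back as `unknown` when both addresses or neither fall in an inside subnet, which is worth reading by hand before the router goes into service.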