NAT Nightmare

claudeesquirol
Level 1

Hi all,

I am very new to network administration, so please be kind with me.

We have bought a Cisco 892 to replace two ADSL modem routers (Netgear).

Both of the modems were connected to our network and were doing different port forwarding to our servers (FTP, SSH, HTTPS ...).

I tried to configure the 892 to get the same result and it became a nightmare!! mainly because of my lack of knowledge.

FastEthernet8 is connected to an ADSL modem with DHCP auto configuration; GigabitEthernet0 also has an ADSL modem with DHCP.

Vlan1 is connected to our network, which uses IPs 192.168.1.0 to 192.168.1.255.

A Cisco dealer told me that the best way to configure it is the Cisco Configuration Professional software, but when I look on forums everything is explained in console mode!

After a quick configuration I have been able to configure Internet on both interfaces, but when I tried to configure NAT the headache started.

I need to configure:

  FastEthernet to translate ports from the Internet: 8081 to 443, 22 to 22, 3306 to 3306, 8082 to 8080 on IP 192.168.1.30

  GigabitEthernet to translate ports from the Internet: 80 to 80, 8080 to 8080 on IP 192.168.1.13

So far I have been able to configure only one at a time (sometimes it works, sometimes not) but never both!!

Can someone give me a clue of what I have to do? Is this configuration possible?

Thank you very much

network.png

6 Replies

cadet alain
VIP Alumni

Hi,

Can you post your config?

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Here is my config

Best regards

Building configuration...

Current configuration : 6032 bytes
!
! Last configuration change at 09:01:51 PCTime Fri Dec 2 2011 by devlyx
!
version 15.0
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname devlyxcisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$4xD7$y5V.j9ini0/KXnvLkXmVS.
!
no aaa new-model
!
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2908942045
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2908942045
 revocation-check none
 rsakeypair TP-self-signed-2908942045
!
!
crypto pki certificate chain TP-self-signed-2908942045
 certificate self-signed 01
  30820252 308201BB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32393038 39343230 3435301E 170D3131 31323031 30393236
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39303839
  34323034 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B053 30A0B6DA 343B8340 33CC237F 86054A27 94C4C394 61096614 7286FDB9
  2BD745CB 59781B02 45A10740 E784711F ED1923B2 DA1B91A3 5DDD5777 576B7A8E
  BAF25564 3FD96B9E 95666B25 E83451AD 28FE031D 628AE7D9 AF4D3C69 9104333A
  CC25A912 396E3A2A CC35C09A 49BE11A8 AF8395AB ED646D9D 3A342883 5C2F05F3
  94910203 010001A3 7A307830 0F060355 1D130101 FF040530 030101FF 30250603
  551D1104 1E301C82 1A646576 6C797863 6973636F 2E796F75 72646F6D 61696E2E
  636F6D30 1F060355 1D230418 30168014 6AFAD528 8DE5B6CD 9F09D7D8 02A635CA
  2E3D319A 301D0603 551D0E04 1604146A FAD5288D E5B6CD9F 09D7D802 A635CA2E
  3D319A30 0D06092A 864886F7 0D010104 05000381 8100AF71 1D900608 BDBAA4F3
  C80545FF 94F7BB0E 37FA41A1 E55B7B30 65FA7B92 9D1B5FC9 4B3A9973 0702AA8D
  BD059D16 FE3BFFD6 6D67B6AB 2B51D822 E190CDF8 30E5363F 3F377337 C2E5F0B3
  D5DD425B C136CE5A 2FAA7B1C 03FA2EC4 ED63CD0B 71701545 7654CAD6 ABBD12F8
  5645039B FC29428A 9F699ED6 D13286CF 589A511E CF45
      quit
ip source-route
!
!
ip dhcp excluded-address 192.168.1.7
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 81.253.149.9 80.10.246.132
   default-router 192.168.1.7
!
!
ip cef
ip domain name yourdomain.com
ip name-server 81.253.149.9
ip name-server 80.10.246.132
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO892-K9 sn FCZ154692X6
!
!
username devlyx privilege 15 secret 5 $1$Eics$R4eU/Bqzc.I753e6kUcvX1
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface BRI0
 no ip address
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet8
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface GigabitEthernet0
 description $ETH-WAN$
 ip address dhcp client-id GigabitEthernet0
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.250 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.1.13 8080 interface GigabitEthernet0 8080
ip nat inside source static tcp 192.168.1.13 80 interface GigabitEthernet0 80
ip nat inside source list 4 interface FastEthernet8 overload
!
ip access-list extended NAS_Support
 remark CCP_ACL Category=2
 permit ip host 80.14.126.154 host 192.168.1.13
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 192.168.1.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

The NAT statements for the gigabit port are already there. Please add the following for Fa8:

ip nat inside source static tcp 192.168.1.30 443 interface FastEthernet8 8081
ip nat inside source static tcp 192.168.1.30 22 interface FastEthernet8 22
ip nat inside source static tcp 192.168.1.30 3306 interface FastEthernet8 3306
ip nat inside source static tcp 192.168.1.30 8080 interface FastEthernet8 8082

I hope I got all directions right; for example, port 443 is to be on the server side, yes?

Otherwise you should flip the numbers.

regards,

Leo

Hi, thanks

I haven't configured the FastEthernet because the gigabit was not working!

I have done several other tests; once I activate both interfaces, Internet access doesn't work anymore!

Sent from Cisco Technical Support iPad App

Claude ESQUIROL wrote:

Hi, thanks

I haven't configured the FastEthernet because the gigabit was not working!

I have done several other tests; once I activate both interfaces, Internet access doesn't work anymore!

Sent from Cisco Technical Support iPad App

You have not set a default route. That's the most likely explanation.

For this setup, you will need policy routing (look this up at Cisco).

Host 192.168.1.30 should be routed to Fa8, the other one to the gig port.

If there are more hosts, they will need the default route, or you may use policy routing to divide them between the two links.

regards,

Leo
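The policy routing Leo describes, written out as an added example against the posted config (this is not code from the thread). Interface names, server addresses and access-list 4 are taken from the config; the ACL and route-map names are my own, and it assumes both modems hand the router a gateway via DHCP.

```cisco
! Added example, not from the thread. Goal: replies from each server leave
! through the link whose static NAT entry they belong to, the rest of the LAN
! uses one explicit default route, and PAT is keyed on the egress interface.
!
! 1. Policy routing per server (the static NAT entries stay as posted).
ip access-list extended PBR_HOST_30
 permit ip host 192.168.1.30 any
ip access-list extended PBR_HOST_13
 permit ip host 192.168.1.13 any
!
route-map WAN_SELECT permit 10
 match ip address PBR_HOST_30
 set interface FastEthernet8
route-map WAN_SELECT permit 20
 match ip address PBR_HOST_13
 set interface GigabitEthernet0
! Traffic matching neither clause falls through to the routing table.
!
interface Vlan1
 ip policy route-map WAN_SELECT
!
! 2. One explicit default route, using the gateway learned by DHCP on Gi0,
!    so the other LAN hosts are not split across both uplinks.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 dhcp
!
! 3. Replace the single list-based overload rule with one PAT rule per link.
!    Both route-map clauses AND the source list with the egress interface.
no ip nat inside source list 4 interface FastEthernet8 overload
route-map NAT_VIA_FA8 permit 10
 match ip address 4
 match interface FastEthernet8
route-map NAT_VIA_GI0 permit 10
 match ip address 4
 match interface GigabitEthernet0
ip nat inside source route-map NAT_VIA_FA8 interface FastEthernet8 overload
ip nat inside source route-map NAT_VIA_GI0 interface GigabitEthernet0 overload
```

After changing the overload rule, run `clear ip nat translation *` so stale entries are not reused. If a modem does not answer proxy ARP for remote destinations, replace `set interface` with `set ip next-hop` and the gateway address shown by `show dhcp lease`.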

Hi,

Thank you all, it is now working well.

Next step will be the VPN !

Sent from Cisco Technical Support iPad App