Hello everyone,
I'm a newbie at 3Com routers, and I'm having some complications configuring NAT on the router I have at hand.
What I'm trying to accomplish is to have the router perform static NATing from a public IP that the company owns to an internal host.
Now, the WAN interface already has an IP assigned to it, and I'm trying to use another IP in the same block, that's not assigned to an interface, and dedicate it to the aforementioned host.
Problem is, it's not working. The IP I'm trying to perform NAT is in the first line of the nat server configuration (70.70.70.71). I actually performed a ping from the internal device to an external Cisco router and ran a debug and it showed the pings are coming from the external interface's IP and not the one I'm trying to NAT. I also can't ping that public IP or anything.
Below is the config I have:
#3Com Router Software Extended_V2.11.0.11
#
sysname cdh-az-rtr
#
FTP server enable
#
domain default enable system
#
qos pql 1 queue top queue-length 100
qos pql 1 protocol ip acl 3700 queue top
qos pql 1 protocol ip udp 2093 queue top
qos pql 1 protocol ip udp 2094 queue top
qos pql 1 protocol ip udp 2095 queue top
qos pql 1 protocol ip udp 2096 queue top
qos pql 1 protocol ip tcp 1040 queue top
#
multicast routing-enable
#
radius scheme system
server-type extendedtype
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
#
traffic classifier gre operator and
if-match acl 3003
#
traffic behavior ratelimit
queue ef bandwidth 640 cbs 1024
#
qos policy voippol1
classifier gre behavior ratelimit
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Ethernet0/0
ip address 10.10.2.100 255.255.255.0
qos pq pql 1
#
interface Ethernet2/0
qmtoken 1
ip address 70.70.70.70 255.255.255.248
nat outbound 3002
nat server protocol tcp global 70.70.70.71 any inside 10.10.2.250 any
nat server protocol tcp global 70.70.70.70 443 inside 10.10.2.252 443
nat server protocol tcp global 70.70.70.70 3389 inside 10.10.2.251 3389
nat server protocol tcp global 70.70.70.70 10.10.2.252 www
nat server protocol tcp global 70.70.70.70 5900 inside 10.10.2.62 5900
nat server protocol tcp global 70.70.70.70 143 inside 10.10.2.251 143
nat server protocol tcp global 70.70.70.70 81 inside 10.10.2.251 81
nat server protocol tcp global 70.70.70.70 1494 inside 10.10.2.240 1494
nat server protocol tcp global 70.70.70.70 3330 inside 10.10.2.61 3389
nat server protocol tcp global 70.70.70.70 3331 inside 10.10.2.84 3389
nat server protocol tcp global 70.70.70.70 smtp inside 10.10.2.245 smtp
nat server protocol tcp global 70.70.70.70 8000 inside 10.10.2.245 8000
qos apply policy voippol1 outbound
#
interface Serial0/0
clock DTECLK1
link-protocol ppp
ip address ppp-negotiate
#
interface Serial3/0
link-protocol fr
fr dlci 800
qmtoken 1
ft1 timeslot-list 1-12
ip address 172.16.1.2 255.255.255.252
undo ip fast-forwarding
qos pq pql 1
#
interface NULL0
#
acl number 3002
rule 0 deny ip source 10.10.2.0 0.0.0.255 destination 10.10.1.0 0.0.0.255
rule 1 deny ip source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
rule 2 deny ip source 10.10.2.250 0
rule 3 permit ip source 10.10.2.0 0.0.0.255
acl number 3100
description Firewall rules inbound E2/0
rule 0 permit tcp established
rule 1 permit 50
rule 2 permit udp source-port eq 500 destination-port eq 500
rule 3 permit ip source 10.10.1.0 0.0.0.255 destination 10.10.2.0 0.0.0.255
rule 4 permit tcp destination-port eq 3389
rule 5 permit tcp destination 68.53.126.229 0 destination-port eq telnet
rule 6 permit icmp
rule 20 deny ip logging
acl number 3700
rule 0 permit icmp source 10.10.2.251 0 destination 10.10.1.241 0
rule 1 permit icmp source 10.10.1.241 0 destination 10.10.2.251 0
rule 2 permit icmp source 10.10.1.241 0 destination 10.10.2.61 0
rule 3 permit icmp source 10.10.2.61 0 destination 10.10.1.241 0
#
ip route-static 0.0.0.0 0.0.0.0 70.70.70.80 preference 60
ip route-static 10.10.1.0 255.255.255.0 172.16.1.1 preference 5
#
snmp-agent
snmp-agent local-engineid 0000002B7F0000010000682B
snmp-agent community read cdh1ets
snmp-agent sys-info version all
snmp-agent target-host trap address udp-domain 10.10.2.251
#
user-interface con 0
user-interface aux 0
user-interface vty 0 4
authentication-mode scheme
idle-timeout 30 0
#
I'd greatly appreciate any assistance.
-Al
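An added example, not part of the original post: a small Python check of the addressing in the posted config. It flags `nat server` global addresses that are the network or broadcast address of the interface subnet, entries that do not follow the `global <ip> <port> inside <ip> <port>` layout of the other lines, and static-route next hops that are not on a connected subnet. The regexes are inferred from the lines in the post, not from 3Com documentation.

```python
import ipaddress
import re

# Excerpt of the config posted above; regex layouts are inferred from its lines.
CONFIG = """\
interface Ethernet2/0
ip address 70.70.70.70 255.255.255.248
nat server protocol tcp global 70.70.70.71 any inside 10.10.2.250 any
nat server protocol tcp global 70.70.70.70 443 inside 10.10.2.252 443
nat server protocol tcp global 70.70.70.70 10.10.2.252 www
interface Serial3/0
ip address 172.16.1.2 255.255.255.252
ip route-static 0.0.0.0 0.0.0.0 70.70.70.80 preference 60
ip route-static 10.10.1.0 255.255.255.0 172.16.1.1 preference 5
"""

ADDR = re.compile(r"ip address (\d[\d.]+) (\d[\d.]+)$")
NAT = re.compile(r"nat server protocol \S+ global (\d[\d.]+) \S+ inside (\d[\d.]+) \S+$")
ROUTE = re.compile(r"ip route-static (\d[\d.]+) (\d[\d.]+) (\d[\d.]+)")


def audit(config):
    """Return (finding, config_line) pairs for addressing inconsistencies."""
    findings, connected, current = [], [], None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = None  # new interface block, no address seen yet
        elif m := ADDR.match(line):
            current = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
            connected.append(current)
        elif line.startswith("nat server "):
            m = NAT.match(line)
            if not m:
                findings.append(("malformed nat server entry", line))
                continue
            glob = ipaddress.ip_address(m[1])
            if current is None or glob not in current:
                findings.append(("global address outside interface subnet", line))
            elif glob in (current.network_address, current.broadcast_address):
                findings.append((f"global address is network/broadcast of {current}", line))
        elif m := ROUTE.match(line):
            hop = ipaddress.ip_address(m[3])
            if not any(hop in net for net in connected):
                findings.append(("next hop not on any connected subnet", line))
    return findings


if __name__ == "__main__":
    print(*audit(CONFIG), sep="\n")
```

The findings describe the addresses exactly as posted; if the poster substituted placeholder addresses for the real ones, the same check should be run against the real values.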