Cisco 1841 noob NAT question


amj67

Programmer
Mar 13, 2004
8
IS
Hello gang.
I just bought a Cisco 1841. I'm not a total noob to routers, but I am when it comes to Cisco, so I hope you can help me.

I am hosting websites, and I need to NAT an outside IP address to an inside IP address which is designated to one of my websites, I need to NAT both port 80 and port 443.

If you could give me the step-by-step how to do this I would appreciate it very much.

I do know how to log in to the router and that's about it ;)

My outside ip: 213.176.147.123
Inside IP: 192.168.1.127
ports: 80 and 443

ps.. is there some software for a noob like me that I could use for easier configuration of the router?
 
SDM is what you are looking for.
Check this out.
I am not sure if the 1841 is a supported platform, but being that it is newer, SDM should work.

Post back if you still need to do forwarding through IOS.



"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
 
I believe SDM is supported on this platform, just not sure you can use it to configure a PAT rule (never used it myself).

However from the CLI, you want something like the following:

ip nat inside source static tcp 192.168.1.127 80 interface xxx 80 extendable

ip nat inside source static tcp 192.168.1.127 443 interface xxx 443 extendable

where xxx is the interface identifier that faces the Internet, e.g. Dialer1 etc.

Also your particular IOS software may not support the extendable keyword. If it does - great, if not try the command without it.

Hope this helps
 
hi gang..

I installed the Cisco SDM, it asks me to enter username and password, but I have no username.. ? I only enter a password when I Telnet to the router..

KiscoKid, you say "where xxx is the interface identifier that faces the Internet, e.g. Dialer1 etc."..

How do I find this identifier?

After I enter this information, do I save it somehow to the router?
 
Use the 'show ip int brief' command and look for the interface that has the external IP address. This is the interface identifier.

Once you've made a change, you can save with the 'write mem' command at the hash (#) prompt.
 
Now I feel like a dork... is it the FastEthernet0/1 ?

Interface        IP-Address       OK? Method Status                Protocol
FastEthernet0/0  192.168.1.1      YES NVRAM  up                    up
FastEthernet0/1  unassigned       YES NVRAM  administratively down down
ATM0/0/0         unassigned       YES NVRAM  up                    up
ATM0/0/0.35      171.16.107.114   YES NVRAM  up                    up
NVI0             unassigned       YES unset  up                    up
Loopback0        194.144.19.120   YES NVRAM  up                    up
Loopback21       213.176.147.121  YES NVRAM  up                    up
Loopback22       213.176.147.122  YES NVRAM  up                    up
Loopback24       213.176.147.124  YES NVRAM  up                    up
Loopback25       213.176.147.125  YES NVRAM  up                    up
Loopback30       unassigned       YES NVRAM  up                    up
 
no like this :

ip nat inside source static tcp 192.168.1.127 80 interface ATM0/0/0.35 80 extendable

ip nat inside source static tcp 192.168.1.127 443 interface ATM0/0/0.35 443 extendable
 
Isn't something missing? What about the outside IP address?
 
Strangely the address you originally mentioned as your external IP is not in that list. It's not the fa0/1 interface but I do suspect it's the ATM0/0/0.35 interface. Can you post your full config (show run) so I can be sure.

Ta
 
yeah you will need this :

ip nat inside source list 1 interface ATM0/0/0.35 overload

access-list 1 permit 192.168.1.0 0.0.0.255

on the ATM0/0/0.35 interface :

ip nat outside

and on the fastethernet0/0 :

ip nat inside
 
Current configuration : 3732 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
enable password xxx
!
no aaa new-model
!
resource policy
!
memory-size iomem 25
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
no ip dhcp use vrf connected
!
!
no ip domain lookup
!
username xxx privilege 15 password 0 xxx
!
!
controller DSL 0/0/0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate 2304
!
!
interface Loopback0
description NAT
ip address 194.144.19.120 255.255.255.255
!
interface Loopback21
description NAT fyrir .120
ip address 213.176.147.121 255.255.255.255
!
interface Loopback22
description NAT fyrir .122
ip address 213.176.147.122 255.255.255.255
!
interface Loopback24
description NAT fyrir .201
ip address 213.176.147.124 255.255.255.255
!
interface Loopback25
description NAT fyrir .213
ip address 213.176.147.125 255.255.255.255
!
interface Loopback30
no ip address
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$
ip address 192.168.1.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
shutdown
duplex auto
speed auto
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.35 point-to-point
ip address xxx.16.9.114 255.255.255.252
ip nat outside
pvc 0/35
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 xxx.16.9.113
!
no ip http server
ip nat inside source list 21 interface Loopback21 overload
ip nat inside source list 22 interface Loopback22 overload
ip nat inside source list 24 interface Loopback24 overload
ip nat inside source list 25 interface Loopback25 overload
ip nat inside source list 30 interface Loopback0 overload
ip nat inside source static tcp 192.168.1.127 80 interface ATM0/0/0.35 80
ip nat inside source static 192.168.1.200 194.144.19.120 extendable
ip nat inside source static 192.168.1.120 213.176.147.121 extendable
ip nat inside source static 192.168.1.122 213.176.147.122 extendable
ip nat inside source static 192.168.1.201 213.176.147.124 extendable
ip nat inside source static 192.168.1.126 213.176.147.125 extendable
ip nat inside source static 192.168.1.85 213.176.147.126 extendable
ip nat inside source static 192.168.1.139 213.176.147.127 extendable
ip nat inside source static 192.168.1.202 213.176.159.185 extendable
ip nat inside source static 192.168.1.113 213.176.159.188 extendable
ip nat inside source static 192.168.1.167 213.176.159.189 extendable
ip nat inside source static 192.168.1.190 213.176.159.190 extendable
!
ip access-list standard CNTL/Z
!
access-list 21 permit 192.168.1.120
access-list 22 permit 192.168.1.122
access-list 24 permit 192.168.1.201
access-list 25 permit 192.168.1.213
access-list 30 permit 192.168.1.0 0.0.0.255
access-list 89 remark SNMPc
access-list 89 permit 213.213.158.118
access-list 90 permit 213.213.158.0 0.0.0.127
access-list 90 permit 213.213.135.128 0.0.0.15
access-list 90 permit 172.16.9.112 0.0.0.3
access-list 90 permit 213.176.138.64 0.0.0.31
access-list 90 permit 192.168.1.0 0.0.0.255
snmp-server community public RO CNTL/Z
snmp-server community private RW
snmp-server community xcom RO
snmp-server community rerere RW 89
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server host xxx.xxx.158.118 version 2c rerere
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class 90 in
password xxxxxx
login
line vty 5 15
access-class 90 in
privilege level 15
password xxxxxxx
login
!
end
 
You don't need an outside IP address when you have this "ATM0/0/0.35", which represents the outside IP address.
 
I have a few ip addresses in the router, translating to various websites.

In my understanding, I have to insert the outside IP and then connect it to the inside IP..
 
What I mean is that both:

ip nat inside source static tcp 192.168.1.127 80 interface ATM0/0/0.35 80 extendable

and

ip nat inside source static tcp 192.168.1.127 80 171.16.107.114 80 extendable

do the same thing.
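
Added example, not part of any post in the thread: a small Python audit that reads `ip nat inside source static` lines and reports what each one exposes, separating the per-port form discussed above from the one-to-one form that translates every port of the inside host (so only an ACL, if any, limits what is reachable). The sample lines are constructed from the commands and running-config posted above; the function names are hypothetical.

```python
import re

# Constructed sample: static NAT lines taken from the commands and running-config
# posted in the thread (assumption: one command per line, as in "show run").
SAMPLE_CONFIG = """\
ip nat inside source list 21 interface Loopback21 overload
ip nat inside source static tcp 192.168.1.127 80 interface ATM0/0/0.35 80
ip nat inside source static tcp 192.168.1.127 443 interface ATM0/0/0.35 443 extendable
ip nat inside source static 192.168.1.200 194.144.19.120 extendable
ip nat inside source static 192.168.1.120 213.176.147.121 extendable
"""

# Port form: static {tcp|udp} <local-ip> <local-port> {interface <name> | <global-ip>} <global-port>
PORT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")
# One-to-one form: static <local-ip> <global-ip>; no port is named, so all are translated
FULL_RE = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def audit_static_nat(config_text):
    """Return one dict per static NAT rule, describing what it exposes."""
    rules = []
    for line in config_text.splitlines():
        line = line.strip()
        m = PORT_RE.match(line)
        if m:
            proto, local, lport, iface, gaddr, gport = m.groups()
            rules.append({"inside": local, "outside": iface or gaddr,
                          "exposure": f"{proto}/{gport}->{lport}"})
            continue
        m = FULL_RE.match(line)
        if m:
            rules.append({"inside": m.group(1), "outside": m.group(2),
                          "exposure": "all ports"})
    return rules

def fully_exposed_hosts(config_text):
    """Inside hosts translated on every port by a one-to-one static NAT."""
    return sorted(r["inside"] for r in audit_static_nat(config_text)
                  if r["exposure"] == "all ports")

if __name__ == "__main__":
    for rule in audit_static_nat(SAMPLE_CONFIG):
        print(f'{rule["inside"]:15} <- {rule["outside"]:16} {rule["exposure"]}')
    print("No port restriction at the NAT:", fully_exposed_hosts(SAMPLE_CONFIG))
```

Dynamic `list ... overload` rules are skipped on purpose, since they only cover outbound translations.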
 