
Cisco 3640 Router 2


3t0n1c (Aug 12, 2010)
Hi,

Can please someone help me with the following:

I have a 3640 router with 4 fast eth ports on the rear.
I will be using just 2 of them for now to do routing and maybe NAT-ing.
I have a /29 block from my upstream provider and I have several servers sitting behind this. Several of them need to run services to the outside world.
In other words I need to open ports to certain machines that are being NAT-ed.
The other thing I need to do is specify which machine gets access to which external IP address (out to the Internet) that is.

For example, let's say I have 192.168.1.1 as the internal IP on the router, and then 192.168.1.2 - 192.168.1.10 are my servers.
My external subnet is 1.2.3.233 - 1.2.3.237 with default route 1.2.3.238
Let's say I need 192.168.1.3 to go out via 1.2.3.233 and have incoming ports open on that same route, and then 192.168.1.5 to go out via 1.2.3.234, etc.
Now, if I need to NAT the entire 192.168.1/24 and poke holes and do port forwarding to some of my internal servers, what's the config? Examples would be awesome, I can easily take it from there.

Also, is there a specific IOS I need to load or just use the latest one I could get my hands on? What's the best one out there for what I need to do?

What kind of throughput should I expect assuming I will be on 100Mbps full duplex?

What are the benefits of adding a flash card of say 128MB to the router? Will it improve anything for my needs?

Any help is greatly appreciated.
 
Your best bet is to have static Nat translations (ip nat inside source static "local address" "outside address") for your servers to specify which real address is used by which inside local address. You can then use an access list to open specific ports for specific servers.
 
Here's an example config. Since you mention both port-forwarding and one-to-one NATing for servers, I included an example of both. One example forwards port 80 to a web server at 192.168.1.2 through the main public IP shared by regular hosts, and the other examples are static one-to-one mappings from internal to external IPs. I also made an access list to match all but the 192.168.1.1-10 address range, so there's no conflict between the generic NAT and any specific server addresses you need to NAT for separately.

This should at least be a starting point for you.

!
interface FastEthernet0/0
ip address 1.2.3.1 255.255.255.0
ip nat outside
no shutdown
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no shutdown
!
ip nat pool non_server_pool 1.2.3.235 1.2.3.235 netmask 255.255.255.0
ip nat inside source static tcp 192.168.1.2 80 1.2.3.235 80
ip nat inside source list 100 pool non_server_pool
ip nat inside source static 192.168.1.3 1.2.3.233
ip nat inside source static 192.168.1.4 1.2.3.234
!
!
access-list 100 remark non_server_nat
access-list 100 deny ip 192.168.1.0 0.0.0.7 any
access-list 100 deny ip host 192.168.1.8 any
access-list 100 deny ip host 192.168.1.9 any
access-list 100 deny ip host 192.168.1.10 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!

CCNP, CCDP
 
First of all, thank you both QuinceOcha and Quadratic for replying so fast.

Of course, now I have a couple of questions regarding the configuration file.

Can someone clarify for me what each of the following lines does or means exactly? I need to know what I'm doing.
Also, does the order matter?
Here we go:

Do I need to specify my default gateway anywhere?

- What does the exclamation mark mean or do? (I figure it is just a delimiter).
- What does "no shutdown" do?
- What does "ip nat pool non_server_pool 1.2.3.235 1.2.3.235 netmask 255.255.255.0" do exactly?
- What about "ip nat inside source list 100 pool non_server_pool"?

Also what does the "100", "pool", and "non_server_pool" mean that is found in several lines?

What happens if the access-list lines go in ahead of the ip nat lines ?

Can somebody explain the access-list lines? I need to know exactly what happens at each line. I sort of get a broad picture at this point.

Thank you all sooo much!
 
Ok, I'll break it up a little for you. The lines that start with "access-list 100" create access list #100. Unlike the rest of the configuration, the order you enter these lines in is very important. This access list is going to be used to define what traffic is "permitted" to be a part of your "non-server" NATing. It denies anything in the 192.168.1.1-10 range, and permits everything else in the 192.168.1.0/24 subnet. I grouped 192.168.1.1-7 together with a wildcard mask, but if it's simpler you could just do a whole bunch of "access-list 100 deny ip host 192.168.1.x any" statements to deny each separately.

That config is meant specifically to set up NATing, so I didn't add any routing config but yes you should either set up a routing protocol or define a default gateway. If you have a separate DHCP server you should define an IP Helper (DHCP relay) to direct traffic since broadcasts aren't forwarded by default. If this router *is* your DHCP server, you'll need to configure it.

The exclamation mark appears on its own in the configuration file. They don't need to be entered from the command line (I just copy&pasted a configuration file that I set up, hence they appear there). They can be used for comments, and act as a delimiter, but they're automatic.

"no shutdown" enables the interface. By default, a router's interfaces are in a "shutdown" state, while a switch's interfaces are in a "no shutdown" state. When configuring a router, "no shutdown" is required for the interface to work.

The line "ip nat pool non_server_pool 1.2.3.235 1.2.3.235 netmask 255.255.255.0" defines a pool of public IP addresses to be used by your main, non-server computers. In this case, I defined a pool with a single IP address, and a /24 subnet mask. I could have changed it to point to the outside interface rather than defining a pool but I wanted to specify which IP in that greater subnet should be used for this.

The line "ip nat inside source list 100 pool non_server_pool" binds all the 192.168.1.11-254 host addresses to be NATed into that pool I defined in the earlier statement. Also, you should add "overload" to the end of that command, so "ip nat inside source list 100 pool non_server_pool overload", so they'll aggregate into the same public IP (the first entry was a typo, I typed it out quick).

It doesn't matter if you enter your NATing lines before the ACL, or vice-versa. The only place where order is important is the ACL lines themselves. If you add the permit statement first, for example, those specific denies won't work.

I hope that clarifies a bit.

CCNP, CCDP
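As an added example (not from the thread or from Cisco), here is a small Python model of how IOS walks access-list 100 top-down with wildcard masks. It also reports entries that an earlier entry shadows, which is exactly what happens to the deny lines when the permit is entered first, as Quadratic warns above. The ACL contents are copied from the posted config; everything else is constructed.

```python
import ipaddress

# Constructed copy of access-list 100 from the posted config, as (action, base, wildcard) entries.
ACL_100 = [
    ("deny", "192.168.1.0", "0.0.0.7"),      # 192.168.1.0 - 192.168.1.7
    ("deny", "192.168.1.8", "0.0.0.0"),      # host 192.168.1.8
    ("deny", "192.168.1.9", "0.0.0.0"),
    ("deny", "192.168.1.10", "0.0.0.0"),
    ("permit", "192.168.1.0", "0.0.0.255"),  # everything else in the /24
]

def _int(ip):
    return int(ipaddress.IPv4Address(ip))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    w = _int(wildcard)
    return (_int(addr) & ~w) == (_int(base) & ~w)

def evaluate(acl, src):
    """Top-down, first match wins; no match falls through to the implicit deny."""
    for action, base, wildcard in acl:
        if wildcard_match(src, base, wildcard):
            return action
    return "deny"

def nat_candidates(acl, network="192.168.1.0/24"):
    """Hosts the 'ip nat inside source list 100 ...' statement would translate."""
    return [str(h) for h in ipaddress.ip_network(network).hosts()
            if evaluate(acl, str(h)) == "permit"]

def shadowed(acl):
    """Indexes of entries that can never match because an earlier entry covers their whole range."""
    hidden = []
    for i, (_, base_i, wc_i) in enumerate(acl):
        for _, base_j, wc_j in acl[:i]:
            # Every don't-care bit of entry i is also don't-care in entry j, and i's base satisfies j.
            if (_int(wc_i) & ~_int(wc_j)) == 0 and wildcard_match(base_i, base_j, wc_j):
                hidden.append(i)
                break
    return hidden
```

Running `shadowed(list(reversed(ACL_100)))` reports all four deny entries as unreachable, while the order as posted reports none.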
 
Wow Quadratic, that clears a lot of the fog. Thank you so much!

Now I need to sort of play with it a little bit and get some hands on time with this thing.

One more thing though:

If I need to start from scratch, reset the router to factory default and start fresh, is there a good way or bad way to do that?
Once reset, will it prompt me for initial config? Is it easier to copy/paste the config file or tftp it? If so, where should the config file be sent to (path wise)?
How do I write the config file and make sure I get the correct syntax and not screw up the router? Is there a piece of software that would help you?
I am sorry, I don't mean to sound stupid but I have only used Linux based routers for everything in the past 12 years and never, ever worked with Cisco. :p

One last thing, how do I define the default gateway?
And no, my router won't be running any DHCP, I would be using all static IP's for all workstations and servers.

Thanks again for all your help! It is much appreciated.
 
Are there any quick, down and dirty, step-by-step how to's for Cisco that you guys recommend? I need something that would help me get the wheels rolling...

Links, PDFs, are all great. I just don't have the time to go read a 400 page Cisco book right now. I will very soon, because I know I need to, but I don't have the time right now.

Any other info that you guys think could help me, please post it! I am just getting started with Cisco so please consider the fact that I don't know the first thing about it.

Thank you all!
 
Assuming you have admin rights to the router, the easiest way to restore it to factory defaults is to do "write erase" followed by "reload". That will wipe the config file, and you'll be prompted to either enter a setup wizard or enter a new configuration manually.

There are a few ways to copy over an existing configuration file, but since you'll have to type it out at some point anyway it's probably easiest to just create the config file in the router itself.

I'd say Cisco IOS is fairly intuitive, as long as you've got your modes straight. You'll only need to be in three modes to do this work anyway (privileged exec mode, by typing "enable", then global config mode, by typing "configure terminal" from privilege-exec, and interface config mode, by typing "interface fa0/0", for example, from global config mode).

You can set up a default gateway with the "ip route 0.0.0.0 0.0.0.0 {insert IP of your default gateway here}" command from global config mode.

For the syntax question, if a command isn't valid the router will give you an error, which is another reason I think it's best in this case for you to do this in the router itself rather than creating the config file separately. It will make the file in the proper syntax for you.

CCNP, CCDP
 
Quadratic, you're the best!

Great stuff. If you're ever in Philly, I'll take you out for beer! :D (c1n0t3@gmail.com)

I may come back with more questions soon.


 
Quick question, it may be very stupid, but since my router has 4 fast ethernet ports, how do I know which physical port on the rear of the unit belongs to which port in the configuration file? ;P

Thanks in advance!
 
From left to right, 0 through 3. If they're switchports, it would be 1 through 4.

CCNP, CCDP
 
Hi all,

I'm in the middle of configuring the router.

Going through it step by step and trying to learn at the same time, got me stuck and wondering in a couple of places.

1. This line seems to be giving me an "Invalid input detected at '^' marker."
ip nat pool non_server_pool 1.2.3.235 1.2.3.235 netmask 255.255.255.0
Any thoughts on why?

2. Couple of issues with ACL's now...
I don't really want to separate workstations from servers. The only thing I want is to provide NAT to my entire 192.168.1.0/24 network, which also happens to include 10 servers. I want each server to use a different external IP address from my ISP-assigned /29 pool.
So can someone help me rewrite the access-lists to reflect the above?

3. How do I assign multiple IP's to my external interface? Do I even need to do that to be able to route/nat for all of them? Or is it all done automatically since my external netmask is .248 ?

Thanks in advance!

 
More trouble guys...

Please explain to me what's wrong. I am getting the following issues:

-From router I can ping both internal and external networks, including all Internet IP's ok.
-It seems that the router is not NAT-ing any machine from behind it. I cannot ping external (internet) IP's from any machine behind the router.

Any ideas what I can try?

Thanks
 
post your scrubbed config

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here is the relevant part:


interface FastEthernet0/0
ip address 1.2.3.233 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet1/0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 1.2.3.238
ip nat inside source static tcp 192.168.1.70 80 1.2.3.233 80 extendable
ip nat inside source static tcp 192.168.1.70 443 1.2.3.233 443 extendable
ip nat inside source static tcp 192.168.1.70 25 1.2.3.233 25 extendable
ip nat inside source static tcp 192.168.1.70 22 1.2.3.233 11111 extendable
ip nat inside source static tcp 192.168.1.70 110 1.2.3.233 110 extendable
ip nat inside source static tcp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static udp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static udp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 25 1.2.3.234 25 extendable
ip nat inside source static tcp 192.168.1.113 25 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 443 1.2.3.235 443 extendable
ip nat inside source static tcp 192.168.1.113 80 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 45555 1.2.3.235 45555 extendable
ip nat inside source static tcp 192.168.1.113 47777 1.2.3.235 47777 extendable
ip nat inside source static tcp 192.168.1.113 22 1.2.3.235 11111 extendable
ip nat inside source static tcp 192.168.1.112 22 1.2.3.234 11111 extendable
ip nat inside source static 192.168.1.70 1.2.3.233
ip nat inside source static 192.168.1.112 1.2.3.234
ip nat inside source static 192.168.1.113 1.2.3.235
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.238
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
 
try adding ip nat inside source list 1 int f0/0 overload

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thanks for your reply, but that did not help. I had already tried that with no success.

If anyone can help me out, please reply.

Here's my current config:

!
ip subnet-zero
no ip routing
!
!
no ip domain-lookup
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 1.2.3.233 255.255.255.248
ip nat outside
no ip route-cache
no ip mroute-cache
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.4 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
speed auto
full-duplex
!
interface FastEthernet1/0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet1/1
no ip address
no ip route-cache
no ip mroute-cache
shutdown
duplex auto
speed auto
!
ip default-gateway 1.2.3.238
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.70 80 1.2.3.233 80 extendable
ip nat inside source static tcp 192.168.1.70 443 1.2.3.233 443 extendable
ip nat inside source static tcp 192.168.1.70 25 1.2.3.233 25 extendable
ip nat inside source static tcp 192.168.1.70 22 1.2.3.233 11111 extendable
ip nat inside source static tcp 192.168.1.70 110 1.2.3.233 110 extendable
ip nat inside source static tcp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static udp 192.168.1.70 53 1.2.3.233 53 extendable
ip nat inside source static udp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 53 1.2.3.234 53 extendable
ip nat inside source static tcp 192.168.1.112 25 1.2.3.234 25 extendable
ip nat inside source static tcp 192.168.1.113 25 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 443 1.2.3.235 443 extendable
ip nat inside source static tcp 192.168.1.113 80 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 45555 1.2.3.235 45555 extendable
ip nat inside source static tcp 192.168.1.113 47777 1.2.3.235 47777 extendable
ip nat inside source static tcp 192.168.1.113 22 1.2.3.235 11111 extendable
ip nat inside source static tcp 192.168.1.112 22 1.2.3.234 11111 extendable
ip nat inside source static 192.168.1.70 1.2.3.233
ip nat inside source static 192.168.1.112 1.2.3.234
ip nat inside source static 192.168.1.113 1.2.3.235
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.3.238
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
!
access-list 1 permit 192.168.1.0 0.0.0.255
 
no ip routing
there's your issue. enter ip routing

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
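As an added example (not from the thread or from Cisco), a small Python checker that scans a config dump for the problems visible in the one posted above: `no ip routing`, two static port mappings claiming the same external socket (1.2.3.235 tcp/80 appears twice), a one-to-one static NAT to the outside interface's own address, and two default routes. The config excerpt is constructed from the posted lines; the checks are assumptions about what is worth flagging, not IOS behaviour.

```python
import re

# Constructed excerpt of the config posted above; the checker is an added example, not a Cisco tool.
POSTED_CONFIG = """\
no ip routing
interface FastEthernet0/0
 ip address 1.2.3.233 255.255.255.248
 ip nat outside
ip default-gateway 1.2.3.238
ip nat inside source static tcp 192.168.1.113 25 1.2.3.235 80 extendable
ip nat inside source static tcp 192.168.1.113 80 1.2.3.235 80 extendable
ip nat inside source static 192.168.1.70 1.2.3.233
ip route 0.0.0.0 0.0.0.0 1.2.3.238
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
"""

STATIC_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
STATIC_1TO1 = re.compile(r"^ip nat inside source static (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})$")

def lint(config):
    """Return a list of findings; an empty list means none of the checks fired."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    if "no ip routing" in lines:
        findings.append("no ip routing: forwarding between interfaces (and so NAT) is off")
    # Collect the address of every interface marked 'ip nat outside'.
    outside_ips, cur_ip = set(), None
    for l in lines:
        if l.startswith("interface "):
            cur_ip = None
        elif l.startswith("ip address "):
            cur_ip = l.split()[2]
        elif l == "ip nat outside" and cur_ip:
            outside_ips.add(cur_ip)
    seen = {}  # (proto, outside ip, outside port) -> first line claiming it
    for l in lines:
        m = STATIC_PORT.match(l)
        if m:
            key = (m.group(1), m.group(4), m.group(5))
            if key in seen:
                findings.append(f"duplicate external socket {key}: '{seen[key]}' vs '{l}'")
            seen.setdefault(key, l)
            continue
        m = STATIC_1TO1.match(l)
        if m and m.group(2) in outside_ips:
            findings.append(f"one-to-one static NAT uses the outside interface address: '{l}'")
    if sum(l.startswith("ip route 0.0.0.0 0.0.0.0") for l in lines) > 1:
        findings.append("more than one default route configured")
    return findings
```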
 
Here's the funny thing. If I do that, I can't even ping anything on the wan side from the router itself. If I go with no ip routing, then I can at least ping ip's on the wan side from the router itself.

Any thoughts?

I will do another run, just to re-test everything once again.

Thanks for your input!
 