
Need help setting up NAT....asap!

Status
Not open for further replies.

beatdown

Technical User
Feb 27, 2005
My company has an Adtran router (very limited in functionality, won't do NAT) and a Watchguard Firewall, which performs NAT.

The Firewall broke today and it will take Watchguard a day or more to get us a new one. So in the meantime, I want to set up my personal Cisco 1720 router from home (which I just bought to study for CCNA) on the network at the office, to sort of replace the Firewall. I figured I would just need to connect the 1720 to the Adtran with a crossover cable, give the Fast Ethernet and WIC-1NET interfaces the same IPs that my Watchguard unit has, then set up access lists to allow access to my SMTP and HTTPS servers, and then set up NAT. FYI... I can't use only the 1720, because it has no T1 WIC, so I still need the Adtran router in the loop.

I know how to set up the access lists (at least I think I do), but I don't have a clue how to do NAT. I need to set up NAT so all the internal users (about 50) can surf the web, send email, etc. (I think this is NAT overload, or something like that?). I also need NAT to translate between the public and private IP addresses of my SMTP and HTTPS server, so we can receive email and people can get to our web server.

I'm just starting to learn Cisco, and basically don't have time to mess around trying to research and learn this on my own...so I was hoping somebody could bail me out and give me a config example on how to do this?

Thanks Soooo much!
 
Was that document enough? Do you need further help? If so, please describe more or less the architecture of your network (whether there is a DMZ or not, which services must be accessible from the Internet, which kinds of applications you want your users to reach on the Internet, and so on) and we will try to give you more help.

Regards.
 
This document, and others I found online have been a help, but I'm still not 100% sure how to set up my config.

It's a stub network...just one router going out to the internet via a T1 line.

Users inside my network can have unrestricted outgoing access to anything on the internet.

I have one server on my network which I need public access to through the router...this is an email server which uses SMTP & POP3, and HTTPS for web-mail access. This server is not part of a DMZ.

On my old Watchguard firewall, I had NAT set up so the public IP (external interface) on the firewall was Natted to the private IP of this email server. My MX record in DNS is set up for this IP.

So as far as I can tell, Cisco has a couple different flavors of NAT, and I need to set up a config that is a combination of two types:

1) Overload NAT, so all the users on my network with private IP addresses can surf the web, etc...and be Natted to the one main public IP on the external interface of the router.

2) Static NAT, so the public IP of our server is natted to the internal IP of the server.

Thanks very much for your help!
 
Beatdown -

Ok, so basically, as I understand it - your Cisco router (minus the Adtran) is doing your NAT and ACLs, and you have one server that needs to appear public to the internet? Going from that assumption:

Here's how our NAT setup is set up. We have ONE public IP address, and we use PAT (Port Address Translation), also known as Overloading.

(This is the Dynamic NAT, for your 'internet users.')
-------------------------------------------------------------
ip nat pool warriors xx.xx.197.162 xx.xx.197.162 netmask 255.255.255.252
ip nat inside source list 8 pool warriors overload
!
!
access-list 8 permit 192.168.7.0 0.0.0.255
!
!

'source list 8' means that it uses Access List 8 for its pool of addresses to translate.

'warriors' is the name of the address pool (public IPs) to translate TO.


This is how you would do a Static Mapping (or Static NAT) to redirect (or pass-through/pipe) all outside requests on ports 25 (SMTP), 110 (POP3), and 443 (HTTPS) to your internal server, which is 192.168.7.6 in this example.

(Static NAT mappings)
-----------------------------------------------------------
ip nat inside source static tcp 192.168.7.6 25 interface e0/0 25 extendable
ip nat inside source static tcp 192.168.7.6 110 interface e0/0 110 extendable
ip nat inside source static tcp 192.168.7.6 443 interface e0/0 443 extendable

'ip nat inside source static tcp' takes any request/connection hitting Interface E1/0 (your web-facing interface) on ports 25, 110 and 443, and shoots them straight to your INTERNAL server on 192.168.7.6, on the same ports that they arrived in.

I hope this helps some - I personally had a hell of a time getting a static NAT to work for an internal web server myself, and I know what a pain it is.
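
A complete configuration that combines the two NAT types discussed in this thread with the interface roles and an inbound access list, as an added example that is not part of any post above. The interface names, the 203.0.113.x addresses and ACL number 101 are assumptions, and PAT here overloads the outside interface address instead of a named pool.

```cisco
! Added example, constructed for illustration. Assumptions: Ethernet0 (WIC) is
! the outside interface, FastEthernet0 the inside; 203.0.113.x are placeholder
! public addresses. 192.168.7.0/24 and 192.168.7.6 are taken from the thread.
!
interface Ethernet0
 description OUTSIDE - crossover to the Adtran
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip nat outside
!
interface FastEthernet0
 description INSIDE - office LAN
 ip address 192.168.7.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT (overload): inside hosts matched by ACL 8 share the outside address.
access-list 8 permit 192.168.7.0 0.0.0.255
ip nat inside source list 8 interface Ethernet0 overload
!
! Static port mappings: only these three TCP ports reach the mail server.
ip nat inside source static tcp 192.168.7.6 25 interface Ethernet0 25
ip nat inside source static tcp 192.168.7.6 110 interface Ethernet0 110
ip nat inside source static tcp 192.168.7.6 443 interface Ethernet0 443
!
! Inbound filter on the outside interface. It is evaluated before NAT, so it
! matches the public address, not 192.168.7.6.
access-list 101 permit tcp any host 203.0.113.2 eq smtp
access-list 101 permit tcp any host 203.0.113.2 eq pop3
access-list 101 permit tcp any host 203.0.113.2 eq 443
! Return traffic for PAT'd users. A plain ACL is stateless: "established" only
! checks for ACK/RST, and UDP replies need explicit entries such as DNS below.
access-list 101 permit tcp any host 203.0.113.2 established
access-list 101 permit udp any eq domain host 203.0.113.2
access-list 101 permit icmp any host 203.0.113.2 echo-reply
access-list 101 permit icmp any host 203.0.113.2 unreachable
access-list 101 permit icmp any host 203.0.113.2 time-exceeded
access-list 101 deny ip any any log
!
! Checks after applying:
!   show ip nat translations
!   show ip nat statistics
!   show access-lists 101
```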
 