Newbie Questions

Barnacle

Hi, I am trying to change a Cisco 1720 configuration to allow access for an outside vendor to an application server that I just set up as a member server. The main server is Windows 2000 Standard. The router is running NAT. The vendor needs to connect from their IP of 62.91.27.100 (fake) to our IP of 209.145.11.9. They also need ports 1433 & 3389 open so they can do changes.

What lines do I need to add to the router configuration to make this happen? Also, do I need to do this at night when no one is on the internet at the company?

Thanks for your help!
 
You would need to post a configuration; there are several ways this could be set up. The solution will depend on the current configuration.
 
Looks like the 1720 has an access-list on its outside interface, doesn't it?
If yes, you have to add:

If 209.145.11.9 is your IP when going out (if you see it on ), you should make another static NAT for this server, let's say 209.145.11.8.
I think it's (not sure):

ip nat inside source static .... 209.145.11.8

And after that you should add permission in the access-list (this is sure):

access-list xxx permit tcp host 62.91.27.100 host 209.145.11.8 eq 1433
access-list xxx permit tcp host 62.91.27.100 host 209.145.11.8 eq 3389
 
Here is the config with the real IPs x'd out. The internal network uses the 192.68.10.xx IPs and a remote location is set up using 192.68.15.xx IPs. I didn't set up this network. I don't know why they didn't use the more common 192.168... Oh well!

*Running Config*

memory-size iomem 25
ip subnet-zero
no ip source-route
no ip domain-lookup
!
!
!
!
interface Serial0
description Serial 0
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial0.1 point-to-point
description connected to Internet
ip address 209.240.xx.xxx 255.255.255.252 secondary
ip address 10.255.x.x 255.255.255.252
no ip directed-broadcast
ip nat outside
no arp frame-relay
frame-relay interface-dlci 16 IETF
!
interface FastEthernet0
description connected to EthernetLAN
ip address 10.1.x.x 255.255.255.0 secondary
ip address 192.68.7.254 255.255.255.0
no ip directed-broadcast
ip nat inside
!
router rip
version 2
passive-interface Serial0.1
network 192.68.7.0
no auto-summary
!
ip nat pool companyname 10.x.x.x 10.x.x.254 netmask 255.255.255.0
ip nat inside source list 1 pool companyname overload
ip nat inside source static tcp 192.68.7.5 25 209.xxx.xx.xxx 25 extendable no-alias
ip nat inside source static tcp 192.68.7.5 110 209.xxx.xx.xxx 110 extendable no-alias
ip classless
ip route 0.0.0.0 0.0.0.0 10.255.1.5
ip route 192.68.10.0 255.255.255.0 192.68.7.1
ip route 192.68.15.0 255.255.255.0 192.68.7.1
no ip http server
!
access-list 1 permit 192.68.7.0 0.0.0.255
access-list 1 permit 192.68.15.0 0.0.0.255
access-list 1 permit 192.68.10.0 0.0.0.255
access-list 11 permit 192.68.7.0 0.0.0.255
snmp-server engineID local 0000000902000050730xxxxx
snmp-server community public RO
!
line con 0
exec-timeout 0 0
password 7 xxxxxxxxxxxxx
login
transport input none
line aux 0
line vty 0 4
access-class 11 in
password 7 xxxxxxxxxxxxxxxxxxx
login
!
end

Thanks for your help!
 
I'm confused as to why I would need another static NAT? Would I need to get another static IP from the ISP to do this? Couldn't I just use the existing outside IP?
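
An added example, not part of any post in this thread: a Python check for the point raised in the replies, namely whether the `ip nat outside` interface carries an inbound access-list. Without one, static NAT forwards such as 1433 and 3389 are not limited to the vendor's address. The sample config, its placeholder addresses, the inside host 192.68.7.9 and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample modeled on the config in the thread. Public addresses are
# documentation-range placeholders; the 1433/3389 forwards are assumed additions.
SAMPLE = """\
interface Serial0.1 point-to-point
 ip nat outside
!
interface FastEthernet0
 ip nat inside
!
ip nat inside source static tcp 192.68.7.9 1433 203.0.113.10 1433 extendable
ip nat inside source static tcp 192.68.7.9 3389 203.0.113.10 3389 extendable
snmp-server community public RO
"""

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)

def interfaces(config):
    """Map interface name -> sub-commands; a '!' line closes the block."""
    out, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
            out[current] = []
        elif line == "!":
            current = None
        elif current and line:
            out[current].append(line)
    return out

def audit(config):
    """Return findings; ACL contents are not evaluated, only their presence."""
    findings = []
    unfiltered = [name for name, cmds in interfaces(config).items()
                  if "ip nat outside" in cmds
                  and not any(re.fullmatch(r"ip access-group \S+ in", c) for c in cmds)]
    for proto, local, lport, glob, gport in STATIC_NAT.findall(config):
        for name in unfiltered:
            findings.append(f"{glob}:{gport}/{proto} -> {local}:{lport} "
                            f"open to any source (no inbound ACL on {name})")
    for m in re.finditer(r"^snmp-server community (public|private) (RO|RW)\b", config, re.M):
        findings.append(f"default SNMP community '{m.group(1)}' ({m.group(2)})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check only confirms that an inbound access-group exists on the outside interface; whether its entries actually restrict 1433 and 3389 to the vendor's host still has to be read from the access-list itself.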
 