
OK this should be simple 1


MChrisM

MIS
Dec 8, 2004
Ok --
I have two 1720s and a metro private line. I can ping between the two 1720s just fine; however, I would like to NAT some IPs to internal IPs at location 2.
What I mean is I want to set up a static NAT so I can connect to servers at location 2 from location 1.
Both location 1 and 2 have private IPs.
 
OK, I forgot this can be a static route to one server.
In other words, let's say my inside on eth1 of router 1 is 206.187.186.xxx and the outside (Serial1) is 67.64.194.xxx, and on the other router the outside is 63.208.48.xxx (serial2) and the inside (ether2) is 172.17.170.xxx. I really only want to allow any traffic to flow from 206.187. to the server IP at 172.17.170.250.
I hope this helps.
 
Why would you need NAT for this? If the routers are routing, then devices on either network should have access to devices on the other with no need for NAT.

Instead I'd create an ACL that says clients from the other side can't have access to anything except the server at 172.17.170.250, like:

access-list 101 permit ip any host 172.17.170.250
access-list 101 deny ip any any

Then on 63.208.48.xxx (serial2)

ip access-group 101 in

Am I missing something here? Are the devices not currently able to talk to each other? If not, I'd add static routes on both:

ip route 0.0.0.0 0.0.0.0 (external int)

and turn on ip routing

ip routing

and that should clean it all up.
 
OK --- Just bear with me; here is my config for router 1
(this is on a private T1):
!
version 12.1
service config
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DRX001
!
enable secret 5 xxxxxxxxxxxxxxxxxxx
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Serial0
description connected to CorporateNetwork
ip address 67.64.194.120 255.255.255.240
service-module t1 remote-alarm-enable
!
interface FastEthernet0
description connected to EthernetLAN
ip address 206.187.186.36 255.255.255.0
speed auto
full-duplex
!
router rip
version 2
passive-interface Serial0
network 206.187.186.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 172.17.170.0 255.255.255.0 FastEthernet0
no ip http server
!
snmp-server community xxxxx RO
snmp-server community xxxxxx RW
snmp-server location Home Office
snmp-server contact xxxxx,xxxxx,xxx
banner motd ^CWelcome to DRX001^C
!
line con 0
exec-timeout 0 0
password xxxxxx
login
line aux 0
line vty 0 4
password xxxxxx
login
!
no scheduler allocate
end


And here is my config for Router 2

!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DRX002
!
enable password 7 xxxxxxxxxxxx
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
!
!
interface Serial0
description connected to CorporateNetwork
ip address 63.208.48.121 255.255.255.128
service-module t1 remote-alarm-enable
!
interface FastEthernet0
description connected to EthernetLAN
ip address 172.17.170.36 255.255.0.0
speed auto
!
router rip
version 2
passive-interface Serial0
network 172.17.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
ip route 172.17.170.0 255.255.255.0 FastEthernet0
no ip http server
!
snmp-server community xxxxxxxxx
snmp-server community xxxxxxxx
snmp-server location xxxxxxx
snmp-server contact xxxxxxxxxx
!
line con 0
exec-timeout 0 0
password 7 121D54050A5A5C0A
login
transport input none
line aux 0
line vty 0 4
password 7 121D54050A5A5C0A
login
!
no scheduler allocate
end

So you are saying on router 2 to create an ACL:
access-list 101 permit ip any host 172.17.170.250
access-list 101 deny ip any any

Could I simply just do a

access-list 101 permit ip any any

(I know this would allow access to all of the hosts)

then on router 2 serial 2

ip access-group 101 in

Do I need to have an

ip access-group 101 out as well if I want two-way communication?? Or should I just duplicate my efforts on router 1??
And then the only static route I need on both routers is

ip route 0.0.0.0 0.0.0.0 (external int)

and I should be good to then come from 206.187.186.xxx
and route directly to 172.17.170.250 or another host without NATing the addresses???

Thanks for the help ---
 
Can you currently ping hosts on the 206.187.186.0 network from the 172.17.170.0 network? From your config it looks like you should be able to, so if your goal is to make it so hosts on the 206.187.186.0 network only have access to 172.17.170.250, then all you need is to log into the second router and config an access list with

access-list 101 permit ip any host 172.17.170.250
access-list 101 deny ip any any

Then go into the serial0 int and add

ip access-group 101 in

That should do it, if I'm understanding your desire correctly.

That's all you'll really need. You already have your default routes set for the serial interfaces. Unless you're looking to limit access from 172.17.170.0 to the other network, I wouldn't worry about any additional access lists.
 
I think what I am looking to do is really allow the
network at 206.187.186.xxx / 255.255.255.0 to access the network at 172.17.170.xx / 255.255.0.0 with any service, and vice versa.
 
Ok --
Here is what I did:

added the access-list 101

and permitted the access group in on the serial 0.
However, I cannot ping the 206 network from the 172 network (from the router). Do I need to set up the ICMP group on the 206 network to see the ping response back?
 
OK, I did this and I think I am on track; however, when I trace route I get

C:\Program Files\Windows Resource Kits\Tools>tracert 172.17.170.25

Tracing route to 172.17.170.250 over a maximum of 30 hops

1 <1 ms <1 ms <1 ms 206.187.186.36
2 63.208.48.121 reports: Destination net unreachable.

Trace complete.

C:\Program Files\Windows Resource Kits\Tools>
 
Adding this to the top of the access list will allow ping traversal:

permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any source-quench
permit icmp any any packet-too-big
permit icmp any any time-exceeded
deny icmp any any

But to be totally honest if you're just looking to hook the two sites together with no restriction, get rid of the access lists all together because your original config is all you needed.
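As an added example (not from the thread), here is a first-match simulation in Python of the numbered ACL discussed above, applied inbound on DRX002's Serial0. It shows why a ping the 172 side sends toward the 206 network gets no reply under the original two-line list (the echo-reply is not addressed to 172.17.170.250, so it hits the deny), and why the ICMP entries above fix that; the packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Rule tuple: (action, protocol, source, destination, icmp_type); None matches any ICMP type.
IMPLICIT_DENY = ("deny", "ip", "any", "any", None)

# The two-line list from the thread, applied with "ip access-group 101 in" on DRX002 Serial0.
ORIGINAL_ACL = [
    ("permit", "ip", "any", "host 172.17.170.250", None),
    ("deny", "ip", "any", "any", None),
]

# The same list with the ICMP entries from the later reply placed on top.
ICMP_FIXED_ACL = [
    ("permit", "icmp", "any", "any", "echo"),
    ("permit", "icmp", "any", "any", "echo-reply"),
    ("permit", "icmp", "any", "any", "source-quench"),
    ("permit", "icmp", "any", "any", "packet-too-big"),
    ("permit", "icmp", "any", "any", "time-exceeded"),
    ("deny", "icmp", "any", "any", None),
] + ORIGINAL_ACL

def _addr_match(spec, addr):
    """Match 'any', 'host A.B.C.D' or an 'A.B.C.D/len' prefix against an address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)

def evaluate(acl, proto, src, dst, icmp_type=None):
    """First matching entry wins, with IOS's implicit deny at the end; returns (action, rule)."""
    for rule in acl + [IMPLICIT_DENY]:
        action, r_proto, r_src, r_dst, r_type = rule
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_type is not None and r_type != icmp_type:
            continue
        if _addr_match(r_src, src) and _addr_match(r_dst, dst):
            return action, rule
    raise RuntimeError("unreachable: the implicit deny matches everything")

# Constructed packets arriving inbound on DRX002 Serial0 from the 206 side.
ECHO_TO_SERVER = ("icmp", "206.187.186.50", "172.17.170.250", "echo")
FTP_TO_SERVER = ("tcp", "206.187.186.50", "172.17.170.250", None)
FTP_TO_OTHER_HOST = ("tcp", "206.187.186.50", "172.17.170.205", None)
# Reply to a ping DRX002 itself sent out Serial0 (source 63.208.48.121) toward the 206 network.
ECHO_REPLY_TO_ROUTER = ("icmp", "206.187.186.50", "63.208.48.121", "echo-reply")
if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("with icmp", ICMP_FIXED_ACL)):
        print(name, [evaluate(acl, *p)[0] for p in (ECHO_TO_SERVER, FTP_TO_SERVER, FTP_TO_OTHER_HOST, ECHO_REPLY_TO_ROUTER)])
```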
 
Ok -- I really just want to connect via FTP and a sync utility to any server on the 172 network, and I was unable to get there using my original config (again, I appreciate the help). I was apparently missing something --- how could I just open it up to all TCP and FTP traffic at any port 0-65535?
It is only a dedicated line, so security is not really an issue.
 
Oh wow, okay, we've been all over the board with this, but now at least you've had some fun configuring an ACL. Just forget about all of that now.

I'm sorry, I thought you were asking something that you were not asking. For one, your configs are off: you have this line

ip route 172.17.170.0 255.255.255.0 FastEthernet0

on both configs, and it's not true on either router. Just take it out.

Take out all the access lists and all the access groups, and on each router type

ip routing

Then you should be able to get services across the link without problems.
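An added example (not from the thread) in Python: a longest-prefix lookup over DRX001's forwarding table as constructed from the posted config, showing where the stray `ip route 172.17.170.0 255.255.255.0 FastEthernet0` sends traffic for the remote LAN (out the local Ethernet, never across the T1) and what the lookup returns once that line is removed.

```python
from ipaddress import ip_address, ip_network

# DRX001's forwarding table as constructed from the posted config:
# two connected networks, the stray static route, and the default route via Serial0.
DRX001_ROUTES_AS_POSTED = [
    ("206.187.186.0/24", "FastEthernet0"),   # connected LAN (206.187.186.36/24)
    ("67.64.194.112/28", "Serial0"),         # connected T1 (67.64.194.120/28)
    ("172.17.170.0/24", "FastEthernet0"),    # "ip route 172.17.170.0 255.255.255.0 FastEthernet0"
    ("0.0.0.0/0", "Serial0"),                # "ip route 0.0.0.0 0.0.0.0 Serial0"
]

def lookup(routes, dst):
    """Longest-prefix match: the most specific route wins, whatever its position in the table."""
    addr = ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]

def without_stray_route(routes):
    """The table after "no ip route 172.17.170.0 255.255.255.0 FastEthernet0"."""
    return [r for r in routes if r[0] != "172.17.170.0/24"]

if __name__ == "__main__":
    fixed = without_stray_route(DRX001_ROUTES_AS_POSTED)
    for name, table in (("as posted", DRX001_ROUTES_AS_POSTED), ("stray route removed", fixed)):
        print(name, "172.17.170.205 ->", lookup(table, "172.17.170.205"))
```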

 
Ok --
I can ping the inside adapter on router 2 from router 1;
however, I cannot ping nor connect via FTP etc. to any IP behind router 2.

Config for router 1

Welcome to DRX001

User Access Verification

Password:
Password:
DRX001>ping 172.17.170.205

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.170.205, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
DRX001>show running-config
^
% Invalid input detected at '^' marker.

DRX001>en
Password:
DRX001#show running-config
Building configuration...

Current configuration : 1028 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DRX001
!
enable secret 5 $1$UrRb$uUPuvU02kAY4nIQPA96yG1
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip domain-lookup
!
!
!
!
interface Serial0
description connected to CorporateNetwork
ip address 67.64.194.120 255.255.255.240
service-module t1 remote-alarm-enable
!
interface FastEthernet0
description connected to EthernetLAN
ip address 206.187.186.36 255.255.255.0
speed auto
full-duplex
!
router rip
version 2
passive-interface Serial0
network 206.187.186.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
snmp-server community dirxion RO
snmp-server community dirxion! RW
snmp-server location Home Office
snmp-server contact xxxx,xxx,chrism@dirxion.com
banner motd ^CWelcome to DRX001^C
!
line con 0
exec-timeout 0 0
password d1rx10n
login
line aux 0
line vty 0 4
password d1rx10n
login
!
end

DRX001#


Config for Router 2



User Access Verification


Building configuration...

Current configuration : 982 bytes
!
version 12.1
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname DRX002
!
enable password 7 15165A1E1C7B7B2A69
!
!
!
!
!
memory-size iomem 25
ip subnet-zero
no ip finger
no ip domain-lookup
!
!
!
!
interface Serial0
description connected to CorporateNetwork
ip address 63.208.48.121 255.255.255.240
service-module t1 remote-alarm-enable
!
interface FastEthernet0
description connected to EthernetLAN
ip address 172.17.170.36 255.255.0.0
speed auto
!
router rip
version 2
passive-interface Serial0
network 172.17.0.0
no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0
no ip http server
!
snmp-server community dirxion RO
snmp-server community dirxion! RW
snmp-server location
snmp-server contact Chris
!
line con 0
exec-timeout 0 0
password 7 121D54050A5A5C0A
login
transport input none
line aux 0
line vty 0 4
password 7 121D54050A5A5C0A
login
!
end

Any ideas ??
 
I have your routes totally backwards, I'm sorry; I'm having a real hard time for some reason today. Change the default routes as follows:

router 1 to

ip route 0.0.0.0 0.0.0.0 67.64.194.121

And router 2 to

ip route 0.0.0.0 0.0.0.0 67.64.194.120

Take the old default route out, proceed to laugh at me for taking you around the world and giving bad advice. :(

 
Ok, just so I have it straight:

router 1

ip route 0.0.0.0 0.0.0.0 outside adapter of router 2

router 2

ip route 0.0.0.0 0.0.0.0 outside adapter of router 1

???? Hey, thanks for the help, I am really rusty ?????
 