
performing NAT on a single interface


bn43sbs

Technical User
Dec 10, 2002
Hi

I have a 2610 series router with a single ethernet interface. I've created a virtual interface called Loopback0 and used policy-based routing to perform NAT on a single physical interface. Cisco refers to this set-up as 'NAT on a stick'.

Here is my current config:

2610#show run
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 2610
!
enable secret 5 $1$AI/n$orcwq6w6GWCFizKtvRetI/
enable password ccnp
!
ip subnet-zero
no ip source-route
ip name-server 213.210.6.6
ip name-server 213.210.6.7
!
interface Loopback0
 ip address 10.0.1.1 255.255.255.252
 no ip directed-broadcast
 ip nat outside
!
interface Ethernet0/0
 ip address 10.0.0.1 255.255.255.0 secondary
 ip address 194.X.X.X 255.255.255.240
 no ip directed-broadcast
 ip nat inside
 ip policy route-map Nat-loop
!
interface Serial0/0
 no ip address
 no ip directed-broadcast
 no ip mroute-cache
 shutdown
!
router rip
 redistribute connected
 network 194.X.X.X
!
ip nat pool external 194.X.X.X 194.X.X.X netmask 255.255.255.240
ip nat inside source list 10 pool external overload

ip nat inside source static tcp 10.0.0.2 3389 194.X.X.X 3389 extendable
ip nat inside source static udp 10.0.0.2 3389 194.X.X.X 3389 extendable
ip nat inside source static 10.0.0.2 194.X.X.X
ip classless
ip route 0.0.0.0 0.0.0.0 194.X.X.X
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip any 194.X.X.X 0.0.0.255

access-list 177 permit icmp any any
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
route-map Nat-loop permit 10
 match ip address 102
 set ip next-hop 10.0.1.1
!
!
line con 0
 transport input none
line aux 0
line vty 0 4
 password xxxx
 login
!
end

I've tested the config from inside and outside the network and it works fine, but my problem is connecting to a Win2k server on the private network using terminal services on port 3389. I can ping the server's private address, which is 10.0.0.2, from the router and from its public address, which is 194.x.x.x, which is mapped to 10.0.0.2. I don't know if I need to add any more NAT statements to the router config or if I need to amend my ACLs. Can anyone identify why I can't connect to 10.0.0.2 on port 3389?

Thanks

Max

 
Could you explain more about your test?
If you use "ip nat inside source static 10.0.0.2 194.X.X.X" then you don't need the previous three commands. Try the simplest thing first and move up. Good luck!
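
The overlap between the static NAT entries that the reply points to can be checked mechanically. The Python below is an added example, not code from the thread: it assumes the masked 194.X.X.X addresses in the three static lines are the same global address (replaced here with documentation addresses), and the function names are hypothetical.

```python
from ipaddress import ip_address

# Constructed sample: the thread's static NAT lines, with the masked
# 194.X.X.X replaced by documentation addresses (an assumption), plus
# one extra port forward that has no one-to-one static behind it.
SAMPLE_CONFIG = """\
ip nat inside source list 10 pool external overload
ip nat inside source static tcp 10.0.0.2 3389 192.0.2.10 3389 extendable
ip nat inside source static udp 10.0.0.2 3389 192.0.2.10 3389 extendable
ip nat inside source static 10.0.0.2 192.0.2.10
ip nat inside source static tcp 10.0.0.3 80 192.0.2.11 8080 extendable
"""

PREFIX = ["ip", "nat", "inside", "source", "static"]


def parse_static_nat(config):
    """Split static NAT lines into one-to-one mappings and port forwards."""
    one_to_one, port_forwards = {}, []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:5] != PREFIX:
            continue
        args = [t for t in tokens[5:] if t != "extendable"]
        if len(args) == 2:  # static <inside-local> <inside-global>
            one_to_one[ip_address(args[0])] = ip_address(args[1])
        elif len(args) == 5 and args[0] in ("tcp", "udp"):
            proto, local, lport, glob, gport = args
            port_forwards.append((ip_address(local), int(lport),
                                  ip_address(glob), int(gport), line.strip()))
    return one_to_one, port_forwards


def redundant_port_forwards(config):
    """Port forwards already covered by a one-to-one static entry.

    A one-to-one static translates every port of the inside host unchanged,
    so a forward between the same address pair with equal ports adds nothing.
    """
    one_to_one, port_forwards = parse_static_nat(config)
    return [line for local, lport, glob, gport, line in port_forwards
            if one_to_one.get(local) == glob and lport == gport]


if __name__ == "__main__":
    for entry in redundant_port_forwards(SAMPLE_CONFIG):
        print("redundant:", entry)
```

Because the one-to-one entry publishes every port of the inside host on its global address, limiting access to 3389 alone has to be done with an ACL rather than with the NAT statements.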
