CISCO 861 NAT issues
Hello
I have a CISCO router 861, and here is the scenario that I want to achieve (in regard to the ISPS and NAT)
4 FastEthernet
Assign IP 89.45.204.117 255.255.255.248 (IP x.x.x.x-x.x.x.x)
Assign IP 89.45.202.117 255.255.255.240 (secondary x.x.x.x-x.x.x.x ip address)
VLan1 (dhcp server) 10.11.12.0 255.255.255.0 (fact)
I want to reach 2 tipes of NAT, as follows:
- translation of the external internship (if I'm using different IP addresses, I have)
- translation of external to internal-(donc je peux accéder à deles de machines privées locales dele de monde extérieur)
In CentOS iptables, (1) is something like this:
iptables-t nat - a POSTROUTING-s 10.11.12.20 o $EXTIF-j SNAT - 89.45.204.118 at the source
In CentOS iptables, (2) is something like this:
iptables-t nat - a PREROUTING Pei TCP d 89.45.204.117 - dport 80-j DNAT - to 10.11.12.70:80
As far as I understood, on a Cisco IOS, (2) is something like this:
IP nat inside source static tcp 10.11.12.70 80 89.45.204.117 80 extensible
I do not understand how to configure the number (1)...
The public IP address of FastEthernet 4 PS are setup with IP and ip address secodnary.
Thank you very much.
Hello Sebastian,.
Let me explain such NAT only implemented on Cisco devices from a different perspective - maybe that will clarify things.
All the translations that you must configure will be configured with the ip nat inside source command, regardless if the connection is initiated from inside or outside your network.
The ip nat inside source command is used to define a multitude of different behaviors of NAT:
- A static 1:1 mapping between the internal and external IP address (no ports). In this way, you essentially expose the entire station with the internal IP to the outside world using the external address configured. At any time, a connection can be started from the inside IP address (and it will be translated to the address that is configured on the outside), or a connection may be initiated at the external IP address (and it will be translated to the address configured on the inside). The map is 1:1 meaning that a single internal IP address must be mapped to a single outside IP address and an external IP address must be mapped to an internal IP address. In other words, you need as many outside IP addresses as internal IP addresses that you want to expose in this way. The syntax of the command is ip nat inside source static I.I.I.I O.O.O.O where I.I.I.I is inside O.O.O.O IP address is the external IP address.
- A static 1:1 mapping between an individual internal and external IP and port transport. The behavior is identical to that described in the previous type, with the significant difference that the translation only applies to traffic coming from the individual inside the IP/port combination, or for traffic destined to the individual outside the IP/port combination. This type of translation is configured using the ip nat inside source static {tcp | udp} I.I.I.I p O.O.O.O P where I.I.I.I and O.O.O.O are inside/outside of the IP addresses, p is inside the port and P is the external port. You can use the I.I.I.I and the O.O.O.O as long the translations are unique, i.e. the particular combination of p, or O.O.O.O, I.I.I.I, and P must never be used twice.
- A 1:1 mapping dynamic between a set of internal IP addresses and a pool of the same size (or larger) of the external IP addresses. What is this configuration is assigning each inside a particular outside the IP address IP address each time that a connection is initiated from the inside IP address. This mapping exists for a limited period of time and expires at the end of the inside address IP interrupts the communication with the outside world. Therefore, for a long period of time, one inside the IP may get translated addresses to different outside intellectual property, there is therefore no mapping 1:1 fixed between inside and outside addresses. The mapping is only temporary and changes over time. Connections to the external IP address only succeed if there is that a mapping created for this outside the IP, otherwise they do not. I don't know if you want to set up this kind of behavior NAT, so I'm not including an example configuration now. If you want that your NAT is behaving this way, let me know.
- A M:1 dynamic mapping between a set of internal IP addresses and a smaller pool of external IP addresses. It is basically the type of NAT Linux behaviour typical SNAT-j when to hide multiple internal IP addresses under one outside the IP address using the address and the port of rewriting. A special case of this configuration is NATting to the external IP address configured on an interface, similar to the MASQUERADE target in Linux.
Types 1. and 2. in this description do not apply to ACLs because they are static, meaning that they perfectly define the inside and the outside address already. However, the dynamic mappings in step 3. and 4. above must use an ACL to specify which traffic should be translated. If, therefore, using maps dynamic, it is mandatory to create an ACL that selects the traffic to be handled by the dynamic NAT, and Moreover, this ACL must exempt explicitly traffic already managed by static to be also managed by this dynamic otherwise NAT. NAT entries, this traffic could in circumstances poorly translated.
What you have said, I think you want to go with the types of NAT 1 configuration. and 2. as described earlier in this post. Would this be what you're looking for?
Best regards
Peter
Tags: Cisco Network
Similar Questions
-
Cisco 861 DHCP + public static IPs + NAT/DNAT. Help.
Hello
I used to use a server of self-made CentOS for intranet for my small office, but I have bouth a few days ago a router Cisco 861 to replace the linux machine.
My needs:
1. I have 2 public classes of IP from my ISP. 1 class is limitted 80mbit upload, the other to 30mbit upload. So I need some sort of DNAT to be able to know exactly what intranet computer uses internet great and including a single internet limitted.
2. I need DHCP server with static IP addresses (a computer must always have the same IP address, etc)... I have my needs for this.
3. also I need external access to certain servers on the inside (web, ftp, etc.)
Parameters:
(Dhcp) intranet: 10.11.12.x 255.255.255.0)
1 public Internet: 89.45.204.118 255.255.255.248 (89.45.204.117 as gateway)
Public Internet 2: some other class in the same IP (assume 89.45.204.58/24 for example)
DNS: 89.45.200.1
So far so good, everything seems simple and I can do this in 2 hours on a centos linux box (correct roads, active ip Routing and some rules for NAT/SNAT/DNAT iptables).
But on this new router of Centos... Well, I am not yet able to ping the outside world, nor inside world I'm tired reading the forums, documentation... I want (at the beginning) to a simple scenario: vlan + dhcp, SEA4 with 1 public ip address and ACCESS to the real world. I was not able to reach even not that much.
OK, first of all, here is a copy of the running configuration:
Building configuration...
Current configuration: 5826 bytes
version 15.1
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname cisco861
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 [out-of-context]
activate the password [out-of-context]
!
No aaa new-model
iomem 10 memory size
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-2459631067
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2459631067
revocation checking no
rsakeypair TP-self-signed-2459631067
!
!
TP-self-signed-2459631067 crypto pki certificate chain
certificate self-signed 01
[deleted-of-context]
quit smoking
IP source-route
!
!
DHCP excluded-address IP 10.11.12.1
DHCP excluded-address IP 10.11.12.251 10.11.12.254
!
IP dhcp pool cisco861-iasi
import all
Network 10.11.12.0 255.255.255.0
domain cisco861.iasi
DNS-server 10.11.12.1 89.45.200.1
router by default - 10.11.12.1
-NetBIOS 10.11.12.2 name server 10.11.12.3
!
IP dhcp pool testPC
the host 10.11.12.111 255.255.255.0
0100.c030.1012.09 client identifier
testpc-01 customer name
!
!
IP cef
IP domain name cisco861.iasi
name of the IP-server 89.45.200.1
!
!
license udi pid CISCO861-K9 sn [out-of-context]
!
!
username admin secret of privilege 15 4 [removed-of-context]
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
external description $ ETH - LAN$
IP 89.45.204.118 255.255.255.248
NAT outside IP
IP virtual-reassembly in
full duplex
automatic speed
!
interface Vlan1
Description $ETH - SW - LAUNCH, INTF-INFO-HWIC $$ $4ESW
10.11.12.1 IP address 255.255.255.0
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
overload of IP nat inside source list 23 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 89.45.204.117
!
access-list 23 permit 10.11.12.0 0.0.0.255
Dialer-list 1 ip protocol allow
SNMP-Server RO community cisco861.Iasi
!
Line con 0
local connection
line to 0
line vty 0 4
access-class 23 in
privilege level 15
password [out-of-context]
local connection
transport input telnet ssh
!
end
(I couldn't find any CODE or a QUOTE as on other forums... so I tried to indent the config for you guys)
In addition, here are a few troubleshooting commands I used, maybe they can help some of know you what is the problem
cisco861 #show ip interface brief
Interface IP-Address OK? Method status Prot
Commissioner of official languages
FastEthernet0 unassigned YES unset upward, upward
FastEthernet1 unassigned YES unset down down
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset down down
FastEthernet4 89.45.204.118 YES manual up up
NVI0 89.45.204.118 YES unset upward, upward
Vlan1 10.11.12.1 YES manual up up
cisco861 #show mac-address-table
Port of destination address Destination address Type VLAN
------------------- ------------ ---- --------------------
dynamic xxxx.xxxx.xxxx 1 FastEthernet0
XXXX.xxxx.xxxx Self 1 Vlan1
ODD: it has no mac address for the connected FastEthernet 4. How comes? I changed 3 cables. All cables are OK.
cisco861 #show ip route
Code: L - local, C - connected, S - static, mobile R - RIP, M-, B - BGP
D - EIGRP, OSPF, IA - external EIGRP, O - EX - OSPF inter zone
N1 - type external OSPF NSSA 1, N2 - type external OSPF NSSA 2
E1 - OSPF external type 1, E2 - external OSPF of type 2
i - IS - Su - summary IS, L1 - IS - IS level 1, L2 - IS level - 2
-IS inter area, * - candidate failure, U - static route by user
o - ODR, P - periodic downloaded route static, H - PNDH, l - LISP
+ - replicated road, % - next hop override
Gateway of last resort is 89.45.204.117 to network 0.0.0.0
S * 0.0.0.0/0 [1/0] via 89.45.204.117
10.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks
C 10.11.12.0/24 is directly connected, Vlan1
L 10.11.12.1/32 is directly connected, Vlan1
89.0.0.0/8 is variably divided into subnets, 2 subnets, 2 masks
C 89.45.204.117/29 is directly connected, FastEthernet4
L 89.45.204.118/32 is directly connected, FastEthernet4
#show FastEthernet 4 router interfaces
FastEthernet4 is up, line protocol is up
Material is PQII_PRO_UEC, the address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
Description: external$ ETH - LAN$
The Internet address is 89.45.204.118/29
MTU 1500 bytes, BW 100000 Kbit/s, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
KeepAlive set (10 sec)
Full-duplex, 100 MB/s, 100BaseTX/FX
Type of the ARP: ARPA, ARP Timeout 04:00
Last entry at 00:02:54, 00:00:00 exit, exit hang never
Final cleaning of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 0
Strategy of queues: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bps, 0 packets/s
5 minute output rate 0 bps, 0 packets/s
28 sachets of entrance, 3909 bytes
Received 14 emissions (0 of IP multicasts)
0 Runts, 0 giants, 0 shifters
entry 0, 0 CRC errors, frame 0, saturation 0, 0 ignored
Guard Dog 0
entry packets 0 with condition of dribble detected
output of 110 packages, 25366 bytes, 0 underruns
0 output errors, 0 collisions, 3 interface resets
unknown protocol 0 drops
0 babbles, collision end 0, 0 deferred
1 lost carrier, 0 no carrier
output buffer, the output buffers 0 permuted 0 failures
interfaces of router #show vlan 1
Vlan1 is up, line protocol is up
Material is EtherSVI, the address is xxxx.xxxx.xxxx (bia xxxx.xxxx.xxxx)
Description: $ETH - SW - LAUNCH$ $INTF - INFO - HWIC-$4ESW
The Internet address is 10.11.12.1/24
MTU 1500 bytes, BW 100000 Kbit/s, DLY 100 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation ARPA, loopback not set
KeepAlive not supported
Type of the ARP: ARPA, ARP Timeout 04:00
Last entry of 00:00:06, output ever, blocking exit ever
Final cleaning of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/dumps); Total output drops: 0
Strategy of queues: fifo
Output queue: 0/40 (size/max)
5 minute input rate 0 bps, 0 packets/s
5 minute output rate 0 bps, 0 packets/s
packets of 512, 53381 bytes, 0 no buffer entry
Received 185 broadcasts (0 of IP multicasts)
0 Runts, 0 giants, 0 shifters
entry 0, 0 CRC errors, frame 0, saturation 0, 0 ignored
exit 180 packages, 13248 bytes, 0 underruns
output 0 error, 1 interface resets
unknown protocol 0 drops
output buffer, the output buffers 0 permuted 0 failures
Also, I tried other combinations, as follows
- IP route static inter-vfr
- IP default-gateway 89.45.204.117 (ofc combined with no ip Routing). I can ping 8.8.8.8 in this scenario, but not other IP addresses. WTF?
- network default IP 89.45.204.117 (the bridge) - nothing
- 89.45.204.118 default IP network - bothing
- IP route 0.0.0.0 0.0.0.0 FastEthernet 4 (with or without 89.45.204.117, with or without permanent keyword)
Please, have mercy and help me.
P.S. I've also attached the configuration and troubleshooting files if it will be easier for you to follow this path.
A big thank you and God bless you!
Hello
IP nat inside source static 10.11.12.33 89.45.204.120 (host - to - host)
IP nat inside source static tcp 10.11.12.33 80 89.45.204.120 80 (port translation host-to - host)
RES
Paul
Please don't forget to rate this post if it has been helpful.
-
Cisco 861 ezVPN license remote problem
I bought a new Cisco 861 SRI with safety advanced on this subject.
When I look in the Dashboad license in Cisco Configuration professional it tells me I have advsecurity licenses with deployment status 'Deployed' function and the State 'active, in use '.
But when I want to configure any type of VPN I get the following error message:
License of technology (advsecurity) associated with this feature is not deployed on this router. Use the link below to deploy the technology license.
When I click the link I find myself in the dashboard to license again.
I Don t have another file license and advanced security features should be sufficient for VPN. At least that's what
http://www.Cisco.com/en/us/prod/collateral/routers/ps380/data_sheet_c78_461543.html said.
What should I do to be able to configure the VPN?
Thankx a lot for any help
Dirk
What version of CCP do you use? I see a few other customer cases with this error and it looks like there may be a problem with CCP 2.5. Customers who use 2.3 CCP do not see this error when applying the license through the user interface.
Todd
-
Static Nat issue unable to resolve everything tried.
Hello
I have a cisco asa 5515 with asa worm 9.4.1 and asdm 7.4
I have problem with configuring static nat, I have a server inside which ip is 172.16.1.85 and
my external interface is configured with a static ip address.
Internet works fine but cannot configure static nat...
Here's my config running if please check and let me know what Miss me...
Thank you
ASA release 9.4 (1)
!
ciscoasa hostnamenames of
!
interface GigabitEthernet0/0
nameif outside
security-level 0
IP 151.253.97.182 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
!
interface GigabitEthernet0/2
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/3
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/4
Shutdown
No nameif
no level of security
no ip address
!
interface GigabitEthernet0/5
Shutdown
No nameif
no level of security
no ip address
!
interface Management0/0
management only
nameif management
security-level 100
IP 192.168.1.1 255.255.255.0
!
boot system Disk0: / asa941-smp - k8.bin
passive FTP mode
object remote desktop service
source eq 3389 destination eq 3389 tcp service
Description remote desktop
network of the RDP_SERVER object
Home 172.16.1.85
outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER
pager lines 24
asdm of logging of information
Outside 1500 MTU
Within 1500 MTU
management of MTU 1500
no failover
no monitor-service-interface module of
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 743.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
!
network of the RDP_SERVER object
NAT (inside, outside) interface static service tcp 3389 3389
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in in interface outside
Route outside 0.0.0.0 0.0.0.0 151.253.97.177 1
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
identity of the user by default-domain LOCAL
Enable http server
http server idle-timeout 50
http 192.168.1.0 255.255.255.0 managementTelnet 192.168.1.0 255.255.255.0 management
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 management
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0
VPDN username bricks12 password * local store
management of 192.168.1.2 - dhcpd address 192.168.1.254
enable dhcpd management
!
a basic threat threat detection
Statistics-list of access threat detection
no statistical threat detection tcp-interception
dynamic-access-policy-registration DfltAccessPolicy
username, password imran guVrfhrJftPA/rQZ encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
anonymous reporting remote callciscoasa #.
Hello
Change this ACL: -.
outside_access_in list extended access allow desktop remotely any4 object RDP_SERVER
TO
outside_access_in list extended access allowed object RDP_SERVER eq any4 tcp 3389
Thank you and best regards,
Maryse Amrodia
-
I am trying to configure a cisco 850 router but I can't do a ping to the outside world of Vlan1.
show running-config
Looks followCurrent configuration : 5563 bytes!! Last configuration change at 15:33:02 UTC Sat Aug 13 2016 by ciscoversion 15.2no service padservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname fw2.myfw.tld!boot-start-markerboot-end-marker!!logging buffered 51200 warnings!aaa new-model!!!!!!!aaa session-id commonwan mode ethernet!!!ip dhcp excluded-address 10.10.10.1ip dhcp excluded-address 192.168.1.1ip dhcp excluded-address 129.x.x.5!ip dhcp pool ccp-pool import all network 192.168.1.0 255.255.255.0 dns-server 8.8.8.8 8.8.4.4 default-router 192.168.1.1 lease 0 2! ! ! ip domain name mydomain.tldip name-server 8.8.8.8ip name-server 8.8.4.4ip cef no ipv6 cef! ! ! ! crypto pki trustpoint TP-self-signed-1017650632 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-1017650632 revocation-check none rsakeypair TP-self-signed-1017650632! ! crypto pki certificate chain TP-self-signed-1017650632 certificate self-signed 01 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 31303137 36353036 3332301E 170D3135 30343037 31303536 30375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30313736 35303633 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 81008B15 A50BCE53 C1A10611 78247737 97E31A5D 653AF401 024B244B F96B48E0 0A1B41EE 16FBFDD1 46F2E1E2 1329D2C6 EEFBCF5B 217DE650 7D2729B0 266008F3 AC4565EA 53D7FA5B 35761F14 6FBDCFAC 24994667 CB0311A9 7FE25580 7D9564C3 BFE10A4A F5F57C4F C4E18EC9 19874BCA 03127F56 252D04B8 9465A23F FBB9045B D9EF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 551D2304 18301680 146EAE54 B0C95DC2 0561F596 BC47E94B EF80617E F9301D06 03551D0E 04160414 6EAE54B0 C95DC205 61F596BC 47E94BEF 80617EF9 300D0609 2A864886 F70D0101 05050003 81810014 F5B63E51 AD80D4A0 3230E94D 3D1BE457 5D7CF78D 3C911F32 C7238D24 4A8C84D5 D5D4F744 EA2FFD5C 4A40E7A1 A517BFE3 10CC6078 5F446A15 F60EA41E 08C688AF A7834485 0991C739 F3CA38FE CFAA31E2 C72031C1 BAEFA756 719E4903 705C98A7 E20CB004 6FC82D22 D4E62E0C DBA54481 F6A68B3D AA905352 DD76B19F CD4190 quit! ! username cisco password 0 somepasswordusername admin privilege 15 secret 5 $1$JJZR$kw8yTTHkjUGKIfB8sQiyJ0! ! controller VDSL 0 shutdown ! ip telnet source-interface Vlan1ip ssh port 2222 rotary 1ip ssh source-interface Vlan1ip ssh rsa keypair-name 1024! ! ! ! ! ! ! ! ! ! ! ! interface ATM0 no ip address shutdown no atm ilmi-keepalive! interface Ethernet0 no ip address shutdown ! interface FastEthernet0 no ip address! interface FastEthernet1 no ip address! interface FastEthernet2 no ip address! interface FastEthernet3 no ip address! interface GigabitEthernet0 no ip address! interface GigabitEthernet1 description PrimaryWANDesc_WAN interface ip address 129.x.x.5 255.255.255.0 duplex auto speed auto! interface Vlan1 description $ETH_LAN$ ip address 192.168.1.1 255.255.255.0 ip helper-address 192.168.1.254 ip nat inside ip virtual-reassembly in ip tcp adjust-mss 1412! ip forward-protocol ndip http serverip http access-class 23ip http authentication localip http secure-serverip http timeout-policy idle 60 life 86400 requests 10000! ! ip dns serverip nat inside source list nat-list interface GigabitEthernet1 overloadip route 0.0.0.0 0.0.0.0 GigabitEthernet1! mac-address-table aging-time 15no cdp run! ! ! banner exec ^C% Password expiration warning.----------------------------------------------------------------------- Cisco Configuration Professional (Cisco CP) is installed on this device and it provides the default username "cisco" for one-time use. If you have already used the username "cisco" to login to the router and your IOS image supports the "one-time" user option, then this username has already expired. You will not be able to login to the router with this username after you exit this session. It is strongly suggested that you create a new username with a privilege level of 15 using the following command. username <myuser> privilege 15 secret 0 <mypassword> Replace <myuser> and <mypassword> with the username and password you want to use. -----------------------------------------------------------------------^C banner login ^C-----------------------------------------------------------------------Cisco Configuration Professional (Cisco CP) is installed on this device. This feature requires the one-time use of the username "cisco" with the password "cisco". These default credentials have a privilege level of 15. YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN CREDENTIALS Here are the Cisco IOS commands. username <myuser> privilege 15 secret 0 <mypassword>no username cisco Replace <myuser> and <mypassword> with the username and password you want to use. IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF. For more information about Cisco CP please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp -----------------------------------------------------------------------^C ! line con 0 no modem enableline aux 0line vty 0 4 access-class 23 in privilege level 15 transport input telnet ssh! scheduler allocate 60000 1000! end
I am connected via the port console of the router and can ping the outside world only from port GigaEthernet1 whose IP address
129.x.x.5
Clients that connect on VLan1 get IP addresses in the range of
192.168.1.0/24
and these clients can ping each other, the gateway that is192.168.1.1
and the GigaEthernet1 that has the intellectual property129.x.x.5
What's not in this case? Any suggestion is appreciated the most.
@[email protected] / * /;
Thanks for your post. I had a look at your configuration, and it is great that you are a few short steps on your NAT is why it does not work. Please follow the steps below in order to get this work properly.
1. first of all, let us remove the old configuration NAT then back to a clean slate with the following commands.
no ip nat inside source list nat-list interface GigabitEthernet1 overloadclear ip nat translation *
2. now, we will create a list of access control allows for NAT traffic and create the new NAT statement for that tie together. * NOTE: If the version of IOS, you are running requires mask rather than generic then change 0.0.0.255 to 255.255.255.0.
access-list 100 permit ip 192.168.1.0 0.0.0.255 anyip nat inside source list 100 interface GigabitEthernet1 overload
3. the next step is to specify the logical role of the interfaces in question, whether they are 'inside' or ' outside'.
interface vlan1 ip nat inside exitinterface GigabitEthernet1 ip nat outside exit
4. Finally, save us the configuration and reload.
copy run startreload
After the unit is returned as a result of charging, please try again. In some cases - depending on the version of the IOS, you have to ping the outside world from a computer on the local network rather than just sourcing of the interface VLAN. Try this back and forth, and let me know how get you there. I can't wait to hear back.
Kind regards
Luke Oxley
Please evaluate the useful messages and mark the correct answers.
-
Cisco 892 NAT or routing support for VoIP
I have some experience with Cisco switches, but not with routers. I'm trying to connect to a network of small intrenal at the port of FastEthernet8 and the WAN connected to Gigabit 0. I was able to configure DHCP for the internal network, but have been several days trying to find a way so that it can route all traffic through the WAN interface. I enclose below my current setup. Any help would be greatly appeciated.
Current configuration: 1542 bytes
!
! Last modification of the configuration to 00:15:51 UTC Sunday, August 24, 2014
!
version 15.0
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname sgivoip
!
boot-start-marker
boot-end-marker
!!
No aaa new-model
!
!
!
!
!
IP source-route
!
!
DHCP excluded-address IP 192.168.11.1 192.168.11.30
!
IP dhcp pool insideDHCP
network 192.168.11.0 255.255.255.0
router by default - 192.168.54.202
DNS-server 167.206.112.138 167.206.7.4
!
!
IP cef
No ipv6 cef
!
!
Authenticated MultiLink bundle-name Panel
license udi pid CISCO892-K9 sn FGL1710231R
!
!
!
!
!
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
Shutdown
Multidrop ISDN endpoint
ISDN point - to point-setup
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
Shutdown
!
!
interface FastEthernet3
Shutdown
!
!
interface FastEthernet4
Shutdown
!
!
interface FastEthernet5
Shutdown
!
!
FastEthernet6 interface
Shutdown
!
!
interface FastEthernet7
Shutdown
!
!
interface FastEthernet8
192.168.11.1 IP address 255.255.255.0
full duplex
automatic speed
!
!
interface GigabitEthernet0
DHCP IP address
automatic duplex
automatic speed
!
!
interface Vlan1
no ip address
Shutdown
!
!
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
!
Dialer-list 1 ip protocol allow
!
!
!
!
!
!
control plan
!
!
!
Line con 0
line to 0
line vty 0 4
password *.
opening of session
!
max-task-time 5000 Planner
endI'm trying to figure out what makes the default entry of the 192.168.54.202 router in your DHCP pool? It usually comes to 192.168.11.1 or whatever you want your router to be. You need to add the following commands:
interface F8
IP nat inside
interface G0
NAT outside IP
IP access-list standard NAT
permit 192.168.11.0 0.0.0.255IP nat inside source list NAT interface G0 overload
That should do it. If you have any other questions, I would recommend turning off your modem cable for a few minutes and then turn power on and then turn your router. To see if you have received an IP address, you can run a show ip interface brief and next to G0, you should see an external IP address.
-
Just upgraded my ASA 5510 of 8.2 (1) 8.4 (4) 1. Well, everything seems to work with one big exception.
NAT statements I had previously remained in force and even seem to reproduce in some cases.
Now, my question is I've set up a DMZ (security 50) interface and requiring a few servers to connect to the inside interface (Security 100). I created the necessary NAT statements within the ASDM to allow the DMZ servers to connect to a single inside the server. However, all the servers in the DMZ can still ping and connect to ALL inside servers.
An easy way to limit it? I try to limit the number of servers on the internal network that can access the demilitarized zone, but it seems that the DMZ has free rein at the present time.
Am happy to post my configs. I opened a case of TAC, but this firewall is still so new, the assistance contract has not yet been addressed by Cisco.
Thanks in advance.
I'll look when get home, but it is a quick answer.
If 192.168.1.0/24 is DNZ and 10.1.1.0/24 is inside
! - can only accommodate 192.168.1.40 DMZ host centimeters inside the network 10.1.1.25
dmz_access_in ip 192.168.1.40 host access list permit 10.1.1.25
! - deny everthing else inside the network
dmz_access_in list access deny ip 192.168.1.0 255.255.255.255 10.1.1.0 255.255.255.0
! - allow access to internet of the DNZ
dmz_access_in 192.168.1.0 ip access list allow 255.255.255.255 anySamuel Petrescu
-
Hello
I have a VPN link side hub (3660 router) beside remote (2651 router). This link is in place, and works very well. On the side of the hub, I have a few available public ip addresses which I would like to map to remote servers side behind the 2651 router. Is it possible to do it and how? Thanks in advance.
Hello
Yes it is possible.
If you want servers on the side of 2651 to serve customers on internet, you will first need to certainly do one of two things:
(1) on the remote site servers must have a default route that goes through the VPN to the side of hub
(2) or you can use bidirectional NAT to allow customers to the internet seem to come from a routable specified segment that is then routed from the remote on the hub.
It is easier to use option 1), but cannot change the default route to use VPN, you use the option 2) with its potential drawbacks.
Here is a link to the NAT of CDC support page which has many examples:
http://www.Cisco.com/en/us/Tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html
Here is a link to a 'beginners guide' for NAT:
http://www.Cisco.com/en/us/Tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic6
Bidirectional NAT is to use an inside address global pool (your available public addresses) and an outdoor pool local (the pool of addresses that all clients on the internet would be hidden behind) like this:
On the side of the hub:
! Configure the NAT outside (inet-clients to a routable subnet mapping)
INET-customers of pool nat IP 192.168.0.1 192.168.127.255 netmask 255.255.128.0
the IP nat outside source 1 nat pool inet-clients list
access-list 1 permit one
! The Interior of the configuration NAT (mapping of the public to the internal IP address)
IP nat inside source 10.10.10.1 static 192.0.2.1
IP nat inside source 10.10.10.2 static 192.0.2.2
IP nat inside source static 10.10.10.3 192.0.2.3
Where the 10.10.10.x network is your remote control-side and 192.0.2.x addresses are your public IP addresses. I used half of the block 192.168.0.0/16 inet-clients, but you can change it at will of course...
On the remote site:
!
Route IP 192.168.0.0 255.255.128.0 x.x.x.x
!
Where the x.x.x.x is the jump after VPN tunnel, or you need to use an ACL if you use split tunnel, or something else... :)
Did she help?
-
My XBOX 360 Live connection was working fine a few days ago. Now, I can't join parties or cats. I was told that this is a NAT problem. No one knows how to fix? I have a WRT54G.
Who is your Internet service provider... ?
Try to reduce the MTU to 1365 and click on the 'Administration' tab and disable the UPnP option and click on save settings... Now, check the connection.
If this does not resolve the problem then try to update firmware of the router.
-
GANYMEDE + with 3560 cisco switch configuration issue
Hi Forum,
Here's my setup GANYMEDE + on my cisco 3560 switch and my question is, how can I configure the switch, if I would not type enable after I put the user name and password? with configs below, users will need to type activate whenever they connect to the switch in order to enter the user exec mode. Please let me know if there is something missing in my configs to help me avoid typing 'enable '.
Thanks in advance,
MacBookAir: ~ MacBook$ ssh [email protected]/ * /.
Password:
Switch > en
Switch #show run | include the aaa
AAA new-model
AAA server Ganymede group + mpcc
AAA authentication login default group Ganymede + local
activate the default AAA authentication no
AAA authorization exec default group Ganymede + authenticated if
AAA authorization commands 1 default group Ganymede + authenticated if
AAA authorization commands 15 default group Ganymede + authenticated if
start-stop radius group AAA accounting dot1x default
AAA accounting exec default start-stop Ganymede group.
orders accounting AAA 1 by default start-stop Ganymede group.
orders accounting AAA 15 by default start-stop Ganymede group.
AAA accounting system default start-stop Ganymede group.
AAA server RADIUS Dynamics-author
AAA - the id of the joint session
Switch #.
Hello
Add the level of privilege 15 control VTY line configuration.
line vty 0 4 [..] privilege level 15 !
Concerning
-
Cisco vWLC and issue of ISE Central Web Authetication
Hello!
I have a problem with a central Web authentication wireless. CWA woking fine wired.
My APs woking FlexConnect mode with local switching. When I connect to the WLAN with CWA, web page with the portal asked to not open, but I see, this redirection works...
When I try to ping ISE and have an odd result:
[email protected]/ * /: ~ $ ping 10.10.2.47
PING 10.10.2.47 (10.10.2.47) 56 (84) bytes of data.
64 bytes from 10.10.2.47: icmp_seq = 5 ttl = 63 times = 1.45 ms
64 bytes from 10.10.2.47: icmp_seq = 8 ttl = 63 times = 2.22 ms
64 bytes from 10.10.2.47: icmp_seq = 10 ttl = 63 times = 1.43 ms
^ C
-10.10.2.47 - ping statistics
21 packets transmitted, received 3, 85% packet loss, time 20106ms
RTT min/avg/max/leg = 1.430/1.703/2.223/0.367 ms
When I change the WIFI open network security or any other method, ping to ISE work very well. Help, please!
Web Auth (CWA) Centre works different controllers/APs works in mode FlexConnect. Please consult this guide and check if you have a similar setup.
If so, please post screenshots with your configs (ACL redirect, political in ISE and WLC SSD settings).
In addition, the version of the code you run in your controller and ISE.
Thank you for evaluating useful messages!
-
ASA Configuration of VPN Site to Site - NAT issues
Greetings,
I am responsible to configure a VPN connection from site to site to a business partner in which I want to firstly NAT to my internal IP to a public IP address and then send it through the tunnel, and vice versa when they try to access my servers I want to get to them through the external IP address. Here's what I think I do, but I was wondering what were the thoughts of the community.
All of the IP addresses represented below are fictitious.
Internal servers Public IP address
10.50.220.150 208.180.170.182
10.50.220.151 208.180.170.183
10.50.220.152 208.180.170.184
Local peer IP: 208.180.254.29
Distance from peer IP: 207.190.218.31
Local network: 208.180.170.0/24
Remote network: 207.190.239.0/24
From my understanding, NAT occur before being sent to a tunnel, or to the internet, etc, so the configuration that I think I need is the following:
NAT (inside) 0 access-list sheep
NAT (inside) 2 10.50.220.150
NAT (inside) 3 10.50.220.151
NAT (inside) 4 10.50.220.152
Global 2 208.180.170.182 (outside)
overall 3 208.180.170.183 (outside)
Global 4 208.180.170.184 (outside)
IP 208.180.170.0 allow Access-list extended sheep 255.255.255.0 207.190.239.0 255.255.255.0 (do I still need this since coordinated to a public IP address still?)
access-list s2s client scope ip 208.180.170.0 allow 255.255.255.0 207.190.239.0 255.255.255.0
Route outside 207.190.239.0 255.255.255.0 207.190.218.31
card crypto off peers set 1 207.190.218.31
Crypto card outside 1 correspondence address s2s-customer
[... rest of the configuration failed..]
That look / her right? If this isn't the case, please advise.
Thank you.
Yes.
PAT (nat/global) will take care of outgoing and static traffic will take care of incoming traffic.
You can create political NAT as well to handle this traffic.
Federico.
-
VPN / Natting issue - connectivity to 3rd Party Partner Site
Hello
I received a request to provide a connectivity solution between our private server 10.102.x.y and a3rd advantage partner server. 10.247.x.y solution of VPN site to site. I want to hide our real IP of 10.102.x.y and replace 10.160.x.y (using Natting).
The configuration is the following:
3rd party partner server->
3rd party ASA FW-> Tunnel VPN IPSec Internet-> Our ASA FW-> Our server private 10.247.x.y 10.102.x.y private IP
NAT'd IP10.160.xy
My dogs entered so far (still awaiting 3rd party to set up their ASA)
name 10.160.x.y OurNat'dServer
crypto ISAKMP policy 6
preshared authentication
aes-256 encryption
sha hash
Group 5
lifetime 28800Crypto ipsec transform-set 3rd Party esp-aes-256 esp-sha-hmac
3rd party ip host 10.160.x.y host 10.247.x.y allowed extended access list
tunnel-group 80.x.x.x type ipsec-l2l
80.x.x.x group of tunnel ipsec-attributes
pre-shared key xxxxxxxxxfootball match 117 card crypto vpnmap address 3rd party
card crypto vpnmap 117 counterpart set 80.x.x.x
card crypto vpnmap 117 the transform-set 3rd Party value
public static 10.160.x.y (Interior, exterior) 10.102.x.y netmask 255.255.255.255
The config goes to meet my requirements and the solution envisaged, or is my inaccurate understanding?
Any help on this would be appreciated.
Thanks in advance,
Select this option.
Hello
Who will break actually internet traffic with this server because the external address that is sent over the internet is considered to be a 10.160.x.y. In the past, I did something like this:
public static 10.160.x.y (Interior, exterior), list-dest-3rdParty access policy
policy-dest-3rdParty of the ip host 10.102.x.y host 10.247.x.y allowed extended access list
Who will ONLY perform NAT traffic on this server if traffic is coming from the 10.247.x.y.
-
Cannot add a device Cisco IOS - development issue?
I try to add a router IOS (as a platform) my Hyperic (3.2.1) resources and I kept getting this error (see the following stack trace).
=============================================================
java.lang.NullPointerException at
org.hyperic.hq.ui.action.resource.platform.inventory.NewPlatformAction.execute(NewPlatformAction.java:108) to
org.hyperic.hq.ui.action.BaseRequestProcessor.processActionPerform(BaseRequestProcessor.java:63) to
org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:236) to
org.apache.struts.action.ActionServlet.process(ActionServlet.java:1196) to
org.apache.struts.action.ActionServlet.doPost(ActionServlet.java:432) to
javax.servlet.http.HttpServlet.service(HttpServlet.java:717) to
javax.servlet.http.HttpServlet.service(HttpServlet.java:810) to
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252) to
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
....
=============================================================
So, I downloaded the src and it built with the following parameters of the construction.
Windows Server 2003 SP2 (Standard edition)
Java 1.5 update 15, Ant 1.7.0 JBoss 4.0.3SP1, PostgreSQL
However, I still get the same error. After adding a few log statements, I realized that in NewPlatformAction.java ("run" method), the value of the agent is zero [agent is created by calling BizAppUtils.getAgentConnection (...)] which causes the NullPointerException in the above stack trace [boss.createPlatform (...,...,..., agent.getId ())].
BizAppUtils.getAgentConnection () is essentially a block of code to check if the "IP Port string' is null or not and this string always seems to be the null value. I put some instructions to log in NewPlatformAction.java and BizAppUtils.java and have cut-and - paste a few lines of the log server below.
Basically, BizAppUtils jump the complete code block that is supposed to create an Agent.
==============================================================
2008-03-13 12:23:32, 537 [http - 0.0.0.0 - 7080-2] INFO [NewPlatformAction] find the type of platform [10004]
2008-03-13 12:23:32, 537 [http - 0.0.0.0-7080-2] INFO [NewPlatformAction] platform [Cisco 1720] was created with attributes add ImageButtonBean = [null, null] cancel = ImageButtonBean [null, null] create = ImageButtonBean [null, null] Delete = ImageButtonBean [null, null] ok = ImageButtonBean [38: 10] Delete = ImageButtonBean [null, null] reset = enable ImageButtonBean [null, null] = ImageButtonBean [null, null] userset = ImageButtonBean [null, null] pageSize = null startMonth = 2 startDay = 2 startYear = 1 startHour = 12 startMin = 23 startAmPm = pm endMonth = 0 endDay = 1 endYear = 2008 endHour = 12 endMin = 23 endAmPm = null startTime = now recurInterval = recurrenceFrequencyDaily = numDays daily = 1 NumSemaines = 1 recurrenceDay=[Ljava.lang.Integer;@121e1bb recurrenceFrequencyMonthly = onEach numMonths = 1 recurrenceWeek = null monthlyRecurrenceDay = null eachDay 1 endTime = none = RID = null type = null name = Cisco 1720 location = lab description = router Cisco 1720 cpuCount = null fqdn = cisco1720.inside.eclyptic.com FPS = [{address = 10.100.1.13 netmask = mACAddress = id = 0 mTime = null cTime = null}] numIps = 1
2008-03-13 12:23:32, 553 forms of INFO [NewPlatformAction] [http - 0.0.0.0 - 7080-2] string value for the ip port is: null...
2008-03-13 12:23:32, 553 [http - 0.0.0.0 - 7080-2] INFO [BizappUtils] Agent ip port string: null...
2008-03-13 12:23:32, 553 [http - 0.0.0.0 - 7080-2] INFO [BizappUtils], returning null
2008-03-13 12:23:32, 553 [http - 0.0.0.0 - 7080-2] INFO [NewPlatformAction] after the creation of agent
2008-03-13 12:23:32, 553 [http - 0.0.0.0 - 7080-2] INFO [NewPlatformAction] check for agent == null is true
==============================================================
I have attached a screenshot ' create new platform "UI of Hyperic and my modified source files.
I would really like to know if I'm doing something wrong or is this a valid bug in Hyperic?
I just want to add this IOS device to Hyperic to familiarize myself with how Hyperic manages network devices. My long-term goal is to add network devices in Hyperic via an API - so pointers (or the samples/docs) to an API which allows to add devices to Hyperic is also really useful.Hi Michelle,
I was able to reproduce using a fresh installation with no agent installed. At least one officer has, on the same machine that the HQ server is fine. We should apply rather than just displaying this message:
"There is no agent available to treat this platform."Can you install + import agent and try again?
-
Cisco 867VAE configuration issues - does no routing between LAN &; WAN
Im trying to configure a 867VAE to use our ADSL line. I can do to connect to the ISP, get an IP on their part and can ping 8.8.8.8 (Server DNS Googles) since the CLI routers but the side LAN does not work.
Im just trying to assign static addresses to the side in the 192.168.1.0 LAN range, but it does not seem to carry the traffic from one side to the other. Can it be related to not being able to assign an IP address to all four ports Fast Ethernet (switch)? I get IP addresses cannot be set up on L2 links so Ive vlan1 configuration instead, but that cannot link to any real interface
Attached is the current running config
Can as a question you please recommend a good book to learn how to do this sort of thing?
Thank you
Hi ports 800 series which are l2 may not take an ip address like you because they are pure switch ports, so if you your using several VLANS part SVI Layer 3 must be set to the router and the switchports to shared resources, if only using the vlan 1 should not no need to trunk or make changes to these default ports , they are in the vlan 1
You have a switch involved or are your PC connection directly to these ports, you set the gateway default ip address vlan 1?
The interface vlan 1 shows to the top and to the top when you run int ip see the brief
VLAN 1 is related to these ports, so when you connect to a pc with a correct address in this range him vlan will come and you should be able to ping from the local pc to the internet
You don't have to bother with books that all things CCNA are on youtube and much easier to learn videos and books as you can see it being configured
Maybe you are looking for
-
HOWTO install all my favorite modules
Is there a tool to use with the recorded list as "My Favorite Add-ons" I saved on mozill.org, Whiteout have to choose them one by one? " It's the Add-ons that are applicable to the operating system. Thanks for the help. Masoud
-
To access the videos on iPhone on iMac
When I shoot still photos on my iPhone 6 Plus, they automatically appear on my iMac under Aperture (via Shared > iCloud > My Photo Stream). When I turn the video on my iPhone 6 more, I don't know where they're going. I checked iMovie; nothing. My qu
-
Satellite A300 - Microphone does not work do not
Hello world I have problem with microphone as it it does not work. Can you tell me the solution my model number of the laptop is Satellite A300... Thank you very much... NaveeN
-
Driver missing for 'Base system device' x 2 after Windows 7 install
-
I have HP iron for transfer on fabric (for clear fabric) for inkjet. I don't have an inkjet printer. New printer is laser CP1025nw Can I use this transfer paper in this new printer?