config for router with dhcp client, server, nat, port forwarding

[csross]

I am going to replace the netgear connected to my cable modem with a 3640. I need to have the router

1) get an address from the isp
2) provide addresses to the clients on the internal network
3) use nat so the private net can get out onto the internet
4) use port forwarding to forward incoming ssh or connection to go to an incoming unix server.

Does anyone have the configuration. I know there are alot of docs on this but I need something to bring it together.

Thanks

 

[pmesjar]

1) get an address from ISP - for NAT setup that will be your inside global, let's say 210.100.10.0/24

2) internal address for clients - for NAT setup that will be your inside local, let's say 172.16.0.0/16. To distribute IP addresses for clients, you can use Cisco router as DHCP server:

Router(config)# service dhcp
Router(config)# ip dhcp pool DHCP
Router(config-dhcp)# network 172.16.0.0 255.255.0.0
Router(config-dhcp)# default-router 172.16.0.1

you can assign more properties to clients under dhcp pool configuration, like DNS server ip addresses, domain names, etc... check the guides on Cisco site.

3) NAT for internal clients - if you have more internal addresses than those provided to you by ISP, you need to use PAT (or NAPT):

Router(config)# access-list 1 permit 172.16.0.0 0.0.255.255
Router(config)# ip nat pool NAT 210.100.10.1 210.100.10.254 netmask 255.255.255.0
Router(config)# ip nat inside source list 1 pool NAT overload
Router(config)# int s0
Router(config-if)# ip nat outside
Router(config)# int e0
Router(config-if)# ip nat inside

4) Port forwarding (SSH) to server - let's say your server address is 172.16.0.254, and from outside it will be reachable on 210.100.10.254:

Router(config)# ip nat inside source static tcp 172.16.0.254 22 210.100.10.254 22

Finally, don't forget to exclude 172.16.0.254 from DHCP assignment:
Router(config)# ip dhcp excluded-address 172.16.0.254

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.

 

[csross]

Thank you for the information. I have a 2611 which I will configure for this. I want to create subinterfaces for the ethernet. Can I apply nat to one of the subinterfaces and not to the other? If so, any suggestions?

Thamks

 

[pmesjar]

Yes, you need to apply nat to subinterfaces and yes you can specify which one will be nated and which one will not:

"ip nat inside" specifies where your inside local addresses are, in other words your inside clients that needs to be nated

"ip nat outside" specifies your public connection

You need at least one inside and one outside interface, however I did not found any restrictions on max. number of inside or outside interfaces you can specify.

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.

 

[csross]

When I tried to assign the address to the sub-interfaces, I got an error "configuring ip routing on a lab subinterface is only allowed if that subinterface is already configured as pasr of a 802.10, 802.1q, isl vlan". This is not a fastethernet interface which I thought it must be.

If I assign secondary addresses to the interface, can I nat on one of the addresses and not the other?

Needlesstosay I'm new to natting, etc.

 

[dearingkr]

pmesjar,
Correct me if I'm wrong...
Chances are if he's getting an IP address from the ISP, he won't have a block of public IP's to NAT. If that's the case, he'll have to PAT the single IP he's getting from the ISP.

MCSE CCNA CCDA

 

[csross]

Am I wrong in thinking I can use the 'overload' parameter so I can just use one public IP.

When you have secondary IP's on an interface, how do you specify that you only want one natted?

 

[pmesjar]

Dearingkr, of course if he is going to get only one IP he needs to configure PAT, my commands was just an example.

I dind't try NAT with secondary addresses, but from what I know about NAT, it might work like you want it to - your access-list specifies which addresses from inside will be NATed and then you can create a pool of IP addresses consisting of just one IP address:

Router(config)# ip nat pool <POOL-NAME> <BOTTOM-IP> <UPPER-IP> prefix-length 32

BOTTOM-IP and UPPER-IP will be the same IP addresses - the address that is given to you by your provider which you want to nat.

and bound the access-list to this pool using:

Router(config)# ip nat inside source list <ACL-NUMBER> pool <POOL-NAME> overload

Peter Mesjar
CCNP, A+ certified
pmesjar@centrum.sk

"The only true wisdom is in knowing you know nothing.

 

[csross]

thanks.

I configured the e 0/0 interface with ip address dhcp and I'd like to know what address it obtained, because I do not think it got anything. Is there a way to see it.
Any suggestions?

 

[csross]

That e 0/0 will be connected to a cable modem and get the ip from an ISP. I need to see what address is obtained so I can use it for port forwarding. I also will be overloading that address for my internal clients.