Configuring NAT on Cisco 1720 1

Status
Not open for further replies.

lovecisco

Technical User
Jul 16, 2003
2
US
I have a Cisco 1720 with a T1. I also have 5 usable IP addresses. I would like to enable NAT and use private IP addresses for the workstations. I have searched the Cisco website for the documentation on this, but I could not find it. Does anyone know how to do this step by step, please? I also need to open ports for SMTP, POP, PCA, and HTTP. Thanks in advance.
 
Have a look at this.

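interface FastEthernet0/0
description Inside Lan
ip address 10.17.41.3 255.255.255.0
ip nat inside
!
interface Serial0/0:0
description Internet_Connection
ip address 112.38.206.254 255.255.255.252
ip nat outside
!
!
ip nat pool rooms_lan 112.38.206.254 112.38.206.254 netmask 255.255.255.252
! The next two lines are not in the post as captured; they are added so the
! pool is actually used. ACL number 1 is an assumption.
access-list 1 permit 10.17.41.0 0.0.0.255
ip nat inside source list 1 pool rooms_lan overload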

The last statement defines the source address in the outgoing NAT packets, and the overload keyword enables port address translation, so multiple inside hosts will use the same outgoing address.


 
Tell us more about your ports.

Do you have a mail server and a web server inside your network, or do you want the workstations to access an external mail server and the web?
 
Yes, I do.
I have a Web server and an Exchange server, so I need to map the POP, SMTP, HTTP, PC Anywhere, and PPTP ports. I'd appreciate your help.
 
I'll show you one possible config:

a.a.a.a is your Public IP for your Web Server
b.b.b.b is your Public IP for your Exchange Server
c.c.c.c is your Public IP for your Router

! ----- IP INSPECT lets you go to the Internet -----
ip inspect name myfw tcp
ip inspect name myfw udp
ip inspect name myfw ftp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto mib ipsec flowmib history tunnel size 200
crypto mib ipsec flowmib history failure size 200
!

interface Ethernet0
description Private Side
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip inspect myfw in
half-duplex
!
interface Serial0
description Public Side
ip address c.c.c.c 255.255.255.?
ip access-group 101 in
ip nat outside
speed 10
half-duplex
!
! ------ Use your c.c.c.c to make NAT ------
ip nat inside source list 1 interface Serial0 overload
!
! ------ You match one Public IP to each of your Servers ------
ip nat inside source static 192.168.1.2 a.a.a.a extendable
ip nat inside source static 192.168.1.3 b.b.b.b extendable
!
ip classless
ip route 0.0.0.0 0.0.0.0 (insert IP address of the next router here)
no ip http server
ip pim bidir-enable
!
access-list 1 permit 192.168.1.0 0.0.0.255
! ----------- Ports for Web Server -----------
access-list 101 permit tcp any host a.a.a.a eq www
! 5631 = pca_data, 5632 = pca, 1723 = pptp
access-list 101 permit tcp any host a.a.a.a eq 5631
access-list 101 permit tcp any host a.a.a.a eq 5632
access-list 101 permit tcp any host a.a.a.a eq 1723
! ----------- Ports for Exchange Server -----------
! www only if you use WEB ACCESS
access-list 101 permit tcp any host b.b.b.b eq www
access-list 101 permit tcp any host b.b.b.b eq smtp
! the IOS port keyword for POP is pop3 (TCP 110)
access-list 101 permit tcp any host b.b.b.b eq pop3
access-list 101 permit tcp any host b.b.b.b eq 5631
access-list 101 permit tcp any host b.b.b.b eq 5632
access-list 101 permit tcp any host b.b.b.b eq 1723

! I placed the PCA and PPTP on each server, but place it only on the good one!

! You'll probably have to create a UDP access list for the PCA and PPTP, but I'm not sure... If so, do this on "a" or "b" depending on which server it is:

access-list 101 permit UDP any host b.b.b.b eq 5631
access-list 101 permit UDP any host b.b.b.b eq 5632
access-list 101 permit UDP any host b.b.b.b eq 1723

Hope it helps!
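
An added example, not part of the thread or of any poster's config: the note above about placing the PCA and PPTP permits only on the server that runs them can be checked mechanically by comparing ACL 101 with the static NAT mappings. The 203.0.113.x addresses stand in for a.a.a.a and b.b.b.b, and the `SERVICES` inventory and the `audit` function are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's static NAT and ACL 101 lines, with the
# a.a.a.a / b.b.b.b placeholders replaced by documentation addresses.
CONFIG = """\
ip nat inside source static 192.168.1.2 203.0.113.10 extendable
ip nat inside source static 192.168.1.3 203.0.113.11 extendable
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 permit tcp any host 203.0.113.10 eq 5631
access-list 101 permit tcp any host 203.0.113.10 eq 1723
access-list 101 permit tcp any host 203.0.113.11 eq smtp
access-list 101 permit tcp any host 203.0.113.11 eq pop3
access-list 101 permit tcp any host 203.0.113.11 eq 5631
access-list 101 permit tcp any host 203.0.113.11 eq 1723
"""

# Assumed inventory: the ports each inside server really listens on.
SERVICES = {
    "192.168.1.2": {("tcp", 80), ("tcp", 5631)},
    "192.168.1.3": {("tcp", 25), ("tcp", 110), ("tcp", 1723)},
}

PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110}  # IOS port keywords used above
NAT_RE = re.compile(r"ip nat inside source static (\S+) (\S+)")
ACL_RE = re.compile(r"access-list \d+ permit (tcp|udp) any host (\S+) eq (\S+)", re.I)

def audit(config, services):
    """Return (excess, missing): permits with no listener, listeners with no permit."""
    nat, permitted = {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            nat[m.group(2)] = m.group(1)  # public address -> inside address
        elif m := ACL_RE.match(line):
            proto, host, port = m.groups()
            port = PORT_NAMES.get(port.lower()) or int(port)
            permitted.setdefault(host, set()).add((proto.lower(), port))
    excess, missing = [], []
    for public, rules in permitted.items():
        # A permitted address with no static mapping has no listeners at all.
        want = services.get(nat.get(public), set())
        excess += [(public, proto, port) for proto, port in sorted(rules - want)]
        missing += [(public, proto, port) for proto, port in sorted(want - rules)]
    return excess, missing

if __name__ == "__main__":
    excess, missing = audit(CONFIG, SERVICES)
    for public, proto, port in excess:
        print(f"remove: permit {proto} any host {public} eq {port} (no listener)")
    for public, proto, port in missing:
        print(f"add:    permit {proto} any host {public} eq {port}")
```

Each entry in the first list is an inbound permit that reaches a host with nothing listening on that port, which is exposure the ACL can drop without affecting any service.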
 