Static and dynamic NAT with two outside interfaces?

Status
Not open for further replies.

soreldid

Technical User
Nov 13, 2002
8
FR
Hi,

I wish to do dynamic NAT on a serial interface and on a FastEthernet interface, and static NAT only through the serial interface.
I set up a test platform but I can't achieve this configuration.

Any suggestion or help welcome.

Didier Sorel
 
Can you post the config?

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Right now I have both dynamic NATs working with this configuration:

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname test
!
enable password 7 0016040016
!
memory-size iomem 25
ip subnet-zero
no ip source-route
!
isdn switch-type basic-net3
isdn voice-call-failure 0
isdn tei-negotiation first-call
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key bravo address 213.56.228.Y
!
!
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
!
crypto map test 1 ipsec-isakmp
set peer 213.56.228.Y
set transform-set 3DES-MD5
set pfs group2
match address 131
!
cns event-service server
!
!
!
interface BRI0
no ip address
encapsulation ppp
no keepalive
dialer pool-member 1
isdn switch-type basic-net3
no cdp enable
ppp authentication chap pap callin
!
interface FastEthernet0
ip address 217.167.130.X 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat outside
no ip route-cache
no ip mroute-cache
speed auto
half-duplex
crypto map test
!
interface Serial0
ip address 192.168.18.1 255.255.255.0
ip nat inside
clockrate 128000
!
interface Serial1
ip address 80.111.29.X 255.255.255.0
ip nat outside
clockrate 128000
!
interface Dialer1
ip address negotiated
encapsulation ppp
dialer pool 1
dialer idle-timeout 180
dialer string 085555555
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname XXX
ppp chap password 7 XXX
ppp pap sent-username XXX password 7 XXX
!
ip nat pool pool-ADSL 80.111.29.X 80.111.29.X prefix-length 24
ip nat pool pool-LS 217.167.130.X 217.167.130.X prefix-length 24
ip nat inside source route-map MAP-ADSL pool pool-ADSL
ip nat inside source route-map MAP-LS pool pool-LS
ip nat inside source static tcp 192.168.18.2 23 217.167.130.X 23
ip classless
ip route 0.0.0.0 0.0.0.0 80.111.29.2
ip route 192.168.123.0 255.255.255.0 217.167.130.222
ip route 194.98.65.65 255.255.255.255 217.167.130.222
no ip http server
!
access-list 131 permit ip 192.168.123.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 131 permit ip 192.168.18.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 131 deny ip any any
access-list 151 deny ip 192.168.18.0 0.0.0.255 192.168.123.0 0.0.0.255
access-list 151 deny ip 192.168.123.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 151 permit ip 192.168.18.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map MAP-ADSL permit 10
match ip address 151
match interface Serial1
!
route-map MAP-LS permit 10
match ip address 151
match interface FastEthernet0
!
!
line con 0
password 7 050F0F0B285C411B0D
line aux 0
line vty 0 4
password 7 06041D205A41
login
!
end

 
In fact I was wrong, because it works.

Excuse me for disturbing.

Do you know how I can make a configuration example with this conf, and where I have to put it?

If you see any mistake, or a better way to do something, please tell me.

Thanks.

Bye
 
You could try setting up a pool that only had that single IP address in it (217.167.130.X). Then create an additional route-map that references an access-list. In the access-list, only permit that single internal host for the telnet protocol.

That's one idea off the top of my head. I will look into it some more. Let me know if this works or not.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
I would keep your current config in that case.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
 
Doing static NAT or using a route-map seem identical. Is there any advantage in using a route-map?

bye
 
Well, if you want to support multiple pools you should use route-maps. Route-maps will ensure that the router keeps a full translation of outside and inside addresses with protocol and port number. Whereas if route-maps are not used, then only the inside translation information is maintained, and no protocol or port number information is maintained either. What could potentially happen in this case is that any external host could send packets to an internal host that got translated, because there is no protocol or port information associated with the translation.

Erik Rudnick, CCIE No. 9545
mailto:erik@kuriosity.com
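
The difference described in the last reply, shown as an added example that is not part of the original thread: a simplified Python model (not IOS code) of how an inbound packet is matched against a simple translation entry, a fully extended entry, and a static port entry like the telnet mapping in the posted config. The `Entry` class, the `translate_inbound` function and all addresses except 192.168.18.2 are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Entry:
    inside_local: str                          # private address
    inside_global: str                         # public address it is translated to
    proto: Optional[str] = None                # None = simple entry, no protocol kept
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    outside: Optional[Tuple[str, int]] = None  # remote (ip, port), fully extended only

def translate_inbound(table, proto, src, sport, dst, dport):
    """Return (inside_local, port) for a packet arriving from outside,
    or None when no translation entry accepts it."""
    for e in table:
        if e.inside_global != dst:
            continue
        if e.proto is None:                    # simple: the address alone matches
            return (e.inside_local, dport)
        if (e.proto, e.global_port) != (proto, dport):
            continue
        if e.outside is not None and e.outside != (src, sport):
            continue
        return (e.inside_local, e.local_port)
    return None

# Constructed sample data: 192.168.18.2 is the inside host from the posted
# config; the public, peer and stranger addresses are documentation ranges.
HOST, PUBLIC = "192.168.18.2", "203.0.113.10"
PEER, STRANGER = "198.51.100.7", "198.51.100.99"

TABLES = {
    "simple": [Entry(HOST, PUBLIC)],                                   # pool, no route-map
    "extended": [Entry(HOST, PUBLIC, "tcp", 1025, 1025, (PEER, 80))],  # pool + route-map
    "static_port": [Entry(HOST, PUBLIC, "tcp", 23, 23)],               # static tcp 23
}

def demo():
    reply = ("tcp", PEER, 80, PUBLIC, 1025)        # return traffic of an open session
    stray = ("tcp", STRANGER, 4444, PUBLIC, 23)    # unsolicited packet, unrelated host
    return {name: (translate_inbound(t, *reply), translate_inbound(t, *stray))
            for name, t in TABLES.items()}

if __name__ == "__main__":
    for name, (reply, stray) in demo().items():
        print(f"{name:12} reply -> {reply}   unsolicited -> {stray}")
```

Only the simple entry forwards the unsolicited packet on an arbitrary port; the static port entry exposes tcp/23 alone, so inbound ACLs still matter for that mapping.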
 