Cisco 837 static route

I'm with zen and thus have more than one static adsl ip assigned to me. Currently the router address is at (something).222 and I've got the network of (something).216, with a broadcast of (something).223.

Now, everything works swimmingly - I've got nat going on behind the router (cisco 837), dhcp works etc etc. However, what I want to do now is to take one particular host (or internal ip address) and route everything that arrives bound for one of my external addresses, say (something).221 directly to that host, and also have all traffic that goes the other way come from that 221 address. Effectively take that host from out of the nat and give it its own external ip address.

I'm fairly sure this is possible, but I'm keen to know:

a) How? Is it "ip route (something).221 255.255.255.255 192.168.0.20" or something else?

b) Can I do this and still get the host to obtain an internal address from the router via dhcp? Or will I have to reconfigure the host with the external ip address that I want?

Ta :)
 
The easiest way is to statically NAT the addresses one to one. It is possible to route them as well, can't remember how it's done now, Tolien will prolly know as I believe he has a setup similar to you ;)
 
I can do static port mapping, even on a range of ip addresses, so (something).217 port 80 goes to 192.168.0.2 port 80, and (something).218 port 443 goes to 192.168.0.10 port 443, but I need to put an entire host behind a particular ip, whilst at the same time retain normal NAT for all the other hosts.

*edit* yay! I just dropped my access to the router by doing a silly ip nat outside command. Seems like it might be what I want, but not sure....
 
As Fordprefect says, what you'd normally do would be give all the machines the RFC1918 IPs, then statically NAT one of your public IPs to a given RFC1918 IP (so the machine keeps its RFC1918 IP, but the outside world sees it as the public IP, and incoming traffic gets NATed the same). The interfaces stay the same with respect to inside and outside.

If I'd access to my 877 right now, I'd paste chunks of my config. :)
 
tolien said:
As Fordprefect says, what you'd normally do would be give all the machines the RFC1918 IPs, then statically NAT one of your public IPs to a given RFC1918 IP (so the machine keeps its RFC1918 IP, but the outside world sees it as the public IP, and incoming traffic gets NATed the same). The interfaces stay the same with respect to inside and outside.

If I'd access to my 877 right now, I'd paste chunks of my config. :)

I assumed this was the case. So all of my internal network is 192.168.0.0/24, and I want to map a single external ip address to a single internal ip. Thing is, I don't know whether this is "ip nat inside", "ip nat outside", "ip route" or what. Hacking through the cisco documentation atm...

*edit* think I've got it. I was redirecting specific external ip addresses to specific internal ones on a specific port:

Code:
ip nat inside source static tcp 192.168.0.2 993 (something).218 993 extendable

and I've just tried that without the extendable and without the port bit

Code:
ip nat inside source static 192.168.0.20 (something).221

(something).221 is replying to pings, so it seems to be accessible from the outside. My question is - is this two way? So traffic originating from 192.168.0.20 will be translated into having a source of (something).221 ?
 
IIRC you'd use ip nat inside source static [internal IP] [public IP], then remove that IP from the nat pool.
 
tolien said:
IIRC you'd use ip nat inside source static [internal IP] [public IP], then remove that IP from the nat pool.

Remove from the what now?

I have:

Code:
ip nat inside source list 102 interface Dialer1 overload

access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
route-map NONAT permit 10
 match ip address 102

Think this means that it nats everything on 192.168.0.0/24?
 
growse said:
Remove from the what now?

I'm skimming the Cisco documentation myself (for one, it's been ages since I had to play with the NAT config) - came up with an example with one static NAT and the rest dynamically done from a pool (with the idea being much the same as a static DHCP lease).

Think this means that it nats everything on 192.168.0.0/24?

Yep.
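
Added example (not from any poster in this thread): a small Python audit of the NAT lines quoted above, showing that a static entry translates in both directions and that the port-less form maps the whole host to the public address. The 203.0.113.x addresses are constructed stand-ins for the elided "(something)" addresses, and the function names are hypothetical.

```python
# Constructed sample: the thread's NAT lines, with 203.0.113.x (documentation
# range) standing in for the poster's elided "(something)" public addresses.
SAMPLE_CONFIG = """\
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 993 203.0.113.218 993 extendable
ip nat inside source static 192.168.0.20 203.0.113.221
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
"""

def parse_static_nat(config):
    """Return one dict per 'ip nat inside source static' line."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        rest = tok[5:]
        if len(rest) >= 5 and rest[0] in ("tcp", "udp"):    # port-specific mapping
            entries.append({"proto": rest[0], "local": rest[1], "lport": int(rest[2]),
                            "global": rest[3], "gport": int(rest[4])})
        elif len(rest) >= 2 and rest[0] not in ("tcp", "udp"):  # whole-host mapping
            entries.append({"proto": None, "local": rest[0], "global": rest[1]})
    return entries

def outbound_source(entries, host, proto="tcp", sport=None):
    """Source address the outside sees for a packet leaving `host`.
    Static entries work in both directions; anything they do not match is
    assumed to hit the 'list 102 ... overload' rule (host in 192.168.0.0/24)."""
    for e in entries:
        if e["local"] == host and e["proto"] is None:
            return e["global"]
    for e in entries:
        if e["local"] == host and e["proto"] == proto and e["lport"] == sport:
            return e["global"]
    return "Dialer1 address (overload)"

def inbound_exposure(entries):
    """Map each public address to the inside host and ports reachable through it,
    assuming no inbound access list on Dialer1 (none is shown in the thread)."""
    exposure = {}
    for e in entries:
        what = "all protocols and ports" if e["proto"] is None else f'{e["proto"]}/{e["gport"]}'
        exposure.setdefault(e["global"], []).append((e["local"], what))
    return exposure

if __name__ == "__main__":
    nat = parse_static_nat(SAMPLE_CONFIG)
    print(outbound_source(nat, "192.168.0.20"))
    print(inbound_exposure(nat))
```

The whole-host entry reports "all protocols and ports" for 192.168.0.20, so that machine no longer has the incidental inbound filtering the overload NAT gives the other hosts and needs its own firewall or an inbound access list on the outside interface.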
 