Cisco Switching/Routing :: 871 Creating Multiple Static NAT
Mar 11, 2012
I am trying to configure a Cisco 871 router. I have 3 servers on my network that need static public IPs but also still need to communicate on the local network.
I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers.
I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP.
I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to set up static routes? Will that update the next hop's routing table?
Aug 14, 2012
If I configure multiple static RPs and one of the ACLs denies a source, will it move on to the next entry that covers it in another ACL? [code] i.e. 1.1.1.1 will be used as the RP for 224 to 238 and 2.2.2.2 will be used as the RP for 239. Will that work correctly, i.e. if a source is trying to register with the router and it's for the group 239.1.1.1, will it be denied against the first RP and then permitted against the second RP?
Jun 10, 2013
Is there any way to have my Cisco 877W Router alter from using one static route to another static route when another router on the network is reporting destination host unreachable?
Router 1 (192.168.2.253)
Dialer0 -> PPPoE to internet
Vlan1 -> local 192.168.2.0/24
Router 2 (192.168.2.254)
Dialer0 -> PPPoE to managed VPN (172.16.28.1)
Vlan1 -> local 192.168.2.0/24
Router 2 is connected to another network through a managed VPN and that network also has internet access. I want to be able to have two routes to the internet on Router 2. And when Router 1 internet goes down packets get routed through the VPN instead.
I currently have on Router 2
ip route 0.0.0.0 0.0.0.0 192.168.2.253
ip route 10.0.0.0 255.255.255.0 Dialer0
ip route 0.0.0.0 0.0.0.0 172.16.28.5 250
Which does nothing when Router 1 has its Dialer0 interface shut down, or goes offline completely. I suspect I could reverse the setup and have everything routed through the VPN by default and then if / when Dialer0 interface goes down it would switch to using Router 2, but if the problem is in the remote network and interface Dialer0 stays up, it would probably do the same thing... nothing. All devices mentioned are Cisco 877W routers with ADSL and a bunch of fast ethernet interfaces.
Oct 8, 2011
I have 8 RVS4000's to build a test system with. On each side of the network are 2 servers, both with 2 NIC's. Both are on different /24 networks.
The idea is to simulate a WAN link, with the RVS4000's G1 & G2 running in "Gateway" mode to simulate the WAN. All other RVS4000's will be in Router mode ('R1,R2...etc..') All networks in /24 range. As I understand it, the RVS4000 CANNOT take 2 diverse networks on the LAN side: - ie 192.168.168.1 & 10.1.1.1 on the LAN side. The NIC's on the server only need to communicate to the similar type of addresses on the other side - 192.168.168.1 on server 1 to 192.168.170.2 on server 2, but NOT 192.168.168.1 to 10.1.2.1 on server 2. The G1 & G2 link is so that all communications are routed between this link - as a testing point.
So, my questions are this:
1) Will this work? Is there any easier way of doing this? (Bear in mind this is the only equipment I have to do this).
2) Will the static routing I have thought of work? (see below)
R1
0.0.0.0 0.0.0.0 10.1.1.10
R2
5.5.5.0 255.255.255.0 10.1.1.100
4.4.4.0 255.255.255.0 1.1.1.200
[code]....
I know using the RVS4000's inbuilt RIP may be easier, but I've never configured RIP routing. As this is a test environment, using static routing would be enough to get it going. No security lock down is required, all I'm trying to enable is for the servers to communicate with each other (NIC 1 on both servers, e.g. 10.1.1.1 on server 1 to 10.1.2.1 on NIC 1 of server 2, and NIC 2 on server 1 192.168.168.1 to NIC 2 on server 2 192.168.170.1). The 10.1.x.x networks do NOT need to talk to the 192.168.x.x networks. The G1 & G2 link is just for testing - but all communications must pass through here and be routed to their relevant networks on the other side.
Nov 15, 2011
In my live VPN concentrator at work, my 5520 is showing a static route for each VPN client that is connected to my SSL VPN right now. This kind of confused me because wouldn't only one route to the address pool's subnet be needed for my VPN users?
Mar 22, 2012
I have created a simple static IP address by using this command:
interface Vlan1
nameif inside
security-level 100
[Code].....
But, no matter what, I can't ping the static address or access the computer 10.2.1.2 from outside of the ASA 5505. I have attempted to ping from inside of the ASA 5505 or from another computer. It just does not work.
I also have created several rules that allow ICMP traffic.
icmp unreachable rate-limit 1 burst-size 1
icmp permit any echo-reply inside
icmp permit 10.2.1.0 255.255.255.0 inside
icmp permit any echo-reply outside
icmp permit any outside
May 20, 2011
I'm trying to set up a network for a friend's small office so we can share files between each of the computers. I have tried to do it through the workgroup but with no luck, as some can see the other machines and some can't?
Hardware/software:
Thompson wireless Router
laptop with Windows 7
laptop with Windows Vista
laptop with Windows XP SP2
Mac
I have set the network discovery to on in W7 & Vista and ran the network wizard in XP. At the moment the Vista and W7 machines can see each other but I get an error saying cannot access //(computer name) with the W7 and XP machines I can send a file when I type in the IP address (//192.168.1.?) into the W7 search bar but the XP computer is not shown in the network folder?
Apr 8, 2013
I could not ping 8.8.8.8 and access the internet after creating the VPN. Below is my setup and router configuration: [code] From the router 1941, I could ping up to 58.185.149.141 but not up to 58.185.149.140. Since I cannot ping 58.185.149.140, I suppose I cannot ping 8.8.8.8. I am sure 58.185.185.140 is there as I use another PC which is connected directly to the office network instead of through the router 1941, and it could ping 58.185.149.140. For your info, the g0/1/0 is connected to the PC while g0/1 is connected to the office network.
Nov 20, 2011
I have a problem creating a VLAN with a Cisco 2801. I need to have base ports FastEthernet 0/0 and FastEthernet 0/1 in the same VLAN.
Basically I'm trying to switch access redundancy. Now I have redundant switches in which I have the servers, but if one of these switches fails, and coincidentally it is where I have connected the router, the server runs out of internet connection. My idea is to connect FastEthernet 0/0 to a switch, and FastEthernet 0/1 to the other switch, but I managed to have these two ports in the same VLAN, in order to have a unique IP for both FastEthernet ports. How can I do this? There are a lot of documents using the switchport command, but this command is not available in my router. I tried different IOS, and nothing. Currently I have the following IOS: c2801-adventerprisek9-mz.124-24.T6.bin
Mar 9, 2010
Is it possible to have multiple dhcp pools for multiple VLANs? The switch is a 6509 and/or 4506 catalyst. I don't want to use server-based products.
Jan 11, 2012
I'm running an IPSec VPN between a 5520 ASA and a 2811 router. The ASA has a static IP and the router has a DHCP interface. The VPN seems to work fine once I get done clearing old SAs, but each new IPSEC SA creates a new ISAKMP SA on the router? There are multiple subnets that need to create multiple IPSEC SAs. Eventually I can clear the older ISAKMP SAs and get all the traffic on one ISAKMP SA, but until I clear older SAs, new associations won't form. Why would the router (initiator) keep creating new ISAKMP SAs and not use an established one? Using PSK, aggressive mode and no PFS. ASA has another dynamic crypto map with lower priority than this one. Using FQDN for identity on the router. ASA version 8.2(5) and IOS is 12.4(20)T1.
Must be something I'm not understanding. The ASA says no established SA and drops the new SA attempt until I clear older ISAKMP SAs out of the router. Interesting, the first few IPSec SAs form when the tunnel initially comes up. I assume the initial requests are getting cached and work immediately after the first ISAKMP SA forms, but subsequent IPSec SA attempts will fail. Once all subnets are talking with 1 ISAKMP SA, rekeys don't cause any problems. Since the router subnets have to instantiate the new IPSec SAs, this is a real pain to go through anytime the WAN/VPN fails.
May 20, 2013
We have observed that a WS-C4507R-E got rebooted while creating the L3 VLAN (while no shut). Is there any known bug for the below IOS? cat4500-entservicesk9-mz.122-40.SG.bin
Jan 6, 2013
I'm looking to see if it is possible to run a vPC between two vDC's on a single 7010? We have a Production setup that runs dual 7010's with vPC's between the chassis but in our lab we only have a single 7010 with a 32 port 10gig module. I was thinking that maybe we could create 4 vDC's on the 7010 and run a vPC between the vDC's.
Mar 14, 2013
I was reading the documentation of the Catalyst 4500-X for creating VSS and MEC (multichassis etherchannel). In the VSS specific part, it's written "Cisco Release IOS XE 3.4.0SG does not support Layer 3 MEC".
Can I still use VlanX interfaces and route through them? In my setup I only have IP addresses assigned to vlanX interfaces (with some VRF-lite magic) [code] Does that sentence only mean that I can't have IP assigned directly to the MEC?
Oct 1, 2012
I am running c3640-is-mz.124-21.bin on a Cisco router 3640. I am trying to create a monitor session in the CLI and every time I type the command
Router(config)#monitor session 1 interface ethernet2/1
^
% Invalid input detected at '^' marker.
I get the error invalid input?
Jan 24, 2013
We have a 3560 switch running IOS universalk9-mz.150-1.SE3.bin. Recently, we saw two problems with this switch:
1. If we try to enable a subinterface on any routed interface, e.g. gig1/1, it says invalid input detected. It doesn't accept the encapsulation command either. The following was done to enable the subinterface:
int gig1/1
no ip address
int gig1/1.2000
ip address 1.1.1.1
Under the gi1/1.2000 subinterface, it doesn't present the option of ip address.
2. We created a layer 2 vlan 2000 like: vlan 2000. When we do an exit after creating this vlan, it gives the following error:
%SW_VLAN-4-VLAN_CREATE_FAIL: Failed to create VLANs 2000: extended VLAN(s) not allowed in current VTP mode
Sep 23, 2012
I have a live 28-port Catalyst 2960S switch. By live I mean that there is an essential piece of equipment plugged into this switch that can suffer little to no downtime. Over the course of time the number of devices patched into this location has increased to exceed the 24 ports available and we have had to resort to adding unmanaged switches to fill the need. We have acquired an additional 2960 & stacking modules that I would like to stack together, keeping the existing switch as the master. It is my understanding that the stacking modules are hot-swappable and that this member switch can be added without bringing the master switch down, thus creating zero down time for the financial server that is connected.
The steps I believe need to be followed are as such:
write mem to existing switch and back up to our TFTP server
install the stack module in the existing (while powered up) and new (while powered down)
place the 2 redundant FlexStack link cables on both switches
then simply power the member switch on
After boot the member switch will get its OS and configuration from the master and I can begin moving CAT5 cables from the unmanaged switches to the stack.
Feb 12, 2013
I was given a task of creating a VLAN and isolating one PC to access an internal website (192.168.90.15) on a specific port (port 8080). The PC is connected in the following manner:
PC--> HP Switch --> Cisco Small Business SG200 switch --> 3550 Catalyst 1, 3550 Catalyst 2 and 3550 Catalyst 3.
I have created a VLAN 110 on the main 3550 Catalyst switch and successfully added the PC to that VLAN. However, that PC must be able to access the internet and an internal website on port 8080. I have placed an access-list on the main 3550 Catalyst switch which is connected to our router as below:
Client ip address: 192.168.100.2
VLAN 110: 192.168.100.3
access-list 110 permit tcp host 192.168.100.2 host 192.168.90.15 eq 8080
access-list 110 permit icmp host 192.168.100.2 any
access-list 110 deny ip 192.168.100.0 0.0.0.255 ?
I was unable to access the webserver even after many attempts.
Dec 27, 2012
I have a stack of 2 x 3750X switches; these are running 12.2(55)SE5. I needed to add some static IP routes and found that the ‘ip routing’ command is not supported. I came across a document that stated “On switches running the LAN base feature, static routing on VLANs is supported only with Cisco IOS Release 12.2(58)SE and later.” So I have upgraded to 12.2(58)SE2, but ‘ip routing’ is still not a valid command.
The release notes state: “On the Cisco Catalyst 3560-X and 3750-X Series, it adds support for 16 static IPv4 routes in the LAN Base image.”
I have read other posts that talk about running the ‘sdm prefer routing’ command which I have done, but I am still unable to add any routes or run the ‘ip routing’ command.
May 28, 2013
Two Cisco C2960G switches are connected with each other using EtherChannel trunk ports. The IOS image has been upgraded to c2960-lanbasek9-mz.122-58.SE2.bin. The global command "sdm prefer lanbase-routing" has been executed to set the default template to "lanbase-routing". The global command "ip routing" has been executed to enable IP routing. An IP route has been configured in each switch to point to each other for the static routing purpose (please see the 2 attached configuration files). The hosts in VLAN 111 and VLAN 110 are not able to see each other even though the IP static routes have been configured. Maybe I have misconfigured some settings but I am not sure what the actual problem is.
Dec 3, 2011
An ASA 5505 is at the head office. Is it possible to configure it as a router from the head office to branches 1, 2 and the internet? [code]
Mar 13, 2012
I am trying to configure a Cisco 871 router. There are 3 servers on my network that need static public IPs but also still need to communicate on the local network. I have given my WAN interface the first IP in the block and set up PAT for the rest of the computers on the network with that IP, which is working fine. Next I set up static NAT rules for the servers translating 3 of the remaining public IPs to the internal addresses of the servers. I can access those servers internally using the public IPs but not from outside the network. A traceroute from outside the network gets dropped when it gets to my ISP. I've never configured more than one static IP for a network before and I know I've just missed a step here. Do I also need to use static routes? Will that update the next hop's routing table? Do I need to make an ACL to permit any host to the servers? If so, do I use the internal or external address? [code]
Oct 16, 2012
Is it possible to have 2 IP addresses on WAN and set up specific routing rules for each IP? Or do I need to use another router for that, and if so which one?
Oct 24, 2012
I have a network with a Catalyst 3750 as the main switch and then some Catalyst 2960 switches that are plugged in to that. I have a server running Windows Server 2008 with a couple of virtual machines running in Hyper-V. I created 4 VLANs listed below and gave the 3750 the following IP address. I would like the 3750 to only be configurable from VLAN 40 but currently every VLAN can connect to it. I noticed in the standard web page settings there was a setting for "Management VLAN" but it was set to 1 and would not let me change it; I kinda assumed that was for the management port in the back. Now the tricky part: I was trying to set up routing between the VLANs and so far I have only been able to get a sort of "all or nothing" routing to work. I can turn IP routing on and add two or more VLANs to the routing and it works fine. But what I was hoping to do is create a couple of "junction VLANs" that would only route to one or two other VLANs. For instance, I wanted to create a VLAN 100 that routed to VLAN 20 and 30 but nothing else. I also want to route VLAN 1 just to VLAN 30, and so on. I am able to do each one of the cases but only one; it seems like the switch only supports one "routing table". Am I missing something or is this just a limitation of the switch?
Feb 15, 2013
We have two Cisco 5505 firewalls connecting to two ISP's. The two internal LAN's on the firewalls are 192.168.184.0/24 & 192.168.186.0/24. We also have a Cisco C3560x layer 3 switch with VLAN interfaces 184.3 & 186.3. We have two DGS-3100 D-Link layer 2 switches connecting our users to the layer 3. IP routing is enabled for inter-VLAN communication & I can reach the switch interfaces & firewall gateways from machines on both the VLANs. We have PBR enabled on the 3560 & only users on the .186 network can get to the internet. The switch is running the ipservices license & the sdm template is "desktop routing".
Users on the .184 cannot access the internet but we can ping the layer 3 interface & the firewall gateway. [code]
Sep 2, 2012
I have a Cisco 1841 router at home with version 12.4(13r)T advanced ip services. The setup is extremely simple:
1) PPPoE dialer to my service provider over ADSL
2) NAT overload on the dialer interface.
3) 2 VLANs, one for home network (wired) and one for wireless; both VLANs are connected through interface VLANs respectively.
My problem is when I configure static NAT to map RDP or any other protocol to inside hosts this doesn't work.
"
ip nat source static tcp 192.168.20.3 2222 interface Dialer1 2222
ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
ip nat inside source list 20 interface Dialer1 overload
"
When I open Wireshark and sniff the traffic on the home computer, which is the one I'm trying to reach, I can't see any traffic. And while performing NAT debugging I am also not able to see traffic going to that port (for example 3389).
Apr 22, 2013
I just did the configuration on a Cisco 892F router. Everything works fine, but static NAT is not working. I created a static NAT on TCP port 80 (HTTP). I don't know where the problem is. All NATs are working fine except static NAT, even though the internet connection is OK in my LAN.
I cannot access my router from the internet.
May 7, 2011
I am fairly new to the Cisco world and aim to take my CCNA in the coming months. I am now working with a customer who has several Cisco 857 (UK PPPoA ADSL over POTS). They have SonicWall firewall VPN devices that need to have one block of 8 static IP addresses from the ISP at each site. The current configurations use the network address on the VLAN interface use Static NAT to a private IP address to connect to port 23 on the VLAN interface. Why would you set up the router this way? I thought that from a block of 8 IPs the first would be the network address, the last the broadcast address, one for the router (on the VLAN interface), which leaves 5 usable for the hosts attached to the ethernet ports on the VLAN.
Jun 10, 2011
I am setting up a Cisco ASA 5505 for the first time for my organisation. I usually set up Cisco routers. I have 10 static IPs and 6 servers (S-1, S-2, S-3, S-4, S-5, S-6). Traffic should pass through the ASA and be distributed to the destination server that is specified in the packet. LAN servers can be separated into discrete networks for security. For example, a private LAN for internal traffic accessed only via remote dial-in VPN sessions, and I want to configure a DMZ for servers (S-4, S-5, S-6) that allows public web traffic.
I have attached my network diagram. I have some questions:
1: Can we configure multiple static IPs on an ASA 5505?
2: If the diagram is wrong, what changes need to be made?
Mar 12, 2012
We have a need for an inside address to have more than one static NAT outside address. I know this wasn't possible before 8.3.X code. I still can't quite get it to work with 8.4.X code yet.
Here is what I had with 8.2 code.
static (inside,outside) 10.21.197.0 10.17.197.0 netmask 255.255.255.0
Our inside network is 10.17.197.X/24. The current NAT we have in place is 10.21.197.X/24.
We need to add an additional NAT of 10.22.197.X/24 and I also have networks that will need to hit the address with no NAT.
I do know the source networks where I need each of the three cases:
from 172.20.X.X I need to hit the inside of 10.17.197.X natively, no NAT.
from 192.168.X.X I need to hit the inside of 10.17.197.X with 10.21.197.X NAT
from 10.10.X.X I need to hit the inside of 10.17.197.X with 10.22.197.X NAT
Feb 24, 2012
I need to replace an ASA with an IOS firewall router, and am not sure how to migrate the NAT configuration. Specifically, there is an interface "3rdparty" that has onward connectivity to other private addresses, so our internal addressing is hidden. For some reason there are static NAT rules in different directions across the interface, but at present I cannot see why. Thinking in router terms, all that springs to mind is the inside and outside tags for the interfaces, but also that it might need "overlapping" NAT to be configured.
[code]...
Jan 5, 2013
I guess I am just getting old and forgot how this works, or I have an IOS load with an undocumented feature in it. A customer of ours wishes to have their Exchange server appear to the outside world on a separate IP address as their public pool address is. In the past this has not been an issue, however in the current configuration we are unable to get the source address to appear per the NAT statement; it always sources on the overloaded IP. Below is the relevant NAT config. Am I missing something, or have I hit an IOS feature? [code] There is a 45% chance I have forgotten everything I learned on the NOC desk and a 50% chance that it is something really stupid and 5% IOS is broken
Aug 23, 2011
I have 8 static IPs assigned to me from my ISP.
x.y.w.56 (not usable)
x.y.w.57
x.y.w.58
x.y.w.59
x.y.w.60
x.y.w.61
x.y.w.62
x.y.w.63 (not usable)
Subnet 255.255.255.248
I have an 877 router and I would like to:
NAT all LAN clients with x.y.w.57
Configure some ports (i.e. 80 and 443) to be forwarded from x.y.w.57 to one LAN server (i.e. 192.168.0.1)
Configure some ports (i.e. 443) to be forwarded from x.y.w.58 to another LAN server (i.e. 192.168.0.2)