Nat and vlans on 1841 router

Similar Messages

• Vlan subinterface nat and routing

  hi,
  i've a cisco 1800 with .248 pool public ip .The router is connected with dce on serial port to my isp and
  is configured with first public ip of my subnet on fe0/0 .
  I've to serve to vlan (1 and 20) with this router so i 've connected the router fe0/0 to switch trunk port
  and created a subinterface fe0/0.20 with dot1q encryption and ip 192.168.40.1. I also created a dhcp pool for vlan20 interface.
  Now i can go to internet trought fe/0.0 . configured vlan 20 device receive 192.168.40.0/24 ip so dhcp pool work.
  vlan 20 device can ping 192.168.40.1 and 82.85.162.1 (fe0/0.20 and fe0/0) but not want to go to internet.
  show ip nat traslation is empty.
  this is my show ip route:
  Gateway of last resort is 213.205.53.77 to network 0.0.0.0
       217.133.64.0/32 is subnetted, 1 subnets
  C       217.133.64.49 is directly connected, Virtual-Access1
  C    192.168.40.0/24 is directly connected, FastEthernet0/0.20
       82.0.0.0/26 is subnetted, 1 subnets
  C       82.85.162.0 is directly connected, FastEthernet0/0
       213.205.53.0/32 is subnetted, 1 subnets
  C       213.205.53.77 is directly connected, Virtual-Access1
  S*   0.0.0.0/0 [1/0] via 213.205.53.77
  this is my configuration:
  Current configuration : 2586 bytes
  version 12.4
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname ##############
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  logging buffered 64000
  no logging console
  enable secret 5 ####################
  aaa new-model
  aaa session-id common
  clock timezone GMT+1 1
  clock summer-time GMT+2 recurring
  no ip source-route
  ip dhcp excluded-address 82.85.162.1
  ip dhcp excluded-address 192.168.40.1
  ip dhcp pool LAN_Roma_Eletronica
     network 82.85.162.0 255.255.255.192
     default-router 82.85.162.1
     dns-server 213.205.36.70 213.205.32.70
     lease 0 0 15
  ip dhcp pool vlan20
     network 192.168.40.0 255.255.255.0
     default-router 192.168.40.1
     dns-server 8.8.8.8 8.8.4.4
     lease 0 0 15
  ip cef
  no ip domain lookup
  ip name-server 213.205.32.70
  ip name-server 213.205.36.70
  multilink bundle-name authenticated
  username ######### password 7 #########
  archive
   log config
    hidekeys
  interface FastEthernet0/0
   ip address 82.85.162.1 255.255.255.192
   ip nat outside
   ip virtual-reassembly
   duplex auto
   speed auto
   no keepalive
  interface FastEthernet0/0.20
   encapsulation dot1Q 20
   ip address 192.168.40.1 255.255.255.0
   ip nat inside
   ip virtual-reassembly
  interface FastEthernet0/1
   no ip address
   duplex auto
   speed auto
  interface Serial0/0/0
   bandwidth 2048
  no ip address
   encapsulation frame-relay IETF
   no fair-queue
   frame-relay traffic-shaping
   hold-queue 4096 in
   hold-queue 4096 out
  interface Serial0/0/0.100 point-to-point
   bandwidth 1600
   no cdp enable
   frame-relay interface-dlci 100 ppp Virtual-Template1
    class FR-1600
  interface Virtual-Template1
   bandwidth 1600
   ip address negotiated
   ip tcp adjust-mss 1410
   keepalive 5
   ppp chap hostname #################
   ppp chap password 7 ################
   ppp pap sent-username ############## password 7 ##############
   ppp ipcp route default
  ip forward-protocol nd
  no ip http server
  ip nat inside source list 110 interface FastEthernet0/0 overload
  map-class frame-relay FR-1600
   frame-relay cir 1600000
   frame-relay bc 200000
   frame-relay mincir 1000000
  access-list 1 permit 192.168.40.0 0.0.0.255
  access-list 110 permit ip 192.168.40.0 0.0.0.255 any
  control-plane
  line con 0
   session-timeout 60
   exec-timeout 60 0
   privilege level 15
  line aux 0
   privilege level 15
  line vty 0 4
   session-timeout 60
   access-class 10 in
   exec-timeout 60 0
  scheduler allocate 20000 1000
  end

  There's 2 problems:
  1- your "ip nat outside" location is wrong, you must put it on virtual-template1.
  2-change "ip nat inside source list 110 interface FastEthernet0/0 overload" to "ip nat inside source list 110 interface virtual-template1 overload"
  HTH
  Houtan

• How to enable routing between HWIC-4ESW and Onboard FE on cisco 1841 router..?

  Hello All,
  I have a cisco 1841 router, recently i have purchased HWIC-4ESW slot for my router. The module is working fine i could able to see additional FE ports(fe0/0/0,fe0/0/1...).Now problem comes in routing i.e. these HWIC-4ESW ports and Onboard FEs are not communicating.If any bode knows the solution kindly let me know the configuration details..
  Thanks,Sazz

  Hi,
  Look at the configs below.
  How can I use IP Routing so communication is possible across all subnets?
  Router>en
  Router#config t
  Router(config)#int fa0/0
  Router(config-if)#description ***INTERNET***
  Router(config-if)#ip address xxx.xxx.xxx.xxx 255.255.255.252
  Router(config-if)#no shut
  Router(config-if)#ip nat outside
  Router(config-if)#exit
  !On-board interface
  Router(config)#int fa0/1
  Router(config-if)#description ***LAN***
  Router(config-if)#ip address 10.0.xxx.xxx 255.255.255.0
  Router(config-if)#no shut
  Router(config-if)#ip nat inside
  Router(config-if)#exit
  Router#vlan database
  % Warning: It is recommended to configure VLAN from config mode,
    as VLAN database mode is being deprecated. Please consult user
    documentation for configuring VTP/VLAN in config mode.
  Router(vlan)#vlan 10
  VLAN 10 modified:
  Router(vlan)#vlan 20
  VLAN 20 added:
      Name: VLAN0020
  Router(vlan)#exit
  APPLY completed.
  Exiting....
  Router#config t
  Router(config)#int vlan 10
  Router(config-if)#ip address 172.16.xxx.xxx 255.255.255.0
  Router(config-if)#ip nat inside
  Router(config-if)#no shut
  Router(config-if)#exit
  Router(config)#int vlan 20
  Router(config-if)#ip address 192.168.xxx.xxx 255.255.255.0
  Router(config-if)#ip nat inside
  Router(config-if)#no shut
  Router(config-if)#exit
  !HwIC-4ESW interface
  Router(config)#int fa0/0/0
  Router(config-if)#switchport mode access
  Router(config-if)#switchport access vlan 10
  Router(config-if)#exit
  !HWIC-4ESW Interface
  Router(config)#int fa0/0/1
  Router(config-if)#switchport mode access
  Router(config-if)#switchport access vlan 20
  Router(config-if)#exit
  Router(config)#exit
  Router#copy run start
  Destination filename [startup-config]?
  Building configuration...
  [OK]
  Router#config t
  Router(config)#ip name-server xxx.xxx.xxx.xxx
  Router(config)#ip name-server xxx.xxx.xxx.xxx
  Router(config)#exit
  Regards,

• NAT and Routed Network with Two ISP's on one router

  I'm sure this has been done covered many times, but I am not finding it.
  I have two ISP connections.
  With ISP-A I have a /30 between us and 200.100.100.0/24 is routed to me via the /30 for thsi example we will say the /30 is 1.1.1.1 on isp end and 1.1.1.2 on my end
  With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
  On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
  I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
  Everything on 192.168.100.x should use NAT and go out ISP-B
  I have tried
  ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
  route-map ISP-B permit 10
   match ip address 101
   match interface GigabitEthernet0/1
   set ip next-hop 100.0.0.1
  route-map ISP-A permit 10
   match ip address 111
   match interface Multilink1
   set ip next-hop 1.1.1.1
  The problem comes when I have default routes to ISP-A in the router than none of the ISP-B traffic works, and vice versa.

  I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
  If you can use BGP, this link will help you in load shearing between multiple ISPs when you have one router.
  http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
  HTH

• Static NAT (in and out) and PAT on a Router

  Static NAT and PAT
  I need to have a customer network connected to my extranet.
  I’m not in control of the customer network addressing. But need to configure a VPN connection.
  I will supply the router that will also be the customer Firewall to the Internet (PAT).
  (1) I need to be able to do PAT on traffic from internal hosts to the Internet.
  (2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
  (3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
  The following configuration will solve (1) & (2), but I can not (3) reach the internal servers from my extranet, except if the internal host has made connection to the extranet, witch will create a translate entry in the NAT table.
  Extranet is: 172.16.16.0/24
  Internal net is: 192.168.1.0/24
  interface Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  interface FastEthernet4
  ip address 1.1.1.1
  ip nat outside
  access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
  access-list 175 permit 192.168.1.0 0.0.0.255 any
  access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
  ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
  ip nat inside source list 175 interface FastEthernet4 overload
  ip nat inside source route-map HIDE pool FRO reversible
  route-map HIDE permit 10
  match ip address 176

  Create a NAT configuration in the router which also translates even your outside Global address(your extranet) into the inside Global(any private) address through the keyword "rotary".Only this rotary pool will provide the pool of inside global IP address for yopur outside Global IP addresses.
  The following white paper will provide you with the required information,
  http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml

• Connection issue between Cisco 515 Pix and Cisco 1841 router

  Hi,
  I am having a problem getting a Cisco Pix 515 communicating to a Cisco 1841. I am currently studying for CCNA so forgive me if it's obvious to the rest of you where the problem lies.
  The client currently has an ISDN service which is being moved over to a 2MB E1 connection.
  I have configured the 1841 router with G.703 WIC according to the information given to me by the ISP. I have configured the 1841 to have the same internal IP as the ISDN Cisco 800 series router, hoping for a simple swap over. The Pix 515 sits behind the ISDN at present and will be behind the 1841 when it is active.
  Once I unplug the 800 series ISDN router and plug the 1841 into the pix, I cannot get any response what so ever. I have tried changing the ethernet connection speeds between the pix and 1841 hoping it would be as simple as that without success. Can't get ping responses from either end but I can when the ISDN service is plugged in. Both ISDN and E1 link are supplied by the same ISP, Telstra Australia and the fixed IP's are able to move over to the E1 service.
  I have not touched the pix in any way. A seperate company configured the router a couple of years ago.
  I have included the configurations of the existing ISDN, Pix and the 1841 for you to review. Any advise/solutions would be greatly appreciated.
  Thanks in Advance,

  Hi,
  The outside interface on your PIX is configured as 10BaseT which would be fine when using the original 800 series ISDN router.
  Now with your new 1841, the interface that the PIX connects to is Fast Ethernet so you need to change your outside interface on the PIX to the same
  If you want to use auto negotiation between the PIX and router then the command to do this on the PIX is
  interface ethernet0 auto
  I recommend using hard coded settings between the PIX and router and the command to do this on this PIX is
  interface ethernet0 100full
  You will also need to change your router as:
  interface FastEthernet0/0
  speed 100
  duplex full
  If you can't configure the PIX as you mentioned an external company did it, then i guess you could change your Fast Ethernet interface to "speed 10", "duplex half".
  This won't create a bottleneck as you only have a 2 MB connection to your ISP
  Everything else looks good, don't worry about asking questions on the forum, this is what its for.
  HTH
  Paddy

• VLAN with 1700 router and Linksys switch

  I am trying to use a 1700 router to route between to IP subnets on two different VLANs setup on a Linksys switch. I do not have access to the switch so I am working with another tech that handles the switch. I setup two subinterfaces on the FE port of the router. Int Fa0.1 uses IP 1.1.1.1 and VLAN 1 native using 802.1q. Int Fa0.2 uses IP 2.2.2.2 and VLAN 2. I asked the switch tech to setup his switch accordingly. My problem right now is that the router will only ping IPs on the native VLAN. Meaning if I make Fa0.1 VLAN 1 native I can ping devices on 1.1.1.0/24 and if I make Fa0.2 VLAN 2 native then I can ping on 2.2.2.0/24. When I passed this along to the tech he explains something about setting up his ports for tagged or untagged but I don't know who this would apply to the router but he doesn't have a solution either. Is there anythin I can do on the router side to fix this?
  Thanks,
  Diego

  hi,
  I've tried connecting cisco to non cisco devices.Tagged ports simply means allowing different vlan to pass to that port and Untagged is passing only the native vlan.For your case since you want that two VLAN will communicate,port should be tagged.Tagged is simply trunking in terms to cisco.So that the 802.1q frames will pass that port.

• Help needed with AT&T 3G MicroCell going through 1841 Router

  I am trying to get an AT&T 3G MicroCell (made by Cisco) to communicate to the Internet through our Cisco 1841 Router.
  The router has only basic NAT  and no Firewall setting.
  The AT&T 3G MicroCell is not a configurable device and it directly connected to a switch port on the router.
  DHCP is supplied to it by the router.
  We are using Comcast Business Class modem but it is set as a passive gateway pass through device so by passing the router is not an option.
  The MicroCell is unable to establish connectivity with the AT&T auto-configuration on the Internet.
  So far AT&T support has not been very helpful or knowledgeable.
  Anyone have experience with the MicroCell device and connectivity?
  They recommend some advanced settings for UPD and TCP ports but the router shows them as open.
  It primarily uses ipsec ports
  Any ideas? 

  I have this same issue with the MicroCell plugged directly into the WAN (DHCP) connection to the house from the ISP...................
  I also have this same issue with the unit plugged into the DMZ on the router with pass all, all protocol's in and out .....
  My problem is GPS related, as in the new 911 database has "virtually" moved my 2 bedroom house 4 miles east of my "physical" location.
  Ain't modern tech great......(now if we could just get people great)  only problem with high tech is............GARBAGE IN >> GARBAGE OUT........it still depends on "intelligent" life to program everything.

• WCCP on 1841 router

  Having a problem with a configuration of our guest network and our content filter (S170 IronPort). The 1841 has 3 interfaces. 0/0 is on the LAN side, 0/1/0 is connected to the Ironport, 0/1 is connected to the ISP. So we would like to redirect all traffic from the LAn interface to the Ironport and then out to the internet. For some reason with the configuration below it does not redirect the traffic. When I apply WCCP to the LAN interface it redirects but the cleints stop gettin g internet traffic. Does anyone have any expereince or ideas on how to make this work in the environment?
  The ironport is 10.x.5.30 and conneted to fa0/1/0
  ip wccp web-cache redirect-list https-cache
  ip wccp 80 redirect-list https-cache
  interface FastEthernet0/1/0
  description WCCP port
  ip address 10.x.5.10 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip wccp web-cache redirect in
  ip wccp 80 redirect in
  no ip nat inside
  ip virtual-reassembly
  ip route-cache flow
  exit
  interface FastEthernet0/0
  description $ES_LAN$$FW_INSIDE$
  ip address 10.x.4.20 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface FastEthernet0/1
  description outside$ETH-WAN$
  ip address 50.x.89.145 255.255.255.248
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip flow ingress
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  no cdp enable
  no mop enabled
  ip access-list extended https-cache
  permit ip 10.245.4.0 0.0.0.255 any
  ip route 0.0.0.0 0.0.0.0 50.x.89.150
  ip route 10.0.0.0 255.0.0.0 10.x.4.1
  ip route 172.16.0.0 255.248.0.0 10.x.4.1

  Hi Corey,
  CME is not supported on the 1841 (minimum 1861)
  Here's why;
  Both slots on the Cisco 1841 router are HWIC slots and provide compatibility with WICs and multiflex trunk (VWICs) interface cards
  (for data only).
  VoIP Support
  Voice-over-IP (VoIP) pass-through only
  http://www.cisco.com/en/US/prod/collateral/routers/ps5853/product_data_sheet0900aecd8016a59b.html
  Cheers!
  Rob

• I want to use Back to my mac. When I try to turn it on, it says "Back to My Mac may be slow because more than one device on your network is providing network services.   Turn off NAT and DHCP on one of the devices and try again." How do I fix this?

  Not sure if I am doing this right. This is my first time in the support community.
  I imagine what I put in my heading was supposed to go in here.
  I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
  Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

  Why do ISPs insist upon making things so difficult for their customers?
  If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
  http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-i nformation/
  Scroll down to DHCP Settings
  You will need to log in with proper "technician" credentials. They are provided in the above link as
  Username: tech
  Password: t3lu5tv
  ... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business.

• How do I add a Subnet and vlan with a catalyst 3550 and RV120

  Hello Friends.
  I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
  This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
  I have a business class gateway with a private range of 12 public addresses. Ther modem does nothing but act as a gateway since i have disabled the firewall and DHCP.
  In place of the firewall and DCHP from the modem i have installed a RV120 Firewall with VPN. When installing i replicated the IP scheme of the modem as to not disturb and distrup the devices assigned addresses from that scheme from the modem. I did this because the owner could not have any down time or any disruption to the business operations.
  The RV120 now acts as firewall , DHCP , and VPN. I'll address the subnet first. I's using 10.0.0.0/24 subnet range.
  DHCP is assigning 10.1.10.50 - 10.1.10.100 the rest are static and i plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
  There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.0.1.101 - 10.1.10.170.
  VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
  There are no layer 3 switches that i know of. Just a layer two that is the primary swith and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
  I want to implement subnets into the network and VLANS as well on a new Layer 3 switche from cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
  I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
  I want to replace the 10.0.0.0/24 DHCP alltogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes segmented.
  I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
  Iv'e thought of replacing all the wireless nodes with RV120's and use VLAN. Dont know if that strategy works. Need to think it through.
  I want the 192.168.0.0/24 IP range comunicate to with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
  Any advice on how to do this?
  As a side note the next step after this is to install a server domain controller as all the computers are all stand alones in their own workgroups. It's a simultaneous project that will introdue a DCHP, WINS, DNS server.

  Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs enhanced multilayer image. It may be more prudent to use a more current switch such as small business SG300 or SG500 as the feature set is more rich and it supports around 480 LAN connections.
  To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
  With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLAN will passage without issue. For a port connecting a user "switchport mode access" "native vlan xx" This will assign the port as untag member of the desired VLAN.
  If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different  "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst.

• Using modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi) : impossible to create a new Wi-Fi network (2.4 or 5 GHz) ? Conflict with DHCP / NAT and so on. No answer from the Apple help desk, Air Port Utility 6.1 unusable (configuration = Win 7)

  Good afternoon,
  My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One : vdsl   tv   VoIP   wi-fi), it's almost the same than a BBox-2 from Belgacom (software and configuration).
  This modem has 4 ethernet port, 2 for TV, 2 for LAN, the WAN port is RJ-11 and the connection is a PPPoE (in fact, it's the Belgacom network). I also got a Wi-Fi 802.11g on it.
  The main raison why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
  First of all, can I do the following with my TC :
  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
  The Airport Utility 6.1 "Wizard" is just un-usable and I need to use a Win 7 laptop in order to get access to all the configuration !
  The standard manual is very poor.
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  Sincerely yours,
  AVDB

  1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
  2) create a new Wi-Fi network using the TC ?
  Does someone already create a new Wi-Fi network using its TC connected by Ethernet on a modem/router device ? How do you set up the DHCP (and NAT) ? Which range did you use ?
  This is easy enough to do..
  Plug the TC directly into a computer.. without other connections to do the setup.
  Using the newly installed 5.6 utility.
  Bridge the TC.
  Create a wireless network.
  This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
  I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
  Update the TC..
  Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4ghz and 5ghz bands directly to the main router.

• Howto: Zones in private subnets using ipfilter's NAT and Port forwarding

  This setup supports the following features:
  * Requires 1 Network interface total.
  * Supports 1 or more public ips.
  * Allows Zone to Zone private network traffic.
  * Allows internet access from the global zones.
  * Allows direct (via ipfilter) internet access to ports in non-global zones.
  (change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
  Network setup:
  iprb0 65.38.103.1/24
  defaultrouter 65.38.103.254
  iprb0:1 192.168.1.1/24 (in global zone)
  Create a zone on iprb0 with an ip of 192.168.1.2
  ### Example /etc/ipf/ipnat.conf
  # forward from a public port to a private zone port
  rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
  # force outbound zone traffic thru a certain ip address
  # required for mail servers because of reverse lookup
  map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
  map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
  map iprb0 192.168.1.2/32 -> 65.38.103.1
  # allow any 192.168.1.x zone to use the internet
  map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
  map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
  map iprb0 192.168.1.0/24 -> 0/32For testing purposes you can leave /etc/ipf/ipf.conf empty.
  Be aware the you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules and the rules stay loaded if they are just disabled(bug).
  Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
  Create /etc/init.d/zone_route_hack
  Link this file to /etc/rc3.d/S99zone_route_hack.
  #/bin/sh
  # based on information found at
  # http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
  # http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
  fake_router=192.168.1.254
  public_net=65.38.103.0
  router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
  # send some data to the real network router so we look up it's arp address
  ping -sn $router 1 1 >/dev/null
  # record the arp address of the real router
  router_arp=`arp $router | nawk '{print $4}'`
  # delete any existing arp address entry for our fake private subnet router
  arp -d $fake_router >/dev/null
  # assign the real routers arp address to our fake private subnet router
  arp -s $fake_router $router_arp
  # route our private subnet through our fake private subnet router
  route add default $fake_router
  # Can't create this route until the zone/interface are loaded
  # Adjust this based on your hardware and number of zones
  sleep 300
  # Duplicate this line for every non-global zone with a private ip that
  # will have ipfilter rdr (redirects) pointing to it
  route add -net $public_net 192.168.1.2 -ifaceNow we have both public and private ip addresses on our one iprb0 interface. If we'd really like our private zone network to really be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
  The following /etc/ipf/ipf.conf defaults to deny.
  # ipf.conf
  # IP Filter rules to be loaded during startup
  # See ipf(4) manpage for more information on
  # IP Filter rules syntax.
  # INCOMING DEFAULT DENY
  block in all
  block return-rst in proto tcp all
  # two open ports one of which is redirected in ipnat.conf
  pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
  pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
  # INCOMING PING
  pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
  # INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
  #pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
  # OUTGOING RULES
  block out all
  # ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
  # remove/edit as needed to actually talk to local private physical networks
  block out quick from any to 192.168.0.0/16
  block out quick from any to 172.16.0.0/12
  block out quick from any to 10.0.0.0/8
  block out quick from any to 0.0.0.0/8
  block out quick from any to 127.0.0.0/8
  block out quick from any to 169.254.0.0/16
  block out quick from any to 192.0.2.0/24
  block out quick from any to 204.152.64.0/23
  block out quick from any to 224.0.0.0/3
  # Allow traffic out the public interface on the public address
  pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
  # OUTGOING PING
  pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
  # Allow traffic out the public interface on the private address (needs nat and router arp hack)
  pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
  # OUTGOING PING
  pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
  # INCOMING TRACEROUTE FIX PART 2
  #pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep stateIf you want incoming and outgoing internet in your zones it is easier if you just give them public ips and setup a firewall in the global zone. If you have limited public ip address(I'm setting up a colocation 1u server) then you might take this approach. One of the best things about doing thing this way is that any software configured in the non-global zones will never be configured to listen on an ip address that might change if you change public ips.

  Instead of using the script as a legacy_run script, set it up in SMF.
  First create the file /var/svc/manifest/system/ip-route-hack.xml with
  the following
  ---Start---
  <?xml version="1.0"?>
  <!DOCTYPE service_bundle SYSTEM
  "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
  <!--
  ident "@(#)ip-route-hack.xml 1.0 09/21/06"
  -->
  <service_bundle type='manifest' name='NATtrans:ip-route-hack'>
  <service
  name='system/ip-route-hack'
  type='service'
  version='1'>
  <create_default_instance enabled='true' />
  <single_instance />
  <dependency
  name='physical'
  grouping='require_all'
  type='service'
  restart_on='none'>
  <service_fmri value='svc:/network/physical:default' />
  </dependency>
  <dependency
  name='loopback'
  grouping='require_all'
  type='service'
  restart_on='none'>
  <service_fmri value='svc:/network/loopback:default' />
  </dependency>
  <exec_method
  type='method'
  name='start'
  exec='/lib/svc/method/svc-ip-route-hack start'
  timeout_seconds='0' />
  <property_group name='startd' type='framework'>
  <propval name='duration' type='astring'
  value='transient' />
  </property_group>
  <stability value='Unstable' />
  <template>
  <common_name>
  <loctext xml:lang='C'>
  Hack to allow zone to NAT translate.
  </loctext>
  </common_name>
  <documentation>
  <manpage
  title='zones'
  section='1M'
  manpath='/usr/share/man' />
  </documentation>
  </template>
  </service>
  </service_bundle>
  ---End---
  then modify /var/svc/manfiest/system/zones.xml and add the following
  dependancy
  ---Start---
  <dependency
  name='inet-ip-route-hack'
  type='service'
  grouping='require_all'
  restart_on='none'>
  <service_fmri value='svc:/system/ip-route-hack' />
  </dependency>
  ---End---
  Finally create the file /lib/svc/method/svc-ip-route-hack with the
  contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run
  'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg
  import /var/svc/manifest/system/zones.xml'.
  This will guarantee that ip-route-hack is run before zones are started,
  but after the interfaces are brought on line. It is worth noting that
  zones.xml may get overwritten during a patch, so if it suddenly stops
  working, that could be why.

• Static NAT and same IP address for two interfaces

  We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly) can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm refering too where 10.10.10.10 would be the same public IP address.
  static (inside,Outside) 10.10.10.10  access-list inside_nat_static_1
  static (production,Outside) 10.10.10.10  access-list production_nat_static_1
  Thanks for any help.
  Jeff

  Hi Jeff,
  Unfortunately this cannot be done, on the ASA packet classification is done on the basis of mac-address, destination nat and route, and here you are confusing the firewall, to which interface does the ip belong to. I haven't ever tried to do it, but it should cause you issues.
  Thanks,
  Varun Rao
  Security Team,
  Cisco TAC

• Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2

  In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management
  (logical) on top of Datacenter (physical).
  Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
  If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is a L3 switch needed to route traffic between logical networks for example?

  Hi. VMM Networking may be overwhelmed for the most, at first. But you really need to understand the modeling here and how things are related to each other. Especially if using NIC teaming in WS 2012 (and R2) together with this mix.
  I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
  -kn
  Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )