Nat and vlans on 1841 router
I have an old 1605 router that is doing NAT for me. e0/0 is my external interface. e0/1 is my internal interface 172.16.0.1 255.255.255.252
I have NAT enabled on the router on the 1605r. It works fine when I directly connect a PC to the internal interface.
I have a 1841 router. interface f0/0 172.16.0.2 255.255.255.252 is connected to e0/1 on the 1605r.
Now on the f0/1 of the 1841 I have two subinterfaces f0/1.1 10.0.0.1 255.240.0.0
and f0/1.2 192.168.0.1 255.255.255.0
I have dot1q encapsulation on the interfaces with vlan 1/f0/1.1 set to native.
The 2 VLANs can talk fine, I can ping each machine on the VLANs. But I can only ping as far as 172.16.0.2/ f0/0.
I have a static route set on 1841 router 0.0.0.0 0.0.0.0 172.16.0.1.
Can anyone tell me what I'm doing wrong.
I believe that the first issue is a routing question on the 1605. When anything on the VLANs of the 1841 attempts to ping to any address on the 1605 the source address of the ping will be 10.0.x.x or will be 192.168.0.x. Is there anything on the 1605 that tells it where this address space is and what interface to use to get to it?
I believe that supplying static routes on the 1605 for ip route 10.0.0.0 255.240.0.0 172.16.0.2 and ip route 192.168.0.0 255.255.255.0 172.16.0.2 will allow devices on the VLANs to ping addresses on the 1605.
If you want the devices on the VLANs to access things beyond the 1605 there is probably another issue. I am guessing that the NAT that you have configured processes the 172.16.0.0 subnet and probably does not have anything in it about 10.0.0.0 or 192.168.0.0. You will probably have to add to the NAT logic to cover these addresses as well.
HTH
Rick
Similar Messages
-
Vlan subinterface nat and routing
hi,
I've a Cisco 1800 with a .248 pool of public IPs. The router is connected with DCE on a serial port to my ISP and
is configured with the first public IP of my subnet on fe0/0.
I have to serve two VLANs (1 and 20) with this router so I've connected the router fe0/0 to a switch trunk port
and created a subinterface fe0/0.20 with dot1q encryption and IP 192.168.40.1. I also created a DHCP pool for the vlan20 interface.
Now I can go to the internet through fe0/0. Configured vlan 20 devices receive 192.168.40.0/24 IPs so the DHCP pool works.
vlan 20 devices can ping 192.168.40.1 and 82.85.162.1 (fe0/0.20 and fe0/0) but will not go to the internet.
show ip nat translation is empty.
this is my show ip route:
Gateway of last resort is 213.205.53.77 to network 0.0.0.0
217.133.64.0/32 is subnetted, 1 subnets
C 217.133.64.49 is directly connected, Virtual-Access1
C 192.168.40.0/24 is directly connected, FastEthernet0/0.20
82.0.0.0/26 is subnetted, 1 subnets
C 82.85.162.0 is directly connected, FastEthernet0/0
213.205.53.0/32 is subnetted, 1 subnets
C 213.205.53.77 is directly connected, Virtual-Access1
S* 0.0.0.0/0 [1/0] via 213.205.53.77
this is my configuration:
Current configuration : 2586 bytes
version 12.4
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname ##############
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 64000
no logging console
enable secret 5 ####################
aaa new-model
aaa session-id common
clock timezone GMT+1 1
clock summer-time GMT+2 recurring
no ip source-route
ip dhcp excluded-address 82.85.162.1
ip dhcp excluded-address 192.168.40.1
ip dhcp pool LAN_Roma_Eletronica
network 82.85.162.0 255.255.255.192
default-router 82.85.162.1
dns-server 213.205.36.70 213.205.32.70
lease 0 0 15
ip dhcp pool vlan20
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 8.8.8.8 8.8.4.4
lease 0 0 15
ip cef
no ip domain lookup
ip name-server 213.205.32.70
ip name-server 213.205.36.70
multilink bundle-name authenticated
username ######### password 7 #########
archive
log config
hidekeys
interface FastEthernet0/0
ip address 82.85.162.1 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no keepalive
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.40.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
no ip address
duplex auto
speed auto
interface Serial0/0/0
bandwidth 2048
no ip address
encapsulation frame-relay IETF
no fair-queue
frame-relay traffic-shaping
hold-queue 4096 in
hold-queue 4096 out
interface Serial0/0/0.100 point-to-point
bandwidth 1600
no cdp enable
frame-relay interface-dlci 100 ppp Virtual-Template1
class FR-1600
interface Virtual-Template1
bandwidth 1600
ip address negotiated
ip tcp adjust-mss 1410
keepalive 5
ppp chap hostname #################
ppp chap password 7 ################
ppp pap sent-username ############## password 7 ##############
ppp ipcp route default
ip forward-protocol nd
no ip http server
ip nat inside source list 110 interface FastEthernet0/0 overload
map-class frame-relay FR-1600
frame-relay cir 1600000
frame-relay bc 200000
frame-relay mincir 1000000
access-list 1 permit 192.168.40.0 0.0.0.255
access-list 110 permit ip 192.168.40.0 0.0.0.255 any
control-plane
line con 0
session-timeout 60
exec-timeout 60 0
privilege level 15
line aux 0
privilege level 15
line vty 0 4
session-timeout 60
access-class 10 in
exec-timeout 60 0
scheduler allocate 20000 1000
end

There are two problems:
1- your "ip nat outside" location is wrong, you must put it on virtual-template1.
2-change "ip nat inside source list 110 interface FastEthernet0/0 overload" to "ip nat inside source list 110 interface virtual-template1 overload"
HTH
Houtan -
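The two replies above (Rick's on the 1605, Houtan's on the 1800) describe the same class of mistake: the packet enters an `ip nat inside` interface, but either the NAT access-list does not cover its source, the router has no route back to that source, or the packet leaves through an interface that is not the one carrying `ip nat outside` and the overload address. The checker below is an added example, not code from either thread or from Cisco. It parses a deliberately small subset of IOS configuration (interfaces with addresses and `ip nat inside`/`ip nat outside`, permit lines of standard or extended ACLs, one `ip nat inside source list ... overload` statement, static routes) and reports why a given flow would not be translated and answered. The configurations it runs against are constructed to match the posts: the 1605's public address and the 1800's PPP address are assumed, and the 1800's virtual-access interface is given a static /30 so the default route's next hop resolves.

```python
import ipaddress
import re

# Constructed IOS fragments, not the posters' configs. This one models the 1605 from the
# opening post as the reply suspects it looks: NAT knows only the 172.16.0.0/30 link.
# The public address on Ethernet0/0 (203.0.113.2/30) is assumed.
NAT_ROUTER_BEFORE = """\
interface Ethernet0/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
interface Ethernet0/1
 ip address 172.16.0.1 255.255.255.252
 ip nat inside
access-list 1 permit 172.16.0.0 0.0.0.3
ip nat inside source list 1 interface Ethernet0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""
# The reply's two fixes: routes back to the 1841 and NAT ACL entries for the VLAN subnets.
NAT_ROUTER_AFTER = NAT_ROUTER_BEFORE + """\
access-list 1 permit 10.0.0.0 0.15.255.255
access-list 1 permit 192.168.0.0 0.0.0.255
ip route 10.0.0.0 255.240.0.0 172.16.0.2
ip route 192.168.0.0 255.255.255.0 172.16.0.2
"""
# The 1800 from the VLAN subinterface thread: 'ip nat outside' is on Fa0/0 while the default
# route leaves via the PPP virtual-access interface (given an assumed /30 here; PPP negotiates it).
VLAN_ROUTER_BEFORE = """\
interface FastEthernet0/0
 ip address 82.85.162.1 255.255.255.192
 ip nat outside
interface FastEthernet0/0.20
 ip address 192.168.40.1 255.255.255.0
 ip nat inside
interface Virtual-Access1
 ip address 213.205.53.78 255.255.255.252
access-list 110 permit ip 192.168.40.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 213.205.53.77
"""
# Houtan's fix: move 'ip nat outside' and the overload interface to the PPP side.
VLAN_ROUTER_AFTER = (VLAN_ROUTER_BEFORE
    .replace(" ip nat outside\ninterface FastEthernet0/0.20", "interface FastEthernet0/0.20")
    .replace("255.255.255.252\n", "255.255.255.252\n ip nat outside\n")
    .replace("interface FastEthernet0/0 overload", "interface Virtual-Access1 overload"))


def wildcard_to_network(addr, wildcard):
    """IOS wildcard (1 bits = don't care) to a network; assumes a contiguous wildcard."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_config(text):
    """Interfaces, ACL permit entries, the overload statement and static routes; nothing else."""
    cfg, current = {"interfaces": {}, "acls": {}, "nat": None, "routes": []}, None
    for raw in text.splitlines():
        line, sub = raw.strip(), raw.startswith(" ")      # interface sub-commands are indented
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            cfg["interfaces"][current] = {"network": None, "nat": None}
        elif sub and line.startswith("ip address "):
            cfg["interfaces"][current]["network"] = ipaddress.IPv4Network(tuple(line.split()[2:4]), strict=False)
        elif sub and line in ("ip nat inside", "ip nat outside"):
            cfg["interfaces"][current]["nat"] = line.split()[-1]
        elif line.startswith("access-list "):             # standard or extended permit line
            acl, addr, wild = re.match(r"access-list (\S+) permit (?:ip )?(\S+) (\S+)", line).groups()
            cfg["acls"].setdefault(acl, []).append(wildcard_to_network(addr, wild))
        elif line.startswith("ip nat inside source list "):
            acl, intf = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line).groups()
            cfg["nat"] = {"acl": acl, "interface": intf}
        elif line.startswith("ip route "):
            _, _, dst, mask, nexthop = line.split()
            cfg["routes"].append((ipaddress.IPv4Network((dst, mask), strict=False), ipaddress.IPv4Address(nexthop)))
    return cfg


def egress_interface(cfg, address):
    """Longest-prefix match over connected networks and static routes whose next hop is connected."""
    address = ipaddress.IPv4Address(address)
    matches = [(i["network"].prefixlen, name) for name, i in cfg["interfaces"].items()
               if i["network"] and address in i["network"]]
    for net, nexthop in cfg["routes"]:
        if address in net:
            matches += [(net.prefixlen, name) for name, i in cfg["interfaces"].items()
                        if i["network"] and nexthop in i["network"]]
    return max(matches)[1] if matches else None


def nat_problems(cfg, src, ingress, dst):
    """Reasons a src->dst packet entering on `ingress` would not be translated and answered ([] if none)."""
    nat, problems = cfg["nat"], []
    if cfg["interfaces"].get(ingress, {}).get("nat") != "inside":
        problems.append(f"{ingress} is not 'ip nat inside'")
    if not any(ipaddress.IPv4Address(src) in net for net in cfg["acls"].get(nat["acl"], [])):
        problems.append(f"{src} matches nothing in access-list {nat['acl']}: it leaves untranslated")
    egress = egress_interface(cfg, dst)                # None when there is no route at all
    if cfg["interfaces"].get(egress, {}).get("nat") != "outside":
        problems.append(f"egress {egress} is not 'ip nat outside': NAT never fires")
    if egress != nat["interface"]:
        problems.append(f"overload address is {nat['interface']}'s but packets leave via {egress}")
    back = egress_interface(cfg, src)
    if back != ingress:
        problems.append(f"route back to {src} points at {back}, not {ingress}: replies are lost")
    return problems


if __name__ == "__main__":
    print(nat_problems(parse_config(NAT_ROUTER_BEFORE), "10.0.0.5", "Ethernet0/1", "8.8.8.8"))
    print(nat_problems(parse_config(VLAN_ROUTER_BEFORE), "192.168.40.10", "FastEthernet0/0.20", "8.8.8.8"))
```

Run as-is it prints two findings for each of the two "before" configurations (the 1605: source outside access-list 1, and the return route pointing at the WAN interface; the 1800: egress interface neither `ip nat outside` nor the overload interface), and `nat_problems` returns an empty list for both "after" configurations. On a real router the equivalent checks are `show ip nat statistics` (which interfaces are inside and outside), `show access-lists` (whether the hit count on the NAT ACL moves) and `show ip route <source address>`.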
How to enable routing between HWIC-4ESW and Onboard FE on cisco 1841 router..?
Hello All,
I have a Cisco 1841 router; recently I purchased an HWIC-4ESW for my router. The module is working fine, I am able to see the additional FE ports (fe0/0/0, fe0/0/1...). Now the problem is routing, i.e. these HWIC-4ESW ports and the onboard FEs are not communicating. If anybody knows the solution kindly let me know the configuration details.
Thanks,
Sazz

Hi,
Look at the configs below.
How can I use IP Routing so communication is possible across all subnets?
Router>en
Router#config t
Router(config)#int fa0/0
Router(config-if)#description ***INTERNET***
Router(config-if)#ip address xxx.xxx.xxx.xxx 255.255.255.252
Router(config-if)#no shut
Router(config-if)#ip nat outside
Router(config-if)#exit
!On-board interface
Router(config)#int fa0/1
Router(config-if)#description ***LAN***
Router(config-if)#ip address 10.0.xxx.xxx 255.255.255.0
Router(config-if)#no shut
Router(config-if)#ip nat inside
Router(config-if)#exit
Router#vlan database
% Warning: It is recommended to configure VLAN from config mode,
as VLAN database mode is being deprecated. Please consult user
documentation for configuring VTP/VLAN in config mode.
Router(vlan)#vlan 10
VLAN 10 modified:
Router(vlan)#vlan 20
VLAN 20 added:
Name: VLAN0020
Router(vlan)#exit
APPLY completed.
Exiting....
Router#config t
Router(config)#int vlan 10
Router(config-if)#ip address 172.16.xxx.xxx 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shut
Router(config-if)#exit
Router(config)#int vlan 20
Router(config-if)#ip address 192.168.xxx.xxx 255.255.255.0
Router(config-if)#ip nat inside
Router(config-if)#no shut
Router(config-if)#exit
!HwIC-4ESW interface
Router(config)#int fa0/0/0
Router(config-if)#switchport mode access
Router(config-if)#switchport access vlan 10
Router(config-if)#exit
!HWIC-4ESW Interface
Router(config)#int fa0/0/1
Router(config-if)#switchport mode access
Router(config-if)#switchport access vlan 20
Router(config-if)#exit
Router(config)#exit
Router#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
Router#config t
Router(config)#ip name-server xxx.xxx.xxx.xxx
Router(config)#ip name-server xxx.xxx.xxx.xxx
Router(config)#exit
Regards, -
NAT and Routed Network with Two ISP's on one router
I'm sure this has been done covered many times, but I am not finding it.
I have two ISP connections.
With ISP-A I have a /30 between us and 200.100.100.0/24 is routed to me via the /30. For this example we will say the /30 is 1.1.1.1 on the ISP end and 1.1.1.2 on my end
With ISP-B I have a 100.0.0.0/29 subnet. and the ISP gateway is on that subnet at 100.0.0.1
On the inside of my network I have devices using both 200.100.100.x addresses and devices on 192.168.100.x that need to use NAT.
I would like all of the devices on 200.100.100.x addresses to continue using ISP-A as their gateway.
Everything on 192.168.100.x should use NAT and go out ISP-B
I have tried
ip nat inside source route-map ISP-A interface GigabitEthernet0/1 overload
route-map ISP-B permit 10
match ip address 101
match interface GigabitEthernet0/1
set ip next-hop 100.0.0.1
route-map ISP-A permit 10
match ip address 111
match interface Multilink1
set ip next-hop 1.1.1.1
The problem comes when I have default routes to ISP-A in the router then none of the ISP-B traffic works, and vice versa.

I think for this to work correctly and be able to split traffic between the 2 ISPs, you would need to use BGP, because default is going to use one ISP or the other.
If you can use BGP, this link will help you in load sharing between multiple ISPs when you have one router.
http://www.cisco.com/c/en/us/support/docs/ip/border-gateway-protocol-bgp/13762-40.html#conf4
HTH -
Static NAT (in and out) and PAT on a Router
Static NAT and PAT
I need to have a customer network connected to my extranet.
Im not in control of the customer network addressing. But need to configure a VPN connection.
I will supply the router that will also be the customer Firewall to the Internet (PAT).
(1) I need to be able to do PAT on traffic from internal hosts to the Internet.
(2) I need to hide (NAT) the customer network behind a network supplied by me (match-host), when they are accessing my extranet (through VPN).
(3) I need to be able to access hosts on the customer network, through the hiding (NAT) addresses from my extranet (through VPN).
The following configuration will solve (1) & (2), but I cannot (3) reach the internal servers from my extranet, except if the internal host has made a connection to the extranet, which will create a translation entry in the NAT table.
Extranet is: 172.16.16.0/24
Internal net is: 192.168.1.0/24
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface FastEthernet4
ip address 1.1.1.1
ip nat outside
access-list 175 deny 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
access-list 175 permit 192.168.1.0 0.0.0.255 any
access-list 176 permit 192.168.1.0 0.0.0.255 172.16.16.0 0.0.0.255
ip nat pool FRO 10.192.10.1 10.192.10.254 netmask 255.255.255.0 type match-host
ip nat inside source list 175 interface FastEthernet4 overload
ip nat inside source route-map HIDE pool FRO reversible
route-map HIDE permit 10
match ip address 176

Create a NAT configuration in the router which also translates even your outside global address (your extranet) into an inside global (any private) address through the keyword "rotary". Only this rotary pool will provide the pool of inside global IP addresses for your outside global IP addresses.
The following white paper will provide you with the required information,
http://www.cisco.com/en/US/products/ps6640/products_white_paper09186a0080091cb9.shtml -
Connection issue between Cisco 515 Pix and Cisco 1841 router
Hi,
I am having a problem getting a Cisco Pix 515 communicating to a Cisco 1841. I am currently studying for CCNA so forgive me if it's obvious to the rest of you where the problem lies.
The client currently has an ISDN service which is being moved over to a 2MB E1 connection.
I have configured the 1841 router with G.703 WIC according to the information given to me by the ISP. I have configured the 1841 to have the same internal IP as the ISDN Cisco 800 series router, hoping for a simple swap over. The Pix 515 sits behind the ISDN at present and will be behind the 1841 when it is active.
Once I unplug the 800 series ISDN router and plug the 1841 into the pix, I cannot get any response what so ever. I have tried changing the ethernet connection speeds between the pix and 1841 hoping it would be as simple as that without success. Can't get ping responses from either end but I can when the ISDN service is plugged in. Both ISDN and E1 link are supplied by the same ISP, Telstra Australia and the fixed IP's are able to move over to the E1 service.
I have not touched the PIX in any way. A separate company configured the router a couple of years ago.
I have included the configurations of the existing ISDN, PIX and the 1841 for you to review. Any advice/solutions would be greatly appreciated.
Thanks in Advance,

Hi,
The outside interface on your PIX is configured as 10BaseT which would be fine when using the original 800 series ISDN router.
Now with your new 1841, the interface that the PIX connects to is Fast Ethernet so you need to change your outside interface on the PIX to the same
If you want to use auto negotiation between the PIX and router then the command to do this on the PIX is
interface ethernet0 auto
I recommend using hard coded settings between the PIX and router and the command to do this on this PIX is
interface ethernet0 100full
You will also need to change your router as:
interface FastEthernet0/0
speed 100
duplex full
If you can't configure the PIX as you mentioned an external company did it, then i guess you could change your Fast Ethernet interface to "speed 10", "duplex half".
This won't create a bottleneck as you only have a 2 MB connection to your ISP
Everything else looks good, don't worry about asking questions on the forum, this is what its for.
HTH
Paddy -
VLAN with 1700 router and Linksys switch
I am trying to use a 1700 router to route between two IP subnets on two different VLANs set up on a Linksys switch. I do not have access to the switch so I am working with another tech that handles the switch. I set up two subinterfaces on the FE port of the router. Int Fa0.1 uses IP 1.1.1.1 and VLAN 1 native using 802.1q. Int Fa0.2 uses IP 2.2.2.2 and VLAN 2. I asked the switch tech to set up his switch accordingly. My problem right now is that the router will only ping IPs on the native VLAN. Meaning if I make Fa0.1 VLAN 1 native I can ping devices on 1.1.1.0/24 and if I make Fa0.2 VLAN 2 native then I can ping on 2.2.2.0/24. When I passed this along to the tech he explained something about setting up his ports for tagged or untagged but I don't know how this would apply to the router and he doesn't have a solution either. Is there anything I can do on the router side to fix this?
Thanks,
Diego

hi,
I've tried connecting Cisco to non-Cisco devices. Tagged ports simply means allowing different VLANs to pass to that port and untagged is passing only the native VLAN. For your case, since you want the two VLANs to communicate, the port should be tagged. Tagged is simply trunking in Cisco terms, so that the 802.1q frames will pass that port. -
Help needed with AT&T 3G MicroCell going through 1841 Router
I am trying to get an AT&T 3G MicroCell (made by Cisco) to communicate to the Internet through our Cisco 1841 Router.
The router has only basic NAT and no Firewall setting.
The AT&T 3G MicroCell is not a configurable device and it directly connected to a switch port on the router.
DHCP is supplied to it by the router.
We are using Comcast Business Class modem but it is set as a passive gateway pass through device so by passing the router is not an option.
The MicroCell is unable to establish connectivity with the AT&T auto-configuration on the Internet.
So far AT&T support has not been very helpful or knowledgeable.
Anyone have experience with the MicroCell device and connectivity?
They recommend some advanced settings for UDP and TCP ports but the router shows them as open.
It primarily uses ipsec ports
Any ideas?

I have this same issue with the MicroCell plugged directly into the WAN (DHCP) connection to the house from the ISP.
I also have this same issue with the unit plugged into the DMZ on the router with pass all, all protocols in and out.
My problem is GPS related, as in the new 911 database has "virtually" moved my 2 bedroom house 4 miles east of my "physical" location.
Ain't modern tech great......(now if we could just get people great) only problem with high tech is............GARBAGE IN >> GARBAGE OUT........it still depends on "intelligent" life to program everything. -
Having a problem with a configuration of our guest network and our content filter (S170 IronPort). The 1841 has 3 interfaces. 0/0 is on the LAN side, 0/1/0 is connected to the IronPort, 0/1 is connected to the ISP. So we would like to redirect all traffic from the LAN interface to the IronPort and then out to the internet. For some reason with the configuration below it does not redirect the traffic. When I apply WCCP to the LAN interface it redirects but the clients stop getting internet traffic. Does anyone have any experience or ideas on how to make this work in this environment?
The IronPort is 10.x.5.30 and connected to fa0/1/0
ip wccp web-cache redirect-list https-cache
ip wccp 80 redirect-list https-cache
interface FastEthernet0/1/0
description WCCP port
ip address 10.x.5.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip wccp web-cache redirect in
ip wccp 80 redirect in
no ip nat inside
ip virtual-reassembly
ip route-cache flow
exit
interface FastEthernet0/0
description $ES_LAN$$FW_INSIDE$
ip address 10.x.4.20 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface FastEthernet0/1
description outside$ETH-WAN$
ip address 50.x.89.145 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
no mop enabled
ip access-list extended https-cache
permit ip 10.245.4.0 0.0.0.255 any
ip route 0.0.0.0 0.0.0.0 50.x.89.150
ip route 10.0.0.0 255.0.0.0 10.x.4.1
ip route 172.16.0.0 255.248.0.0 10.x.4.1

Hi Corey,
CME is not supported on the 1841 (minimum 1861)
Here's why;
Both slots on the Cisco 1841 router are HWIC slots and provide compatibility with WICs and multiflex trunk (VWICs) interface cards
(for data only).
VoIP Support
Voice-over-IP (VoIP) pass-through only
http://www.cisco.com/en/US/prod/collateral/routers/ps5853/product_data_sheet0900aecd8016a59b.html
Cheers!
Rob -
Not sure if I am doing this right. This is my first time in the support community.
I imagine what I put in my heading was supposed to go in here.
I want to use Back to my mac. When I try to turn it on, it says "Back to my mac may be slow because more than one device on your network is providing network services. Turn off NAT and DHCP on one of the devices and try again. See the documentation that came with your device for information about turning off network services"
Does anyone know how I do this? I contacted my ISP (Telus in Canada) and they did not know anything (not that they usually do).

Why do ISPs insist upon making things so difficult for their customers?
If you cannot get them to understand that you would prefer to use your own router over their piece of cheap junk, perhaps the information in the following will be useful:
http://keithbalomben.wordpress.com/2012/03/29/telus-actiontec-v1000h-hacks-and-information/
Scroll down to DHCP Settings
You will need to log in with proper "technician" credentials. They are provided in the above link as
Username: tech
Password: t3lu5tv
... but these may or may not work. Try it, and if you cannot get anywhere at least now you know what to ask Telus to do in return for your business. -
How do I add a Subnet and vlan with a catalyst 3550 and RV120
Hello Friends.
I have a scenario that i'm hoping i can get some help with. I'll be as detailed and descriptive as i can.
This is for a business with 100 employees nodes and 100 camera nodes all needing IP internet through private addressing and public gateway.
I have a business class gateway with a private range of 12 public addresses. The modem does nothing but act as a gateway since I have disabled the firewall and DHCP.
In place of the firewall and DHCP from the modem I have installed an RV120 Firewall with VPN. When installing I replicated the IP scheme of the modem so as not to disturb or disrupt the devices assigned addresses from that scheme by the modem. I did this because the owner could not have any down time or any disruption to the business operations.
The RV120 now acts as firewall, DHCP, and VPN. I'll address the subnet first. It's using the 10.0.0.0/24 subnet range.
DHCP is assigning 10.1.10.50 - 10.1.10.100; the rest are static and I plan to use static DHCP with the IP and MAC assigned to each static DHCP address.
There are 100 cameras with static IP addresses in the range of 10.1.10.11 - 10.1.10.40, and 10.1.10.101 - 10.1.10.170.
VPN uses PPTP assigned address 10.1.10.6 - 10.1.10.10.
There are no layer 3 switches that I know of. Just a layer two that is the primary switch and ports have run out, and various out of the box switches and wireless access points connected to the primary switch.
I want to implement subnets into the network and VLANs as well on a new Layer 3 switch from Cisco. Thinking 3550 from Cisco or one of the older layer 2 switches with layer three capabilities.
I also want to introduce a 192.168.0.0/24 IP range for the existing wireless network and segment the traffic from the rest of the traffic on other ranges.
I want to replace the 10.0.0.0/24 DHCP altogether and the static addresses for end user nodes on the same network, but keep that range just for camera nodes, segmented.
I want to implement a NEW end user IP range and VLAN for employee/guest networks using the 172.16.0.0/24 range.
I've thought of replacing all the wireless nodes with RV120s and using VLANs. Don't know if that strategy works. Need to think it through.
I want the 192.168.0.0/24 IP range to communicate with the 172.16.0.0/24 and possibly the 10.0.0.0/24 range.
Any advice on how to do this?
As a side note the next step after this is to install a server domain controller as all the computers are stand-alone in their own workgroups. It's a simultaneous project that will introduce DHCP, WINS and DNS servers.

Hi Omid, it sounds like you're proposing the 3550 switch but you're not decided yet. The 3550 switch is a pretty old device and needs the enhanced multilayer image. It may be more prudent to use a more current switch such as the small business SG300 or SG500 as the feature set is richer and it supports around 480 LAN connections.
To answer the inquiry, the RV120W, when you create a VLAN it will automatically create an IP interface. From this you may assign subnet as you like along with 'enable or disable' for inter vlan routing. Since the RV120W has this feature, a layer 3 switch is not required unless you are looking to keep the routing load smaller by routing locally with the switch.
With Catalyst or a small business switch you would need to create a VLAN. After creating the VLAN, on a Catalyst you can simply issue "switchport trunk encapsulation dot1q" on the desired interface and all VLANs will pass without issue. For a port connecting a user, "switchport mode access" "native vlan xx" will assign the port as an untagged member of the desired VLAN.
If using a small business switch, it is slightly different, you still create the VLAN but the command issue is a bit different "switchport trunk allowed vlan add xx" for the link to the router, where xx = the VLAN ID to tag to the router. For access client it remains the same as Catalyst. -
Good afternoon,
My internet connection is delivered by a modem Sagem f@st 3464 (Scarlet One : vdsl tv VoIP wi-fi); it's almost the same as a BBox-2 from Belgacom (software and configuration).
This modem has 4 ethernet port, 2 for TV, 2 for LAN, the WAN port is RJ-11 and the connection is a PPPoE (in fact, it's the Belgacom network). I also got a Wi-Fi 802.11g on it.
The main reason why I bought a TC is the dual Wi-Fi 2.4 GHz and 5 GHz (for 802.11n), especially for my MacBook Pro and my iPad 3.
First of all, can I do the following with my TC :
1) connecting the TC using a ethernet cable from one of the two modem's LAN ports to the TC's WAN port
2) create a new Wi-Fi network using the TC ?
Up to now, after 2 man days of configuration, my TC is connected to my existing LAN network, as a bridge, but there is no new Wi-Fi network.
The Airport Utility 6.1 "Wizard" is just unusable and I need to use a Win 7 laptop in order to get access to all the configuration!
The standard manual is very poor.
Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How do you set up the DHCP (and NAT)? Which range did you use?
Sincerely yours,
AVDB

1) connecting the TC using an ethernet cable from one of the two modem's LAN ports to the TC's WAN port
2) create a new Wi-Fi network using the TC ?
Has someone already created a new Wi-Fi network using their TC connected by Ethernet to a modem/router device? How do you set up the DHCP (and NAT)? Which range did you use?
This is easy enough to do..
Plug the TC directly into a computer.. without other connections to do the setup.
Using the newly installed 5.6 utility.
Bridge the TC.
Create a wireless network.
This is an older screen shot and I would set security to WPA2 Personal only not WPA/WPA2 Personal as shown above.
I do recommend you use wireless names that are short, no spaces, pure alphanumeric.
Update the TC..
Now plug it into the modem router.. it will be a part of the network without doing NAT and DHCP itself.. which you do not want.. that leads to double NAT issues.. but it is a WAP that provides access to devices on both 2.4ghz and 5ghz bands directly to the main router. -
Howto: Zones in private subnets using ipfilter's NAT and Port forwarding
This setup supports the following features:
* Requires 1 Network interface total.
* Supports 1 or more public ips.
* Allows Zone to Zone private network traffic.
* Allows internet access from the global zones.
* Allows direct (via ipfilter) internet access to ports in non-global zones.
(change networks to suit your needs, the number of public and private ip was lowered to simplify this doc)
Network setup:
iprb0 65.38.103.1/24
defaultrouter 65.38.103.254
iprb0:1 192.168.1.1/24 (in global zone)
Create a zone on iprb0 with an ip of 192.168.1.2
### Example /etc/ipf/ipnat.conf
# forward from a public port to a private zone port
rdr iprb0 65.38.103.1/32 port 2222 -> 192.168.1.2 port 22
# force outbound zone traffic thru a certain ip address
# required for mail servers because of reverse lookup
map iprb0 192.168.1.2/32 -> 65.38.103.1/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.2/32 -> 65.38.103.1/32 portmap tcp/udp auto
map iprb0 192.168.1.2/32 -> 65.38.103.1
# allow any 192.168.1.x zone to use the internet
map iprb0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map iprb0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map iprb0 192.168.1.0/24 -> 0/32

For testing purposes you can leave /etc/ipf/ipf.conf empty.
Be aware that you must "svcadm disable ipfilter; svcadm enable ipfilter" to reload rules, and the rules stay loaded if they are just disabled (bug).
Zones can't modify their routes and inherit the default routes of the global zone. Because of this we have to trick the non-global zones into using a router that doesn't exist.
Create /etc/init.d/zone_route_hack
Link this file to /etc/rc3.d/S99zone_route_hack.
#!/bin/sh
# based on information found at
# http://blogs.sun.com/roller/page/edp?entry=using_branded_zones_on_a
# http://forum.sun.com/jive/thread.jspa?threadID=75669&messageID=275741
fake_router=192.168.1.254
public_net=65.38.103.0
router=`netstat -rn | grep default | grep -v " $fake_router " | nawk '{print $2}'`
# send some data to the real network router so we look up it's arp address
ping -sn $router 1 1 >/dev/null
# record the arp address of the real router
router_arp=`arp $router | nawk '{print $4}'`
# delete any existing arp address entry for our fake private subnet router
arp -d $fake_router >/dev/null
# assign the real routers arp address to our fake private subnet router
arp -s $fake_router $router_arp
# route our private subnet through our fake private subnet router
route add default $fake_router
# Can't create this route until the zone/interface are loaded
# Adjust this based on your hardware and number of zones
sleep 300
# Duplicate this line for every non-global zone with a private ip that
# will have ipfilter rdr (redirects) pointing to it
route add -net $public_net 192.168.1.2 -iface

Now we have both public and private IP addresses on our one iprb0 interface. If we'd really like our private zone network to be private we don't want any non-NAT'ed 192.168.1.x traffic leaving the interface. Since ipfilter can't block traffic between zones because they use loopbacks we can just block the 192.168.1.x traffic and the zones can still talk.
The following /etc/ipf/ipf.conf defaults to deny.
# ipf.conf
# IP Filter rules to be loaded during startup
# See ipf(4) manpage for more information on
# IP Filter rules syntax.
# INCOMING DEFAULT DENY
block in all
block return-rst in proto tcp all
# two open ports one of which is redirected in ipnat.conf
pass in quick on iprb0 proto tcp from any to any port = 22 flags S keep state keep frags
pass in quick on iprb0 proto tcp from any to any port = 2222 flags S keep state keep frags
# INCOMING PING
pass in quick on iprb0 proto icmp from any to 65.38.103.0/24 icmp-type 8 keep state
# INCOMING GLOBAL ZONE UNIX TRACEROUTE FIX PART 1
#pass in quick on iprb0 proto udp from any to 65.38.103.0/24 keep state
# OUTGOING RULES
block out all
# ALL INTERNAL TRAFFIC STAYS INTERNAL (Zones use non-filtered loopback)
# remove/edit as needed to actually talk to local private physical networks
block out quick from any to 192.168.0.0/16
block out quick from any to 172.16.0.0/12
block out quick from any to 10.0.0.0/8
block out quick from any to 0.0.0.0/8
block out quick from any to 127.0.0.0/8
block out quick from any to 169.254.0.0/16
block out quick from any to 192.0.2.0/24
block out quick from any to 204.152.64.0/23
block out quick from any to 224.0.0.0/3
# Allow traffic out the public interface on the public address
pass out quick on iprb0 from 65.38.103.1/32 to any flags S keep state keep frags
# OUTGOING PING
pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 8 keep state
# Allow traffic out the public interface on the private address (needs nat and router arp hack)
pass out quick on iprb0 from 192.168.1.0/24 to any flags S keep state keep frags
# OUTGOING PING
pass out quick on iprb0 proto icmp from 192.168.1.0/24 to any icmp-type 8 keep state
# INCOMING TRACEROUTE FIX PART 2
#pass out quick on iprb0 proto icmp from 65.38.103.1/32 to any icmp-type 3 keep state

If you want incoming and outgoing internet in your zones it is easier if you just give them public IPs and set up a firewall in the global zone. If you have limited public IP addresses (I'm setting up a colocation 1U server) then you might take this approach. One of the best things about doing things this way is that any software configured in the non-global zones will never be configured to listen on an IP address that might change if you change public IPs.

Instead of using the script as a legacy_run script, set it up in SMF.
First create the file /var/svc/manifest/system/ip-route-hack.xml with
the following
---Start---
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM
    "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
    ident "@(#)ip-route-hack.xml 1.0 09/21/06"
-->
<service_bundle type='manifest' name='NATtrans:ip-route-hack'>
    <service
        name='system/ip-route-hack'
        type='service'
        version='1'>
        <create_default_instance enabled='true' />
        <single_instance />
        <dependency
            name='physical'
            grouping='require_all'
            type='service'
            restart_on='none'>
            <service_fmri value='svc:/network/physical:default' />
        </dependency>
        <dependency
            name='loopback'
            grouping='require_all'
            type='service'
            restart_on='none'>
            <service_fmri value='svc:/network/loopback:default' />
        </dependency>
        <exec_method
            type='method'
            name='start'
            exec='/lib/svc/method/svc-ip-route-hack start'
            timeout_seconds='0' />
        <property_group name='startd' type='framework'>
            <propval name='duration' type='astring'
                value='transient' />
        </property_group>
        <stability value='Unstable' />
        <template>
            <common_name>
                <loctext xml:lang='C'>
                    Hack to allow zone to NAT translate.
                </loctext>
            </common_name>
            <documentation>
                <manpage
                    title='zones'
                    section='1M'
                    manpath='/usr/share/man' />
            </documentation>
        </template>
    </service>
</service_bundle>
---End---
then modify /var/svc/manifest/system/zones.xml and add the following dependency
---Start---
<dependency
    name='inet-ip-route-hack'
    type='service'
    grouping='require_all'
    restart_on='none'>
    <service_fmri value='svc:/system/ip-route-hack' />
</dependency>
---End---
Finally create the file /lib/svc/method/svc-ip-route-hack with the contents of S99zone_route_hack, minus the sleep timer (perms 0755). Run 'svccfg import /var/svc/manifest/system/ip-route-hack.xml' and 'svccfg import /var/svc/manifest/system/zones.xml'.
This will guarantee that ip-route-hack is run before zones are started, but after the interfaces are brought on line. It is worth noting that zones.xml may get overwritten during a patch, so if it suddenly stops working, that could be why.
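The zones.xml dependency is the step a patch can silently undo. As an added example (not the poster's script, and not part of the original thread), this Python helper checks a zones.xml manifest for the ip-route-hack dependency and inserts it only when missing, so it can be re-run safely after patching; the inline sample manifest is constructed and trimmed.

```python
"""Re-apply the ip-route-hack dependency to zones.xml (added example, not the
poster's script). Inserts the <dependency> block shown above if it is missing,
so it can be re-run after a patch overwrites the file. Sample is constructed."""
import xml.etree.ElementTree as ET

HACK_FMRI = "svc:/system/ip-route-hack"
DEP_NAME = "inet-ip-route-hack"

# Constructed, trimmed stand-in for /var/svc/manifest/system/zones.xml.
SAMPLE_ZONES_XML = """<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<service_bundle type='manifest' name='SUNWzoner:zones'>
<service name='system/zones' type='service' version='1'>
<dependency name='multi-user-server' grouping='require_all'
 type='service' restart_on='none'>
<service_fmri value='svc:/milestone/multi-user-server' />
</dependency>
</service>
</service_bundle>
"""


def has_dependency(service, fmri):
    """True if the <service> element already depends on the given FMRI."""
    return any(ref.get("value") == fmri
               for dep in service.findall("dependency")
               for ref in dep.findall("service_fmri"))


def add_route_hack_dependency(xml_text):
    """Return (new_xml, changed). Idempotent: a second run changes nothing."""
    root = ET.fromstring(xml_text)
    service = root.find("service")
    if service is None:
        raise ValueError("no <service> element in manifest")
    if has_dependency(service, HACK_FMRI):
        return xml_text, False
    dep = ET.Element("dependency", {"name": DEP_NAME, "type": "service",
                                    "grouping": "require_all",
                                    "restart_on": "none"})
    ET.SubElement(dep, "service_fmri", {"value": HACK_FMRI})
    # Insert ahead of the existing dependencies to keep document order sane.
    first = service.find("dependency")
    service.insert(list(service).index(first) if first is not None else 0, dep)
    # ElementTree drops the XML declaration and DOCTYPE that svccfg expects,
    # so carry the original prolog over verbatim.
    prolog = xml_text[:xml_text.index("<service_bundle")]
    return prolog + ET.tostring(root, encoding="unicode") + "\n", True
```

Write the returned text back over zones.xml and re-run 'svccfg import' on it; a second invocation reports no change.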
Static NAT and same IP address for two interfaces
We have a Cisco ASA 5520 and in order to conserve public IP addresses and configuration (possibly), can we use the same public IP address for a static NAT with two different interfaces? Here is an example of what I'm referring to, where 10.10.10.10 would be the same public IP address.
static (inside,Outside) 10.10.10.10 access-list inside_nat_static_1
static (production,Outside) 10.10.10.10 access-list production_nat_static_1
Thanks for any help.
Jeff
Hi Jeff,
Unfortunately this cannot be done. On the ASA, packet classification is done on the basis of MAC address, destination NAT and route, and here you are confusing the firewall as to which interface the IP belongs to. I haven't ever tried to do it, but it should cause you issues.
Thanks,
Varun Rao
Security Team,
Cisco TAC
Logical network to physical network mapping (subnets and VLANS) in SCVMM 2012 R2
In much of the blogs, documentation and literature on VMM, there are examples of deploying multiple logical networks onto one physical network, i.e. Cluster (logical) + Storage (logical) + Backup (logical) + Live Migration (logical) + Management (logical) on top of Datacenter (physical).
Does this mean it would be possible to have one (physical) flat VLAN-less network with one subnet and then have all those logical networks (with subnets and VLANs) on top of it? Even with a simple unmanaged L2 switch that doesn't support VLANs itself?
If not, just how do you map multiple logical networks to just one physical network? How does that work in practice? Is an L3 switch needed to route traffic between logical networks, for example?
Hi. VMM Networking may be overwhelming for most at first. But you really need to understand the modeling here and how things are related to each other, especially if using NIC teaming in WS 2012 (and R2) together with this mix.
I suggest that you read the following whitepaper where we explain how to setup networking in VMM (also to support network virtualization, but that is absolutely not mandatory): http://gallery.technet.microsoft.com/Hybrid-Cloud-with-NVGRE-aa6e1e9a
-kn
Kristian (Virtualization and some coffee: http://kristiannese.blogspot.com )