Cisco - Cisco Model 91 - Help on how to create 1 DMZ IP with CLI? |
#1 |
I had to disable the http interface on this SOHO router because I couldn't use it for PAT when I wanted to translate from an obscure higher port on eth1 to 80 on two different web servers. The router's http configuration interface allows setting one IP on DMZ - but I don't know how to use CLI to do it. BTW, strangely, on this router eth1 is the WAN side - not what I'm used to.

Now, I want to DMZ a single IP for all ports/protocols, and I'm stuck.

Frankly, I'm a newbie and wonder if someone can give me an example of a DMZ setup using access-lists or just PAT. But, with PAT it seems one has to direct to a specific service/port on the IP.

Saul Louis
#2 |
I had a similar problem with opening up non-standard ports to an internal host. Port to application mapping (PAM) ip port-map didn't work for me because it allows forwards only for predefined apps, so I use ip nat commands. Cisco's NAT is very flexible and allows you to do almost any translation.

Here is an example of a session setting up NAT PAT using telnet CLI (of course you don't need to type anything before > or #):
-------------------------------------------------
telnet <Router IP>
Username: ********
Password: ********
router>enable
Password: ********
router#conf t
router(config)#ip nat inside source static <DMZ IP> interface <WAN interface>
router(config)#interface <LAN interface>
router(config-if)#ip nat inside
router(config-if)#exit
router(config)#interface <WAN interface>
router(config-if)#ip nat outside
router(config-if)#exit
router(config)#ip nat inside source list 120 interface <WAN interface> overload
router(config)#access-list 120 permit ip <DMZ IP> 0.0.0.0 any
router(config)#end
router#exit
-------------------------------------------------
You can find details on the Cisco web site. There is no extendable keyword in the ip nat config because it looks like it doesn't work, at least in the router I have.

To check the translation table:
router#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
--- <WAN IP>           <DMZ IP>           ---                ---

BTW, I have Dialer1 as WAN interface.

Saul Louis wrote:
> I had to disable the http interface on this SOHO router because I
> couldn't use it for PAT when I wanted to translate from an obscure
> higher port on eth1 to 80 on two different web servers. The router's
> http configuration interface allows setting one IP on DMZ - but I
> don't know how to use CLI to do it. BTW, strangely, on this router
> eth1 is the WAN side - not what I'm used to.
>
> Now, I want to DMZ a single IP for all ports/protocols, and I'm stuck.
>
> Frankly, I'm a newbie and wonder if someone can give me an example of
> a DMZ setup using access-lists or just PAT. But, with PAT it seems one
> has to direct to a specific service/port on the IP.

Artem
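A check a defender can run against a saved configuration, added here as an example and not part of the original posts: it flags the full-host form `ip nat inside source static <DMZ IP> interface <WAN interface>` from the session above, which forwards every port to the internal host, and reports whether the outside interface carries an inbound access list. The sample configuration, its addresses, interface names and the port-specific entry are constructed for illustration.

```python
import re

# Constructed sample config: the thread's commands with illustrative values
# (addresses and interface names are assumptions, not taken from the thread).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
ip nat inside source static 192.168.1.10 interface Dialer1
ip nat inside source static tcp 192.168.1.20 80 interface Dialer1 8080
ip nat inside source list 120 interface Dialer1 overload
access-list 120 permit ip 192.168.1.10 0.0.0.0 any
"""

# Full-host static NAT: an address directly after "static", no protocol or port.
FULL_HOST = re.compile(
    r"^ip nat inside source static (\d+(?:\.\d+){3}) interface (\S+)$")
ACL_IN = re.compile(r"^ip access-group (\S+) in$")


def outside_acls(config):
    """Map each 'ip nat outside' interface to its inbound ACL, or None."""
    outside, acl_in, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = line.split(None, 1)[1]
        elif not raw.startswith(" "):
            current = None  # left the interface block
        elif current and line == "ip nat outside":
            outside.add(current)
        elif current and ACL_IN.match(line):
            acl_in[current] = ACL_IN.match(line).group(1)
    return {name: acl_in.get(name) for name in outside}


def audit(config):
    """List hosts exposed on all ports, with the ACL (if any) filtering them."""
    acls = outside_acls(config)
    findings = []
    for raw in config.splitlines():
        m = FULL_HOST.match(raw.strip())
        if m:
            host, ifname = m.groups()
            findings.append((host, ifname, acls.get(ifname)))
    return findings


if __name__ == "__main__":
    for host, ifname, acl in audit(SAMPLE_CONFIG):
        print(f"{host} exposed on all ports via {ifname}; inbound ACL: {acl}")
```

A finding whose last field is `None` means nothing on the WAN interface filters traffic before it reaches the DMZ host; the port-specific `static tcp` entry is deliberately not reported.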
#3 |
Thank you very much! The configuration works. Again, I appreciate your time.

Saul

Artem <em2351-> wrote in message news:<VZhZb.24466$ om>...
> I had a similar problem with opening up non-standard ports to an internal
> host. Port to application mapping (PAM) ip port-map didn't work for me
> because it allows forwards only for predefined apps, so I use ip nat
> commands. Cisco's NAT is very flexible and allows you to do almost any
> translation.
>
> Here is an example of a session setting up NAT PAT using telnet CLI
> (of course you don't need to type anything before > or #):
> -------------------------------------------------
> telnet <Router IP>
> Username: ********
> Password: ********
> router>enable
> Password: ********
> router#conf t
> router(config)#ip nat inside source static <DMZ IP> interface <WAN interface>
> router(config)#interface <LAN interface>
> router(config-if)#ip nat inside
> router(config-if)#exit
> router(config)#interface <WAN interface>
> router(config-if)#ip nat outside
> router(config-if)#exit
> router(config)#ip nat inside source list 120 interface <WAN interface> overload
> router(config)#access-list 120 permit ip <DMZ IP> 0.0.0.0 any
> router(config)#end
> router#exit
> -------------------------------------------------
> You can find details on the Cisco web site. There is no extendable keyword
> in the ip nat config because it looks like it doesn't work, at least in the
> router I have.
>
> To check the translation table:
> router#show ip nat translations
> Pro Inside global      Inside local       Outside local      Outside global
> --- <WAN IP>           <DMZ IP>           ---                ---
>
> BTW, I have Dialer1 as WAN interface.
>
> Saul Louis wrote:
> > I had to disable the http interface on this SOHO router because I
> > couldn't use it for PAT when I wanted to translate from an obscure
> > higher port on eth1 to 80 on two different web servers. The router's
> > http configuration interface allows setting one IP on DMZ - but I
> > don't know how to use CLI to do it. BTW, strangely, on this router
> > eth1 is the WAN side - not what I'm used to.
> >
> > Now, I want to DMZ a single IP for all ports/protocols, and I'm stuck.
> >
> > Frankly, I'm a newbie and wonder if someone can give me an example of
> > a DMZ setup using access-lists or just PAT. But, with PAT it seems one
> > has to direct to a specific service/port on the IP.

Saul Louis