mapping IPs

Tom Linden
03-03-2006
I have a number of nodes on a lan served by a 2900 switch and
2600 router. Most of these nodes have both routable and non-routable
ip in the 10.x.x.x range. The router is, of course, the gateway and has
a routable IP. Is it possible with either the switch or the router to
recognize and associate a non-routable IP with the routable IP of the
router? If so, how would I go about this?
Tom
 
J.Cottingim
03-03-2006
Tom,
I believe what you mean to say by "routable" and "non-routable" is that
the router has both private (RFC 1918) and public addresses on it.

In that case, what you're looking for is NAT.
Here's one way to do this:
1. Configure the interface that has the private address as the
"inside" interface.
2. Configure the other interface (the one that has the public address)
as the outside interface.
3. Create an ACL that identifies what "inside" addresses should be
translated to the "outside" address.
4. Associate that ACL with a NAT statement that causes the router to
perform the NAT.

===========================
Here's a configuration EXAMPLE:
===========================

interface FastEthernet0/0
 description OUTSIDE INTERFACE TO THE INTERNET
 ip address 12.12.12.1 255.255.255.252   ! <-- your public address
 ip access-group 101 in                  ! <-- ACL stops all the "bad" stuff
 no ip unreachables                      ! <-- a little security here
 no cdp enable
 ip nat outside                          ! <-- THIS is the outside
!
interface FastEthernet0/1
 description INSIDE INTERFACE TO PRIVATE NETWORK
 ip address 10.1.1.1 255.255.255.0
 ip nat inside                           ! <-- THIS is the inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 remark PREVENT CISCO CODE VULNERABILITY
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any


Good luck
J.Cottingim
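
How the wildcard masks and first-match order of an ACL like access-list 101 decide what happens to a packet, as an added example that is not part of J.Cottingim's post: a small Python evaluator (all function names are hypothetical) run over a constructed subset of the source-address entries. It also reports the range a wildcard covers: 172.16.0.0/12 needs 0.15.255.255, while 0.0.15.255 covers only 172.16.0.0 through 172.16.15.255.

```python
import ipaddress

# Constructed sample: source-address entries of an ACL shaped like the thread's
# access-list 101 (protocol qualifiers such as ICMP types are left out).
SAMPLE_ACL = """\
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 permit ip any any
"""

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def take_address(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (to_int(tokens[1]), 0), tokens[2:]
    return (to_int(tokens[0]), to_int(tokens[1])), tokens[2:]

def parse_acl(text):
    """Return [(action, protocol, src, dst, original_line)], skipping remarks."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        src, rest = take_address(tokens[4:])
        dst, _ = take_address(rest)
        entries.append((action, proto, src, dst, line))
    return entries

def wildcard_match(addr, spec):
    """Wildcard bits set to 1 are 'don't care'; every other bit must equal base."""
    base, wildcard = spec
    return ((to_int(addr) ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(entries, src, dst, proto="ip"):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, acl_proto, s, d, line in entries:
        if acl_proto in ("ip", proto) and wildcard_match(src, s) and wildcard_match(dst, d):
            return action, line
    return "deny", "(implicit deny)"

def wildcard_range(base, wildcard):
    """First and last address covered by a contiguous wildcard mask."""
    b, w = to_int(base), to_int(wildcard)
    first, last = b & ~w & 0xFFFFFFFF, b | w
    return str(ipaddress.IPv4Address(first)), str(ipaddress.IPv4Address(last))

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    # Constructed test sources; 12.12.12.1 is the example outside address.
    for src in ("10.9.8.7", "172.16.5.1", "172.31.200.1", "172.32.0.1", "198.51.100.7"):
        print(src, *evaluate(acl, src, "12.12.12.1"))
    print(wildcard_range("172.16.0.0", "0.15.255.255"))  # whole 172.16.0.0/12 block
    print(wildcard_range("172.16.0.0", "0.0.15.255"))    # only part of that block
```
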

 
Tom Linden
03-03-2006
Thanks, this is not an area in which I have a lot of familiarity.
I have a spare router that I can test it out on, and following your
advice I did the first part, but ran into trouble on the inside part.

csco(config)#int eth 0/0
csco(config-if)#description OUTSIDE INTERFACE TO THE INTERNET
csco(config-if)#ip address 206.55.xxx.xxx 255.255.255.240
csco(config-if)#ip access-group 101 in
csco(config-if)#no ip unreachables
csco(config-if)#no cdp enable
csco(config-if)#ip nat outside
csco(config-if)#exit
csco(config)#int eth 0/1
^
% Invalid input detected at '^' marker.




Tom Linden
03-03-2006
I should have added that on this router there is no FastEthernet option
but on the other there is. How is it enabled?


Tom Linden
03-03-2006
Please ignore. I thought the two routers were identical; one is a 2620, which
has Fast, and the other is a 2610, which doesn't say 10/100 ethernet 0/0, only
ethernet 0/0.

Tom Linden
03-17-2006
I bought Fast ethernet module off ebay, 1FE-TX, in order to
configure the inside IP's but it seems the router is not recognizing it.

The diodes on both the router and the 2600 switch look happy, but when I
try to configure the interface, it isn't recognized.

csco(config)#int fastEthernet 0/?
<0-1> FastEthernet interface number

csco(config)#int fastEthernet 0/1
^
% Invalid input detected at '^' marker.


any ideas?

Tom


Walter Roberson
03-17-2006
In article <ops6jiu41mzgicya@hyrrokkin>, Tom Linden <(E-Mail Removed)> wrote:
>I bought Fast ethernet module off ebay, 1FE-TX, in order to
>configure the inside IP's but it seems the router is not recognizing it.


>The diodes on both the router and the 2600 switch look happy, but when I
>try to configure the interface, it isn't recognized.


The NM-1FE-TX is not supported on the 2600, or at least wasn't
through several generations of documentation. See Table 2 of
http://www.cisco.com/en/US/products/...080091b89.html


My memory is that there was a route to Fast Ethernet on the 2600
by using a WIC on an NM-1E2W, but the table I just referred to indicates
that is not an option.
 
Merv
03-17-2006
Your NM-1FE-TX may be defective.

Try using the "show diag 1" command to check.

Here is the output from one of my 2600's that has a NM-1FE-TX


MERV1#sh diag 1
Slot 1:
Fast-ethernet Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware revision 1.0 Board revision H0
Serial number 25207545 Part number 800-03490-02
FRU Part Number: NM-1FE-TX=

Test history 0x0 RMA number 00-00-00
EEPROM format version 1
EEPROM contents (hex):
0x00: 01 44 01 00 01 80 A2 F9 50 0D A2 02 00 00 00 00
0x10: 88 00 00 00 01 03 06 00 FF FF FF FF FF FF FF FF

 
Merv
03-17-2006
Forgot, on my 2600 I am running 12.3(12a) with 64 M of memory and 16 M
of flash memory

System image file is "flash:c2600-ik9o3s3-mz.123-12a.bin"

 
Merv
03-17-2006
In IOS configuration mode you can remove a command by placing "no" in
front, so

enable
conf t
no ip name-server 206.55.237.3
no ip name-server 206.55.237.4
ip name-server <place your name server IP address here>

There are global commands, interface commands and routing process
commands.

The "ip name-server" command is an example of a global command.


int eth 0/0
description OUTSIDE INTERFACE TO THE INTERNET
ip address 206.55.xxx.xxx 255.255.255.240
ip access-group 101 in
no ip unreachables
no ip proxy-arp
no ip redirects
no cdp enable
ip nat outside
exit

int fa 1/0
description INSIDE INTERFACE
ip address 10.0.0.1 255.255.255.0
ip nat inside
exit

logging buffer 10000 debug
no logging console

 