«

I have a number of nodes on a lan served by a 2900 switch and
2600 router. Most of these nodes have both routable and non-routable
ip in the 10.x.x.x range. The router is, of course, the gateway and has
a routable IP. Is it possible with either the switch or the router to
recognize and associate a non-routable IP with the routable IP of the
router? If so, how would I go about this?
Tom

Tom,
I believe what you mean to say by "routable" and "non-routable" is that
the router has both private (RFC: 191 and public address on it.

In that case, what you're looking for is NAT.
Here's one way to do this:
1. Configure the interface that has the private address as the
"inside" interface.
2. Configure the other interface (the one that has the public address)
as the outside interface.
3. Create an ACL that identifies what "inside" addresses should be
translated to the "outside" address.
4. Assosiate that ACL with a NAT statement that causes the router to
perform the NAT

===========================
Here's a configuration EXAMPLE:
===========================

interface FastEthernet0/0
description OUTSIDE INTERFACE TO THE INTERNET
ip address 12.12.12.1 255.255.255.252 ! <-- your public address
ip access-group 101 in ! <-- ACL stops all
the "bad" stuff
no ip unreachables ! <-- a little
security here
no cdp enable
ip nat outside ! <-- THIS is
the outside
!
interface FastEthernet0/1
description INSIDE INTERFACE TO PRIVATE NETWORK
ip address 10.1.1.1 255.255.255.0
ip nat inside ! <-- THIS is
the inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit any
!
access-list 101 remark PREVENT UNWANTED ACCESS
access-list 101 remark DENY RFC 1918 SOURCES
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.0.15.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 remark ANTI-SPOOFING PROTECTION
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 224.0.0.0 31.255.255.255 any
access-list 101 remark DENY BROADCASTS
access-list 101 deny ip 255.0.0.0 0.255.255.255 any
access-list 101 deny ip any 255.0.0.0 0.255.255.255
access-list 101 remark PERMIT/DENY a few knowns
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any echo
access-list 101 remark PREVENT ANY INBOUND SNMP
access-list 101 deny udp any any eq snmp
access-list 101 deny udp any any eq snmptrap
access-list 101 remark ICMP TYPES
access-list 101 deny icmp any any
access-list 101 remark PREVENT CISCO CODE VULNERABILITY
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny pim any any
access-list 101 remark PERMIT everything else
access-list 101 permit ip any any


Good luck
J.Cottingim

Thanks, this is not an area in which I have a lot of familiarity.
I have a spare router that I can test it out on, and following your
advice I did the first part, but ran into trouble on inside part.

csco(config)#int eth 0/0
csco(config-if)#description OUTSIDE INTERFACE TO THE INTERNET
csco(config-if)#ip address 206.55.xxx.xxx 255.255.255.240
csco(config-if)#ip access-group 101 in
csco(config-if)#no ip unreachables
csco(config-if)#no cdp enable
csco(config-if)#ip nat outside
csco(config-if)#exit
csco(config)#int eth 0/1
^
% Invalid input detected at '^' marker.




On 3 Mar 2006 07:46:34 -0800, J.Cottingim <> wrote:

> Tom,
> I believe what you mean to say by "routable" and "non-routable" is that
> the router has both private (RFC: 191 and public address on it.
>
> In that case, what you're looking for is NAT.
> Here's one way to do this:
> 1. Configure the interface that has the private address as the
> "inside" interface.
> 2. Configure the other interface (the one that has the public address)
> as the outside interface.
> 3. Create an ACL that identifies what "inside" addresses should be
> translated to the "outside" address.
> 4. Assosiate that ACL with a NAT statement that causes the router to
> perform the NAT
>
> ===========================
> Here's a configuration EXAMPLE:
> ===========================
>
> interface FastEthernet0/0
> description OUTSIDE INTERFACE TO THE INTERNET
> ip address 12.12.12.1 255.255.255.252 ! <-- your public address
> ip access-group 101 in ! <-- ACL stops all
> the "bad" stuff
> no ip unreachables ! <-- a little
> security here
> no cdp enable
> ip nat outside ! <-- THIS is
> the outside
> !
> interface FastEthernet0/1
> description INSIDE INTERFACE TO PRIVATE NETWORK
> ip address 10.1.1.1 255.255.255.0
> ip nat inside ! <-- THIS is
> the inside
> !
> ip nat inside source list 1 interface FastEthernet0/0 overload
> !
> access-list 1 permit any
> !
> access-list 101 remark PREVENT UNWANTED ACCESS
> access-list 101 remark DENY RFC 1918 SOURCES
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 172.16.0.0 0.0.15.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> access-list 101 remark ANTI-SPOOFING PROTECTION
> access-list 101 deny ip host 0.0.0.0 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip 192.0.2.0 0.0.0.255 any
> access-list 101 deny ip 224.0.0.0 31.255.255.255 any
> access-list 101 remark DENY BROADCASTS
> access-list 101 deny ip 255.0.0.0 0.255.255.255 any
> access-list 101 deny ip any 255.0.0.0 0.255.255.255
> access-list 101 remark PERMIT/DENY a few knowns
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 deny icmp any any echo
> access-list 101 remark PREVENT ANY INBOUND SNMP
> access-list 101 deny udp any any eq snmp
> access-list 101 deny udp any any eq snmptrap
> access-list 101 remark ICMP TYPES
> access-list 101 deny icmp any any
> access-list 101 remark PREVENT CISCO CODE VULNERABILITY
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny pim any any
> access-list 101 remark PERMIT everything else
> access-list 101 permit ip any any
>
>
> Good luck
> J.Cottingim
>

I should have added that on this router there is no FastEthernet option
but on the other there is. How is it enabled?


On Fri, 03 Mar 2006 10:18:27 -0800, Tom Linden <> wrote:

> Thanks, this is not an area in which I have a lot of familiarity.
> I have a spare router that I can test it out on, and following your
> advice I did the first part, but ran into trouble on inside part.
>
> csco(config)#int eth 0/0
> csco(config-if)#description OUTSIDE INTERFACE TO THE INTERNET
> csco(config-if)#ip address 206.55.xxx.xxx 255.255.255.240
> csco(config-if)#ip access-group 101 in
> csco(config-if)#no ip unreachables
> csco(config-if)#no cdp enable
> csco(config-if)#ip nat outside
> csco(config-if)#exit
> csco(config)#int eth 0/1
> ^
> % Invalid input detected at '^' marker.
>
>
>
>
> On 3 Mar 2006 07:46:34 -0800, J.Cottingim <> wrote:
>
>> Tom,
>> I believe what you mean to say by "routable" and "non-routable" is that
>> the router has both private (RFC: 191 and public address on it.
>>
>> In that case, what you're looking for is NAT.
>> Here's one way to do this:
>> 1. Configure the interface that has the private address as the
>> "inside" interface.
>> 2. Configure the other interface (the one that has the public address)
>> as the outside interface.
>> 3. Create an ACL that identifies what "inside" addresses should be
>> translated to the "outside" address.
>> 4. Assosiate that ACL with a NAT statement that causes the router to
>> perform the NAT
>>
>> ===========================
>> Here's a configuration EXAMPLE:
>> ===========================
>>
>> interface FastEthernet0/0
>> description OUTSIDE INTERFACE TO THE INTERNET
>> ip address 12.12.12.1 255.255.255.252 ! <-- your public address
>> ip access-group 101 in ! <-- ACL stops all
>> the "bad" stuff
>> no ip unreachables ! <-- a little
>> security here
>> no cdp enable
>> ip nat outside ! <-- THIS is
>> the outside
>> !
>> interface FastEthernet0/1
>> description INSIDE INTERFACE TO PRIVATE NETWORK
>> ip address 10.1.1.1 255.255.255.0
>> ip nat inside ! <-- THIS is
>> the inside
>> !
>> ip nat inside source list 1 interface FastEthernet0/0 overload
>> !
>> access-list 1 permit any
>> !
>> access-list 101 remark PREVENT UNWANTED ACCESS
>> access-list 101 remark DENY RFC 1918 SOURCES
>> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
>> access-list 101 deny ip 172.16.0.0 0.0.15.255 any
>> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
>> access-list 101 remark ANTI-SPOOFING PROTECTION
>> access-list 101 deny ip host 0.0.0.0 any
>> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
>> access-list 101 deny ip 192.0.2.0 0.0.0.255 any
>> access-list 101 deny ip 224.0.0.0 31.255.255.255 any
>> access-list 101 remark DENY BROADCASTS
>> access-list 101 deny ip 255.0.0.0 0.255.255.255 any
>> access-list 101 deny ip any 255.0.0.0 0.255.255.255
>> access-list 101 remark PERMIT/DENY a few knowns
>> access-list 101 permit icmp any any echo-reply
>> access-list 101 permit icmp any any time-exceeded
>> access-list 101 deny icmp any any echo
>> access-list 101 remark PREVENT ANY INBOUND SNMP
>> access-list 101 deny udp any any eq snmp
>> access-list 101 deny udp any any eq snmptrap
>> access-list 101 remark ICMP TYPES
>> access-list 101 deny icmp any any
>> access-list 101 remark PREVENT CISCO CODE VULNERABILITY
>> access-list 101 deny 53 any any
>> access-list 101 deny 55 any any
>> access-list 101 deny 77 any any
>> access-list 101 deny pim any any
>> access-list 101 remark PERMIT everything else
>> access-list 101 permit ip any any
>>
>>
>> Good luck
>> J.Cottingim
>>
>

Please ignore. I thought the two routers were identical one is 2620 which
has Fast
and the other is 2610 which doesn't say 10/100 ethernet 0/0 only ethernet
0/0

n Fri, 03 Mar 2006 10:48:06 -0800, Tom Linden <> wrote:

> I should have added that on this router there is no FastEthernet option
> but on the other there is. How is it enabled?
>
>
> On Fri, 03 Mar 2006 10:18:27 -0800, Tom Linden <> wrote:
>
>> Thanks, this is not an area in which I have a lot of familiarity.
>> I have a spare router that I can test it out on, and following your
>> advice I did the first part, but ran into trouble on inside part.
>>
>> csco(config)#int eth 0/0
>> csco(config-if)#description OUTSIDE INTERFACE TO THE INTERNET
>> csco(config-if)#ip address 206.55.xxx.xxx 255.255.255.240
>> csco(config-if)#ip access-group 101 in
>> csco(config-if)#no ip unreachables
>> csco(config-if)#no cdp enable
>> csco(config-if)#ip nat outside
>> csco(config-if)#exit
>> csco(config)#int eth 0/1
>> ^
>> % Invalid input detected at '^' marker.
>>
>>
>>
>>
>> On 3 Mar 2006 07:46:34 -0800, J.Cottingim <> wrote:
>>
>>> Tom,
>>> I believe what you mean to say by "routable" and "non-routable" is that
>>> the router has both private (RFC: 191 and public address on it.
>>>
>>> In that case, what you're looking for is NAT.
>>> Here's one way to do this:
>>> 1. Configure the interface that has the private address as the
>>> "inside" interface.
>>> 2. Configure the other interface (the one that has the public address)
>>> as the outside interface.
>>> 3. Create an ACL that identifies what "inside" addresses should be
>>> translated to the "outside" address.
>>> 4. Assosiate that ACL with a NAT statement that causes the router to
>>> perform the NAT
>>>
>>> ===========================
>>> Here's a configuration EXAMPLE:
>>> ===========================
>>>
>>> interface FastEthernet0/0
>>> description OUTSIDE INTERFACE TO THE INTERNET
>>> ip address 12.12.12.1 255.255.255.252 ! <-- your public address
>>> ip access-group 101 in ! <-- ACL stops all
>>> the "bad" stuff
>>> no ip unreachables ! <-- a little
>>> security here
>>> no cdp enable
>>> ip nat outside ! <-- THIS is
>>> the outside
>>> !
>>> interface FastEthernet0/1
>>> description INSIDE INTERFACE TO PRIVATE NETWORK
>>> ip address 10.1.1.1 255.255.255.0
>>> ip nat inside ! <-- THIS is
>>> the inside
>>> !
>>> ip nat inside source list 1 interface FastEthernet0/0 overload
>>> !
>>> access-list 1 permit any
>>> !
>>> access-list 101 remark PREVENT UNWANTED ACCESS
>>> access-list 101 remark DENY RFC 1918 SOURCES
>>> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
>>> access-list 101 deny ip 172.16.0.0 0.0.15.255 any
>>> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
>>> access-list 101 remark ANTI-SPOOFING PROTECTION
>>> access-list 101 deny ip host 0.0.0.0 any
>>> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
>>> access-list 101 deny ip 192.0.2.0 0.0.0.255 any
>>> access-list 101 deny ip 224.0.0.0 31.255.255.255 any
>>> access-list 101 remark DENY BROADCASTS
>>> access-list 101 deny ip 255.0.0.0 0.255.255.255 any
>>> access-list 101 deny ip any 255.0.0.0 0.255.255.255
>>> access-list 101 remark PERMIT/DENY a few knowns
>>> access-list 101 permit icmp any any echo-reply
>>> access-list 101 permit icmp any any time-exceeded
>>> access-list 101 deny icmp any any echo
>>> access-list 101 remark PREVENT ANY INBOUND SNMP
>>> access-list 101 deny udp any any eq snmp
>>> access-list 101 deny udp any any eq snmptrap
>>> access-list 101 remark ICMP TYPES
>>> access-list 101 deny icmp any any
>>> access-list 101 remark PREVENT CISCO CODE VULNERABILITY
>>> access-list 101 deny 53 any any
>>> access-list 101 deny 55 any any
>>> access-list 101 deny 77 any any
>>> access-list 101 deny pim any any
>>> access-list 101 remark PERMIT everything else
>>> access-list 101 permit ip any any
>>>
>>>
>>> Good luck
>>> J.Cottingim
>>>
>>
>

I bought Fast ethernet module off ebay, 1FE-TX, in order to
configure the inside IP's but it seems the router is not recognizing it.

Thw diodes on both the router and the 2600 switch look happy, but when I
try to configure the interface, it isn't recognized.

csco(config)#int fastEthernet 0/?
<0-1> FastEthernet interface number

csco(config)#int fastEthernet 0/1
^
% Invalid input detected at '^' marker.


any ideas?

Tom


On 3 Mar 2006 07:46:34 -0800, J.Cottingim <> wrote:

> Tom,
> I believe what you mean to say by "routable" and "non-routable" is that
> the router has both private (RFC: 191 and public address on it.
>
> In that case, what you're looking for is NAT.
> Here's one way to do this:
> 1. Configure the interface that has the private address as the
> "inside" interface.
> 2. Configure the other interface (the one that has the public address)
> as the outside interface.
> 3. Create an ACL that identifies what "inside" addresses should be
> translated to the "outside" address.
> 4. Assosiate that ACL with a NAT statement that causes the router to
> perform the NAT
>
> ===========================
> Here's a configuration EXAMPLE:
> ===========================
>
> interface FastEthernet0/0
> description OUTSIDE INTERFACE TO THE INTERNET
> ip address 12.12.12.1 255.255.255.252 ! <-- your public address
> ip access-group 101 in ! <-- ACL stops all
> the "bad" stuff
> no ip unreachables ! <-- a little
> security here
> no cdp enable
> ip nat outside ! <-- THIS is
> the outside
> !
> interface FastEthernet0/1
> description INSIDE INTERFACE TO PRIVATE NETWORK
> ip address 10.1.1.1 255.255.255.0
> ip nat inside ! <-- THIS is
> the inside
> !
> ip nat inside source list 1 interface FastEthernet0/0 overload
> !
> access-list 1 permit any
> !
> access-list 101 remark PREVENT UNWANTED ACCESS
> access-list 101 remark DENY RFC 1918 SOURCES
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 172.16.0.0 0.0.15.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> access-list 101 remark ANTI-SPOOFING PROTECTION
> access-list 101 deny ip host 0.0.0.0 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip 192.0.2.0 0.0.0.255 any
> access-list 101 deny ip 224.0.0.0 31.255.255.255 any
> access-list 101 remark DENY BROADCASTS
> access-list 101 deny ip 255.0.0.0 0.255.255.255 any
> access-list 101 deny ip any 255.0.0.0 0.255.255.255
> access-list 101 remark PERMIT/DENY a few knowns
> access-list 101 permit icmp any any echo-reply
> access-list 101 permit icmp any any time-exceeded
> access-list 101 deny icmp any any echo
> access-list 101 remark PREVENT ANY INBOUND SNMP
> access-list 101 deny udp any any eq snmp
> access-list 101 deny udp any any eq snmptrap
> access-list 101 remark ICMP TYPES
> access-list 101 deny icmp any any
> access-list 101 remark PREVENT CISCO CODE VULNERABILITY
> access-list 101 deny 53 any any
> access-list 101 deny 55 any any
> access-list 101 deny 77 any any
> access-list 101 deny pim any any
> access-list 101 remark PERMIT everything else
> access-list 101 permit ip any any
>
>
> Good luck
> J.Cottingim
>

In article <ops6jiu41mzgicya@hyrrokkin>, Tom Linden <> wrote:
>I bought Fast ethernet module off ebay, 1FE-TX, in order to
>configure the inside IP's but it seems the router is not recognizing it.

>Thw diodes on both the router and the 2600 switch look happy, but when I
>try to configure the interface, it isn't recognized.

The NM-1FE-TX is not supported on the 2600, or at least wasn't
through several generations of documentation. See Table 2 of
http://www.cisco.com/en/US/products/...080091b89.html


My memory is that there was a route to Fast Ethernet on the 2600
by using a WIC on an NM-1E2W, but the table I just referred to indicates
that is not an option.

your NM-1FE-TX may be defective

try using the s"show diag 1" ommand to check

Here is the output from one of my 2600's that has a NM-1FE-TX


MERV1#sh diag 1
Slot 1:
Fast-ethernet Port adapter, 1 port
Port adapter is analyzed
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware revision 1.0 Board revision H0
Serial number 25207545 Part number 800-03490-02
FRU Part Number: NM-1FE-TX=

Test history 0x0 RMA number 00-00-00
EEPROM format version 1
EEPROM contents (hex):
0x00: 01 44 01 00 01 80 A2 F9 50 0D A2 02 00 00 00 00
0x10: 88 00 00 00 01 03 06 00 FF FF FF FF FF FF FF FF

Forgot, on my 2600 I am running 12.3(12a) with 64 M of memory and 16 M
of flash memory

System image file is "flash:c2600-ik9o3s3-mz.123-12a.bin"

In IOS configuration mode you can you remove a command by placing no in
front, so

enable
conf t
no ip name-server 206.55.237.3
no ip name-server 206.55.237.4
ip name server <place your name server IP address here>

There are global commands, interface commands and routing process
commands

The "ip nameserver" command is an example of a global command


int eth 0/0
description OUTSIDE INTERFACE TO THE INTERNET
ip address 206.55.xxx.xxx 255.255.255.240
ip access-group 101 in
no ip unreachables
no ip proxy-arp
no ip redirects
no cdp enable
ip nat outside
exit

int fa 1/0
description INSIDE INTERFACE
ip address 10.0.0.1 255.255.255.0
ip nat inside
exit

logging buffer 10000 debug
no logging console