How to set up a PAT rule on a Cisco 837

Discussion in 'Cisco' started by John Chajecki, Jan 15, 2006.

  1. Can anyone give me guidance or point me to some documentation (with examples) on setting up PAT rules on the 837? I need a rule to translate incoming traffic on port 22 to port 16955 on a server connected to the DMZ port (ethernet2) of my 837.

    This was quite easy to do on a Linksys or Vigor ADSL router (pseudo DMZ notwithstanding) but seems to be rather more difficult to achieve on an 837. I have looked at Cisco's documentation (via Google search) but I haven't found anything that explains this in an easy to understand manner.

    Thanks in advance.
     
    John Chajecki, Jan 15, 2006
    #1

  2. John Chajecki

    Darren Green Guest

    John,

    Hi.

    It's a long time since I did this on my home connection; it's changed now.
    However, from memory I recall that I had to mess around somewhat. To save
    yourself time, check out the following example based on a Cisco 827; the
    basics should be similar.

    http://www.jcmichot.usenet-fr.net/ADSL-cisco827-pat-fw.html

    The bits I pieced together from my old config were something like:

    interface Dialer0
     description +++ Connection To ISP ADSL +++
     ! or: ip address negotiated
     ip address xxx.xxx.xxx.xxx 255.255.255.240
     ip nat outside
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname
     ppp chap password xxxxxxxx
    !

    My PAT entries were something like:

    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 10.10.10.10 443 interface Dialer0 443
    ip nat inside source static tcp 10.10.10.10 23 interface Dialer0 23
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip http server
    ip http secure-server

    Your source list (1) of course would be your LAN range going out. The
    statics represent a LAN host and port number that were mapped.

    I can't find the old access-list that I had but had an entry in from the
    outside (tied to Di0) permitting the relevant traffic back in. Again the
    link supplied will give you a full picture. Best to add the IP inspect stuff
    as well for additional security.

    HTH.

    Regards

    Darren
     
    Darren Green, Jan 15, 2006
    #2
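
The mapping asked about in the first post (public tcp/22 to port 16955 on a DMZ server), written in the static PAT form shown in the reply, together with the inbound access list and inspection it mentions. This is an added example, not part of either post or of the linked page. The server address 192.168.2.10 and the names OUTSIDE-IN and FW are assumptions, and Ethernet2 is assumed to already have its IP address configured.

```cisco
! Added example. Assumed: DMZ server 192.168.2.10 (constructed address)
! listening on tcp/16955; names OUTSIDE-IN and FW are hypothetical.
interface Ethernet2
 description DMZ
 ip nat inside
!
interface Dialer0
 ip nat outside
 ip access-group OUTSIDE-IN in
 ip inspect FW out
!
! Static PAT: tcp/22 arriving on Dialer0 -> 192.168.2.10 port 16955
ip nat inside source static tcp 192.168.2.10 16955 interface Dialer0 22
!
! The inbound ACL on the outside interface is checked before NAT,
! so it must match the public port (22), not the translated port (16955).
ip access-list extended OUTSIDE-IN
 permit tcp any any eq 22
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any log
!
! Inspection opens return paths for sessions started from the inside,
! so the ACL above does not need broad permits for reply traffic.
ip inspect name FW tcp
ip inspect name FW udp
```

After applying it, `show ip nat translations` should list the static entry, and `show ip access-lists OUTSIDE-IN` shows hit counts on the port 22 permit and on the logged deny.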