
CISCO CONFIGS






This site contains many typical configurations and tips for Cisco devices: (routers and switches)

For any comments please send mail to osama.



Osama 4 rules

Common recommended commands

Config for routers

Config for switches

Config Voice

Config features

Software/Monitoring tools/Articles


 

 

 

Osama 4 rules

 

To make sure your IP addressing scheme is sound, check it against the Osama 4 rules. N1 and N2 are the local and remote LAN subnets, L1 and L2 are the two routers' LAN addresses, and W1 and W2 are the two ends of the WAN link between the routers:

 

 

Rule1:

The IP subnets of the local and remote LANs must be different: N1 ≠ N2

Rule2:

A router's LAN address must belong to the subnet of the local computers: L1 must belong to N1 and L2 must belong to N2

Rule3:

The two ends of a WAN link must belong to the same subnet: W1 and W2 are in the same subnet

Rule4:

Two physical interfaces of the same router can't belong to the same subnet: L1 and W1 can't be in the same subnet
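The four rules can be checked mechanically before a plan is typed into the routers. The following Python is an added example (this editor's, not code from the original page): it models each router as a set of addressed interfaces, each WAN link as a pair of interfaces and each LAN as the subnet of its computers, then tests the plan against all four rules; it handles any number of routers and links, not only the two in the figure. The sample plan is the two-router PPP example further down this page; the function and variable names (`check_plan`, `GOOD_PLAN`, and so on) are this example's own.

```python
"""Check an IP addressing plan against the Osama 4 rules.

Added example, not part of the original page. Routers are modelled as named
interfaces with addresses, WAN links as pairs of interfaces and LANs as the
subnet the local computers use; the function and variable names are this
example's own. The sample plan is the two-router PPP example from this page.
"""
import ipaddress


def iface(addr, mask):
    """Build an IPv4Interface from an IOS 'ip address ADDR MASK' pair."""
    return ipaddress.IPv4Interface(f"{addr}/{mask}")


def check_plan(routers, wan_links, lans):
    """Return the list of rule violations; an empty list means the plan passes.

    routers:   {router: {interface: IPv4Interface}}
    wan_links: [((router, interface), (router, interface)), ...]
    lans:      {router: (lan interface, IPv4Network of the local computers)}
    """
    problems = []
    # Rule 1: LAN subnets must be different (N1 != N2); any overlap counts as equal.
    nets = [net for _, net in lans.values()]
    for i, n1 in enumerate(nets):
        for n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"rule1: LAN subnets {n1} and {n2} overlap")
    # Rule 2: the router's LAN address belongs to its LAN subnet (L1 in N1).
    for rtr, (ifname, net) in lans.items():
        addr = routers[rtr][ifname]
        if addr.ip not in net or addr.network != net:
            problems.append(f"rule2: {rtr} {ifname} {addr} is not in LAN subnet {net}")
    # Rule 3: both ends of a WAN link share one subnet (W1 and W2).
    for (r1, i1), (r2, i2) in wan_links:
        w1, w2 = routers[r1][i1], routers[r2][i2]
        if w1.network != w2.network:
            problems.append(f"rule3: {r1} {i1} {w1} and {r2} {i2} {w2} are in different subnets")
    # Rule 4: no two interfaces of one router in the same subnet (L1 vs W1).
    for rtr, ifaces in routers.items():
        items = list(ifaces.items())
        for i, (n1, a1) in enumerate(items):
            for n2, a2 in items[i + 1:]:
                if a1.network.overlaps(a2.network):
                    problems.append(f"rule4: {rtr} {n1} {a1} and {n2} {a2} share a subnet")
    return problems


# Sample plan: the PPP example from this page (router1/router2 over Serial0).
GOOD_PLAN = {
    "router1": {"FastEthernet0": iface("192.168.1.254", "255.255.255.0"),
                "Serial0": iface("192.1.1.1", "255.255.255.0")},
    "router2": {"FastEthernet0": iface("192.168.2.254", "255.255.255.0"),
                "Serial0": iface("192.1.1.2", "255.255.255.0")},
}
WAN_LINKS = [(("router1", "Serial0"), ("router2", "Serial0"))]
LANS = {"router1": ("FastEthernet0", ipaddress.IPv4Network("192.168.1.0/24")),
        "router2": ("FastEthernet0", ipaddress.IPv4Network("192.168.2.0/24"))}


def check_good():
    """The plan as drawn: passes all four rules."""
    return check_plan(GOOD_PLAN, WAN_LINKS, LANS)


def check_bad():
    """Same plan, but router2's WAN address moved into its LAN subnet: breaks rules 3 and 4."""
    bad = {r: dict(ifs) for r, ifs in GOOD_PLAN.items()}
    bad["router2"]["Serial0"] = iface("192.168.2.1", "255.255.255.0")
    return check_plan(bad, WAN_LINKS, LANS)


if __name__ == "__main__":
    for problem in check_bad():
        print(problem)
```

Running the script prints the two violations of the deliberately broken plan; `check_good()` returns an empty list for the plan as drawn.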

 



Common recommended commands

 

configure terminal
!
no service pad
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no ip finger
no ip bootp server
no ip source-route
! the router should not serve files: remove any "tftp-server <file>" line from the config
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
security authentication failure rate 3 log
!
! store local accounts with "secret" (one-way hash); "password" is only hidden with the reversible type 7 encoding
username user1 secret password1
username webuser privilege 15 secret webpassword
!
enable secret mysecret
! "enable password" is ignored once "enable secret" is set and is stored reversibly, so leave it unset
no enable password
!
ip tcp synwait-time 10
!
hostname internet-router
!
interface FastEthernet 0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mask-reply
 ! make sure you don't need directed broadcasts before disabling them
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
!
no banner motd
banner login ^
                       ######  WARNING !  ######

You have accessed a computer system.
You are required to have a personal authorization from the System Administrator before you use this system.
Unauthorized access to a computer constitutes an offence.
You must ensure your user password conforms to the guidelines specified in the Security Manual.
If you understand this message and have been authorized to use this system, please enter your username and password below to continue this session.
Otherwise, you must disconnect from this session immediately.
^
!
logging 192.168.1.2
! level 7 (debugging) floods the syslog server; raise it only while troubleshooting
logging trap informational
logging on
!
! restrict web access to the hosts in access-list 1 and use HTTPS: plain HTTP sends the credentials in cleartext
no ip http server
ip http secure-server
ip http access-class 1
ip http authentication local
access-list 1 permit 192.168.1.2
!
! remove the default communities; SNMPv1/v2c community strings travel in cleartext, so also restrict them with access-list 1
no snmp-server community private RW
no snmp-server community public RO
snmp-server community my-SNMP-RW RW 1
snmp-server community my-SNMP-RO RO 1
snmp-server host 192.168.1.2 traps my-SNMP-RO
snmp-server location server room
snmp-server contact cisco administrator (Mr hammadi tounsi)
!
line con 0
 logging synchronous
 login local
 exec-timeout 10 0
!
line vty 0 4
 logging synchronous
 login local
 access-class 1 in
 exec-timeout 10 0
 ! once SSH is set up (ip domain-name, crypto key generate rsa) add "transport input ssh": Telnet sends credentials in cleartext
!
end
write memory
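To check a saved configuration against this baseline without reading it by hand, here is an added example (this editor's, not code from the original page) of a small linter in Python. It walks the config top-level line by top-level line, flags the settings the baseline removes (reversible passwords, plain HTTP, default or unrestricted SNMP communities, Telnet or no access-class on the vty lines) and reports required global commands that are missing. The rule tables and both sample configurations are constructed for the example.

```python
"""Lint an IOS configuration against the hardening baseline above.

Added example, not part of the original page: the rule tables are this editor's
reading of the recommended commands, and both sample configs are constructed.
"""
import re

# Settings that should NOT appear: (rule id, regex on a config line, why)
FORBIDDEN = [
    ("service-pad", r"^service pad$", "X.29 PAD service enabled"),
    ("enable-password", r"^enable password ", "reversible enable password; use 'enable secret'"),
    ("username-password", r"^username \S+ (privilege \d+ )?password ",
     "local account stored with reversible type 7; use 'username ... secret'"),
    ("http-server", r"^ip http server$", "plain HTTP management; use 'ip http secure-server'"),
    ("snmp-default", r"^snmp-server community (public|private)\b", "default SNMP community"),
    ("snmp-noacl", r"^snmp-server community \S+ (RO|RW)$", "SNMP community without access-list"),
    ("no-pwd-encrypt", r"^no service password-encryption$", "password encryption disabled"),
]
# Global settings that SHOULD appear: (rule id, regex)
REQUIRED = [
    ("service-password-encryption", r"^service password-encryption$"),
    ("no-ip-source-route", r"^no ip source-route$"),
    ("enable-secret", r"^enable secret "),
    ("logging-host", r"^logging (host )?\d+\.\d+\.\d+\.\d+"),
]


def sections(config):
    """Yield (top-level line, [indented lines under it]) in config order."""
    header, body = None, []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = line, []
    if header is not None:
        yield header, body


def lint(config):
    """Return a sorted list of (rule id, offending line); [] means clean."""
    findings, top_level = [], []
    for header, body in sections(config):
        top_level.append(header)
        for line in [header] + body:
            for rule, pattern, _why in FORBIDDEN:
                if re.match(pattern, line):
                    findings.append((rule, line))
        if header.startswith("line vty"):
            transports = [b for b in body if b.startswith("transport input")]
            # no 'transport input' line means the image default, which allows Telnet
            if not transports or any("telnet" in t or t.endswith(" all") for t in transports):
                findings.append(("vty-telnet", header))
            if not any(b.startswith("access-class") for b in body):
                findings.append(("vty-no-acl", header))
    for rule, pattern in REQUIRED:
        if not any(re.match(pattern, line) for line in top_level):
            findings.append(("missing-" + rule, ""))
    return sorted(findings)


def explain(rule):
    """Human-readable reason for a FORBIDDEN rule id (the id itself for other rules)."""
    for rule_id, _pattern, why in FORBIDDEN:
        if rule_id == rule:
            return why
    return rule


# Constructed samples: the weak settings the baseline removes, and a hardened equivalent.
WEAK_CONFIG = """\
hostname internet-router
service pad
no service password-encryption
enable password mypassword
username user1 password password1
ip http server
snmp-server community public RO
snmp-server community my-SNMP-RW RW
line vty 0 4
 login local
 transport input telnet
!
"""

HARDENED_CONFIG = """\
hostname internet-router
no service pad
service password-encryption
no ip source-route
enable secret mysecret
username user1 secret password1
no ip http server
ip http secure-server
logging 192.168.1.2
snmp-server community my-SNMP-RO RO 1
line vty 0 4
 login local
 access-class 1 in
 transport input ssh
!
"""

if __name__ == "__main__":
    for rule, line in lint(WEAK_CONFIG):
        print(f"{rule:30} {line}  ({explain(rule)})")
```

The weak sample produces fourteen findings (eight forbidden lines, two vty problems and four missing commands); the hardened sample produces none. The checks are deliberately on the running-config text, which is what `show running-config` or a backup gives you.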

 


Configs for routers
  

WAN:

PPP, PPP-Auth-PAP, PPP-Auth-CHAP, PPP using E1, Multilink

IP over frame relay, Mark DE bit, FR switching, FRTS, Mark FECN/BECN

X25 switching, X25OverIP (XoT), IP over X25

Bridging, IRB, VRF, MPLS

Shared PSTN connection to internet

Connect 2 remote sites via BRI, Connect many remote sites via PRI, ISDN callback

RAS via PSTN, RAS via PRI

VPN-Site-to-Site, GRE Tunnel, IPv6IP Tunnel

NAT:

NAT dynamic one-to-one, NAT static, Policy NAT, NAT overload, NAT load distribution, NAT in both directions, PAT, Port forwarding

QoS:

QoS

Routing:

Routing


 

PPP

router1

interface FastEthernet0

 ip address 192.168.1.254    255.255.255.0

 !

interface Serial0

 ip address 192.1.1.1 255.255.255.0

 encapsulation   ppp

!

no ip classless

ip route 192.168.2.0 255.255.255.0 192.1.1.2

!

router2

interface FastEthernet0

 ip address 192.168.2.254    255.255.255.0

!

interface Serial0

 ip address 192.1.1.2 255.255.255.0

 encapsulation   ppp

 !

no ip classless

ip route 192.168.1.0 255.255.255.0 192.1.1.1

!

 

PPP Auth PAP

This is an example of unidirectional authentication: router1 (the server) checks the credentials that router2 (the client) sends. PAP sends the password in cleartext over the link, so prefer CHAP where both ends support it.

router1(server)

username remote password cisco

interface Serial1/0

 ip address 192.168.1.1 255.255.255.0

 encapsulation ppp

 ppp authentication pap

router2(client)

interface Serial1/0

 ip address 192.168.1.2 255.255.255.0

 encapsulation ppp

 ppp pap sent-username remote password 0 cisco

 

PPP Auth CHAP

Each router needs a username entry for the peer's hostname with the same password on both sides. CHAP needs the cleartext password to compute the challenge response, so these entries must use "password", not "secret".

router1

hostname r1

username r2 password cisco

interface Serial1/0

 ip address 192.168.1.1 255.255.255.0

 encapsulation ppp

 ppp authentication chap

router2

hostname r2

username r1 password cisco

interface Serial1/0

 ip address 192.168.1.2 255.255.255.0

 encapsulation ppp

 ppp authentication chap

 

PPP using E1

Router1

card type e1 5 0

!

controller E1 5/0/1

 framing NO-CRC4

 channel-group 0 timeslots 1-31

!

interface Serial5/0/1:0

 description ## E1 connected to sfax gremda km 4##

 ip address 192.168.111.5 255.255.255.252

 encapsulation ppp

!

 

Multilink

router1

interface Multilink1

 ip address 192.168.0.1 255.255.255.0

 ppp multilink

 ppp multilink group 1

!

interface Serial1/0

 no ip address

 encapsulation ppp

 ppp multilink

 ppp multilink group 1

 no shut

!

interface Serial1/1

 no ip address

 encapsulation ppp

 ppp multilink

 ppp multilink group 1

 no shut

!

 

IP over X25

Method 1

!

interface Ethernet0

 ip address 194.147.160.254     255.255.255.0

!

interface Serial0

 ip address 192.1.1.1 255.255.255.0

 encapsulation x25

 x25 address 133014389

 x25 htc 2

 x25 idle 1

 x25 nvc 2

 x25 suppress-calling-address

 x25 map ip 192.1.1.2      112010132
 ! (remote WAN IP)  (remote X.25 address)

 x25 map ip 192.1.1.3      112010167

!

ip route 193.1.1.0 255.255.255.0 192.1.1.2

ip route 193.2.1.0 255.255.255.0 192.1.1.3

!

 

Method 2

!
interface Serial0
 no ip address
 encapsulation x25
 x25 htc 2
!
interface Serial0.1 point-to-point
 ip address 192.1.1.1 255.255.255.0
 x25 map ip 192.1.1.2 112010132
!
interface Serial0.2 point-to-point
 ip address 193.1.1.1 255.255.255.0
 x25 map ip 193.1.1.2 112233441

!

 

 

 

X25 switching

X25 switcher

x25 routing
!
interface Serial0
 no ip address
 encapsulation x25 dce
 clock rate 64000
!
interface Serial1
 no ip address
 encapsulation x25 dce
 clock rate 64000
!
x25 route 4321 interface Serial0
x25 route 1234 interface Serial1
!

 

X25OverIP (XoT)

X25 host—x25 network—router1—IP/PPP—router2—x25 host

hostname router1
x25 routing
!
interface Serial0
 ip address 170.1.1.2 255.255.255.0
 encapsulation ppp
!
interface Serial1
 no ip address
 encapsulation x25
 x25 address 1234
!
x25 route 1111 ip 170.1.1.1
x25 route 4321 interface Serial1
!

 

IP over frame relay

HQ

interface Ethernet0

 ip address 10.1.1.1 255.0.0.0

!

interface Serial0

 no ip address

 encapsulation frame-relay

 frame-relay lmi-type ansi

!

interface Serial0.16 point-to-point

 description Frame Relay to agence1

 ip address 192.168.1.1 255.255.255.0

 frame-relay interface-dlci 16

!

interface Serial0.17 point-to-point

 description Frame Relay to agence2

  ip address 192.168.2.1 255.255.255.0

 frame-relay interface-dlci 17

!

ip route 20.0.0.0 255.0.0.0 192.168.1.2

ip route 30.0.0.0 255.0.0.0 192.168.2.2

 

Remote site

interface Ethernet0

 ip address 20.1.1.1 255.0.0.0

!

interface Serial0

 no ip address

 encapsulation frame-relay

 frame-relay lmi-type ansi

!

interface Serial0.16 point-to-point

 description Frame Relay to HQ (siege)

 ip address 192.168.1.2 255.255.255.0

 frame-relay interface-dlci 16

!

ip route 10.0.0.0 255.0.0.0 192.168.1.1

 

 

Mark DE bit

 

Mark the DE (discard eligible) bit on non-interesting traffic, here the HTTP traffic matched by access-list 150, so that the carrier discards it first when the circuit is congested

frame-relay de-list 1 protocol ip list 150

!

interface serial 0.1 point-to-point

ip address 192.168.1.5 255.255.255.252

frame-relay interface-dlci 100

frame-relay de-group 1 100

!

access-list 150 permit tcp any any eq www

 

 

FR switching

 

Router1(dlci30)—(s1)FR switcher(s2)—(dlci20)router2

frame-relay switching

!

interface Serial1

 encapsulation frame-relay

 frame-relay policing

 frame-relay lmi-type ansi

 frame-relay intf-type dce

 frame-relay interface-dlci 30 switched

      class agence1

!

interface Serial2

 encapsulation frame-relay

 frame-relay lmi-type ansi

 frame-relay intf-type dce

 frame-relay interface-dlci 20 switched

       class agence1

!

connect 30-20 Serial1 30 Serial2 20

!

map-class frame-relay agence1

    frame-relay cir 64000

    frame-relay bc 64000

    frame-relay be 0

 

FRTS

 

Frame Relay traffic shaping keeps the router's transmit rate within the CIR (here 16 kbit/s with no excess burst), so that the carrier's policing on the switch does not discard frames

interface Serial0/0

 no ip address

 encapsulation frame-relay

 frame-relay traffic-shaping

!

interface Serial0/0.1 point-to-point

 ip address 10.1.1.1 255.255.255.0

 frame-relay interface-dlci 16 

 frame-relay class agence1

!

map-class frame-relay agence1

   frame-relay cir 16000 

   frame-relay mincir 16000

   frame-relay bc 16000

   frame-relay be 0

 

Mark FECN/BECN

 

FECN and BECN Marking at the Class Level and Interface Level

class-map match-all dlci-100

match fr-dlci 100

!

policy-map output-policy

    class dlci-100

      bandwidth 250

      queue-limit 10

      set fr-fecn-becn 30

!

interface Serial2/1

    service-policy output output-policy

 

Bridging

bridge1

interface Ethernet0

 ip address 10.10.10.254 255.255.255.0

  bridge-group 1

!

interface Serial0

 ip address 192.168.0.1 255.255.255.0

bridge-group 1

!

no ip classless

bridge 1 protocol ieee

!

 

IRB

 


The configuration allows bridging IP between two Ethernet interfaces, and routing IP from bridged interfaces using a Bridged Virtual Interface (BVI).

hostname R1

!

ip subnet-zero

no ip domain-lookup

bridge irb

!

interface Ethernet0

no ip address

no ip directed-broadcast

bridge-group 1

!

Interface Ethernet1

no ip address

no ip directed-broadcast

bridge-group 1

!

Interface Serial0

ip address 10.10.20.1 255.255.255.0

!

interface BVI1

ip address 10.10.10.1 255.255.255.0

!

ip route 10.10.30.0 255.255.255.0 10.10.20.2

!

bridge 1 protocol ieee

bridge 1 route ip

 

 

Shared PSTN connection to internet

chat-script modem "" "atdt\T" TIMEOUT 60 CONNECT \c

!

interface Ethernet0

 ip address 192.168.1.1 255.255.255.0

ip nat inside

!

interface Serial0

 physical-layer async

 no ip address

 ip nat outside

 encapsulation ppp

 dialer in-band

 dialer rotary-group 1

 dialer-group 1

 async mode dedicated

 no cdp enable

 

 interface Dialer1

 ip address negotiated

 no ip directed-broadcast

 ip nat outside

 encapsulation ppp

 dialer in-band

 dialer idle-timeout 300

 dialer string 1616 modem-script modem

 dialer-group 1

 no cdp enable

 ppp authentication chap callin

 ppp chap hostname myname

 ppp chap password mypasswd

!

ip nat inside source list 1 interface Dialer1 overload

ip route 0.0.0.0 0.0.0.0 Dialer1

!

access-list 1 permit 192.168.1.0 0.0.0.255

dialer-list 1 protocol ip permit

 

 

 

line 1

 modem InOut

 transport input all

 stopbits 1

 flowcontrol hardware

speed  115200

 

 

 

Connect 2 remote sites via BRI

 

HQ

hostname siege

!

username agence1 password AZERTY

username agence2 password AZERTY

!

isdn switch-type basic-net3

!

interface Dialer 1

 description connected to agence1

 ip address 190.1.1.1 255.255.255.252

 encapsulation ppp

 dialer in-band

 dialer idle-timeout 120

 dialer string 1111

 dialer remote-name agence1

 dialer-group 5

 dialer pool 1

 ppp authentication chap

 no ppp multilink

 no cdp enable

!

interface Dialer 2

 description connected to agence2

 ip address 191.1.1.1 255.255.255.252

 encapsulation ppp

 dialer in-band

 dialer idle-timeout 120

 dialer string 4187

 dialer remote-name agence2

 dialer-group 5

 dialer pool 1

 ppp authentication chap

 no ppp multilink

 no cdp enable

!

interface BRI 0

 description connected to agence1,agence2

 no ip address

 encapsulation ppp

 dialer pool-member 1

 !

Ip route 192.168.1.0      255.255.255.0 Dialer1

Ip route 192.168.2.0      255.255.255.0 Dialer2

!

dialer-list 5 protocol ip permit

 

Remote site

hostname agence1

!

username siege password AZERTY

!

isdn switch-type basic-net3

!

interface Dialer 1

 description connected to siege

 ip address 190.1.1.2 255.255.255.252

 encapsulation ppp

 dialer in-band

 dialer idle-timeout 120

 dialer hold-queue 10

 dialer map ip 190.1.1.1 name siege speed 64 4321

 dialer-group 6

 ppp authentication chap

 no ppp multilink

 no cdp enable

!

interface BRI 0

 no shutdown

 description connected to siege

 no ip address

 dialer rotary-group 1

!

dialer-list 6 protocol ip permit

!

Ip route 180.1.1.0 255.255.255.0 Dialer1

 

 

 

 

 

 

Connect many remote sites via PRI

HQ

! CHAP names are case-sensitive: this hostname must match the "username Cisco3620" entry on the remote routers
hostname Cisco3620

!

card type e1 1

!

username Cisco801_1 password test
username Cisco801_2 password test
!!
isdn switch-type primary-net5
!
controller E1 1/0
 no shutdown
 framing crc4
 linecode hdb3
 pri-group timeslots 1-31
!
interface Dialer 1
 description connected to Cisco801_1
 ip address 10.10.1.1 255.255.255.252
 no ip split-horizon
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 120
 dialer remote-name Cisco801_1
 dialer-group 1
 dialer pool 1
 ppp authentication chap
 no ppp multilink
 no cdp enable
!
interface Dialer 2
 description connected to Cisco801_2
 ip address 10.10.2.1 255.255.255.252
 no ip split-horizon
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 120
 dialer remote-name Cisco801_2
 dialer-group 1
 dialer pool 2
 ppp authentication chap
 no ppp multilink
 no cdp enable
!
interface Ethernet 0/0
 no shutdown
 description connected to EthernetLAN
 ip address 192.168.0.1 255.255.255.0
!
interface Serial 1/0:15
 no shutdown
 description connected to Cisco801_1,Cisco801_2
 no ip address
 encapsulation ppp
 dialer pool-member 2
 dialer pool-member 1
!
dialer-list 1 protocol ip permit
!

ip classless

ip route 192.168.1.0   255.255.255.0  10.10.1.2 

ip route 192.168.2.0   255.255.255.0  10.10.2.2 

!

 

Remote site

hostname Cisco801_1

username Cisco3620 password test

!

isdn switch-type basic-net3

!

interface Dialer 1

 description connected to siege

 ip address 10.10.1.2 255.255.255.252

encapsulation ppp

 dialer in-band

 dialer idle-timeout 120

 dialer hold-queue 10

 ! the map must name the peer: HQ's address 10.10.1.1 and its CHAP hostname Cisco3620
 dialer map ip 10.10.1.1 name Cisco3620 speed 64 4321

 dialer-group 1

 ppp authentication chap

 no cdp enable

!

interface BRI 0

 no shutdown

 description connected to siege

 no ip address

 dialer rotary-group 1

!

dialer-list 1 protocol ip permit

!

Ip route 192.168.0.0    255.255.255.0 Dialer1

 

 

 

 

 

 

 

ISDN Callback

Callback server

!

interface bri 0

 ip address 7.1.1.7 255.255.255.0

 encapsulation ppp

 dialer callback-secure

 dialer enable-timeout 2

 dialer map ip 7.1.1.8 name atlanta class dial1 81012345678901

 dialer-group 1

 ppp callback accept

 ppp authentication chap

!

 map-class dialer dial1

 dialer callback-server username

!

Callback client

interface bri 0

 ip address 7.1.1.8 255.255.255.0

 encapsulation ppp

 dialer map ip 7.1.1.7 name dallas 81012345678902

 dialer-group 1

 ppp callback request

 ppp authentication chap

 dialer hold-queue timeout 30

!

 

 

 

 

 

RAS via PSTN 

 

RAS via PSTN (AUX port)

hostname Cisco1720

!

username pc1 password pc1

!

interface Dialer 1

 description connected to Dial-inPCs(modem)

 ip unnumbered FastEthernet 0

 ip tcp header-compression passive

 encapsulation ppp

 dialer in-band

 dialer-group 1

 ppp authentication chap

 no cdp enable

 peer default ip address pool Cisco1720-Group-1

!

interface FastEthernet 0

 no shutdown

 description connected to EthernetLAN

 ip address 192.168.0.1 255.255.255.0

 no keepalive

!

interface Async 5

 no shutdown

 description connected to Dial-inPCs(modem)

 ip unnumbered FastEthernet 0

 async mode dedicated

 dialer rotary-group 1

!

ip local pool Cisco1720-Group-1 192.168.0.100 192.168.0.100

ip classless

!

line aux 0

 exec

 autoselect ppp

 autoselect during-login

 login local

 modem InOut

 transport input all

 stopbits 1

 speed 38400

 flowcontrol hardware

!

end

 

RAS via PRI


username user1 password pass1

!

isdn switch-type primary-net5

!

controller E1 3/0

framing NO-CRC4

 pri-group timeslots 1-31

!

interface FastEthernet0/0

 ip address 10.15.20.1 255.255.0.0

 !

interface Serial3/0:15

 ip unnumbered FastEthernet0/0

 encapsulation ppp

 dialer-group 1

 isdn switch-type primary-net5

 isdn incoming-voice modem

 peer default ip address pool default

 compress predictor

 ppp authentication chap

 

!

interface Group-Async3

 ip unnumbered FastEthernet0/0

 encapsulation ppp

 ip tcp header-compression passive

 async mode dedicated

 peer default ip address pool default

 ppp authentication chap pap

 group-range 129 158

!

ip local pool default 10.15.100.1 10.15.100.100

!

line 129 158

 modem Dialin

 transport preferred all

 transport output all

 autoselect during-login

 autoselect ppp

!

 

VPN-Site-to-Site

 

 

We need a site-to-site VPN. All traffic from 172.25.0.0/16 to 172.24.0.0/16 is encrypted. When a packet leaves the WAN interface it is carried inside an ESP packet whose source address is 192.168.1.121 and whose destination is 192.168.1.12; the original packet, its addresses included, is encrypted inside it. The 3DES, SHA-1 and DH group 2 parameters shown here are legacy: on current images use AES, SHA-2 and DH group 14 or higher, and add "set pfs" to the crypto map.

router1

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key mykey address 192.168.1.12

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto map mymap 1 ipsec-isakmp

 description Tunnel to192.168.1.12

 set peer 192.168.1.12

 set transform-set myset

 match address 100

!

interface FastEthernet0/0

 ip address 172.25.0.1  255.255.0.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 192.168.1.121 255.255.255.0

 duplex auto

 speed auto

 crypto map mymap

!

ip classless

ip route 172.24.0.0 255.255.0.0 192.168.1.12

!

access-list 100 permit ip 172.25.0.0 0.0.255.255 172.24.0.0 0.0.255.255

 

router2

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key mykey address 192.168.1.121

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto map mymap 1 ipsec-isakmp

 description Tunnel to192.168.1.121

 set peer 192.168.1.121

 set transform-set myset

 match address 100

!

interface FastEthernet0/0

 ip address 172.24.0.1  255.255.0.0

 duplex auto

 speed auto

!

interface FastEthernet0/1

 ip address 192.168.1.12 255.255.255.0

 duplex auto

 speed auto

 crypto map mymap

!

ip classless

ip route 172.25.0.0 255.255.0.0 192.168.1.121

!

access-list 100 permit ip 172.24.0.0 0.0.255.255 172.25.0.0 0.0.255.255
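To see whether a VPN configuration like the one above still meets a reasonable minimum, here is an added example (this editor's, not code from the page or from Cisco): a Python grader that parses the `crypto isakmp policy`, `crypto ipsec transform-set` and `crypto map` blocks of a config and flags DES/3DES, MD5/SHA-1, DH groups 1, 2 and 5, missing integrity and missing PFS. The `WEAK_*` tables are this editor's baseline; `ROUTER1_CONFIG` is router1's configuration from above and `STRONG_CONFIG` is a constructed equivalent with current algorithms.

```python
"""Grade an IOS site-to-site IPsec configuration against a minimum crypto baseline.

Added example, not from the original page or Cisco. The WEAK_* tables are this
editor's baseline; ROUTER1_CONFIG is the router1 configuration from the section
above and STRONG_CONFIG is a constructed equivalent with current algorithms.
"""
import re

WEAK_ENCR = {"des", "3des"}
WEAK_HASH = {"md5", "sha"}              # in IOS, 'hash sha' means SHA-1
WEAK_GROUPS = {"1", "2", "5"}           # 768-, 1024- and 1536-bit MODP
WEAK_ESP_ENCR = {"esp-des", "esp-3des", "esp-null"}
WEAK_ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}


def parse(config):
    """Collect ISAKMP policies, transform-sets and crypto maps from the config text."""
    out = {"isakmp": {}, "transform": {}, "maps": {}}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^crypto isakmp policy (\d+)$", line)
        if m:   # IOS defaults for a new policy: DES, SHA-1, group 1
            current = out["isakmp"].setdefault(m.group(1), {"encr": "des", "hash": "sha", "group": "1"})
            continue
        m = re.match(r"^crypto ipsec transform-set (\S+) (.+)$", line)
        if m:
            out["transform"][m.group(1)] = m.group(2).split()
            current = None
            continue
        m = re.match(r"^crypto map (\S+) \d+ ipsec-isakmp$", line)
        if m:
            current = out["maps"].setdefault(m.group(1), {})
            continue
        if not line.startswith(" "):
            current = None
        elif current is not None:
            key, _, value = line.strip().partition(" ")
            if key in ("encr", "encryption"):
                current["encr"] = value.split()[0]      # 'aes 256' -> 'aes'
            elif key in ("hash", "group"):
                current[key] = value
            elif key == "set":                          # 'set pfs group14', 'set transform-set myset'
                sub, _, subval = value.partition(" ")
                current[sub] = subval
    return out


def grade(config):
    """Return a list of findings; an empty list means the config meets the baseline."""
    cfg, findings = parse(config), []
    for num, pol in cfg["isakmp"].items():
        if pol["encr"] in WEAK_ENCR:
            findings.append(f"isakmp policy {num}: weak encryption {pol['encr']}")
        if pol["hash"] in WEAK_HASH:
            findings.append(f"isakmp policy {num}: weak hash {pol['hash']}")
        if pol["group"] in WEAK_GROUPS:
            findings.append(f"isakmp policy {num}: weak DH group {pol['group']}")
    for name, algs in cfg["transform"].items():
        for alg in algs:
            if alg in WEAK_ESP_ENCR:
                findings.append(f"transform-set {name}: weak ESP cipher {alg}")
            if alg in WEAK_ESP_AUTH:
                findings.append(f"transform-set {name}: weak ESP integrity {alg}")
        if not any(alg.endswith("-hmac") or "gcm" in alg for alg in algs):
            findings.append(f"transform-set {name}: no integrity protection")
    for name, cmap in cfg["maps"].items():
        if "pfs" not in cmap:
            findings.append(f"crypto map {name}: no 'set pfs', so no perfect forward secrecy")
        if cmap.get("transform-set") not in cfg["transform"]:
            findings.append(f"crypto map {name}: transform-set {cmap.get('transform-set')} is not defined")
    return findings


ROUTER1_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key mykey address 192.168.1.12
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
 description Tunnel to192.168.1.12
 set peer 192.168.1.12
 set transform-set myset
 match address 100
"""

STRONG_CONFIG = """\
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto ipsec transform-set strongset esp-aes 256 esp-sha256-hmac
!
crypto map mymap 1 ipsec-isakmp
 set peer 192.168.1.12
 set pfs group14
 set transform-set strongset
 match address 100
"""

if __name__ == "__main__":
    for finding in grade(ROUTER1_CONFIG):
        print(finding)
```

Router1's configuration gets six findings (3DES and SHA-1 and group 2 in the ISAKMP policy, 3DES and SHA-1 HMAC in the transform-set, no PFS); the constructed stronger configuration gets none. Note that the grader relies on the IOS default of SHA-1 when a policy has no `hash` line, which is exactly the case on this page.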

 

 

GRE Tunnel

 

Generic Routing Encapsulation (GRE) tunnels are the simplest form of tunnel: they carry multiprotocol and IP multicast traffic (for example routing updates) that plain IPsec cannot. GRE provides no confidentiality or integrity, so it is not a VPN on its own; protect the tunnel with IPsec when the underlying network is untrusted.

router1

interface FastEthernet0
 ip address 10.0.0.1 255.255.255.0
!
interface Serial0
 ip address 92.68.1.1 255.255.255.0
 encapsulation ppp
!
interface Tunnel0
 ip address 172.16.1.1 255.255.255.0
 tunnel source 92.68.1.1
 tunnel destination 17.2.2.5
 tunnel mode gre ip
 ! GRE adds 24 bytes per packet; lower the MTU and TCP MSS so tunneled traffic is not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 no shutdown
!
ip route 17.2.2.0 255.255.255.0 Serial0
ip route 20.0.0.0 255.255.255.0 Tunnel0

router2

interface FastEthernet0
 ip address 20.0.0.1 255.255.255.0
!
interface Serial0
 ip address 17.2.2.5 255.255.255.0
 encapsulation ppp
!
interface Tunnel0
 ip address 172.16.1.2 255.255.255.0
 tunnel source 17.2.2.5
 tunnel destination 92.68.1.1
 tunnel mode gre ip
 ip mtu 1400
 ip tcp adjust-mss 1360
 no shutdown
!
ip route 92.68.1.0 255.255.255.0 Serial0
ip route 10.0.0.0 255.255.255.0 Tunnel0

 

 

 

IPv6IP Tunnel

 

An IPv6IP tunnel (a manually configured 6in4 tunnel) connects two IPv6 networks across an IPv4-only network. The IPv6 packets travel inside plain IPv4 (protocol 41), unencrypted.

IPv6 Network1---DualStack Router1----IPv4 cloud---- DualStack Router2----- IPv6 Network2

DualStack router1

ipv6 unicast-routing
!
interface FastEthernet0
 ipv6 address 2001:410:1:20::/64 eui-64
!
interface Serial0
 ip address 92.68.1.1 255.255.255.0
 ipv6 address 2001:410:1:10::/64 eui-64
 encapsulation ppp
!
interface Tunnel0
 ipv6 address 2001:410:1:50::/64 eui-64
 tunnel source 92.68.1.1
 tunnel destination 17.2.2.5
 tunnel mode ipv6ip
 no shutdown
!
ip route 17.2.2.0 255.255.255.0 Serial0
ipv6 route 2001:410:1:30::/64 Tunnel0

DualStack router2

ipv6 unicast-routing
!
interface FastEthernet0
 ipv6 address 2001:410:1:30::/64 eui-64
!
interface Serial0
 ip address 17.2.2.5 255.255.255.0
 ipv6 address 2001:410:1:10::/64 eui-64
 encapsulation ppp
!
interface Tunnel0
 ipv6 address 2001:410:1:50::/64 eui-64
 tunnel source 17.2.2.5
 tunnel destination 92.68.1.1
 tunnel mode ipv6ip
 no shutdown
!
ip route 92.68.1.0 255.255.255.0 Serial0
ipv6 route 2001:410:1:20::/64 Tunnel0

 

 

 

 

 

NAT dynamic one-to-one

 

Dynamic NAT one to one

!define what addresses are to be converted

access-list 1 permit 10.0.0.0 0.0.0.255

!define the pool of addresses to use for translation and what interfaces and addresses to use

ip nat pool simple-nat-pool 123.123.123.1 123.123.123.254 netmask 255.255.255.0

ip nat inside source list 1 pool simple-nat-pool

!declare inside interfaces

interface e0

   ip address 10.0.0.1 255.255.255.0

   ip nat inside

!declare outside interface

interface s0

   ip address 144.144.144.1 255.255.255.0

   ip nat outside

 

 

 

NAT static

Static NAT

access-list 1 permit 10.0.0.0 0.0.0.255

ip nat pool natpool 222.12.12.2  222.12.12.254 netmask 255.255.255.0

ip nat inside source static 10.0.0.1 222.10.10.1

ip nat inside source list 1 pool natpool

!declare inside interfaces

interface e0

   ip address 10.0.0.1 255.255.255.0

   ip nat inside

!declare outside interface

interface s0

   ip address 144.14.14.1 255.255.255.0

   ip nat outside

 

Policy NAT  

Policy NAT

 

When host 10.1.1.15 sends to 209.165.0.1 it is translated to 193.1.1.1.

When host 10.1.1.15 sends to 145.125.4.2 it is translated to 193.1.1.2.

Route-map names are case-sensitive: the names in the static NAT lines must match the route-map definitions exactly.

access-list 101 permit ip host 10.1.1.15 host 209.165.0.1

access-list 102 permit ip host 10.1.1.15 host 145.125.4.2

!

route-map company-A permit 10

 match ip address 101

!

route-map company-B permit 10

 match ip address 102

!

ip nat inside source static 10.1.1.15   193.1.1.1 route-map company-A

ip nat inside source static 10.1.1.15   193.1.1.2 route-map company-B
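Wildcard masks and route-map selection are where NAT access-lists go wrong: host bits set in the base address of an access-list entry are simply ignored by the wildcard match (IOS normalizes them away when the line is entered), and a route-map name that differs only in case matches nothing. The following Python is an added example, not code from the page: it implements IOS wildcard matching, parses standard and extended access-lists (the kind used in the NAT dynamic and NAT overload sections as well as here) and the policy-NAT route-maps above, and returns the inside global address a given (source, destination) pair is translated to. The helper names and the sample packets are this example's own.

```python
"""IOS wildcard-mask matching and policy-NAT rule selection.

Added example, not from the original page. It reproduces the wildcard semantics
IOS applies to access-lists and picks the inside global address a packet gets
under the route-map based static NAT shown above. The helper names and the
sample packets are this example's own.
"""
import ipaddress
import re


def wildcard_match(addr, base, wildcard):
    """IOS semantics: a 1 bit in the wildcard means 'ignore this bit'.

    Host bits set in the base address under a 1 wildcard bit are ignored too, which
    is why IOS stores 'permit 10.0.0.1 0.0.0.255' as 'permit 10.0.0.0 0.0.0.255'.
    """
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    keep = ~w & 0xFFFFFFFF
    return a & keep == b & keep


def _target(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard, remaining tokens)."""
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]


def parse_acls(config):
    """Return {acl number: [(action, src, src_wc, dst, dst_wc), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"^access-list (\d+) (permit|deny) (.+)$", line.strip())
        if not m:
            continue
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if num <= 99:                       # standard ACL: source only
            src, src_wc, _ = _target(rest)
            dst, dst_wc = "0.0.0.0", "255.255.255.255"
        else:                               # extended ACL: protocol, source, destination
            src, src_wc, rest = _target(rest[1:])
            dst, dst_wc, _ = _target(rest)
        acls.setdefault(num, []).append((action, src, src_wc, dst, dst_wc))
    return acls


def acl_permits(entries, src, dst):
    """First matching entry wins; every access-list ends with an implicit 'deny any'."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action == "permit"
    return False


def parse_policy_nat(config):
    """Return ({route-map: acl number}, [(inside local, inside global, route-map), ...])."""
    maps, rules, current = {}, [], None
    for line in config.splitlines():
        m = re.match(r"^route-map (\S+) permit \d+$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+match ip address (\d+)$", line)
        if m and current:
            maps[current] = int(m.group(1))
            continue
        m = re.match(r"^ip nat inside source static (\S+)\s+(\S+) route-map (\S+)$", line)
        if m:
            rules.append(m.groups())
    return maps, rules


def translate(config, src, dst):
    """Inside global address chosen for a packet from src to dst, or src when no rule applies."""
    acls = parse_acls(config)
    maps, rules = parse_policy_nat(config)
    for local, global_addr, rmap in rules:     # rules are tried in config order
        if local == src and acl_permits(acls.get(maps.get(rmap), []), src, dst):
            return global_addr
    return src


# Constructed input: the Policy NAT section of this page with consistent route-map names.
POLICY_NAT_CONFIG = """\
access-list 101 permit ip host 10.1.1.15 host 209.165.0.1
access-list 102 permit ip host 10.1.1.15 host 145.125.4.2
!
route-map company-A permit 10
 match ip address 101
!
route-map company-B permit 10
 match ip address 102
!
ip nat inside source static 10.1.1.15   193.1.1.1 route-map company-A
ip nat inside source static 10.1.1.15   193.1.1.2 route-map company-B
"""

if __name__ == "__main__":
    for dst in ("209.165.0.1", "145.125.4.2", "8.8.8.8"):
        print(dst, "->", translate(POLICY_NAT_CONFIG, "10.1.1.15", dst))
```

A packet to 209.165.0.1 comes out as 193.1.1.1, one to 145.125.4.2 as 193.1.1.2, and one to any other destination keeps its real address. Changing the static NAT line to `route-map Company-A` (capital C) makes the first case fall through untranslated, which is the case-mismatch bug called out above.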

 

NAT overload

Overload

!define what addresses are to be converted

access-list 1 permit 10.0.0.0 0.0.0.255

!define the pool of addresses to use for translation and what interfaces and addresses to use

ip nat pool natpool 123.123.123.1 123.123.123.2 netmask 255.255.255.0

ip nat inside source list 1 pool natpool overload

!declare inside interfaces

interface e0

  ip address 10.0.0.1 255.255.255.0

  ip nat inside

!declare outside interface

interface s0

  ip address 144.14.14.1 255.255.255.0

  ip nat outside

 

NAT load distribution

Load distribution (TCP load balancing): new TCP connections to the virtual address 188.88.88.88 are spread round-robin over the real servers 188.88.88.1 to 188.88.88.4.

!declare the pool of real servers; "type rotary" makes the router cycle through them

ip nat pool company-A 188.88.88.1 188.88.88.4 prefix-length 24 type rotary

!declare the translation: destination addresses matched by access-list 1 are rewritten to the pool

ip nat inside destination list 1 pool company-A

!declare the access-list for translation candidates (the virtual address)

access-list 1 permit 188.88.88.88 0.0.0.0

!declare the interfaces

interface S0

 ip nat outside

interface E0

 ip nat inside

 

NAT in both directions

 

We need PC1 to reach PC2 using PC2's internal address (10.18.1.2) and vice versa, so each router translates both the inside source and the outside source addresses.

PC1(10.95.1.2)---(10.95.1.1)router1(S0)-------Internet-------(S0)router2(10.18.1.1)-----(10.18.1.2)PC2

PC1 is seen from the outside as 193.95.40.82; PC2 is seen from the outside as 193.95.21.31

router1

interface FastEthernet0

 ip address 10.95.1.1 255.255.255.0

 ip nat inside

!

interface Serial0

 ip address 192.168.1.2 255.255.255.0

 ip nat outside

 encapsulation ppp

!

ip nat inside source static 10.95.1.2 193.95.40.82

! add-route installs a host route for 10.18.1.2 towards the outside interface, so packets to the
! translated address are routed out before the translation is applied
ip nat outside source static 193.95.21.31 10.18.1.2 add-route

router2

interface FastEthernet0

 ip address 10.18.1.1 255.255.255.0

 ip nat inside

!

interface Serial0

 ip address 192.168.1.1 255.255.255.0

 ip nat outside

 encapsulation ppp

 !

ip nat inside source static 10.18.1.2 193.95.21.31

ip nat outside source static 193.95.40.82 10.95.1.2 add-route

 

PAT

We need to hide the real TCP port the server listens on: the internal server 172.16.10.8 listens on port 8080, and outside clients connect to the router's outside address 200.200.200.5 on port 80.

Internal server (172.16.10.8) listening on port 8080---Fe0/S0-----outside client connects to 200.200.200.5 on port 80

interface FastEthernet0

 ip address 172.16.10.1         255.255.255.0

 ip nat inside

!

interface Serial0

 ip address 200.200.200.5      255.255.255.252

 ip nat outside

 encapsulation ppp

!

! inside local address:port -> inside global (outside) address:port
ip nat inside source static tcp 172.16.10.8 8080 200.200.200.5 80

 

 

Port forwarding

We need to publish many internal services (web, smtp, ftp…) using just one public IP address (171.68.1.1)

interface Ethernet0

ip address 192.168.0.254 255.255.255.0

ip nat inside

!

interface Serial0

ip address 171.68.1.1 255.255.255.240

ip nat outside

!

access-list 1 permit 192.168.0.0 0.0.0.255

ip nat inside source list 1 interface serial0 overload

!

ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable

ip nat inside source static tcp 192.168.0.6 25 171.68.1.1 25 extendable

!

ip route 0.0.0.0 0.0.0.0 171.68.1.254