CISCO CONFIGS
This site contains many typical configurations and tips for Cisco devices (routers and switches).
For any comments, please send mail to osama.
To make sure your IP addressing scheme is sound, respect the Osama 4 rules:
Rule 1: The IP subnets of the local and remote LANs must be different: N1 ≠ N2.
Rule 2: The router LAN address must belong to the subnet of the local computers: L1 must belong to N1 and L2 must belong to N2.
Rule 3: Two adjacent WANs must belong to the same subnet: W1 and W2 are in the same subnet.
Rule 4: Two physical interfaces of any router can't belong to the same subnet: L1 and W1 can't be in the same subnet.
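The four rules can be checked mechanically before any address is typed into a router. The following is an added example, not part of the original site: the names check_plan, rules and GOOD are assumptions, the sample plan reuses the addresses of the PPP example on this page, and the check goes slightly beyond the rules by also rejecting a LAN address that is the network or broadcast address of its subnet.

```python
from ipaddress import ip_interface, ip_network


def check_plan(n1, l1, w1, n2, l2, w2):
    """Return the violated rules for a two-site plan (empty list = plan is fine).

    n1, n2: LAN subnets; l1, l2: router LAN addresses; w1, w2: router WAN
    addresses. Everything is given as text in address/prefix-length form."""
    n1, n2 = ip_network(n1), ip_network(n2)
    l1, w1, l2, w2 = (ip_interface(a) for a in (l1, w1, l2, w2))
    errors = []

    # Rule 1: overlap also catches one LAN subnet nested inside the other.
    if n1.overlaps(n2):
        errors.append(f"Rule1: N1 {n1} and N2 {n2} overlap")

    # Rule 2: same subnet and mask as the computers, and a usable host address.
    for name, lan, net in (("L1", l1, n1), ("L2", l2, n2)):
        if lan.network != net:
            errors.append(f"Rule2: {name} {lan} is not in {net}")
        elif net.prefixlen < 31 and lan.ip in (net.network_address,
                                               net.broadcast_address):
            errors.append(f"Rule2: {name} {lan.ip} is not a host address")

    # Rule 3: both ends of the WAN link share one subnet, with distinct addresses.
    if w1.network != w2.network:
        errors.append(f"Rule3: W1 {w1} and W2 {w2} are in different subnets")
    elif w1.ip == w2.ip:
        errors.append(f"Rule3: W1 and W2 both use {w1.ip}")

    # Rule 4: LAN and WAN interfaces of the same router must not share a subnet.
    for name, lan, wan in (("router1", l1, w1), ("router2", l2, w2)):
        if lan.network.overlaps(wan.network):
            errors.append(f"Rule4: {name} LAN {lan.network} overlaps WAN {wan.network}")
    return errors


def rules(errors):
    """Reduce the messages to the rule labels, e.g. ['Rule1', 'Rule3']."""
    return [e.split(":")[0] for e in errors]


# Addresses of the PPP example on this page: N1, L1, W1, N2, L2, W2.
GOOD = ("192.168.1.0/24", "192.168.1.254/24", "192.1.1.1/24",
        "192.168.2.0/24", "192.168.2.254/24", "192.1.1.2/24")

if __name__ == "__main__":
    for message in check_plan(*GOOD) or ["plan respects the four rules"]:
        print(message)
```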
Config t
no service pad
no service dhcp
no service tcp-small-servers
no service udp-small-servers
no service finger
no service config
no ip finger
no ip bootp server
no ip source-route
no tftp-server
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
security authentication failure rate 3
!
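! "password" entries are kept in clear text, or in reversible type 7 form with
! service password-encryption; "username ... secret" stores a hash instead
username user1 password password1
username webuser privilege 15 password webpassword
!
enable secret mysecret
! the enable password is only used when no enable secret is set
enable password mypassword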
!
ip tcp synwait-time 10
!
Hostname internet-router
!
Interface FastEthernet 0/0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache
no ip mroute-cache
no ip mask-reply
! make sure you don't need it
no ip directed-broadcast
!
no banner motd
banner login ^
###### WARNING ! ######
You have accessed a Computer system.
You are required to have a personal authorization from the System Administrator before you use this
system.
Unauthorized access of a computer constitutes an offence.
You must ensure your User password conforms to the guidelines specified in
the Security Manual.
If you understand this message and have been authorized to use this system
please enter your username and password below to continue this session.
Otherwise, you must disconnect from this session immediately.
^
!
Logging 192.168.1.2
Logging trap debug
Logging on
!
!restrict web access to access list 1
ip http access-class 1
ip http server
ip http authentication local
access-list 1 permit 192.168.1.2
!
no snmp-server community private RW
no snmp-server community public RO
snmp-server community my-SNMP-RW RW 1
snmp-server community my-SNMP-RO RO 1
snmp-server host 192.168.1.2 traps my-SNMP-RO
snmp-server location server room
snmp-server contact cisco administrator (Mr hammadi tounsi)
!
line con 0
logging sync
login local
exec-timeout 10 0
exit
!
line vty 0 4
logging sync
login local
access-class 1 in
exec-timeout 10 0
exit
!
Wr m
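A template like this is easiest to keep honest with a small audit run over the saved configuration. The following is an added example, not part of the original site: the function name audit and the finding texts are assumptions, TEMPLATE is an excerpt of the configuration above, and DEFAULTS is a constructed counter-example.

```python
import re

# Excerpt of the template above, values as given on the page.
TEMPLATE = """\
no ip source-route
service password-encryption
username user1 password password1
username webuser privilege 15 password webpassword
enable secret mysecret
enable password mypassword
ip http access-class 1
ip http server
no snmp-server community public RO
snmp-server community my-SNMP-RW RW 1
line vty 0 4
access-class 1 in
!
"""

# Constructed counter-example: a router left close to its defaults.
DEFAULTS = """\
enable password cisco
ip http server
snmp-server community public RO
line vty 0 4
 password cisco
 login
!
"""


def audit(config):
    """Return a list of findings for an IOS configuration given as text."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    low = [l.lower() for l in lines]

    def has(prefix):
        return any(l.startswith(prefix) for l in low)

    findings = []
    if not has("service password-encryption"):
        findings.append("service password-encryption is missing")
    if not has("no ip source-route"):
        findings.append("ip source-route is not disabled")
    if has("enable password"):
        findings.append("enable password is set; use enable secret only")
    if has("ip http server") and not has("ip http access-class"):
        findings.append("ip http server has no access-class")
    vty, open_vty = None, []        # current vty block; blocks without an ACL
    for line, l in zip(lines, low):
        m = re.match(r"username (\S+) .*\bpassword\b", line, re.I)
        if m:
            findings.append(f"username {m.group(1)} uses password, not secret")
        m = re.match(r"snmp-server community (\S+) (?:ro|rw)(?: (\S+))?", line, re.I)
        if m and m.group(1).lower() in ("public", "private"):
            findings.append(f"default SNMP community {m.group(1)}")
        elif m and m.group(2) is None:
            findings.append(f"SNMP community {m.group(1)} has no access list")
        if l.startswith("line "):
            vty = line if l.startswith("line vty") else None
            if vty:
                open_vty.append(vty)
        elif l in ("!", "exit"):
            vty = None
        elif vty and re.match(r"access-class \S+ in$", l):
            open_vty.remove(vty)
            vty = None
    return findings + [f"{v} has no inbound access-class" for v in open_vty]
```

Run against the template itself, the audit reports the enable password and the two username entries that use password rather than secret.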
PPP, PPP-Auth-PAP, PPP-Auth-CHAP, PPP using E1, Multilink
IP over frame relay, Mark DE bit, FR switching, FRTS, Mark FECN/BECN
x25 switching, X25OverIP (XoT), IP over X25
Shared PSTN connection to internet
Connect 2 remote sites via BRI, Connect many remote sites via PRI, ISDN callback
VPN-Site-to-Site, GRE Tunnel, IPv6IP Tunnel
NAT: NAT dynamic one-to-one, NAT static, Policy NAT, NAT overload, NAT load distribution, NAT in both directions, PAT, Port forwarding
QoS:
Routing
PPP
router1:
interface FastEthernet0
ip address 192.168.1.254 255.255.255.0
!
interface Serial0
ip address 192.1.1.1 255.255.255.0
encapsulation ppp
!
no ip classless
! static route to the remote LAN
ip route 192.168.2.0 255.255.255.0 192.1.1.2
!
router2:
interface FastEthernet0
ip address 192.168.2.254 255.255.255.0
!
interface Serial0
ip address 192.1.1.2 255.255.255.0
encapsulation ppp
!
no ip classless
! static route to the remote LAN
ip route 192.168.1.0 255.255.255.0 192.1.1.1
!
PPP-Auth-PAP
This is an example of unidirectional authentication.
router1 (server):
username remote password cisco
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
encapsulation ppp
ppp authentication pap
router2 (client):
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
encapsulation ppp
ppp pap sent-username remote password 0 cisco
PPP-Auth-CHAP
router1:
hostname r1
username r2 password cisco
!
interface Serial1/0
ip address 192.168.1.1 255.255.255.0
encapsulation ppp
ppp authentication chap
router2:
hostname r2
username r1 password cisco
!
interface Serial1/0
ip address 192.168.1.2 255.255.255.0
encapsulation ppp
ppp authentication chap
PPP using E1
Router1:
card type e1 5 0
!
controller E1 5/0/1
framing NO-CRC4
channel-group 0 timeslots 1-31
!
interface Serial5/0/1:0
description ## E1 connected to sfax gremda km 4##
ip address 192.168.111.5 255.255.255.252
encapsulation ppp
!
Multilink
router1:
interface Multilink1
ip address 192.168.0.1 255.255.255.0
ppp multilink
ppp multilink group 1
!
interface Serial1/0
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
no shut
!
interface Serial1/1
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
no shut
!
IP over X25
Method 1:
!
interface Ethernet0
ip address 194.147.160.254 255.255.255.0
!
interface Serial0
ip address 192.1.1.1 255.255.255.0
encapsulation x25
x25 address 133014389
x25 htc 2
x25 idle 1
x25 nvc 2
x25 suppress-calling-address
! x25 map ip (remote wan) (remote x25)
x25 map ip 192.1.1.2 112010132
x25 map ip 192.1.1.3 112010167
!
ip route 193.1.1.0 255.255.255.0 192.1.1.2
ip route 193.2.1.0 255.255.255.0 192.1.1.3
!
Method 2:
!
interface Serial0
no ip address
encapsulation x25
x25 htc 2
!
interface serial 0.1
ip address 192.1.1.1 255.255.255.0
x25 map ip 192.1.1.2 112010132
!
interface serial 0.2
ip address 193.1.1.1 255.255.255.0
x25 map ip 193.1.1.2 112233441
!
X25 switcher:
x25 routing
!
interface Serial0
no ip address
encapsulation x25 dce
clock rate 64000
!
interface Serial1
no ip address
encapsulation x25 dce
clock rate 64000
!
x25 route 4321 interface Serial0
x25 route 1234 interface Serial1
!
X25OverIP (XoT)
X25 host—x25 network—router1—IP/PPP—router2—x25 host
hostname router1
x25 routing
!
interface Serial0
ip address 170.1.1.2 255.255.255.0
encapsulation ppp
!
interface Serial1
no ip address
encapsulation x25
x25 address 1234
!
x25 route 1111 ip 170.1.1.1
x25 route 4321 interface serial 1
!
IP over frame relay
HQ:
interface Ethernet0
ip address 10.1.1.1 255.0.0.0
!
interface Serial0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0.16 point-to-point
description Frame Relay avec agence1
ip address 192.168.1.1 255.255.255.0
frame-relay interface-dlci 16
!
interface Serial0.17 point-to-point
description Frame Relay avec agence 2
ip address 192.168.2.1 255.255.255.0
frame-relay interface-dlci 17
!
ip route 20.0.0.0 255.0.0.0 192.168.1.2
ip route 30.0.0.0 255.0.0.0 192.168.2.2
Remote site:
interface Ethernet0
ip address 20.1.1.1 255.0.0.0
!
interface Serial0
no ip address
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0.16 point-to-point
description Frame Relay avec siège
ip address 192.168.1.2 255.255.255.0
frame-relay interface-dlci 16
!
ip route 10.0.0.0 255.0.0.0 192.168.1.1
Mark DE bit for non-interesting traffic
frame-relay de-list 1 protocol ip list 150
!
interface serial 0.1 point-to-point
ip address 192.168.1.5 255.255.255.252
frame-relay interface-dlci 100
frame-relay de-group 1 100
!
access-list 150 permit tcp any any eq www
FR switching
Router1(dlci30)—(s1)FR switcher(s2)—(dlci20)router2
frame-relay switching
!
interface Serial1
encapsulation frame-relay
frame-relay policing
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay interface-dlci 30 switched
class agence1
!
interface Serial2
encapsulation frame-relay
frame-relay lmi-type ansi
frame-relay intf-type dce
frame-relay interface-dlci 20 switched
class agence1
!
connect 30-20 Serial1 30 Serial2 20
!
map-class frame-relay agence1
frame-relay cir 64000
frame-relay bc 64000
frame-relay be 0
Frame relay traffic shaping to avoid data loss due to switch policing
interface Serial0/0
no ip address
encapsulation frame-relay
frame-relay traffic-shaping
!
interface Serial0/0.1 point-to-point
ip address 10.1.1.1 255.255.255.0
frame-relay interface-dlci 16
frame-relay class agence1
!
map-class frame-relay agence1
frame-relay cir 16000
frame-relay mincir 16000
frame-relay bc 16000
frame-relay be 0
FECN and BECN marking at the class level and interface level
match fr-dlci 100
bridge1:
interface Ethernet0
ip address 10.10.10.254 255.255.255.0
bridge-group 1
!
interface Serial0
ip address 192.168.0.1 255.255.255.0
bridge-group 1
!
no ip classless
bridge 1 protocol ieee
!
IRB
The configuration allows bridging IP between two Ethernet interfaces, and routing IP from bridged interfaces using a Bridged Virtual Interface (BVI).
hostname R1
!
ip subnet-zero
no ip domain-lookup
bridge irb
!
interface Ethernet0
no ip address
no ip directed-broadcast
bridge-group 1
!
interface Ethernet1
no ip address
no ip directed-broadcast
bridge-group 1
!
interface Serial0
ip address 10.10.20.1 255.255.255.0
!
interface BVI1
ip address 10.10.10.1 255.255.255.0
!
ip route 10.10.30.0 255.255.255.0 10.10.20.2
!
bridge 1 protocol ieee
bridge 1 route ip
Shared PSTN connection to internet
chat-script modem "" "atdt\T" TIMEOUT 60 CONNECT \c
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
!
interface Serial0
physical-layer async
no ip address
ip nat outside
encapsulation ppp
dialer in-band
dialer rotary-group 1
dialer-group 1
async mode dedicated
no cdp enable
!
interface Dialer1
ip address negotiated
no ip directed-broadcast
ip nat outside
encapsulation ppp
dialer in-band
dialer idle-timeout 300
dialer string 1616 modem-script modem
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname myname
ppp chap password mypasswd
!
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
line 1
modem InOut
transport input all
stopbits 1
flowcontrol hardware
speed 115200
Connect 2 remote sites via BRI
HQ:
hostname siege
!
username agence1 password AZERTY
username agence2 password AZERTY
!
isdn switch-type basic-net3
!
interface Dialer 1
description connected to agence1
ip address 190.1.1.1 255.255.255.252
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer string 1111
dialer remote-name agence1
dialer-group 5
dialer pool 1
ppp authentication chap
no ppp multilink
no cdp enable
!
interface Dialer 2
description connected to agence2
ip address 191.1.1.1 255.255.255.252
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer string 4187
dialer remote-name agence2
dialer-group 5
dialer pool 1
ppp authentication chap
no ppp multilink
no cdp enable
!
interface BRI 0
description connected to agence1,agence2
no ip address
encapsulation ppp
dialer pool-member 1
!
ip route 192.168.1.0 255.255.255.0 Dialer1
ip route 192.168.2.0 255.255.255.0 Dialer2
!
dialer-list 5 protocol ip permit
Remote site:
hostname agence1
!
username siege password AZERTY
!
isdn switch-type basic-net3
!
interface Dialer 1
description connected to siege
ip address 190.1.1.2 255.255.255.252
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer hold-queue 10
dialer map ip 190.1.1.1 name siege speed 64 4321
dialer-group 6
ppp authentication chap
no ppp multilink
no cdp enable
!
interface BRI 0
no shutdown
description connected to siege
no ip address
dialer rotary-group 1
!
dialer-list 6 protocol ip permit
!
ip route 180.1.1.0 255.255.255.0 Dialer1
Connect many remote sites via PRI
HQ:
hostname cisco3620
!
card type e1 3
!
username Cisco801_1 password test
username Cisco801_2 password test
!
isdn switch-type primary-net5
!
controller E1 1/0
no shutdown
framing crc4
linecode hdb3
pri-group timeslots 1-31
!
interface Dialer 1
description connected to Cisco801_1
ip address 10.10.1.1 255.255.255.252
no ip split-horizon
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer remote-name Cisco801_1
dialer-group 1
dialer pool 1
ppp authentication chap
no ppp multilink
no cdp enable
!
interface Dialer 2
description connected to Cisco801_2
ip address 10.10.2.1 255.255.255.252
no ip split-horizon
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer remote-name Cisco801_2
dialer-group 1
dialer pool 2
ppp authentication chap
no ppp multilink
no cdp enable
!
interface Ethernet 0/0
no shutdown
description connected to EthernetLAN
ip address 192.168.0.1 255.255.255.0
!
interface Serial 1/0:15
no shutdown
description connected to Cisco801_1,Cisco801_2
no ip address
encapsulation ppp
dialer pool-member 2
dialer pool-member 1
!
dialer-list 1 protocol ip permit
!
ip classless
! routes to the LANs behind each remote site
ip route 192.168.1.0 255.255.255.0 10.10.1.2
ip route 192.168.2.0 255.255.255.0 10.10.2.2
!
Remote site:
hostname Cisco801_1
username Cisco3620 password test
!
isdn switch-type basic-net3
!
interface Dialer 1
description connected to siege
ip address 10.10.1.2 255.255.255.252
encapsulation ppp
dialer in-band
dialer idle-timeout 120
dialer hold-queue 10
dialer map ip 10.10.1.2 name siege speed 64 4321
dialer-group 1
ppp authentication chap
no cdp enable
!
interface BRI 0
no shutdown
description connected to siege
no ip address
dialer rotary-group 1
!
dialer-list 1 protocol ip permit
!
ip route 192.168.0.0 255.255.255.0 Dialer1
ISDN callback
Callback server:
!
interface bri 0
ip address 7.1.1.7 255.255.255.0
encapsulation ppp
dialer callback-secure
dialer enable-timeout 2
dialer map ip 7.1.1.8 name atlanta class dial1 81012345678901
dialer-group 1
ppp callback accept
ppp authentication chap
!
map-class dialer dial1
dialer callback-server username
Callback client:
!
interface bri 0
ip address 7.1.1.8 255.255.255.0
encapsulation ppp
dialer map ip 7.1.1.7 name dallas 81012345678902
dialer-group 1
ppp callback request
ppp authentication chap
dialer hold-queue timeout 30
!
RAS via PSTN (AUX port)
hostname Cisco1720
!
username pc1 password pc1
!
interface Dialer 1
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet 0
ip tcp header-compression passive
encapsulation ppp
dialer in-band
dialer-group 1
ppp authentication chap
no cdp enable
peer default ip address pool Cisco1720-Group-1
!
interface FastEthernet 0
no shutdown
description connected to EthernetLAN
ip address 192.168.0.1 255.255.255.0
no keepalive
!
interface Async 5
no shutdown
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet 0
async mode dedicated
dialer rotary-group 1
!
ip local pool Cisco1720-Group-1 192.168.0.100 192.168.0.100
ip classless
!
line aux 0
exec
autoselect ppp
autoselect during-login
login local
modem InOut
transport input all
stopbits 1
speed 38400
flowcontrol hardware
!
end
RAS via PRI
username user1 password pass1
!
isdn switch-type primary-net5
!
controller E1 3/0
framing NO-CRC4
pri-group timeslots 1-31
!
interface FastEthernet0/0
ip address 10.15.20.1 255.255.0.0
!
interface Serial3/0:15
ip unnumbered FastEthernet0/0
encapsulation ppp
dialer-group 1
isdn switch-type primary-net5
isdn incoming-voice modem
peer default ip address pool default
compress predictor
ppp authentication chap
!
interface Group-Async3
ip unnumbered FastEthernet0/0
encapsulation ppp
ip tcp header-compression passive
async mode dedicated
peer default ip address pool default
ppp authentication chap pap
group-range 129 158
!
ip local pool default 10.15.100.1 10.15.100.100
!
line 129 158
modem Dialin
transport preferred all
transport output all
autoselect during-login
autoselect ppp
!
VPN-Site-to-Site
We need to build a site-to-site VPN. All traffic from 172.25.0.0 to 172.24.0.0 will be encrypted. When a packet exits the WAN interface, its source IP address becomes 192.168.1.121 and its destination becomes 192.168.1.12. The data is encrypted.
router1:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mykey address 192.168.1.12
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
description Tunnel to192.168.1.12
set peer 192.168.1.12
set transform-set myset
match address 100
!
interface FastEthernet0/0
! LAN interface: needs a host address inside 172.25.0.0/16 (172.25.0.1 is an assumed value)
ip address 172.25.0.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.121 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
ip classless
ip route 172.24.0.0 255.255.0.0 192.168.1.12
!
! traffic to encrypt: local LAN to remote LAN
access-list 100 permit ip 172.25.0.0 0.0.255.255 172.24.0.0 0.0.255.255
router2:
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mykey address 192.168.1.121
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto map mymap 1 ipsec-isakmp
description Tunnel to192.168.1.121
set peer 192.168.1.121
set transform-set myset
match address 100
!
interface FastEthernet0/0
! LAN interface: needs a host address inside 172.24.0.0/16 (172.24.0.1 is an assumed value)
ip address 172.24.0.1 255.255.0.0
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.1.12 255.255.255.0
duplex auto
speed auto
crypto map mymap
!
ip classless
ip route 172.25.0.0 255.255.0.0 192.168.1.121
!
! traffic to encrypt: local LAN to remote LAN
access-list 100 permit ip 172.24.0.0 0.0.255.255 172.25.0.0 0.0.255.255
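A site-to-site tunnel only comes up when both ends agree on the ISAKMP policy, the pre-shared key and the transform set, point at each other's crypto-map interface, and use crypto access lists that are mirror images. The following is an added example, not part of the original site, that compares two peer configurations on exactly those points; the function names config, facts and mismatches are assumptions, and the parser only understands the command shapes used in the configuration above.

```python
import re


def config(local_ip, peer_ip, local_lan, remote_lan, key="mykey"):
    """Build one peer's IPsec configuration in the shape used on this page."""
    return f"""\
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key {key} address {peer_ip}
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto map mymap 1 ipsec-isakmp
set peer {peer_ip}
set transform-set myset
match address 100
interface FastEthernet0/1
ip address {local_ip} 255.255.255.0
crypto map mymap
access-list 100 permit ip {local_lan} 0.0.255.255 {remote_lan} 0.0.255.255
"""


def facts(cfg):
    """Pull out the settings that both ends of the tunnel must agree on."""
    f = {"policy": [], "acl": set(), "last_ip": None}
    for line in (l.strip() for l in cfg.splitlines()):
        w = line.split()
        if re.match(r"(encr|encryption|hash|authentication|group) ", line):
            f["policy"].append(line)
        elif line.startswith("crypto isakmp key "):
            f["key"], f["key_peer"] = w[3], w[5]
        elif line.startswith("crypto ipsec transform-set "):
            f["transform"] = tuple(w[4:])
        elif line.startswith("set peer "):
            f["peer"] = w[2]
        elif line.startswith("ip address "):
            f["last_ip"] = w[2]
        elif line.startswith("crypto map ") and len(w) == 3:
            f["local"] = f["last_ip"]     # interface the crypto map is applied to
        elif re.match(r"access-list \d+ permit ip ", line):
            f["acl"].add(tuple(w[4:8]))   # (source, wildcard, destination, wildcard)
    return f


def mismatches(cfg_a, cfg_b):
    """Return the points on which routers A and B disagree (empty list = consistent)."""
    a, b = facts(cfg_a), facts(cfg_b)
    out = []
    if a["policy"] != b["policy"]:
        out.append("ISAKMP policies differ")
    if a.get("key") != b.get("key"):
        out.append("pre-shared keys differ")
    if a.get("transform") != b.get("transform"):
        out.append("transform sets differ")
    for x, y, name in ((a, b, "A"), (b, a, "B")):
        if x.get("peer") != y.get("local") or x.get("key_peer") != y.get("local"):
            out.append(f"router {name}: peer or key address is not the other "
                       "router's crypto-map interface")
    mirrored = {(d, dw, s, sw) for s, sw, d, dw in b["acl"]}
    if a["acl"] != mirrored:
        out.append("crypto access lists are not mirror images")
    return out
```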
GRE Tunnel
Generic Routing Encapsulation (GRE) tunnels are the simplest form of VPN, able to transport multiprotocol and IP multicast traffic (for example, routing updates).
router1:
interface fastethernet0
ip address 10.0.0.1 255.255.255.0
!
interface s0
ip address 92.68.1.1 255.255.255.0
encapsulation ppp
!
interface tunnel 0
! tunnel source and destination take an address only, without a mask
tunnel source 92.68.1.1
tunnel destination 17.2.2.5
tunnel mode gre ip
ip mtu 1400
ip tcp adjust-mss 1360
no shutdown
!
ip route 17.2.2.0 255.255.255.0 serial 0
ip route 20.0.0.0 255.255.255.0 tunnel 0
router2:
interface fastethernet0
ip address 20.0.0.1 255.255.255.0
!
interface s0
ip address 17.2.2.5 255.255.255.0
encapsulation ppp
!
interface tunnel 0
! tunnel source and destination take an address only, without a mask
tunnel source 17.2.2.5
tunnel destination 92.68.1.1
tunnel mode gre ip
ip mtu 1400
ip tcp adjust-mss 1360
no shutdown
!
ip route 92.68.1.0 255.255.255.0 serial 0
ip route 10.0.0.0 255.255.255.0 tunnel 0
IPv6IP Tunnel
An IPv6IP tunnel can be used to connect two IPv6 networks via one IPv4 network.
IPv6 Network1---DualStack Router1----IPv4 cloud----DualStack Router2-----IPv6 Network2
DualStack router1:
ipv6 unicast-routing
!
interface fastethernet0
ipv6 address 2001:410:1:20::/64 eui-64
!
interface s0
ip address 92.68.1.1 255.255.255.0
ipv6 address 2001:410:1:10::/64 eui-64
encapsulation ppp
!
interface tunnel 0
ipv6 address 2001:410:1:50::/64 eui-64
! tunnel source and destination take an address only, without a mask
tunnel source 92.68.1.1
tunnel destination 17.2.2.5
tunnel mode ipv6ip
no shutdown
!
ip route 17.2.2.0 255.255.255.0 serial 0
ipv6 route 2001:410:1:30::/64 tunnel 0
DualStack router2:
ipv6 unicast-routing
!
interface fastethernet0
ipv6 address 2001:410:1:30::/64 eui-64
!
interface s0
ip address 17.2.2.5 255.255.255.0
ipv6 address 2001:410:1:10::/64 eui-64
encapsulation ppp
!
interface tunnel 0
! tunnel source and destination take an address only, without a mask
tunnel source 17.2.2.5
tunnel destination 92.68.1.1
tunnel mode ipv6ip
no shutdown
!
ip route 92.68.1.0 255.255.255.0 serial 0
ipv6 route 2001:410:1:20::/64 tunnel 0
Dynamic NAT one to one
! define what addresses are to be converted
access-list 1 permit 10.0.0.1 0.0.0.255
! define the pool of addresses to use for translation and what interfaces and addresses to use
ip nat pool simple-nat-pool 123.123.123.1 123.123.123.254 netmask 255.255.255.0
ip nat inside source list 1 pool simple-nat-pool
! declare inside interfaces
interface e0
ip address 10.0.0.1 255.255.255.0
ip nat inside
! declare outside interface
interface s0
ip address 144.144.144.1 255.255.255.0
ip nat outside
Static NAT
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat pool natpool 222.12.12.2 222.12.12.254 netmask 255.255.255.0
ip nat inside source static 10.0.0.1 222.10.10.1
ip nat inside source list 1 pool natpool
! declare inside interfaces
interface e0
ip address 10.0.0.1 255.255.255.0
ip nat inside
! declare outside interface
interface s0
ip address 144.14.14.1 255.255.255.0
ip nat outside
Policy NAT
If host 10.1.1.15 goes to 209.165.0.1, it is translated to 193.1.1.1.
If host 10.1.1.15 goes to 145.125.4.2, it is translated to 193.1.1.2.
access-list 101 permit ip host 10.1.1.15 host 209.165.0.1
access-list 102 permit ip host 10.1.1.15 host 145.125.4.2
!
route-map company-A permit 10
match ip address 101
!
route-map company-B permit 10
match ip address 102
!
! route-map names are case-sensitive and must match the definitions above
ip nat inside source static 10.1.1.15 193.1.1.1 route-map company-A
ip nat inside source static 10.1.1.15 193.1.1.2 route-map company-B
Overload
! define what addresses are to be converted
access-list 1 permit 10.0.0.1 0.0.0.255
! define the pool of addresses to use for translation and what interfaces and addresses to use
ip nat pool natpool 123.123.123.1 123.123.123.2 netmask 255.255.255.0
ip nat inside source list 1 pool natpool overload
! declare inside interfaces
interface e0
ip address 10.0.0.1 255.255.255.0
ip nat inside
! declare outside interface
interface s0
ip address 144.14.14.1 255.255.255.0
ip nat outside
Load distribution
! declare the pool
ip nat pool company-A 188.88.88.1 188.88.88.4 prefix-length 24
! declare the translation
ip nat outside destination list 1 pool company-A rotary
! declare the access-list for translation candidates
access-list 1 permit 188.88.88.88 0.0.0.0
! declare the interfaces
interface S0
ip nat outside
interface E0
ip nat inside
NAT in both directions
We need PC1 to be able to connect to PC2 using its internal address (10.18.1.2), and vice versa.
PC1(10.95.1.2)---(10.95.1.1)router1-------Internet----------router2(10.18.1.1)-----(10.18.1.2)PC2
Public address on the router1 side: 193.95.40.82. Public address on the router2 side: 193.95.21.31.
router1:
interface FastEthernet0
ip address 10.95.1.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 192.168.1.2 255.255.255.0
ip nat outside
encapsulation ppp
!
ip nat inside source static 10.95.1.2 193.95.40.82
ip nat outside source static 193.95.21.31 10.18.1.2
router2:
interface FastEthernet0
ip address 10.18.1.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 192.168.1.1 255.255.255.0
ip nat outside
encapsulation ppp
!
ip nat inside source static 10.18.1.2 193.95.21.31
ip nat outside source static 193.95.40.82 10.95.1.2
PAT
We need to hide the real TCP port that the server is listening on.
Internal server (172.16.10.8) listening on port 8080---Fe0/S0-----outside client connects to server on port 80
interface FastEthernet0
ip address 172.16.10.1 255.255.255.0
ip nat inside
!
interface Serial0
ip address 200.200.200.5 255.255.255.252
ip nat outside
encapsulation ppp
!
ip nat inside source static tcp 172.16.10.8 8080 172.16.10.8 80
Port forwarding
We need to publish many internal services (web, smtp, ftp…) using just one public IP address (171.68.1.1).
interface Ethernet0
ip address 192.168.0.254 255.255.255.0
ip nat inside
!
interface Serial0
ip address 171.68.1.1 255.255.255.240
ip nat outside
!
access-list 1 permit 192.168.0.0 0.0.0.255
ip nat inside source list 1 interface serial0 overload
!
ip nat inside source static tcp 192.168.0.5 80 171.68.1.1 80 extendable
ip nat inside source static tcp 192.168.0.6 25 171.68.1.1 25 extendable
!
ip route 0.0.0.0 0.0.0.0 171.68.1.254