Routing - How to
The full syntax of the set nat entry add command, specifying the source and destination addresses, ports, and IP protocol, is:
set nat entry add {inside address} {port} {outside PAT address} {port} {ip protocol}
For the IP protocols TCP, UDP, and ICMP, the keywords tcp, udp, and icmp are defined for the IP protocol field. For example, this entry specifies TCP port 25 as both the inside and outside port:
set nat entry add 10.0.0.50 25 103.1.1.1 25 tcp
For an IP protocol other than TCP, UDP, or ICMP, use the protocol number and set both port values to 0. For example, this entry adds the Generic Routing Encapsulation (GRE) IP protocol (protocol number 47) to the table:
set nat entry add 10.0.0.50 0 103.1.1.1 0 47
You can also use a wildcard method in which only the inside IP address, port, and IP protocol are defined. With this method, the default outside IP address is assumed as the outside NAT address, and the outside port and IP protocol are the same as the inside port and IP protocol. This is especially useful when the default outside IP address changes, for example when a user running PPPoA obtains a new address from the service provider. For example,
set nat entry add 10.0.0.2 25 200.1.1.1 25 tcp
can be shortened to
set nat entry add 10.0.0.2 25 tcp
In Cisco Broadband Operating System (CBOS) versions 2.4(1) and later, you
can use port ranges. The ports do not have to be the same, but the range of
ports must be consistent. For example,
set nat entry add {inside address} {port range} {outside NAT address} {port range} {protocol}
set nat entry add 10.0.0.2 10-20 200.1.1.1 30-40 tcp
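The following is an added example, not code from the original page or from Cisco, that encodes the set nat entry add rules above (full and wildcard forms, protocol keywords versus protocol numbers with port 0, port ranges of equal size) as a small validator for reviewing a list of PAT entries before they are applied. The function names are the example's own.

```python
import ipaddress
import re

# CBOS protocol keywords; anything else is a protocol number and needs port 0 on both sides (e.g. 47 = GRE).
PROTO_KEYWORDS = {"tcp", "udp", "icmp"}

def _parse_ports(token):
    """Accept a single port or an inclusive 'lo-hi' range; return (lo, hi)."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", token)
    if not m:
        raise ValueError(f"bad port spec: {token!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {token!r}")
    return lo, hi

def parse_nat_add(command):
    """Parse one 'set nat entry add' line into a dict; raise ValueError if malformed."""
    words = command.split()
    if words[:4] != ["set", "nat", "entry", "add"]:
        raise ValueError("not a 'set nat entry add' command")
    args = words[4:]
    if len(args) == 3:      # wildcard form: inside address, port, protocol
        inside, in_port, proto = args
        outside, out_port = None, in_port   # default outside address; port mirrors inside
    elif len(args) == 5:    # full form
        inside, in_port, outside, out_port, proto = args
        ipaddress.IPv4Address(outside)      # AddressValueError (a ValueError) if malformed
    else:
        raise ValueError(f"expected 3 or 5 arguments after 'add', got {len(args)}")
    ipaddress.IPv4Address(inside)
    in_ports, out_ports = _parse_ports(in_port), _parse_ports(out_port)
    # Ranges need not be identical, but must cover the same number of ports.
    if in_ports[1] - in_ports[0] != out_ports[1] - out_ports[0]:
        raise ValueError("inside and outside port ranges differ in size")
    proto = proto.lower()
    if proto not in PROTO_KEYWORDS:
        if not proto.isdigit() or int(proto) > 255:
            raise ValueError(f"unknown protocol: {proto!r}")
        if in_ports != (0, 0) or out_ports != (0, 0):
            raise ValueError("protocols other than tcp/udp/icmp must use port 0")
    return {"inside": inside, "inside_ports": in_ports, "outside": outside,
            "outside_ports": out_ports, "protocol": proto}

def nat_add_error(command):  # None when the command is valid, else the validation message
    try:
        parse_nat_add(command)
        return None
    except ValueError as exc:
        return str(exc)
```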
To remove an entry, issue the set nat entry delete command. The
following options are available:
set nat entry delete all
set nat entry delete {inside address} – match entries with same inside address
set nat entry delete {outside address} – match entries with same outside address
set nat entry delete {inside address} {port} {protocol} – match inside address, port, and protocol
set nat entry delete {inside address} {port} {outside address} {port} {protocol} – match entire entry
To allow Telnet to a device behind the Cisco 600, add one of the following commands:
set nat entry add {internal device address} 23 {outside NAT address} 23 tcp
set nat entry add {internal device address} 23 tcp
Point-to-Point Tunneling Protocol (PPTP) uses TCP port 1723 and IP protocol 47 (GRE).
Issue the set nat entry add command with both of the following entries:
set nat entry add {internal device address} 0 {outside NAT address} 0 47
set nat entry add {internal device address} 1723 {outside NAT address} 1723 tcp
L2TP and L2F both use UDP port 1701.
To allow an L2TP or L2F session through PAT, use the set nat entry add
command with the following values:
set nat entry add {internal device address} 1701 {outside NAT address} 1701 udp
There are many implementations of IP Security (IPsec) but not all of them
can be used with PAT on the Cisco 600.
The following examples have been tested only with Cisco's VPN solution;
success with other vendors' solutions is not guaranteed.
Some Cisco VPN clients can embed the IPsec packets into a UDP/TCP port
that is specified on the client and server sides. In this scenario, a static
PAT entry can be added that matches the ports used. For example, if the VPN
client and server are set to embed IPsec packets within UDP packets of port
8000, the following command would be added:
set nat entry add {inside client address} 8000 {outside PAT address} 8000 udp
To set the interface metric manually on Windows XP (overriding the Automatic Metric feature), open the connection's properties under Network Connections and go to Internet Protocol (TCP/IP)>Properties>General>Advanced. On the IP Settings tab, clear the Automatic metric check box, and then enter the metric you want in the Interface Metric field.
RRAS is installed on Windows 2000 Server by default, but not activated. To set up Windows 2000/2003 as a router for a LAN, you need two network adapters. To enable LAN routing, go to Administrative Tools>Routing and Remote Access>Action>Configure and Enable Routing and Remote Access, and complete the wizard. Then right-click the server for which you want to enable routing, click Properties>General>Router, check Local area network (LAN) routing only, and click OK.
To display the routing table, use the netstat -r command or the route print command.
To disable IP routing, go to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters and set 'IPEnableRouter' to 0.
Depending on your OS, there are two ways to enable IP routing: 1) on Windows 2000 Server, install Routing and Remote Access; 2) on Windows 2000/XP Professional, set IPEnableRouter=0x01 under HKLM\System\CurrentControlSet\Services\TCPIP\Parameters in the registry. Note: the default value is 0.
Symptom:
When attempting to connect to a VPN server on the outside of the PIX, the connection attempt returns error 721, the computer failed to respond.
Resolution:
To pass PPTP through a PIX, you must have a one-to-one mapping from the external IP to an internal IP for IP protocol 47 (GRE) packets and TCP port 1723. For PPTP, add:
conduit permit gre host x.x.x.197 any
conduit permit tcp host x.x.x.197 eq 1723 any
For L2TP over IPsec, add:
conduit permit esp host x.x.x.197 any
conduit permit udp host x.x.x.197 eq 1701 any
conduit permit udp host x.x.x.197 eq 500 any
Q: I have a W2K server at work with two NIC cards hooked to two different networks. I have turned on IP forwarding in the registry, but when I try to ping an address on the 2nd network the ping gets routed through the gateway for the 1st network. How can I fix this? Here is the route table.
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 02 55 1a 71 38 ...... Intel 8255x-based Integrated Fast Ethernet
0x3000004 ...00 02 2a f1 3e 6f ...... NDIS 5.0 driver
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.175.140.1 130.175.140.102 1
0.0.0.0 0.0.0.0 10.219.217.1 10.219.217.252 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.175.140.0 255.255.255.0 192.175.140.102 192.175.140.102 1
192.175.140.102 255.255.255.255 127.0.0.1 127.0.0.1 1
192.175.255.255 255.255.255.255 192.175.140.102 192.175.140.102 1
10.219.217.0 255.255.255.0 10.219.217.252 10.219.217.252 1
10.219.217.252 255.255.255.255 127.0.0.1 127.0.0.1 1
10.219.255.255 255.255.255.255 10.219.217.252 10.219.217.252 1
224.0.0.0 224.0.0.0 192.175.140.102 192.175.140.102 1
224.0.0.0 224.0.0.0 10.219.217.252 10.219.217.252 1
255.255.255.255 255.255.255.255 192.175.140.102 192.175.140.102 1
Default Gateway: 192.175.140.1
===========================================================================
Persistent Routes:
None
A: Assuming you don't have a router
connecting to the Internet, you should delete the following line:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 130.175.140.1 130.175.140.102 1
0.0.0.0 0.0.0.0 143.219.217.1 143.219.217.252 1
Default Gateway: 130.175.140.1
In other words, you should not have multiple default gateways (0.0.0.0) in the same network, and don't assign gateway IPs on both NICs.
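Added example, not part of the original question or answer: a small audit that parses the Active Routes section of route print output (the command given above for displaying the routing table) and reports the condition the answer describes, a 0.0.0.0 default route reachable via more than one gateway. The sample output is constructed from the addresses in the question, and the function names are the example's own.

```python
import ipaddress

# Constructed sample modelled on the 'route print' output in the question above
# (two default routes, one per NIC); header and separator lines are kept on purpose.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.175.140.1  192.175.140.102      1
          0.0.0.0          0.0.0.0     10.219.217.1   10.219.217.252      1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1      1
    192.175.140.0    255.255.255.0  192.175.140.102  192.175.140.102      1
     10.219.217.0    255.255.255.0   10.219.217.252   10.219.217.252      1
Default Gateway:     192.175.140.1
===========================================================================
"""

def parse_active_routes(text):
    """Return (destination, netmask, gateway, interface, metric) tuples from 'route print' output."""
    routes, in_table = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) != 5:
            continue   # separators, the column header and 'Default Gateway:' have other widths
        try:
            dest, mask, gw, ifc = (str(ipaddress.IPv4Address(f)) for f in fields[:4])
        except ValueError:
            continue   # not four addresses, so not a route row
        routes.append((dest, mask, gw, ifc, int(fields[4])))
    return routes

def audit_default_routes(routes):
    """Report the misconfiguration the answer describes: 0.0.0.0/0 reachable via more than one gateway."""
    defaults = [(gw, ifc) for dest, mask, gw, ifc, _ in routes if dest == mask == "0.0.0.0"]
    if len({gw for gw, _ in defaults}) <= 1:
        return []
    return ["multiple default gateways: " + ", ".join(f"{gw} on {ifc}" for gw, ifc in defaults)]

if __name__ == "__main__":
    for finding in audit_default_routes(parse_active_routes(SAMPLE_ROUTE_PRINT)):
        print(finding)
```

On a live host, feed the function the captured output of route print instead of the constructed sample.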