Archive for July, 2010

Cisco 2600/2800 NAT, Static Translation, ACL, and Net Flow all together

July 3, 2010

The configuration below is for my own use but if you find it helpful, please feel free to use it. If you could leave a comment, I’ll know I helped someone.

In this case FastEthernet 0/1 is the outside interface and FastEthernet 0/0 is the inside interface. I’m permitting printing (TCP port 9100) from any Internet IP address to the internal IP address 172.16.3.21, which the static translation maps to 192.168.16.21 on the outside. Note that access-list 121 references the outside address 192.168.16.21 rather than 172.16.3.21, because an inbound ACL on the outside interface is evaluated against the packet as received, before NAT translates the destination.
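As an added illustration (not part of the original post), the model below walks a packet arriving from the Internet through the same two steps the router performs: first the inbound ACL on the outside interface, then the static translation. The rule table mirrors access-list 121 and the static NAT line from the configuration; the Packet addresses used in the examples are constructed, and the model deliberately ignores the CBAC inspection (ip inspect inter out), which would additionally admit return traffic for sessions opened from the inside.

```python
import ipaddress

# Model of access-list 121 as it appears in the running-config: first match wins,
# and IOS appends an implicit "deny ip any any". Each entry is
# (action, protocol, source, destination, qualifier); the qualifier is an ICMP
# message type, a destination port, or None.
ACL_121 = [
    ("permit", "icmp", "any", "any", "administratively-prohibited"),
    ("permit", "icmp", "any", "any", "echo"),
    ("permit", "icmp", "any", "any", "echo-reply"),
    ("permit", "icmp", "any", "any", "packet-too-big"),
    ("permit", "icmp", "any", "any", "time-exceeded"),
    ("permit", "icmp", "any", "any", "unreachable"),
    ("permit", "tcp", "any", "192.168.16.21/32", 9100),   # remark lib_prn
    ("deny", "ip", "any", "any", None),                   # logged deny
]

# "ip nat inside source static 172.16.3.21 192.168.16.21": inside local -> inside global
STATIC_NAT = {"172.16.3.21": "192.168.16.21"}
GLOBAL_TO_LOCAL = {g: l for l, g in STATIC_NAT.items()}


def _match_addr(spec, addr):
    """'any' or a CIDR/host specification against a single address."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def acl_lookup(acl, proto, src, dst, qualifier=None):
    """Return 'permit' or 'deny' using first-match semantics with implicit deny."""
    for action, p, s, d, q in acl:
        if p != "ip" and p != proto:
            continue
        if not _match_addr(s, src) or not _match_addr(d, dst):
            continue
        if q is not None and q != qualifier:
            continue
        return action
    return "deny"  # implicit deny at the end of every IOS ACL


def inbound_from_internet(proto, src, dst_global, qualifier=None):
    """Outside-to-inside order of operations: the inbound ACL on the outside
    interface sees the untranslated (global) destination; only after a permit
    does NAT rewrite it to the inside local address. Returns (verdict, inside_dst)."""
    verdict = acl_lookup(ACL_121, proto, src, dst_global, qualifier)
    if verdict != "permit":
        return ("deny", None)
    return ("permit", GLOBAL_TO_LOCAL.get(dst_global, dst_global))


if __name__ == "__main__":
    # Constructed sample packets (203.0.113.0/24 is documentation space, not a real host).
    print(inbound_from_internet("tcp", "203.0.113.5", "192.168.16.21", 9100))   # permit -> 172.16.3.21
    print(inbound_from_internet("tcp", "203.0.113.5", "192.168.16.21", 23))     # deny
    print(inbound_from_internet("tcp", "203.0.113.5", "172.16.3.21", 9100))     # deny: wrong address for this ACL
    print(inbound_from_internet("icmp", "203.0.113.5", "192.168.16.253", "echo"))  # permit, no translation
```

The third sample is the mistake this model is meant to make visible: an entry written against 172.16.3.21 never matches on the outside interface, because the ACL runs before the translation. Anything that reaches the printer from the Internet is therefore exactly what the 9100 entry allows, which is also what the "deny ip any any log" entry will not record, so the NetFlow export is the place to watch that traffic.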

Building configuration…

Current configuration : 3638 bytes
!
! Last configuration change at 11:33:21 PDT Sat Jul 3 2010 by admin
! NVRAM config last updated at 11:33:22 PDT Sat Jul 3 2010 by admin
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SD-DH3-DSL-Router
!
boot-start-marker
boot system flash c2600-io3-mz.123-26.bin
boot-end-marker
!
enable password *&%@$^%!@*^%$!@$
!
clock timezone PST -8
clock summer-time PDT recurring
no aaa new-model
ip subnet-zero
ip flow-cache timeout active 1
ip cef
!
!
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name inter tcp
ip inspect name inter udp
ip inspect name inter ftp
ip inspect name inter http
ip inspect name inter smtp
ip inspect name inter tftp
ip inspect name inter cuseeme
ip inspect name inter h323
ip inspect name inter rcmd
ip inspect name inter realaudio
ip inspect name inter sqlnet
ip inspect name inter streamworks
ip inspect name inter vdolive
ip audit po max-events 100
!
username admin privilege 15 password &*%#$_)#*^$()@#%^*%$#
!
!
!
!
interface FastEthernet0/0
description SD PR LAN admin
ip address 172.16.0.5 255.255.240.0
ip nat inside
ip flow ingress
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
interface Serial0/0
no ip address
shutdown
no cdp enable
!
interface FastEthernet0/1
description SD PR DHB aDSL admin modem
ip address 192.168.16.253 255.255.255.0
ip access-group 121 in
ip nat outside
ip flow ingress
ip inspect inter out
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 172.16.3.21 192.168.16.21
no ip http server
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 172.20.0.12 9996
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.16.254
ip route 10.14.6.0 255.255.255.0 172.16.0.3
ip route 10.100.50.0 255.255.255.0 172.16.0.2
ip route 64.206.226.33 255.255.255.255 172.16.0.3
ip route 64.206.232.160 255.255.255.224 172.16.0.9
ip route 172.16.16.0 255.255.254.0 172.16.0.3
ip route 172.18.0.0 255.255.240.0 172.16.0.3
ip route 172.18.16.0 255.255.254.0 172.16.0.3
ip route 172.19.0.0 255.255.240.0 172.16.0.3
ip route 172.19.16.0 255.255.254.0 172.16.0.3
ip route 172.20.0.0 255.255.240.0 172.16.0.3
ip route 172.20.16.0 255.255.254.0 172.16.0.3
ip route 172.22.0.0 255.255.240.0 172.16.0.3
ip route 172.22.16.0 255.255.254.0 172.16.0.3
ip route 172.23.0.0 255.255.240.0 172.16.0.3
ip route 172.23.16.0 255.255.254.0 172.16.0.3
ip route 172.24.0.0 255.255.240.0 172.16.0.3
ip route 172.24.16.0 255.255.254.0 172.16.0.3
ip route 192.168.10.0 255.255.255.0 172.16.0.3
ip route 192.168.24.0 255.255.255.0 172.16.0.3
!
!
access-list 1 permit 172.16.0.0 0.0.15.255
access-list 121 remark inbound internet acl
access-list 121 permit icmp any any administratively-prohibited
access-list 121 permit icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any packet-too-big
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
access-list 121 remark lib_prn
access-list 121 permit tcp any host 192.168.16.21 eq 9100
access-list 121 deny ip any any log
no cdp run
snmp-server community public RO
!
line con 0
privilege level 15
password &*%^*%@#$&#$
login local
line aux 0
privilege level 15
password &*(%#$*%#@$
login local
line vty 0 4
privilege level 15
password (&%^#$&%#$#$
login local
!
ntp clock-period 17180670
ntp server 172.16.0.27
!
end

Bridging Cisco Router Interfaces

July 2, 2010

This article is a guide to configuring bridging on Cisco routers. This is something I never knew was possible until after making a few phone calls to Cisco. Using bridging saved our company money by not requiring us to purchase a new switch. Bridging can also be very useful in smaller environments to avoid wasting IP addresses. The implementation I will be using for the example is this: a single T1 comes into a router. This router needs to hand off directly to a pair of redundant firewalls without a switch between them. We need to make sure both firewalls can plug into the router and use the same IP address as their next hop. The commands used here are all entered on a Cisco 2811 running IOS version 12.3(8)T5. Bridging is available in many other IOS versions and, from what I have personally seen, the commands have not changed. So with all of that out of the way, let’s get into the router.

First connect to the router via the console. We will be changing IP addresses and disabling interfaces, which will cause any telnet sessions to disconnect.

After you have connected you will need to be in “enable” mode so that you can make changes to the router.

Next we enter config mode by typing configure terminal.

Now you should be sitting at a prompt similar to the one below:

Router01(config)#

There are three commands that we will enter to ensure that bridging is enabled.

Router01(config)#bridge irb
Router01(config)#bridge 1 protocol ieee
Router01(config)#bridge 1 route ip

Those are global commands. The next commands we enter create the new bridged interface, but in order to do that we first have to take the IP address off the old interface. In this example FastEthernet0/0 has the IP address assigned, and we will be adding FastEthernet0/1 to the group. Note that the prompt changes to (config-if)# while you are configuring an interface.

Router01(config)#interface fa0/0
Router01(config-if)#no ip address

Router01(config-if)#interface BVI1
Router01(config-if)#ip address X.X.X.X Y.Y.Y.Y (IP Address and Subnet Mask)

Now we go back to the physical interfaces and add them to the bridge group.

Router01(config-if)#int fa0/0
Router01(config-if)#bridge-group 1
Router01(config-if)#int fa0/1
Router01(config-if)#bridge-group 1
Router01(config-if)#exit

Now if you were to plug in a device configured on the same network as the address entered on the BVI1 interface, you would be able to ping that address. Through bridging we have effectively turned the two FastEthernet interfaces on our 2811 into a small switch. This will allow you to run an active/active firewall pair behind a single router with minimal hassle. There are a number of other uses for bridging as well; I hope this article helps people realize the potential and put this new skill to use.