Cisco 2600/2800 NAT, Static Translation, ACL, and Net Flow all together

July 3, 2010

The configuration below is for my own use, but if you find it helpful, please feel free to use it. If you could leave a comment, I’ll know I helped someone.

In this configuration, FastEthernet 0/1 is the outside interface and FastEthernet 0/0 is the inside interface. I’m permitting printing from any Internet IP address to the internal IP address 172.16.3.21 (reached from outside as 192.168.16.21 through the static translation).

Building configuration…

Current configuration : 3638 bytes
!
! Last configuration change at 11:33:21 PDT Sat Jul 3 2010 by admin
! NVRAM config last updated at 11:33:22 PDT Sat Jul 3 2010 by admin
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname SD-DH3-DSL-Router
!
boot-start-marker
boot system flash c2600-io3-mz.123-26.bin
boot-end-marker
!
enable password *&%@$^%!@*^%$!@$
!
clock timezone PST -8
clock summer-time PDT recurring
no aaa new-model
ip subnet-zero
ip flow-cache timeout active 1
ip cef
!
!
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name inter tcp
ip inspect name inter udp
ip inspect name inter ftp
ip inspect name inter http
ip inspect name inter smtp
ip inspect name inter tftp
ip inspect name inter cuseeme
ip inspect name inter h323
ip inspect name inter rcmd
ip inspect name inter realaudio
ip inspect name inter sqlnet
ip inspect name inter streamworks
ip inspect name inter vdolive
ip audit po max-events 100
!
username admin privilege 15 password &*%#$_)#*^$()@#%^*%$#
!
!
!
!
interface FastEthernet0/0
 description SD PR LAN admin
 ip address 172.16.0.5 255.255.240.0
 ip nat inside
 ip flow ingress
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0
 no ip address
 shutdown
 no cdp enable
!
interface FastEthernet0/1
 description SD PR DHB aDSL admin modem
 ip address 192.168.16.253 255.255.255.0
 ip access-group 121 in
 ip nat outside
 ip flow ingress
 ip inspect inter out
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 172.16.3.21 192.168.16.21
no ip http server
ip flow-export source FastEthernet0/0
ip flow-export version 5
ip flow-export destination 172.20.0.12 9996
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.16.254
ip route 10.14.6.0 255.255.255.0 172.16.0.3
ip route 10.100.50.0 255.255.255.0 172.16.0.2
ip route 64.206.226.33 255.255.255.255 172.16.0.3
ip route 64.206.232.160 255.255.255.224 172.16.0.9
ip route 172.16.16.0 255.255.254.0 172.16.0.3
ip route 172.18.0.0 255.255.240.0 172.16.0.3
ip route 172.18.16.0 255.255.254.0 172.16.0.3
ip route 172.19.0.0 255.255.240.0 172.16.0.3
ip route 172.19.16.0 255.255.254.0 172.16.0.3
ip route 172.20.0.0 255.255.240.0 172.16.0.3
ip route 172.20.16.0 255.255.254.0 172.16.0.3
ip route 172.22.0.0 255.255.240.0 172.16.0.3
ip route 172.22.16.0 255.255.254.0 172.16.0.3
ip route 172.23.0.0 255.255.240.0 172.16.0.3
ip route 172.23.16.0 255.255.254.0 172.16.0.3
ip route 172.24.0.0 255.255.240.0 172.16.0.3
ip route 172.24.16.0 255.255.254.0 172.16.0.3
ip route 192.168.10.0 255.255.255.0 172.16.0.3
ip route 192.168.24.0 255.255.255.0 172.16.0.3
!
!
access-list 1 permit 172.16.0.0 0.0.15.255
access-list 121 remark inbound internet acl
access-list 121 permit icmp any any administratively-prohibited
access-list 121 permit icmp any any echo
access-list 121 permit icmp any any echo-reply
access-list 121 permit icmp any any packet-too-big
access-list 121 permit icmp any any time-exceeded
access-list 121 permit icmp any any unreachable
access-list 121 remark lib_prn
access-list 121 permit tcp any host 192.168.16.21 eq 9100
access-list 121 deny ip any any log
no cdp run
snmp-server community public RO
!
line con 0
 privilege level 15
 password &*%^*%@#$&#$
 login local
line aux 0
 privilege level 15
 password &*(%#$*%#@$
 login local
line vty 0 4
 privilege level 15
 password (&%^#$&%#$#$
 login local
!
ntp clock-period 17180670
ntp server 172.16.0.27
!
end
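The pairing that makes this config work is easy to get wrong: access-list 121 is applied inbound on the ip nat outside interface, and IOS evaluates an inbound ACL before the outside-to-inside translation, so the permit has to name the inside-global address (192.168.16.21), not the inside-local one (172.16.3.21). The script below is an added example, not part of the original post: it parses a constructed subset of a running-config in the post's style (the real-config lines are reproduced, the "bad" variant is made up to show the failure) and reports permits that name the inside-local address, permits to hosts with no static translation, and an inbound ACL that does not end with an explicit deny. Function names and the finding wording are my own.

```python
"""Audit the static-NAT / inbound-ACL pairing on a Cisco IOS running-config (added example)."""
import re

# Constructed subset of the post's running-config, printed as IOS does (one-space indent).
GOOD_CONFIG = """\
interface FastEthernet0/0
 ip address 172.16.0.5 255.255.240.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 192.168.16.253 255.255.255.0
 ip access-group 121 in
 ip nat outside
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static 172.16.3.21 192.168.16.21
access-list 1 permit 172.16.0.0 0.0.15.255
access-list 121 remark inbound internet acl
access-list 121 permit icmp any any echo
access-list 121 remark lib_prn
access-list 121 permit tcp any host 192.168.16.21 eq 9100
access-list 121 deny ip any any log
"""

# Constructed variant with two mistakes: the permit names the inside-local address,
# and the ACL has no explicit logged deny at the end.
BAD_CONFIG = """\
interface FastEthernet0/1
 ip address 192.168.16.253 255.255.255.0
 ip access-group 121 in
 ip nat outside
!
ip nat inside source static 172.16.3.21 192.168.16.21
access-list 121 permit tcp any host 172.16.3.21 eq 9100
"""

STATIC_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)")


def parse_interfaces(cfg):
    """Return {name: {'nat': 'inside'|'outside'|None, 'acl_in': acl number or None}}."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"nat": None, "acl_in": None}
        elif cur and line.startswith(" "):          # interface sub-command
            words = line.split()
            if words[:2] == ["ip", "nat"]:
                ifaces[cur]["nat"] = words[2]
            elif words[:2] == ["ip", "access-group"] and words[3] == "in":
                ifaces[cur]["acl_in"] = words[2]
        else:                                        # '!' or a global command ends the block
            cur = None
    return ifaces


def parse_static_nats(cfg):
    """Return {inside_global: inside_local} from 'ip nat inside source static' lines."""
    matches = (STATIC_RE.match(line) for line in cfg.splitlines())
    return {m.group(2): m.group(1) for m in matches if m}


def parse_acl(cfg, number):
    """Return the numbered ACL as a list of token lists, with remark lines dropped."""
    prefix = f"access-list {number} "
    return [line[len(prefix):].split() for line in cfg.splitlines()
            if line.startswith(prefix) and not line.startswith(prefix + "remark")]


def _take_addr(tokens, i):
    """Consume one ACL address spec at tokens[i]: 'any', 'host X', or 'X wildcard'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def audit(cfg):
    """Check every inbound ACL on a 'nat outside' interface against the static translations."""
    findings = []
    statics = parse_static_nats(cfg)                     # global -> local
    local_to_global = {loc: glob for glob, loc in statics.items()}
    for name, props in parse_interfaces(cfg).items():
        if props["nat"] != "outside" or props["acl_in"] is None:
            continue
        acl = parse_acl(cfg, props["acl_in"])
        if not acl or acl[-1][:4] != ["deny", "ip", "any", "any"]:
            findings.append(f"{name}: ACL {props['acl_in']} does not end with an explicit "
                            "'deny ip any any' (add it with 'log' to see what is being dropped)")
        for entry in acl:
            if entry[0] != "permit" or entry[1] not in ("tcp", "udp"):
                continue
            _src, i = _take_addr(entry, 2)
            if entry[i] in ("eq", "neq", "gt", "lt"):    # optional source-port operator
                i += 2
            elif entry[i] == "range":
                i += 3
            dst, _ = _take_addr(entry, i)
            text = " ".join(entry)
            if dst == "any":
                findings.append(f"{name}: '{text}' permits {entry[1]} to any destination; "
                                "a static translation needs only its inside-global host")
            elif dst in local_to_global:
                findings.append(f"{name}: '{text}' names inside-local {dst}; the inbound ACL on "
                                f"the nat outside interface is checked before translation, "
                                f"so it must name inside-global {local_to_global[dst]}")
            elif dst not in statics:
                findings.append(f"{name}: '{text}' permits traffic to {dst}, "
                                "which has no static translation")
    return findings


if __name__ == "__main__":
    for label, cfg in (("post config", GOOD_CONFIG), ("constructed bad config", BAD_CONFIG)):
        print(label, "->", audit(cfg) or "no findings")
```

Run it against a saved `show running-config` by reading the file into `audit()`; on the post's own lines it reports nothing, and on the constructed variant it flags both the inside-local permit and the missing final deny.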
