From: Jason T. Rohm (jtrohm@xxxxxxxxxxx)
Date: Mon Sep 25 2000 - 07:53:11 GMT-3
Ok Mike,
It took about three hours of screwing with it (I know you can do this, but I
never actually tried until tonight). I got it going. The abridged code is
below....
My network is screwy: the 192.168.1.x numbers are the outside and the
137.20.x.x are the inside (I was in the middle of CCIE Prep lab #3 when I
started on this tangent).
I don't have SSL anywhere, so I just assumed that a normal telnet would
operate similarly.
137.20.63.4, 137.20.30.5, and 137.20.96.6 represent my fictitious SSL
(telnet) UNIX servers.
OUTGLOBALPOOL is a large pool of NON-ROTARY private internal addresses (in
your case 10.x.x.x numbers).
192.168.1.122 is the public outside address that you are manually
overloading to get multiple SSL servers on the outside address.
There might be a better way to do this... but this is what I came up with at
4:00AM.
Let me know if this works for you.
-Jason
Begin Code --->
!
version 12.0
!
! Ethernet1 faces the Internet side (192.168.1.x); the secondary address
! sits in the same range as OUTGLOBALPOOL
interface Ethernet1
 ip address 137.20.2.1 255.255.255.0 secondary
 ip address 192.168.1.104 255.255.255.0
 no ip directed-broadcast
 ip nat outside
!
! Serial0 faces the inside, where the (telnet) servers live
interface Serial0
 ip address 137.20.31.2 255.255.255.0
 no ip directed-broadcast
 ip nat inside
 encapsulation frame-relay
!
! Pool of non-rotary private addresses that Internet clients are presented as
ip nat pool OUTGLOBALPOOL 137.20.2.2 137.20.7.254 netmask 255.255.248.0
! Inside static PAT: one public address, one port per internal server
ip nat inside source static tcp 137.20.63.4 23 192.168.1.122 8024 extendable
ip nat inside source static tcp 137.20.30.5 23 192.168.1.122 8023 extendable
ip nat inside source static tcp 137.20.96.6 23 192.168.1.122 8025 extendable
! Outside source NAT: rewrite the Internet client's address to a pool address
! so the server's reply is routed back through this router
ip nat outside source list 110 pool OUTGLOBALPOOL
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! Only traffic to the overloaded public address gets the outside-source translation
access-list 110 permit ip any host 192.168.1.122
!
end
<--- End Code
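The following is an added walkthrough, not part of Jason's message or his router config. It models the two translation stages of the config above in Python so you can see why the server's reply comes back through the NAT router: stage 1 is the inside static PAT (server:23 to 192.168.1.122:port), stage 2 is the outside source NAT (Internet client address to an OUTGLOBALPOOL address, gated by access-list 110). The client addresses and ports are constructed sample values, and handing out pool addresses in sequential order is a simplification of how IOS allocates from a pool.

```python
"""Two-stage NAT walkthrough for the posted config (constructed example).

Stage 1, inside static PAT : inside local (server:23) <-> inside global (192.168.1.122:port)
Stage 2, outside source NAT: outside global (Internet client) <-> outside local (pool address)
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# ip nat inside source static tcp ... extendable  (inside local -> inside global)
INSIDE_STATIC = {
    ("137.20.63.4", 23): ("192.168.1.122", 8024),
    ("137.20.30.5", 23): ("192.168.1.122", 8023),
    ("137.20.96.6", 23): ("192.168.1.122", 8025),
}
INSIDE_STATIC_REV = {glob: loc for loc, glob in INSIDE_STATIC.items()}

# the one public address that is overloaded; also the host in access-list 110
NAT_OUTSIDE_ADDR = "192.168.1.122"


def ip_range(first, last):
    """Yield dotted-quad addresses from first to last inclusive (pool walker)."""
    a, b = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    for n in range(a, b + 1):
        yield str(ipaddress.IPv4Address(n))


class DoubleNat:
    def __init__(self, pool_first="137.20.2.2", pool_last="137.20.7.254"):
        # OUTGLOBALPOOL; sequential allocation is an assumption of this model
        self._free = ip_range(pool_first, pool_last)
        self.outside_table = {}  # outside global (client) -> outside local (pool)

    def _outside_local_for(self, outside_global):
        """Allocate (or reuse) a pool address for an Internet source address."""
        if outside_global not in self.outside_table:
            self.outside_table[outside_global] = next(self._free)
        return self.outside_table[outside_global]

    def inbound(self, pkt):
        """Packet arriving on the 'ip nat outside' interface, heading inside."""
        # access-list 110 permit ip any host 192.168.1.122
        if pkt.dst_ip != NAT_OUTSIDE_ADDR:
            return None  # not for the NAT box; ordinary routing, not modelled
        inside = INSIDE_STATIC_REV.get((pkt.dst_ip, pkt.dst_port))
        if inside is None:
            return None  # no static entry for that port
        # source becomes a pool address, destination becomes the real server
        return Packet(self._outside_local_for(pkt.src_ip), pkt.src_port, *inside)

    def outbound(self, pkt):
        """Reply from the server arriving on the 'ip nat inside' interface."""
        reverse = {loc: glob for glob, loc in self.outside_table.items()}
        if pkt.dst_ip not in reverse:
            return None  # no outside-source entry: the server never saw this client
        global_src = INSIDE_STATIC.get((pkt.src_ip, pkt.src_port))
        if global_src is None:
            return None
        return Packet(*global_src, reverse[pkt.dst_ip], pkt.dst_port)


if __name__ == "__main__":
    nat = DoubleNat()
    # constructed client: 203.0.113.5:40000 connects to the 8024 mapping
    req = Packet("203.0.113.5", 40000, "192.168.1.122", 8024)
    inner = nat.inbound(req)
    print("server sees:", inner)  # src is a 137.20.2.x pool address
    reply = Packet(inner.dst_ip, inner.dst_port, inner.src_ip, inner.src_port)
    print("client sees:", nat.outbound(reply))
```

The point the model makes concrete is the one Jason raised earlier in the thread: because the server only ever sees a 137.20.2.x source address, its reply is routed toward whoever announces that range (the NAT router), not out the normal T3 path, so the return trip is symmetric without touching any other router.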
-----Original Message-----
From: Mike Chase [mailto:mchase@broadcom.com]
Sent: Monday, September 25, 2000 2:43 AM
To: Jason T. Rohm
Subject: RE: Proxy ?
cool thanks..
if I was doing static NAT, the destination IP is what gets NAT'd .. from the
external IP that was hit to the internal IP that the service is really on. The
problem is the source address doesn't change and it's on the Internet and my
normal path to the Internet is not this router that I want to do this on so then
I wind up in an asymmetric routing loop that breaks the whole NAT thing to begin
with. I need to make traffic from the Internet hitting that external IP & port
on S0/0, when it exits the router on E0/0 look like it's coming from E0/0 so
that the traffic from the internal host it hits comes back to the router then
follows the reverse path back out to the Internet and everything would then work
just fine.
Mike L. Chase
Sr. Network Architect
ISG: Information Services Group
Broadcom Corporation World Headquarters, BLDG A-1050
16215 Alton Parkway, Irvine, California 92618-3616
OFFICE:949-585-6057|CELL:949-283-4254|FAX:949-585-6227
"Courage is not the absence of fear, but rather the judgment
that something else is more important than fear."
-- Ambrose Redmoon
-----Original Message-----
From: Jason T. Rohm [mailto:jtrohm@athenet.net]
Sent: Monday, September 25, 2000 12:34 AM
To: Mike Chase
Subject: RE: Proxy ?
I'll setup a test on my equipment and e-mail you the code in the morning...
is that okay?
-Jason
-----Original Message-----
From: Mike Chase [mailto:mchase@broadcom.com]
Sent: Monday, September 25, 2000 12:50 AM
To: Jason T. Rohm
Subject: RE: Proxy ?
double NAT? show me how! ;-)
-----Original Message-----
From: Jason T. Rohm [mailto:jtrohm@athenet.net]
Sent: Sunday, September 24, 2000 10:42 PM
To: Mike Chase; Ccielab@Groupstudy. Com
Subject: RE: Proxy ?
This is just a spit-wad answer (it's 12:30am, no flames please)...
But, couldn't you NAT it both ways (inside pub/private and outside
pub/private) so that the internal UNIX servers are presented with a unique
private address for the client which has a route announced by the NAT router?
That way you are guaranteed a symmetrical route w/o screwing with any of the
other routers.
-Jason
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Mike Chase
Sent: Sunday, September 24, 2000 11:28 PM
To: Ccielab@Groupstudy. Com
Subject: Proxy ?
I am wondering if anyone knows how to do the following on a Cisco router.
I have some Unix users who want to use SSH to get into the corporate LAN via the
Internet.
The SSH servers however will sit in various spots in the world on our private
10.x network.
What I would like to do is put a Cisco router on a T1 facing the Internet (S0/0)
and have it proxy several port #'s on its IP address on S0/0 (the Internet T1),
each of which will be mapped to represent a given SSH server on the internal LAN
(E0/0).
I am thinking of Proxy and not NAT because if I use NAT, it will create
asymmetric routing (thus won't work) as this is not the usual path to the
Internet which is served by a T3 out another path in the LAN.
Thanks/
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 08:25:01 GMT-3