TCLUG Archive

RE: [TCLUG:9401] Cisco 675 questions
On Thu, 28 Oct 1999, Unni Nambiar wrote:

> > If you haven't gotten one yet that means when you do it'll be
> > running the newest code release which can do what's called
> > "wildcard NAT" where you specify what IP internally all ports are
> > forwarded to.  That'd probably work ok with the firewall setup
> > where you just forward all ports to your firewall and let it sort
> > everything out. And yes, all the forwarding is transparent.
> > 
> 
> Could you elaborate on this please ?
> 
> I don't know the code release for the one i have, but the CBOS doc. talks
> about this syntax.
> 
> set nat entry add <ip-inside> <port-inside> <ip-outside> <port-outside> <protocol>
> 
> and you _can_ use 0.0.0.0/0.0.0.0 to match any ip address (wildcard NAT?).
> 
> What i'm not sure about is, is this entry directional?  That is, are we
> talking about packets coming in or going out or both?
> 
> Can i then, use the following to access my web server.
> 
> set nat entry add 10.0.0.2 80 63.123.123.243 80 tcp
> 
> where,
> 10.0.0.2       is the non-routable address of an internal web server machine
> 63.123.123.243 is some ISP assigned DHCP address of my router's wan0
> interface
> 
> and give 63.123.123.243 as the URL?  How will this affect access to the
> router's internal web server?
> 
> Eventually i would like to use this setup to access my machine from outside
> using ssh.
> 
> I'll be playing around with this pretty soon.  Thought i'd check if anyone
> else has already done something similar.
> 
> BTW, i got my Cisco 675 recently and it is in PPP mode, not bridging.
> 
> Thanks in advance.
> 
> -Unni
> 

The CBOS release capable of wildcard NAT is 2.2.0.  It should be shipping
now or soon, and you can download the release from Cisco if you have a CCO
account.  If you don't, check with your ISP to see if they can provide a
copy.

The syntax for the wildcard NAT entry is:

set nat entry add <inside ip address>

Then all ports forward automatically and transparently to the ip
specified.

As far as the direction/internal web server on the 675 goes, I believe that
the port forwarding occurs on the external interface only.  So when you
access port 80 on the internal interface it should still show only the
675's web server and not forward to whichever machine you have port 80
forwarded to.

Another big difference in 2.2.0 is that one also doesn't need to specify
the outside ip address in the NAT entry - this is automatically done since
in most cases (even when the ISP assigns you a static IP) the address is
negotiated during the PPP login.  Before 2.2.0 you couldn't really do NAT
with a dynamically assigned IP without reconfiguring the NAT table after
your address changed.  Now it should be seamless.

 --
James Raney
Please send all mail to this address minus
the "spamthis"
<seumas@spamthismad-seumas.net>
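Added example, not part of the list thread above: a small check you would run from a host outside the 675 once the NAT entries (or the 2.2.0 wildcard NAT) are in place, to see which TCP ports on the WAN address actually reach the internal machine. It assumes Python 3 and a POSIX socket stack; the WAN address 63.123.123.243 and the ports 22/80 come from Unni's post and are only used here to illustrate the intended exposure. The local listener and the "closed port" helper exist so the script can demonstrate itself offline; in real use you point it at the router's WAN address.

```python
"""Verify which TCP ports reach the host behind a Cisco 675 NAT entry.

Added example for this thread, not CBOS code. Run it from OUTSIDE the
router: per the reply above, forwarding happens on the external
interface only, so a scan from the LAN says nothing about exposure.
"""
import socket
import threading

# Ports the poster means to expose: ssh and the internal web server.
# Wildcard NAT forwards every port, so anything else that answers is a
# service on the internal host (10.0.0.2 in the thread) leaking out.
INTENDED_PORTS = {22, 80}


def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable
        return False


def scan(host, ports, timeout=2.0):
    """Return {port: is_open} for each port in ports."""
    return {p: tcp_port_open(host, p, timeout) for p in ports}


def unexpected_exposure(results, intended=INTENDED_PORTS):
    """Ports that answered but were not meant to be reachable from outside."""
    return sorted(p for p, is_open in results.items()
                  if is_open and p not in intended)


def start_local_listener(host="127.0.0.1"):
    """Throwaway TCP listener on an ephemeral port, standing in for the
    internal host during an offline demo. Returns (socket, port); close
    the socket to stop the accept loop."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def closed_local_port(host="127.0.0.1"):
    """Find a port nothing listens on: bind ephemeral, note it, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        # Real use, from outside: python nat_check.py 63.123.123.243 22 80 23 8080
        target, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    else:
        # Offline demo: one listening port, one known-closed port (constructed).
        srv, open_port = start_local_listener()
        target, ports = "127.0.0.1", [open_port, closed_local_port()]
    results = scan(target, ports)
    for p in sorted(results):
        print(f"{target}:{p} {'open' if results[p] else 'closed'}")
    leak = unexpected_exposure(results)
    if leak:
        print("reachable but not intended:", leak)
```

Include the router's own management ports (80 for the CBOS web server, and whatever else the 675 listens on) in the port list: if the WAN side answers on them, you are looking at either the router or the forwarded host, and the thread's point is that with wildcard NAT it is the latter for every port.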