7. Set up NAT
You now need to set up NAT to translate addresses between the internal 192.168.100.0/24 network and the public Internet. First, set up an access list to be used only for NAT:
ip access-list standard 10
permit 192.168.100.0 0.0.0.255
deny any
exit
As before, the first line places the router in access list configuration mode. Note that the access list here is standard and not extended. Standard access lists allow only traffic from specific source IP addresses or networks to be permitted or denied; they don't let you specify the destination or type of traffic as extended access lists do. The second line identifies the traffic that you want to translate: any traffic sourced from the 192.168.100.0/24 LAN (the 0.0.0.255 value is a wildcard mask, in which a 1 bit means "don't care", not a subnet mask). The third line prevents any other traffic from being translated, and the fourth line takes the router out of access list configuration mode.
Next, you identify to IOS which interfaces will participate in NAT:
interface BVI1
ip nat inside
exit
interface FastEthernet4
ip nat outside
exit
These lines tell IOS that the LAN interface, BVI1, will contain the addresses that need to be translated, while the WAN interface, FastEthernet4, contains the external address to which the internal addresses will be translated.
Finally, you enter the actual NAT statement (all on one line):
ip nat inside source list 10 interface FastEthernet4 overload
This command tells IOS to translate any address identified in access list 10 to the address assigned to FastEthernet4. The overload keyword allows one public address to be shared among several internal private addresses.
8. Enable interfaces, and disable STP
You're almost ready to test your configuration. First, though, you need to ensure that each interface is not in a shutdown state. To do so for FastEthernet4, type:
interface FastEthernet4
no shutdown
exit
You'll want to do this for every physical interface on your router.
At this point, you can disconnect the console cable and connect the PC to a LAN port on the router with an Ethernet cable. You can then access the router by opening a Telnet connection (or, preferably, an SSH connection) to the router's LAN IP address. Keep the console cable handy, though, in case you make a configuration change that prohibits Telnet access. A Telnet client is included with most OSs.
You also might want to disable Spanning Tree Protocol (STP) on your internal LAN interface(s) if your router allows that. If you plan on setting up a complex network of switches on your network, then don't disable STP; but for a small network, disabling STP lets your internal LAN devices connect to your router up to 30 seconds faster. For each LAN interface (in my case, FastEthernet0 through FastEthernet3), enter
interface FastEthernet0
spanning-tree portfast
exit
9. Test your configuration
Now is a good time to save your configuration. Type
copy running-config startup-config
to save your work to nonvolatile memory and ensure that your configuration is retained across router restarts, power outages, and so on.
You should also enter the command
show running-config
to output a copy of the configuration you just created to your screen. You can copy and paste this configuration to a text editor for later reference. You can also edit the configuration in a text editor and paste it into a terminal session to make changes to the router. Your configuration should look similar to Listing 2 at this point. Note that Listing 2 omits many configuration lines that are automatically inserted or included by default; it focuses on the commands that you entered above.
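The saved running-config is also the right artifact to check before you plug in the WAN cable. The following Python script is an added example, not code from the article: it parses a constructed running-config made of the commands entered in steps 7 and 8 (plus one deliberately shut-down interface) and reports the mistakes that most often break or weaken this setup: a NAT statement that names an access list that does not exist, an access list that permits any source, a translation interface that is not marked ip nat outside, and interfaces still in shutdown state. The parser accepts both the ip access-list standard form used above and the legacy access-list N form that show running-config may display.

```python
import re

# Constructed running-config excerpt assembled from the article's commands.
# FastEthernet3 is deliberately left shut down so the audit has something to report.
SAMPLE_CONFIG = """\
ip access-list standard 10
 permit 192.168.100.0 0.0.0.255
 deny any
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 ip nat outside
!
interface BVI1
 ip nat inside
!
ip nat inside source list 10 interface FastEthernet4 overload
"""

# Constructed config with two mistakes: the NAT statement references a list
# that was never created, and no interface is marked 'ip nat outside'.
BROKEN_CONFIG = """\
interface BVI1
 ip nat inside
!
interface FastEthernet4
 description WAN uplink
!
ip nat inside source list 20 interface FastEthernet4 overload
"""


def parse_config(text):
    """Split an IOS running-config into interfaces, access lists and NAT rules."""
    interfaces, acls, nat_rules = {}, {}, []
    current = None  # ("interface", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if line.startswith(" "):  # indented line belongs to the open block
            if current is None:
                continue
            kind, name = current
            (interfaces if kind == "interface" else acls)[name].append(line.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = ("interface", m.group(1))
            interfaces.setdefault(m.group(1), [])
            continue
        m = re.match(r"ip access-list (?:standard|extended) (\S+)$", line)
        if m:
            current = ("acl", m.group(1))
            acls.setdefault(m.group(1), [])
            continue
        m = re.match(r"access-list (\S+) (.*)$", line)  # legacy one-line form
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = re.match(r"ip nat inside source list (\S+) interface (\S+)( overload)?$", line)
        if m:
            nat_rules.append({"acl": m.group(1), "interface": m.group(2),
                              "overload": bool(m.group(3))})
    return {"interfaces": interfaces, "acls": acls, "nat": nat_rules}


def audit(cfg):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    findings = []
    inside = [n for n, c in cfg["interfaces"].items() if "ip nat inside" in c]
    outside = [n for n, c in cfg["interfaces"].items() if "ip nat outside" in c]
    if not inside:
        findings.append("no interface is marked 'ip nat inside'")
    if not outside:
        findings.append("no interface is marked 'ip nat outside'")
    for rule in cfg["nat"]:
        acl = cfg["acls"].get(rule["acl"])
        if acl is None:
            findings.append(f"NAT rule references access list {rule['acl']}, which does not exist")
        elif any(e.startswith("permit any") for e in acl):
            findings.append(f"access list {rule['acl']} permits any source; "
                            "the NAT list should be limited to the LAN")
        if rule["interface"] not in outside:
            findings.append(f"NAT rule translates to {rule['interface']}, "
                            "which is not marked 'ip nat outside'")
    for name, cmds in cfg["interfaces"].items():
        if "shutdown" in cmds:
            findings.append(f"interface {name} is shut down")
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(f"--- {label} ---")
        for finding in audit(parse_config(text)) or ["no findings"]:
            print(" ", finding)
```

Run it against the text you pasted from show running-config (read the file into parse_config instead of the constructed strings); the sample config yields only the shut-down FastEthernet3 finding, and the broken config yields three findings.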
You can now connect an Ethernet cable to the router's WAN port, and try to get on the Internet. Note that your internal LAN hosts will need to use static IP addressing if you don't have a DHCP server present.
What’s Next?
The possibilities from here are endless. You will most certainly want to set up usernames and passwords for access to your router, set up Telnet and/or SSH access (if you haven't already), and limit that access to various IP addresses. You should also consider modifying your access lists to deny private, non-routable (aka bogon) IP ranges from being able to reach your network.
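Both the NAT access list from step 7 and the bogon filter suggested above depend on IOS wildcard masks and first-match evaluation, which are easy to get backwards. The following Python evaluator is an added example, not code from the article or from Cisco: it models a standard access list as a list of (action, network, wildcard) entries, applies the wildcard the way IOS does (a 1 bit means "don't care"), stops at the first match, and denies implicitly when nothing matches. It evaluates access list 10 exactly as written in step 7, a hypothetical inbound WAN filter that denies RFC 1918 and other non-routable sources (constructed here; the article names no specific ranges), and a mistaken list that uses a subnet mask where a wildcard mask belongs.

```python
import ipaddress

# Access list 10 from step 7, as (action, network, wildcard) entries.
# "any" stands for 0.0.0.0 255.255.255.255, as in IOS.
NAT_ACL_10 = [
    ("permit", "192.168.100.0", "0.0.0.255"),
    ("deny", "any", None),
]

# Hypothetical inbound filter for the WAN interface (constructed, not from the
# article): drop packets claiming a private or otherwise non-routable source.
WAN_BOGON_FILTER = [
    ("deny", "10.0.0.0", "0.255.255.255"),       # RFC 1918
    ("deny", "172.16.0.0", "0.15.255.255"),      # RFC 1918
    ("deny", "192.168.0.0", "0.0.255.255"),      # RFC 1918
    ("deny", "127.0.0.0", "0.255.255.255"),      # loopback
    ("deny", "0.0.0.0", "0.255.255.255"),        # "this" network
    ("permit", "any", None),
]

# Common mistake: a subnet mask typed where IOS expects a wildcard mask.
MISTAKEN_ACL = [
    ("permit", "192.168.100.0", "255.255.255.0"),
]


def wildcard_match(address, network, wildcard):
    """IOS wildcard semantics: compare only the bits where the wildcard is 0."""
    if network == "any":
        return True
    a = int(ipaddress.IPv4Address(address))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w
    return (a & care) == (n & care)


def evaluate(acl, address):
    """First matching entry decides; a list with no match denies implicitly."""
    for action, network, wildcard in acl:
        if wildcard_match(address, network, wildcard):
            return action
    return "deny"


def translated_by_nat(address):
    """True when access list 10 would hand this source to the NAT statement."""
    return evaluate(NAT_ACL_10, address) == "permit"


if __name__ == "__main__":
    for src in ("192.168.100.5", "192.168.101.5", "10.0.0.1"):
        print(f"ACL 10        {src:>15}: {evaluate(NAT_ACL_10, src)}")
    for src in ("192.168.100.7", "172.31.255.1", "172.32.0.1", "8.8.8.8"):
        print(f"WAN filter    {src:>15}: {evaluate(WAN_BOGON_FILTER, src)}")
    for src in ("192.168.100.5", "10.20.30.0"):
        print(f"mistaken mask {src:>15}: {evaluate(MISTAKEN_ACL, src)}")
```

The mistaken list shows why the mask direction matters: with 255.255.255.0 as a wildcard, IOS ignores the first three octets and insists that the last one be 0, so 192.168.100.5 is denied while 10.20.30.0 is permitted, which is the opposite of what the author of that line intended.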
You can also make your router a DHCP server, set up VPN access with the router as an endpoint, add NAT statements and access list entries to access a Web server on your internal network from the Internet, or put an ISA Server firewall between your router and your LAN clients. Over time, I've tweaked my setup to become much more complex than the one presented in this article. Don't be afraid to read some additional documentation (I highly suggest the Cisco Field Manual series published by Cisco Press), ask questions of your resident Cisco gurus, and experiment!
Also, one should refer to Cisco's ICND books (2 books) if this article doesn't help.
PrinceKanago June 02, 2008