clock timezone KXXTime 8 0
ip dhcp excluded-address 172.168.1.1 172.168.1.110
!
ip dhcp pool vlan172
network 172.168.1.0 255.255.255.0
default-router 172.168.1.252
dns-server 192.168.1.x 8.8.8.8
domain-name xxx.com.sg
lease 0 0 30
!
ip dhcp pool vlan172-static-laptop
host 172.168.1.111 255.255.255.0
client-identifier 01xx.02xx.03xx.xx
client-name laptop172
default-router 172.168.1.252
dns-server 192.168.1.x 8.8.8.8
domain-name xxx.com.sg
lease 0 0 10
!
ip dhcp pool vlan172-static-host
host 172.168.1.112 255.255.255.0
client-identifier 01xx.15xx.01xx.xx
client-name hostxxx
default-router 172.168.1.252
dns-server 192.168.1.x 8.8.8.8
domain-name xxx.com.sg
lease 0 0 10
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
license udi pid CISCOXXXX/XX sn FGLXXXXXXCQ
!
!
username xxx privilege 15 secret 4 cFMxxxxKH9Vxxxxa1BxxxxDkbXb0xxxxZt3HB.5xxxx
!
!
ip ssh version 2
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 2XX.XX.XX.XX 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.172
description “vlan for 172 network”
encapsulation dot1Q 172
ip address 172.168.1.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.192
description “vlan for 192 network”
encapsulation dot1Q 192
ip address 192.168.1.252 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 2XX.XX.XX.XX 3
ip route 0.0.0.0 0.0.0.0 192.168.1.254 4
ip route 0.0.0.0 0.0.0.0 192.168.1.1 5
ip route 192.168.2.0 255.255.255.0 192.168.1.254
ip route 192.168.5.0 255.255.255.0 192.168.1.254
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 172.168.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 720 0
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
Good console setting
! ip access-list standard VTY_ACL permit x.x.x.x log permit 123.123.123.123 log permit 192.168.1.0 0.0.0.255 log permit 10.123.0.0 0.0.255.255 log permit 11X.X.X.X 0.0.0.31 log ! line con 0 login local stopbits 1 line aux 0 stopbits 1 line vty 0 4 access-class VTY_ACL in exec-timeout 5 0 login local transport input ssh line vty 5 15 access-class VTY_ACL in exec-timeout 5 0 login local transport input ssh !
Port forwarding
ip nat inside source static tcp 192.168.x.x 22 interface gi0/0 22 ip nat inside source static tcp 192.168.x.x 3389 interface gi0/0 3389
Port forwarding with security
ip nat inside source static tcp 192.168.x.x 3389 interface WAN0/0 3389 ip nat inside source static udp 192.168.x.x 3389 interface WAN0/0 3389
R# conf t R(config)# ip access-list extended OUTSIDE_IN R(config-ext-nacl)# permit tcp any any established R(config-ext-nacl)# permit icmp any any R(config-ext-nacl)# permit ospf any any R(config-ext-nacl)# permit udp host 8.8.8.8 any R(config-ext-nacl)# permit udp host 8.8.4.4 any # range /27 R(config-ext-nacl)# permit ip 116.xx.xx.xx 0.0.0.31 any # range /28 R(config-ext-nacl)# permit ip 111.xx.xx.xx 0.0.0.15 any # single host R(config-ext-nacl)# permit ip host PUBLIC.CLIENT.IP any R(config-ext-nacl)# permit tcp host PUBLIC.CLIENT.IP any eq 3389
R(config)# interface WAN0/0 R(config-if)# ip access-group OUTSIDE_IN in R(config-if)# exit
Port forwarding with two ISPs
ip nat inside source static 192.168.1.1 111.111.111.111 extendable
ip nat inside source static 192.168.1.1 222.222.222.222 extendable