Windows Remote VPN no DNS

VPN no DNS KB ID 0001402

Problem

I’ve been setting up a VPN solution on the test bench as I’m looking at Always On VPN. When I noticed that I had a problem with my remote VPN connections on Windows. They would connect fine but I could not resolve any FQDNs for my domain?

VPN no DNS Solution

By default, all (Windows) VPN connections are ‘Force Tunnel’ (this means they have the option ‘Use default gateway on remote network’ selected). This also means that, (unless your RAS server is the default Gateway for your network,) you usually don’t have internet access when connected to the VPN. 

Now I connected fine, and I could ping IP addresses on my corporate network, but I could not ping my servers by their domain name, in fact Windows was trying to resolve my domain name to a public IP?

Google this problem and you’re simply told to ‘Disable IPv6 on your network card, and this works, (if you want to keep your remote users Force-Tunnelled). But disabling IPv6 is hardly a fix is it?

Also If you want internet access for your remote clients, (Commonly referred to as ‘Split Tunnel’), then even with IPv6 disabled, the problem comes back!

Why is this happening? Well even with Force Tunnel enabled, you can still use your local LAN (Connect to your VPN, and ping your home gateway, or printer or wireless access point if you don’t believe me!) This connection takes precedence over your remote VPN connection, to prove it run a netstat -rn command. 

From the above you can see my Ethernet Adaptor has a metric of 6, and my VPN connector, (in this case called Connection Template) has metric of 23. AND THE LOWEST ONE WINS, so your DNS queries are going out of your local internet connection NOT down the VPN tunnel!

How Do I Fix this VPN no DNS?

Well until Microsoft fixes this in Windows 10, (it’s fine on Windows 8 and earlier), you have to manipulate the metrics yourself, like so;

VPN no DNS On Your Physical Adapter;

Start > ncpa.cpl {enter}  > Right click your NIC > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 20 > OK > OK >OK.

On Your VPN Connector;

Start > ncpa.cpl {enter}  > Right click your VPN Connector > Properties > Internet Protocol Version 4 > Properties.

Advanced > Untick ‘Automatic Metric’ > Set the Interface Metric to 10 > OK > OK >OK. 

Now your DNS look-ups should behave!

Related Articles, References, Credits, or External Links

NA

Cisco ASA Static (One to One) NAT Translation

KB ID 0000691

Problem

Note: This is for Cisco ASA 5500, 5500-x, and Cisco Firepower devices running ASA Code.

If you have a spare/available public IP address you can statically map that IP address to one of your network hosts, (i.e. for a mail server, or a web server, that needs public access).

This is commonly referred to as a ‘Static NAT’, or a ‘One to One translation’. Where all traffic destined for public address A, is sent to private address X.

Note: This solution is for firewalls running versions above version 8.3. If you are unsure what version you are running use the following article.

Find out your Cisco ASA version (Operating system and ASDM)

If you only have one public IP address you would need to carry out port forwarding instead.

Cisco ASA 5500 (and PIX) Port Forwarding

Solution

In the following example I will statically NAT a public IP address of 81.81.81.82 to a private IP address behind the ASA of 172.16.254.1. Finally I will allow traffic to it, (in this example I will allow TCP Port 80 HTTP/WWW traffic as if this is a web server).

Create a Static NAT and allow web traffic via ASDM

Note for the command line alternative see below.

1. Connect to the ADSM.

2. Configuration > Firewall > NAT Rules > Add > Add “Network Object” NAT Rule.

3. Give the ‘object’ a name (I usually prefix them with obj-{name}) > It’s a Host > Type in it’s PRIVATE IP address > Tick the NAT section (press the drop-down if its hidden) > Static > Enter it’s PUBLIC IP address > Advanced > Source = Inside > Destination > Outside > Protocol TCP. Note: You could set this to IP, but I’m going to allow HTTP with an ACL in a minute, so leave it on TCP > OK > OK > Apply.

4. Now navigate to Firewall > Access Rule > Add > Add Access Rule.

5. Interface = outside > Permit > Source = any > Destination = PRIVATE IP of the host > Service > Press the ‘more’ button > Locate TCP/HTTP > OK > OK > Apply.

6. Then save your work with a File > Save Running Configuration to Flash.

Create a Static NAT and allow web traffic via Command Line

1. Connect to the ASA via Command Line.

2. Log In > Go to enable mode > Go to configure terminal mode.

[box]

User Access Verification

Password:*******
 
Type help or '?' for a list of available commands.
 PetesASA> enable
 Password: *******
 PetesASA# conf t
 PetesASA(config)
[/box]

3. First I’m going to allow the traffic to the host (Note: after version 8.3 we allow traffic to the private (per-translated IP address). This assumes you don’t have an inbound access list if you are unsure execute a “show run access-group” and if you have one applied substitute that name for the word ‘inbound’.

Warning before carrying out applying the ‘access-group’ command, see the following article;

Cisco ASA – ‘access-group’ Warning

[box]

PetesASA(config)# access-list inbound permit tcp any host 172.16.254.1
PetesASA(config)# access-group inbound in interface outside[/box]

4. Then to create the static translation.

[box]

PetesASA(config)# object network obj-172.16.254.1 
PetesASA(config-network-object)# host 172.16.254.1 
PetesASA(config-network-object)# nat (inside,outside) static 81.81.81.82 
PetesASA(config-network-object)# exit 
PetesASA(config)#
[/box]

5. Then save the changes.

[box]
PetesASA(config)# wr mem 

Building configuration... 
Cryptochecksum: 89faae4b 7480baa4 bf634e87 470d2d30 
6224 bytes copied in 1.10 secs (6224 bytes/sec) 
[OK]
[/box]

Static NAT Commands to Copy & Paste

[box]

access-list inbound permit tcp any host 172.16.254.1
access-group inbound in interface outside
object network obj-172.16.254.1
 host 172.16.254.1
 nat (inside,outside) static 81.81.81.82
[/box]

Note: Check and change the values in bold as appropriate

Related Articles, References, Credits, or External Links

NA

Cisco ASA – DNS Doctoring

KB ID 0001113

Problem

Cisco DNS doctoring is a process that intercepts a DNS response packet as it comes back into the network, and changes the IP address in the response.

Why Would you want to do this? Well lets say you have a web server on your network, and its public IP is 111.111.111.111, and on your LAN its internal IP address is 192.168.1.100, its public DNS name, (or URL) is www.yoursite.com. When a user types www.yoursite.com into their browser, DNS will respond with the public IP of 111.111.111.111, and not the IP address thats on your LAN (192.168.1.100). The client can’t send the traffic out of the firewall, ‘hairpin’ it though 180 degrees and send the traffic back in again. So it fails. What DNS does is look for DNS response packets that have 111.111.111.111 in them and dynamically changes the ip in the packet to 192.168.1.100.

Are there any prerequisites? Only that the DNS server sending the response sends it response though the ASA, i.e. if you have your own DNS server onsite that serves the request (without a forward lookup or a root hint). then the DNS response does not go though the ASA so it can’t doctor it. This happens if you public website and your internal domain have the same name, or if your DNS server is authoritative for a domain with an IP address outside your network. To solve that problem your best bet is to setup ‘Split DNS’

Windows Setting up Split DNS

How to Setup DNS Doctoring

If you read the preamble you know that the DNS response needs to go though the firewall, and the public IP that gets resolved needs to be on your network. This can be either a host on your network with a public IP, or a host in your DMZ that has a public IP (both examples are shown below).

It takes longer to explain what DNS doctoring is, than it does to actually set it up. Essentially you simply add the ‘dns’ keyword to the end of the static nat statement for the internal host to its public address.

Option 1 – DNS Doctoring for a host on your LAN

This is simply a one-to-one static nat with the dns keyword added onto it, so using the example above (on the left), lets take a look at our NATs.

[box]

Petes-ASA# show run nat
!
object network obj_any
 nat (inside,outside) dynamic interface
object network Obj-Static-128.65.98.44
 nat (inside,outside) static 128.65.98.44

[/box]

You may have a lot more output, but this tells me theres a dynamic NAT for all network traffic (PAT everything to the outside interface dynamically). And a static translation for your internal host, that’s the one we need to add the dns keyword to.

[box]

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Static-128.65.98.44
Petes-ASA(config-network-object)# nat (inside,outside) static 128.65.98.44 dns
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# write mem
Building configuration...
Cryptochecksum: de650019 1f1583f7 70121512 e1d093e8 

15724 bytes copied in 3.430 secs (5241 bytes/sec)
[OK]
Petes-ASA(config)# 

[/box]

How Do I Set Up DNS Doctoring In The ASDM?

Testing DNS Doctoring

Heres an example of what happened before we setup DNS doctoring, (or where DNS doctoring is not working).

And once its been configured do the same and note the difference;

Option 2 – Host in the DMZ

The process is identical to above only the NAT stamens is different, i.e.

Note: I’m assuming the object host already exists, if NOT then add the line in BLUE.

[box]

Petes-ASA# configure terminal 
Petes-ASA(config)# object network Obj-Static-128.65.98.44
Petes-ASA(config)# host 172.16.1.1
Petes-ASA(config-network-object)# nat (DMZ,outside) static 128.65.98.44 dns

[/box]

Option 3 – Split DNS

Windows – Setting Up Split DNS

Related Articles, References, Credits, or External Links

Original Article Written 09/12/15

Hyper-V Creating a NAT Network and vSwitch

KB ID 0001384

Problem

I’m without access to all my test equipment at the moment, so when I needed to do some testing, I thought I’d use Hyper-V on my new work laptop. I needed to ‘knock up’ a quick vSwitch that would NAT my test machines, to my laptops connected NIC.

Solution

Open an administrative PowerShell window, and execute the following three commands. Note: You can change the values in RED to suit your own requirements, or leave them as they are to copy my network setup.

[box]

New-VMSwitch -SwitchName "NAT-Switch" -SwitchType Internal

New-NetIPAddress -IPAddress 192.168.200.1 -PrefixLength 24 -InterfaceAlias "vEthernet (NAT-Switch)"

New-NetNAT -Name "NAT-Network" -InternalIPInterfaceAddressPrefix 192.168.200.0/24

[/box]

As far as Hyper-V is concerned that’s it! Now simply connect your virtual machines to the new switch.

Remember you have a NAT switch, it’s not doing DHCP, you will need to assign your virtual machines static IP addresses, though you can of course configure a DHCP server on one of your virtual machines.

 

Related Articles, References, Credits, or External Links

NA

Assign Public IP Address (No NAT) on a Thompson Speedtouch ST510

Bridged Mode – Thompson Speedtouch ST510

KB ID 0000210 

Problem

You have a device either a PC, or In my case a Cisco firewall you want to have the public IP address assigned by your ISP, rather than the translated private IP address given out by the speedtouch router/modem.

Solution

1. Once you have your Speedtouch up and running, connect your devices to the back of it (it only has one internal Ethernet port so you may need to plug in a switch to get your laptop/PC, and the item in question on – though you can plug them in one at a time if your pushed). Select “Home Network” > “Devices” > all being well you should see the device you are after on the list > Select it.

2. Here’s my firewall listed, currently with a private IP address via DHCP (192.168.1.65 in this case). At the bottom select “Assign the public IP address of a connection to a device.”

3. At present nothing is set you need to click “Edit”.

4. Change the drop down section so that your device is listed and > Apply.

5. Now you should see it listed, if you mistakenly assigned it to the wrong device you can click “Unassign”.

6. Note on the device you will need to reboot or refresh the IP address before it will get the public IP address.

Firewall Notice

If you are deploying a firewall behind this router – you might find that your VPN’s work but your port forwarding and remote management does not. You will need to disable the Speedtouch’s internal firewall. Select Firewall > Configure > Select “Disabled” > Apply.

Related Articles, References, Credits, or External Links

NA

ZyXEL – Router Setup (Public IP Range)

KB ID 0000331 

Problem

You have a ZyXEL router (In my case a P-600R-D1) and you want to put a device behind it with a public IP.

Note: I’m assuming you have agreed with your ISP that you will receive a range of public IP addresses. With some ASDL packages the first IP in the range usually gets allocated to the router, confirm this with your ISP.

BT Business Broadband Note: If you are a BT Business customer, your setup will be slightly different, I’ll point that out as we go along.

Solution

1. Connect up to the router, and you should get an IP address from it, open your web browser and proceed to http://192.168.1.1 the default password is “1234”

2. You will be prompted to change the default password, do so, then select the option to go to ‘Advanced Setup’.

3. Expand Network > WAN > Enter the ADSL details provided by your ISP (i.e. ADSL username and ADSL password). If you are having a static IP on the outside of the router you can also set that here.

Note: If you have only been given TWO IP addresses you may need to set BOTH the WAN and LAN IP address to the SAME IP (and disable NAT).

BT Business Broadband Note: Even if you have been allocated a range of public IP addresses, you LEAVE the routers outside IP address option set to, ‘Obtain an IP address automatically’

4. Disable NAT ONLY IF YOU ARE SETTING THE LAN AND WAN TO THE SAME IP: Select NAT > General > Un-tick “Active Network Address Translation (NAT)” > Apply.

4. Disable DHCP: Select LAN > DHCP Setup > Change DHCP to “None” > Apply.

5. Set the inside IP: Set this to the IP address allocated to your Router – (Note: this may be the SAME as the address allocated to the outside IP, don’t panic it will not conflict (NAT is disabled).

BT Business Broadband Note: This is typically the highest IP address in the range, BT have given you.

6. You can now connect your internal device/firewall (Note: You may need to reboot the device AND the router as the MAC address may have changed if you have been testing from your laptop/PC.) Or simply allocate another public IP address to device, then make its default route, (or default gateway) the IP address you set on the LAN port of the ZyXEL, (in our example above 123.123.123.124).

Factory Reset ZyXEL Router

If things break and you want to reset the router,

1. Power off the router.

2. Depress the reset button on the rear of the router.

3. Power on the device until the ethernet light, flashes amber.

4. Now DHCP will be turned on and the router will use 192.168.1.1 internally and the default password will be reset to 1234.

Related Articles, References, Credits, or External Links

ZyXEL Firmware downloads (Look under DSL Technology)

Original Article Written 28/09/10

BT Business ADSL – Configure a 2Wire Router to Allocate a Static (Public) IP Address

KB ID 0000760 

Problem

I know BT are now shipping the BT Business Hub, to their business ADSL clients, but there’s still a few 2Wire routers out there in the wild. Essentially if you have a range of public IP addresses, this is how to allocate one of the public IP addresses to one of your devices. In my case its a Cisco ASA firewall that I need to have a public IP.

Solution

Firstly I’m going to assume the router is working and connected to the internet, if there’s a problem and you need to reset it you will need the following pieces of information.

1. The BT ADSL Username and password.

2. The public IP address range allocated to you by BT (and the IP allocated to the router).

Note: Plug your device into the router before you start, and set it to get its address via DHCP.

1. Connect to the web interface of the 2Wire router (normally http://192.168.1.254) > Settings > Broadband > Link Configuration > Scroll down the page.

2. Locate the ‘Add additional network’ section > Add in the IP address that BT have told you to allocate to the router, the subnet mask will be provided by BT also, but you can work it out with my subnet calculator if you don’t know > Save >Enter the router password if prompted.

Note: By default the password will be the Serial Number of the router, (on the white sticker). If you have forgotten you can reset it.

3. Select the LAN tab > NAT & Address Allocation > Locate your device > Set the firewall to disabled > Address Assignment = Public (Select WAN IP Mapping) > WAN IP Mapping = Public Fixed {The IP address you want to assign} > Save > Enter the password if prompted.

4. This relies on the router providing DHCP, which it will do by default, though you can check on the Private Network tab.

5. Finally either reboot the device you are assigning the IP address to, (or ‘reload’ if it’s a Cisco ASA).

Related Articles, References, Credits, or External Links

NA

BT Business Hub 3 – And Cisco ASA 5500

KB ID 0000762 

Problem

Warning: If your ASA is running version 8.3(4) or above you are going to have problems assigning public IP addresses from your allocated BT Range (jump to the bottom of the article for a resolution).

You have a pool of public IP addresses and you wish to allocate one of these IP addresses to your Cisco ASA Firewall. Note: This is for customers using BOTH ADSL and BT Infinity

Solution

For this procedure I was running an ASA5505 (Unlimited) with version 8.4(5). You will need to know the public IP address range allocated to you by BT (and the IP allocated to the router/hub).

Allocating a Public IP address to an Internal Client with the BT Business Hub

1. Log into the router, (the password initially is on the pull out plastic tab on top of the router). Set the IP to the one allocated to the router by BT (from the IP range they have given you). Note: The router actually gets a different IP address externally, this is normal, don’t panic.

2. Apply > Wait for the changes to apply.

3. Under business Network > Devices> You should see your device listed > Select it.

4. Assign the public IP as shown, you need to select the two radio buttons before the drop-down list of IP addresses will work > Apply.

5. Note: additionally if you are installing a firewall you might want to disable the Business Hubs internal firewall. Settings >Port Forwarding > Firewall > “Allow all traffic…” > Apply.

Problem with Cisco ASA (Now Resolved: See below)

My firewall (after a reload) picked up the correct IP address, but was unable to connect to the internet. My laptop (also connected to the BT Business Hub) connected fine to the internet (both with an allocated public address, and using the public address of the router). The ASA could not get out at all, nor could it ping the IP address of the Business Hub. The ASA showed as disconnected for a while, then disappeared from the ‘Devices’ tab, even though it continued to get the correct IP address leased to it from the Business Hub, this persisted after a reload of the firewall – so the hub COULD see it. I tried giving the ASA the correct IP address statically, I also locked the speed and duplex of the ethernet interface (in case it was simply an auto-negotiation error), this did not resolve the problem. BT told me they had no record of anyone having the same problem, but that they would take a note in case it came up again. Luckily the client had his old 2Wire router as soon as I plugged that in everything worked fine.  

 

Update 210414 (and resolution)

Got an email from Nate Morris this week who had been working on this very problem, while debugging the ARP traffic he saw;

[box]

arp-in: request at external from 192.168.1.254 c0ac.54e4.d8d8 for 123.123.123.123 
0000.0000.0000 arp-in: Arp packet received from 192.168.1.254 which is in different subnet 
than the connected interface 123.123.123.123/255.255.255.248 

[/box]

This pointed to a known problem with Cisco ASA introduced in version 8.3(4). Cisco identified this as bug CSCty95468 (Cisco CCO Login required to view). To resolve this problem you need to allow the ASA to populate its ARP table from a non connected subnet. To do this you need to issue an arp permit-nonconnected command.

[box]

User Access Verification Password: 
Type help or '?' for a list of available commands. 
Petes-ASA> enable 
Password: ******** 
Petes-ASA# configure terminal 
Petes-ASA(config)# arp permit-nonconnected 
Petes-ASA(config)# exit 
Petes-ASA# write mem 
Building configuration... Cryptochecksum: 28790e0e 91da681e 7cf92e8a 85efb7ea 9449 bytes copied in 1.310 secs (9449 bytes/sec) [OK] 
Petes-ASA# 

[/box]

Update 260213

Got an Email from Andrew Joubert, to say that he had the same problem, and he was using the BT business hub via BT Infinity not ADSL.

Related Articles, References, Credits, or External Links

Original Article Written 26/02/13

Credit to: Nate Morris, for finding the resolution to the original problem.

Special thanks to Steve at BT, who rang me back on my mobile so I didn’t have wait in a queue, and then followed up afterwards to see what the outcome was, if I knew his surname I would publish it! He did a grand job, and does not get paid enough!

Also thanks to Chris at BT who pitched in and did as much as he could.

Juniper (JUNOS) SRX – Static ‘One-to-One’ NAT

KB ID 0000995 

Problem

Setting up ‘Static NAT’ is the process of taking one of your ‘spare’ public IP addresses, and permanently mapping that public IP to a private IP address on your network.

In the example above I want to give my web sever which has an internal IP address of 192.168.1.10/24, the public IP address of 1.1.1.5/24. So if someone out on the Internet wants to view my website, they can browse to http://1.1.1.5 (or a URL that I’ve pointed to 1.1.1.5 like http://www.mywebsite.com). Then that traffic will be NATTED, on the firewall for me.

Solution

1. Create a rule-set from the ‘untrust’ zone. Then add a rule to that rule-set, that has a destination of 1.1.1.5/32, and finally set it to NAT that traffic to 192.168.1.10/32.

[box]login: root
Password: *******

— JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST from zone untrust

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 match destination-address 1.1.1.5/32

[edit]
root@FW-02# set security nat static rule-set UNTRUST-TO-TRUST rule NAT-RULE-1 then static-nat prefix 192.168.1.10/32

[/box]

2. Set the firewall to proxy-arp (advertise your pubic IP address with is MAC address), then add the web server to the global address book.

Note: ge-0/0/0.0 is the physical address you are advertising the new IP address from, on firewalls in a failover cluster you would use the Reth address i.e. reth0.0

[box] [edit]
root@FW-02# set security nat proxy-arp interface ge-0/0/0.0 address 1.1.1.5/32

[edit]
root@FW-02# set security address-book global address WEB-SERVER 192.168.1.10/32

[/box]

3. Allow traffic OUT from the web server. Here I’m letting out all ports, if you wanted just web traffic then use the keyword junos-http (TCP Port 80 (http)).

[box]

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match source-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match destination-address any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT match application any

[edit]
root@FW-02# set security policies from-zone trust to-zone untrust policy WEB-SERVER-OUT then permit

[/box]

4. Then allow traffic IN to the web server, (here I’m locking it down to just http).

[box] [edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match source-address any

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match destination-address WEB-SERVER

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN match application junos-http

[edit]
root@FW-02# set security policies from-zone untrust to-zone trust policy WEB-SERVER-IN then permit

[/box]

5. Save the changes.

[box][edit]
root@FW-02# commit
commit complete[/box]

Juniper Allowing Traffic To Custom Ports And Applications

1. Although Juniper have a lot of built in ‘applications’ you can allow, what if you want to create your own? Below I’ll create a custom application for Remote Desktop Protocol (TCP port 3389).

[box] [edit]
root@FW-A# set applications application APP-RDP protocol tcp

[edit]
root@FW-A# set applications application APP-RDP destination-port 3389

[/box]

2. You could now use this application in your security policies e.g.

[box] [edit]
root@FW-A#set security policies from-zone untrust to-zone trust policy TERMINAL-SERVER-IN match application APP-RDP[/box]

 

Related Articles, References, Credits, or External Links

NA

 

Cisco Router – Configure NAT (NAT Overload)

KB ID 0000971 

Problem

NAT is the process of taking one or more IP adresses and tranlsating it/them into differnet IP addreses. You may require your router to translate all your internal IP addresses to your public (ISP allocated) IP address. To do that we use a process called NAT Overload.

Solution

1. Connect to the router, and got to enable mode, then global configuration mode.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#

[/box]

2. Setup the WAN (outside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/0
PetesRouter(config-if)#ip address 123.123.123.123 255.255.255.0
PetesRouter(config-if)#ip nat outside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

3. Setup the LAN (inside facing) interface.

[box]

PetesRouter(config)#interface GigabitEthernet0/1
PetesRouter(config-if)#ip address 192.168.1.1 255.255.255.0
PetesRouter(config-if)#ip nat inside
PetesRouter(config-if)#no shutdown
PetesRouter(config-if)#exit

[/box]

4. You will need a ‘default route’ which will be the routers ‘next hop’ towards the internet.

[box]

PetesRouter(config)#ip route 0.0.0.0 0.0.0.0 123.123.123.2

[/box]

5. Create an ACL that wil match any trafic coming from inside (remember permit means match).

[box]

PetesRouter(config)#access-list 100 remark NAT-ACL
PetesRouter(config)#access-list 100 permit ip 192.168.1.0 0.0.0.255 any

[/box]

6. Then tie it all together with the following command;

[box]

PetesRouter(config)#ip nat inside source list 100 interface GigabitEthernet 0/0 overload

[/box]

7. Save the changes.

[box]

PetesRouter(config)#exit
PetesRouter#write mem
Building configuration...
[OK]
PetesRouter#

[/box]

 

Related Articles, References, Credits, or External Links

NA