John,

Here is a basic example of NAT with overload using just two interfaces and one public IP address. This is a home setup for cable on a 2514:

interface Ethernet0
 description Cable Modem
 ip address dhcp
 ip access-group 199 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
interface Ethernet1
 description private inside network
 ip address 192.168.1.1 255.255.255.0
 ip broadcast-address 68.48.210.x
 ip nat inside
 no ip route-cache
 no ip mroute-cache
 no cdp enable
!
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0 overload

A good start for an access list for perimeter protection would be to prevent spoofing, which is to prevent any access through your public interface by a spoofed private address range. An example is:

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 199 deny ip host 0.0.0.0 any log
access-list 199 deny ip any host 0.0.0.0 log
access-list 199 deny ip host 10.1.1.1 any log
access-list 199 deny ip 127.0.0.0 0.255.255.255 any log
access-list 199 deny ip 169.254.0.0 0.0.255.255 any log
access-list 199 deny ip 172.16.0.0 0.15.255.255 any log
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 199 deny ip any 255.255.255.0 0.0.0.255 log
access-list 199 permit ip any any

Also, to forward ftp or web traffic to a certain private address you would use a forward list, something like this:

ip nat inside source static tcp 192.168.1.4 80 interface Ethernet0 80

There is a bunch of other stuff you can do with access lists to permit or deny certain types of traffic. If you want more examples please let me know.

HTH
Randy

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=53130&t=53042
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
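As an added example (not part of Randy's post), the following Python script parses the ACL 199 entries from the post using IOS wildcard-mask semantics and evaluates constructed sample packets against them, so you can verify offline which sources the inbound filter on Ethernet0 actually catches before applying it. The sample source and destination addresses are made up for the test; only plain `ip` entries with `any`, `host` or address/wildcard specs are modelled.

```python
import ipaddress

# ACL 199 as written in the post: anti-spoofing filter applied inbound on Ethernet0.
ACL_199 = """
access-list 199 deny ip host 0.0.0.0 any log
access-list 199 deny ip any host 0.0.0.0 log
access-list 199 deny ip host 10.1.1.1 any log
access-list 199 deny ip 127.0.0.0 0.255.255.255 any log
access-list 199 deny ip 169.254.0.0 0.0.255.255 any log
access-list 199 deny ip 172.16.0.0 0.15.255.255 any log
access-list 199 deny ip 192.168.0.0 0.0.255.255 any log
access-list 199 deny ip 224.0.0.0 31.255.255.255 224.0.0.0 31.255.255.255 log
access-list 199 deny ip any 255.255.255.0 0.0.0.255 log
access-list 199 permit ip any any
"""

def _parse_addr(tokens, i):
    """Consume one address spec (any | host A | A W) at tokens[i]; return ((base, wildcard), next_i)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1]))), i + 2

def parse_acl(text):
    """Return a list of (action, src_spec, dst_spec, original_line) for 'access-list N permit|deny ip ...' lines."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # other protocols (tcp/udp/icmp) are not modelled here
        src, i = _parse_addr(t, 4)
        dst, i = _parse_addr(t, i)  # trailing 'log' keyword is ignored
        entries.append((t[2], src, dst, line))
    return entries

def _match(spec, addr):
    """IOS wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is a don't-care."""
    base, wild = spec
    mask = ~wild & 0xFFFFFFFF
    return (addr & mask) == (base & mask)

def evaluate(entries, src, dst):
    """First-match evaluation with the implicit deny at the end of every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, sspec, dspec, line in entries:
        if _match(sspec, s) and _match(dspec, d):
            return action, line
    return "deny", "implicit deny"

if __name__ == "__main__":
    acl = parse_acl(ACL_199)
    for src, dst in [("192.168.7.7", "68.48.210.5"), ("8.8.8.8", "68.48.210.5"), ("10.2.2.2", "68.48.210.5")]:
        print(src, "->", dst, evaluate(acl, src, dst))
```

Running it shows that a packet arriving on the outside interface with a 192.168.x.x source is dropped by the seventh entry, while the `host 10.1.1.1` entry only catches that single address, so 10.2.2.2 falls through to the final `permit ip any any`.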

