Despite being all but EOL the Cisco 1800 line has some extremely versatile little devices with a good price point, which explains why you’ll see a fair number of them still kicking around. Sure they don’t have all the bells and whistle of some other manufactures, but the Cisco 1800 (and now 1900) stays true to the ‘simple is reliable’ credo. Before you ask, ‘Why bother discussing an old piece of hardware?’ Don’t worry it gets worse, we’re also covering IOS 12.4. Truthfully there’s a million reasons why a firewall “can’t” be upgraded and if it provides the functionality you require then why change it. This is not a from-scratch walk through for setting up an 1800, instead an overview of syntax to implement NAT’d traffic through this device.
Firstly we’ll define the outside interface. Aside from the usual fare we also define the NAT object used for traffic traversing this interface, as well as something called virtual-reassembly. Now IOS adds this line automatically when you attach a NAT statement to an interface. As per Cisco’s documentation it goes something like this:
A buffer overflow attack can take the form of a large number of incomplete IP fragments being send to a host. As part of its job, the firewall takes time and resources to fruitlessly reassemble these bogus fragments to determine whether the traffic should be permitted or dropped. Virtual Reassembly is design to create a timeout defining how long the firewall will work on reassembling a IP datagram. If the all the IP fragments are not received within the time frame, the firewall will simply drop the datagram and associated fragments. For those interested, the docs can be found here.
interface FastEthernet0 ip address 10.10.0.2 255.255.255.0 ip nat outside ip virtual-reassembly duplex auto speed auto
With the outside interface defined, we create two Vlans to carry our internal traffic. We’ll define Vlans 10 and 20 and also assign a NAT. Once again you’ll see the virtual-reassembly rule.
interface Vlan10 ip address 172.16.0.1 255.255.255.0 ip nat inside ip virtual-reassembly interface Vlan20 ip address 172.17.0.1 255.255.255.0 ip nat inside ip virtual-reassembly
Using the newly created Vlans we assign them each to a FastEthernet port.
interface FastEthernet1 switchport access vlan 10 ! interface FastEthernet2 switchport access vlan 20
Next we need to define the NAT we referenced on our interfaces, which warrants a bit of an explanation.
We first need to create a NAT pool which requires a NAT name, start address, end address as well as the netmask. For our example we’ll call our NAT pool simply natpool. Being that we want to NAT traffic outside our exsting external address and not use another, we use our outside interface’s IP address for both the start and end addresses.
Secondly we need to define the traffic that will use the NAT pool. To do so, we specify that traffic on the inside interface, matching access-list 10 should be overloaded with the addressing of the nat pool. Overloading simply means that all devices permitted by our ACL will use the same outside address.
ip nat pool natpool 10.10.0.2 10.10.0.2 netmask 255.255.255.0 ip nat inside source list 10 pool natpool overload
We next need to create the ACL referenced in the NAT. For this we allow all traffic from our two Vlan subnets.
access-list 10 permit 172.16.0.0 0.0.0.255 access-list 10 permit 172.17.0.0 0.0.0.255
Last, but not least we create a default route to send traffic out the outside interface.
ip route 0.0.0.0 0.0.0.0 10.10.0.1
That’s it, the Cisco 1800 will NAT traffic from our internal to the external network.