! Listing 8.12: Backup router configuration using NAT
!
! Copyright (C) 2001 by Vincent C Jones. All Rights Reserved.
version 11.2
!
hostname BackupRouter
!
username ServiceProvider password sharedsecret
!
interface Ethernet0/0
 description Backup Data Center LAN
 ip address 10.200.40.1 255.255.255.0
 ip access-group 103 in
 ip nat inside
!
interface BRI0
 no ip address
 encapsulation ppp
 isdn spid1 21255512120101
 isdn spid2 21255512130101
 dialer pool-member 11
 ppp authentication chap
!
interface Dialer1
 description Dial Out to Service Provider
 ip address 192.168.0.5 255.255.255.252
 ip access-group 101 in
 ip access-group 102 out
 ip nat outside
 encapsulation ppp
 dialer remote-name ServiceProvider
 dialer string 19735551212
 dialer hold-queue 10
 dialer pool 11
 dialer-group 1
 ppp authentication chap
!
router ospf 123
 redistribute static metric 100 metric-type 2 subnets
 network 10.200.40.0 0.0.0.255 area 1
!
ip nat pool creditcard 10.230.0.2 10.230.255.254 netmask 255.255.0.0
ip nat inside source static 10.200.20.55 10.230.0.1
ip nat inside source list 99 pool creditcard
ip route 172.17.30.55 255.255.255.255 192.168.0.6 200
!
! Define addresses to be dynamically NATed
! The wildcard masks are non-contiguous: the third octet is ignored, so the
! three entries together match hosts .30 through .49 on every 10.220.x.0 subnet
access-list 99 permit 10.220.0.30 0.0.255.1
access-list 99 permit 10.220.0.32 0.0.255.15
access-list 99 permit 10.220.0.48 0.0.255.1
access-list 99 deny any
! Define traffic permitted back from the service bureau
access-list 101 permit tcp host 172.17.30.55 eq 3306 10.230.0.0 0.0.255.255 established
access-list 101 permit icmp host 172.17.30.55 host 10.230.0.1
access-list 101 permit icmp 192.168.0.0 0.0.0.3 host 10.230.0.1
access-list 101 deny ip any any log
! Define traffic permitted out to the service bureau
access-list 102 permit icmp host 10.230.0.1 host 172.17.30.55
access-list 102 permit udp host 10.230.0.1 host 172.17.30.55
access-list 102 deny ip host 10.230.0.1 any log
access-list 102 permit tcp 10.230.0.0 0.0.255.255 host 172.17.30.55 eq 3306
access-list 102 deny ip any any log
! Prevent spoofing of NATed addresses
access-list 103 deny ip 10.230.0.0 0.0.255.255 any log
access-list 103 permit ip any any
!
dialer-list 1 protocol ip permit
!
end