12-09-2011 03:48 AM
Hi,
I have a problem setting up port forwarding on the VPN between two Cisco 527w.
Scenario where a Site to Site VPN tunnel has been established between Site A and Site B; a Printer behind Site B needs to be accessed by using the WAN IP address of Site A.
As the picture above:
- From site A, I am able to ping the printer and access the printer locally and via 120.146.x.x with port forwarding set up on site A to the printer.
- From site B, I am able to ping the site A gateway but not able to access the printer via 120.146.x.x. The printer can be accessed via 129.203.x.x if port forwarding is set up on site B to the printer.
Does Cisco SRP 527w support port forwarding over site to site VPN from site A to printer on site B?
Is there any suggestion or other solution for this scenario?
Some help would be highly appreciated.
Regards,
Thai
12-17-2011 05:37 AM
From the Diagnostics -> Ping test: I am not able to ping the LAN subnet of the remote site.
Static routes have also been added on the site A router as follows:
Destination subnet: 192.168.2.0
Subnet Mask: 255.255.255.0
Gateway: WAN address of site A
Interface: PVC0
It is still not working!
Is there any help please?
12-19-2011 01:29 AM
Hello Thai,
Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.
Basically the only thing you would need to be able to print from one side to the other is the VPN tunnel, no forwarding is needed. Let's say you want to print from Site A to a printer installed on Site B.
You just configure the VPN site-to-site connection on both sites with the correct subnets. Afterwards, on site A, you just add the printer with the TCP IP Port of the IP address it has on site B.
If you can ping the printer to the tunnel, you can print to it, unless you set up some security policies in your network to prevent that from happening.
Hope this helps. If you need any assistance with the configuration, please do not hesitate to contact your local Small Business Support Center. We will be happy to assist you!
Best regards,
Nico Muselle
Sr. Network Engineer - CCNA - CCNA Security
12-19-2011 01:52 AM
Hi Nico,
Thank you for your assistance!
The IPsec is actually working and I can print locally from Site A to the printer at Site B.
But in my case, if I am on the Internet and would like to print to the printer over the WAN IP address of site A (as it is a static IP), is this possible?
I am sorry for not making it clear at the beginning and asking the wrong question.
Hopefully this screenshot makes it clearer: I would like to access the server in Site A over the WAN IP address of site B. The IPsec tunnel has been established.
12-19-2011 02:01 AM
Hello Thai,
I'm afraid this is not supported by the SRP527W (product limitation). A workaround however could be to connect through PPTP or SSL VPN to site A to be able to print to the local printer there.
Does that solution work for you?
Best regards,
Nico Muselle
Sr. Network Engineer - CCNA - CCNA Security
12-19-2011 03:43 AM
Hi Nico,
Would you please advise how to configure PPTP between 2 SRPs? Are there any documents or instructions you can provide?
In case the SRP527w does not support it, would you please advise which other devices support that function and how to configure it?
Many Thanks,
Thai
12-19-2011 03:51 AM
Hello Thai,
The PPTP is not set up between the 2 SRP527s, but between your PC and the SRP527 hosting the network that has the printer. You just need to enable it on the router and create a user (PPTP instead of QuickVPN). Then with the built-in PPTP client on your PC or Mac you can establish the connection and be able to print to your printer within the network.
Best regards,
Nico Muselle
Sr. Network Engineer - CCNA - CCNA Security
12-19-2011 04:22 AM
Hi Nico,
Thank you for your help, but it actually does not solve my problem yet.
The real problem behind the scenes is that we need to print from the application to that printer. That application only works on the other private network (which we do not have control of), and we have to use a VPN client on the laptop to connect to that network to use the application and then print to the printer at our site B.
The printer has to be set up in the Unix print queue with a static IP address to be able to print from the application. Because we do not have control of that site, and the site that has the printer does not have a static IP address (we have to use a 3G card), it is very painful for us when the IP changes: we have to request an update to the print queue, which takes a lot of time.
That is why I came up with the idea to set up the VPN from site B to site A, which has a static IP address, for easy control on our site.
Sorry about my English, and hopefully it makes sense to you!
If you have any suggestion for this scenario, please help!
Regards,
Thai
12-17-2011 11:36 AM
> Does Cisco SRP 527w support port forwarding over site to site VPN from site A to printer on site B?

When site A and site B are connected by a VPN tunnel, site A should be able to access the printers through the tunnel without configuring a port forwarding rule.
12-17-2011 04:51 PM
Thanks tekliu, it is true that I can access the printer over the LAN when the tunnel is up. But is it possible to access the printer from the WAN address of site A when you are on the Internet? How do I configure a static route to make it happen?
12-18-2011 10:00 AM
I do not have a SRP router. But conceptually you could forward the "print service" and configure firewall access rules to restrict the service to the WAN IP of site A.
12-18-2011 04:18 PM
Thanks tekliu, but the SRP527w is Web GUI, not IOS, and I have disabled SPI Firewall Protection.
How can I get the traffic from the WAN of site A going into the tunnel to the site B printer? Does the SRP support that function?
12-19-2011 05:59 PM
Hi Thai,
I've just been taking a look at this in my lab and unfortunately, this configuration is not possible with the SRP520. There are a number of reasons why, but one important factor is that the SRP520 is not able to NAT traffic from any IP subnet other than those directly connected via its VLAN interfaces.
Regards,
Andy
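
Added illustration, not part of the thread and not a description of SRP firmware: a general model of policy-based IPsec showing why a WAN port forward into a site-to-site tunnel needs the source address translated as well as the destination. The site A LAN subnet and all host addresses are assumed placeholders; only 192.168.2.0/24 comes from the thread.

```python
import ipaddress as ip

# Constructed addressing: the thread gives only 192.168.2.0/24 (site B LAN).
LAN_A = ip.ip_network("192.168.1.0/24")          # assumed site A LAN
LAN_B = ip.ip_network("192.168.2.0/24")
PRINTER = ip.ip_address("192.168.2.50")          # assumed printer address
INTERNET_CLIENT = ip.ip_address("203.0.113.7")   # documentation range
ROUTER_A_LAN_IP = ip.ip_address("192.168.1.1")   # assumed router address


def matches_selector(src, dst, local=LAN_A, remote=LAN_B):
    """Policy-based IPsec encrypts a packet only if BOTH its source and
    destination fall inside the negotiated local/remote subnets."""
    return src in local and dst in remote


def forward_from_wan(client, target, snat_to=None):
    """Site A receives a WAN connection that is port-forwarded (destination
    NAT) to `target`; optionally the source is rewritten too."""
    src = snat_to if snat_to is not None else client
    if not matches_selector(src, target):
        return f"not tunnelled: {src} -> {target} matches no policy"
    return f"tunnelled: {src} -> {target}"


def reply_path(reply_dst):
    """Where site B sends the printer's reply for a given destination."""
    if matches_selector(PRINTER, reply_dst, local=LAN_B, remote=LAN_A):
        return "tunnel"
    # Otherwise the reply leaves through site B's own WAN, with site B's
    # public address, and the client never sees it come back from site A.
    return "site B WAN"


if __name__ == "__main__":
    # Destination NAT only: the Internet source is outside the selectors.
    print(forward_from_wan(INTERNET_CLIENT, PRINTER))
    print(reply_path(INTERNET_CLIENT))
    # Destination NAT plus source NAT to a site A LAN address.
    print(forward_from_wan(INTERNET_CLIENT, PRINTER, snat_to=ROUTER_A_LAN_IP))
    print(reply_path(ROUTER_A_LAN_IP))
```

A router can only carry such a forward through the tunnel if it can translate both directions of the flow between its WAN and the remote subnet.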
12-19-2011 11:50 PM
Thanks Andrew,
Would you please recommend which router would do that job?
And what would the config look like?
Regards,
Thai
12-20-2011 03:30 AM
Hi Thai,
I'm not entirely sure - I suspect that an IOS based router, such as the 800 series, would allow you to do this with an appropriate configuration.
I would suggest that remote access to a printer or server like this is possibly not the most secure solution though. A better approach might be to use a router that supports both site to site and remote access VPN. With this, you would be able to use a VPN client to access the site with the static IP, then tunnel to the other site where the device is. You could consider the RV series of device as well as the IOS routers for this.
Regards,
Andy