
SRP527w site to site port forwarding issue

thnguyen2011
Level 1

Screen Shot 2011-12-09 at 10.37.28 PM.png

Hi,

I have a problem with setting up port forwarding on the VPN between two Cisco 527w.

Scenario: a site-to-site VPN tunnel has been established between Site A and Site B; a printer behind Site B needs to be accessed by using the WAN IP address of Site A.

As in the picture above:

- From site A, I am able to ping the printer and access the printer locally and via 120.146.x.x with port forwarding set up on site A to the printer.

- From site B, I am able to ping the site A gateway but not able to access the printer via 120.146.x.x. The printer can be accessed via 129.203.x.x if port forwarding is set up on site B to the printer.

Does the Cisco SRP 527w support port forwarding over site-to-site VPN from site A to the printer on site B?

Is there any suggestion or other solution for this scenario?

Some help would be highly appreciated.

Regards,

Thai

Accepted Solutions

Hi Thai,

I'm not entirely sure - I suspect that an IOS based router, such as the 800 series, would allow you to do this with an appropriate configuration.

I would suggest that remote access to a printer or server like this is possibly not the most secure solution though. A better approach might be to use a router that supports both site to site and remote access VPN. With this, you would be able to use a VPN client to access the site with the static IP, then tunnel to the other site where the device is. You could consider the RV series of devices as well as the IOS routers for this.

Regards,

Andy


15 Replies

thainx2009
Level 1

From the Diagnostics-> Ping test: I am not able to ping LAN subnet of the remote site.

Static routes have also been added on the site A router as follows:

Destination subnet: 192.168.2.0

Subnet Mask: 255.255.255.0

Gateway: WAN address of site A

Interface: PVC0

It is still not working!

Is there any help please?

Hello Thai,

Thank you for participating in the Small Business support community. My name is Nico Muselle from Cisco Sofia SBSC.

Basically the only thing you would need to be able to print from one side to the other is the VPN tunnel, no forwarding is needed. Let's say you want to print from Site A to a printer installed on Site B.

You just configure the VPN site-to-site connection on both sites with the correct subnets. Afterwards, on site A, you just add the printer with the TCP IP Port of the IP address it has on site B.

If you can ping the printer to the tunnel, you can print to it, unless you set up some security policies in your network to prevent that from happening.

Hope this helps. If you need any assistance with the configuration, please do not hesitate to contact your local Small Business Support Center. We will be happy to assist you!

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA - CCNA Security

Hi Nico,

Thank you for your assistance!

The IPsec is actually working and I can print locally from Site A to the printer at Site B.

But in my case, if I am on the Internet and would like to print to the printer over the WAN IP address of site A (as it is a static IP), is this possible?

I am sorry for not making it clear at the beginning and asking the wrong question.

Hopefully this screenshot makes it more clear: I would like to access the server in Site A over the WAN IP address of site B. The IPsec tunnel has been established.

Hello Thai,

I'm afraid this is not supported by the SRP527W (product limitation). A workaround however could be to connect through PPTP or SSL VPN to site A to be able to print to the local printer there.

Does that solution work for you?

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA - CCNA Security

Hi Nico,

Would you please advise how to configure PPTP between 2 SRPs? Are there any documents or instructions you can provide?

In case the SRP527w does not support it, would you please advise which other devices support that function and how to configure it?

Many Thanks,

Thai

Hello Thai,

The PPTP is not set up between the 2 SRP527, but between your PC and the SRP527 hosting the network that has the printer. You just need to enable it on the router and create a user (PPTP instead of QuickVPN). Then with the built-in PPTP client on your PC or Mac you can establish the connection and be able to print to your printer within the network.

Best regards,

Nico Muselle

Sr. Network Engineer - CCNA - CCNA Security

Hi Nico,

Thank you for your help, but it actually does not solve my problem yet.

The real problem behind the scenes is that we need to print from the application to that printer. That application only works on the other private network (which we do not have control of), and we have to use a VPN client on the laptop to connect to that network to use the application, then print to the printer at our site B.

The printer has to be set up in the Unix print queue with the static IP address to be able to print from the application. Because we do not have control of that site, and the site that has the printer does not have a static IP address (we have to use a 3G card), it is very painful for us when the IP changes: we have to request an update to the print queue, which takes a lot of time.

That is why I came up with the idea to set up the VPN from site B to site A, which has a static IP address, for easy control on our site.

Sorry about my English, and hopefully it makes sense to you!

If you have any suggestion for this scenario, please help!

Regards,

Thai

Te-Kai Liu
Level 7

>Does Cisco SRP 527w support port forwarding over site to site VPN from  site A to printer on site B?

When site A and site B are connected by a VPN tunnel, site A should be able to access the printers through the tunnel without configuring a port forwarding rule.

Thanks tekliu, it is true that I can access the printer over LAN when the tunnel is up. But is it possible to access the printer from the WAN address of site A when you are on the internet? How to configure a static route to make it happen?

I do not have a SRP router. But conceptually you could forward the "print service" and configure firewall access rules to restrict the service to the WAN IP of site A.

Thanks tekliu, but the SRP527w has a web GUI, not IOS, and I have disabled SPI Firewall Protection.

How can I get the traffic from the WAN of site A going into the tunnel to the site B printer? Does the SRP support that function?

Hi Thai,

I've just been taking a look at this in my lab and unfortunately, this configuration is not possible with the SRP520.  There are a number of reasons why, but one important factor is that the SRP520 is not able to NAT traffic from any IP subnet other than those directly connected via its VLAN interfaces.

Regards,

Andy

Thanks Andrew,

Would you please recommend which router would do that job?

And what does the config look like?

Regards,

Thai
