2472 Views, 0 Helpful, 20 Replies

Access Forwarded Port from Another Vlan

mustafa.chapal
Level 1

Hi,

I have a Cisco 897VA IOS router. I am unable to access a port-forwarded IP in Vlan10 from Vlan20. I am unable to access an SSH port on IP 10.0.0.2 from IP 192.168.0.2.

There is no problem connecting to the SSH port from the same Vlan10 or through the public IP. I want to access the SSH port from Vlan20 using the internal IP instead of the public IP.

Please let me know if I have any issue in the following configuration.

interface GigabitEthernet8
 ip address 99.80.10.233 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip verify unicast reverse-path
 no autostate
!
interface Vlan20
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat enable
 ip verify unicast reverse-path
 no autostate
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
ip nat source route-map 1 interface GigabitEthernet8 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
ipv6 ioam timestamp
!
route-map 1 permit 10
 match ip address 1 2
 match interface GigabitEthernet8
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255

20 Replies

Hi,

What is the exact requirement? Why do you need this to be functional this way? You need some IPs to reach it via private and some other IPs via public? With the given request, I don't see any functional solution. If the inside NAT IP was not connected to the router, there would be a solution, but this is not your case.

Regards,

Cristian Matei.

Hello @Cristian Matei

As I stated previously, I thought a mixture of NVI and hairpinning should work regarding the OP's request. Anyway, since @mustafa.chapal confirmed the request, I have managed to lab this up and got a working solution (in my last post).

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul

Hi,

@paul driver I understood what you were trying to do, but when the 10.0.0.2 replies to the SSH session from its real port, 22, on return traffic it still looks like 10.0.0.2 is getting NAT'ed, which breaks the session. Or maybe I misunderstood what you were trying to achieve.

Regards,

Cristian Matei.
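The behaviour described in the post above (the server's reply being translated on its way back to the Vlan20 client) can be reproduced in a small model. The following is an added example for this thread, not Cisco code and not the solution posted in the thread: it models only the single static entry from the OP's config (`ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22`) under two NAT styles, NVI (`ip nat enable` on every interface, as in the OP's config) and classic inside/outside NAT (an assumed alternative, with both VLANs inside and GigabitEthernet8 outside). The addresses and interface names are the OP's; the packet, routing and client-port abstractions are constructed simplifications, and the dynamic overload rule, ACLs and uRPF are ignored.

```python
"""Model of the OP's static SSH port-forward under classic NAT versus NVI.

Added example for this thread, not Cisco code. Addresses and interface
names come from the OP's config; everything else is a constructed,
simplified abstraction of the translation and routing steps.
"""
from dataclasses import dataclass, replace

PUBLIC_IP = "99.80.10.233"   # GigabitEthernet8 address (OP's config)
SERVER_IP = "10.0.0.2"       # SSH server in Vlan10 (OP's config)
CLIENT_IP = "192.168.0.2"    # client in Vlan20 (OP's config)
CLIENT_PORT = 50000          # constructed ephemeral client port

# ip nat source static tcp 10.0.0.2 22 interface GigabitEthernet8 22
STATIC_LOCAL = (SERVER_IP, 22)
STATIC_GLOBAL = (PUBLIC_IP, 22)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    in_if: str


def route(dst):
    """Connected routes from the OP's config; the router's own address terminates locally."""
    if dst == PUBLIC_IP:
        return "local"
    if dst.startswith("10.0.0."):
        return "Vlan10"
    if dst.startswith("192.168.0."):
        return "Vlan20"
    return "GigabitEthernet8"   # ip route 0.0.0.0 0.0.0.0 GigabitEthernet8


def classic_nat(pkt, inside=("Vlan10", "Vlan20"), outside=("GigabitEthernet8",)):
    """Classic NAT: the static entry is applied only when a packet crosses
    the inside/outside boundary. Returns (translated packet, egress interface)."""
    if pkt.in_if in outside and (pkt.dst, pkt.dport) == STATIC_GLOBAL:
        pkt = replace(pkt, dst=SERVER_IP, dport=22)   # outside->inside: fix dst, then route
    out_if = route(pkt.dst)
    if pkt.in_if in inside and out_if in outside and (pkt.src, pkt.sport) == STATIC_LOCAL:
        pkt = replace(pkt, src=PUBLIC_IP, sport=22)   # inside->outside: route, then fix src
    return pkt, out_if


def nvi_nat(pkt, nat_enabled=("Vlan10", "Vlan20", "GigabitEthernet8")):
    """NVI (domain-less) NAT: the static entry applies to traffic between any
    two 'ip nat enable' interfaces, so inter-VLAN traffic is translated too."""
    if pkt.in_if not in nat_enabled:
        return pkt, route(pkt.dst)
    if (pkt.dst, pkt.dport) == STATIC_GLOBAL:
        pkt = replace(pkt, dst=SERVER_IP, dport=22)
    out_if = route(pkt.dst)
    if out_if in nat_enabled and (pkt.src, pkt.sport) == STATIC_LOCAL:
        pkt = replace(pkt, src=PUBLIC_IP, sport=22)
    return pkt, out_if


def ssh_from_vlan20(nat, target_ip):
    """Client in Vlan20 opens SSH to target_ip. True only when 10.0.0.2:22 is
    reached AND its reply comes back with the 4-tuple the client expects."""
    syn, out_if = nat(Packet(CLIENT_IP, CLIENT_PORT, target_ip, 22, "Vlan20"))
    if out_if != "Vlan10" or (syn.dst, syn.dport) != (SERVER_IP, 22):
        return False                       # the SYN never reached the server
    # The server answers whatever source it saw, from its real port 22.
    reply, out_if = nat(Packet(SERVER_IP, 22, syn.src, syn.sport, "Vlan10"))
    if out_if != "Vlan20":
        return False
    # The client's TCP stack only accepts a reply that mirrors the tuple it sent.
    return (reply.src, reply.sport, reply.dst, reply.dport) == (target_ip, 22, CLIENT_IP, CLIENT_PORT)


def matrix():
    """Which (NAT style, target address) combinations give a working SSH session."""
    return {
        ("classic", "private"): ssh_from_vlan20(classic_nat, SERVER_IP),
        ("classic", "public"): ssh_from_vlan20(classic_nat, PUBLIC_IP),
        ("nvi", "private"): ssh_from_vlan20(nvi_nat, SERVER_IP),
        ("nvi", "public"): ssh_from_vlan20(nvi_nat, PUBLIC_IP),
    }


if __name__ == "__main__":
    for (style, target), ok in matrix().items():
        print(f"{style:8s} SSH to {target:7s} address: {'works' if ok else 'breaks'}")
```

Under the NVI model the private-address session fails exactly as the OP reports: the SYN to 10.0.0.2:22 is untouched, but the server's reply from 10.0.0.2:22 matches the static entry's local side and leaves the router as 99.80.10.233:22, which the client never connected to. The same rule is what makes the public-address hairpin from Vlan20 work. The classic model inverts the result: intra-inside traffic is never translated, so the private address works but the public one terminates on the router itself. That is the trade-off the thread circles around.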

Hi @paul driver,

The configuration you provided is working. I appreciate your help.

Following is the reason I required this kind of setup.

For example, if someone is working remotely and had his softphone connected through the public NATed IP to one of the IP PBXs. At the same time there was someone working locally at the office with his desk phone connected through the private IP to the same IP PBX. This same scenario goes for other applications like SSH for management, RDP, SQL, etc.

Thank you

Hi,

I understand that, but for this to happen, the service needs to be visible via the private IP on the LAN side and via the public IP on the WAN side. I still don't see when that service would need to be accessible via both private and public from the LAN, or via both private and public via the WAN.

Regards,

Cristian Matei.

Hello

Glad to hear it is now working as you required it to be.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul