Can I create a NAT overload on a switch VLAN port?

Eduardo Guerra
Level 1

I have to access a Medical Security Service Provider app. The MSSP cable is connected to switchport 7 (our Cisco C892FSP). The MSSP said that only one IP address is allowed to connect to their app. I assigned VLAN 7 to port 7 and assigned the allowed IP to this VLAN. Can I create a pool so that my entire network can access this app via this port?

10 Replies

Hi,

Share your router config and I can help you with the config.

HTH

Sandy

This NAT and the access to the MSSP must not affect other traffic (between network 192.169.0.0 and other networks).

Here's the config


Current configuration : 5469 bytes
!
! Last configuration change at 15:30:01 UTC Thu Aug 7 2014 by eguerra
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname RouterHQFCH
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.153-3.M.bin
boot-end-marker
!
aqm-register-fnf
!
enable secret 4 82aZraQKBdT4NJ8KLNGZbJYw4qrCbDIsgF9OWdYlnRg
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1580540949
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1580540949
 revocation-check none
 rsakeypair TP-self-signed-1580540949
!
!
crypto pki certificate chain TP-self-signed-1580540949
 certificate self-signed 01
        quit
!
ip flow-cache timeout active 1
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
license udi pid C892FSP-K9 sn FTX180484TB
!
!
username SERVICIOS privilege 15 password 7 123806471C0F5D077B7B2A29376562
username EGUERRA privilege 15 password 7 0025571655495A085C354D
username ADMINISTRADOR privilege 15 password 7 012056140B19125C22644F1F1C1F
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 switchport access vlan 2
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 switchport access vlan 3
 no ip address
!
interface GigabitEthernet8
 ip address 172.16.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface GigabitEthernet9
 ip address 172.16.2.1 255.255.255.0
 duplex auto
 speed auto
!
interface Vlan1
 ip address 192.168.2.2 255.255.255.0
 ip flow ingress
!
interface Vlan2
 ip address 192.168.101.200 255.255.255.0
!
interface Vlan3
 ip address 192.168.200.2 255.255.255.0
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
ip flow-export source Vlan1
ip flow-export version 5 peer-as
ip flow-export destination 192.168.0.55 9996
!
ip route 172.16.30.0 255.255.255.0 192.168.200.1
ip route 172.16.31.0 255.255.255.0 192.168.2.1
ip route 192.168.0.0 255.255.255.0 192.168.2.1
ip route 192.168.18.0 255.255.255.0 192.168.2.248
ip route 192.168.20.0 255.255.255.0 172.16.1.25
ip route 192.168.21.0 255.255.255.0 172.16.1.22
ip route 192.168.22.0 255.255.255.0 172.16.1.13
ip route 192.168.23.0 255.255.255.0 172.16.1.15
ip route 192.168.24.0 255.255.255.0 172.16.1.6
ip route 192.168.25.0 255.255.255.0 172.16.1.16
ip route 192.168.26.0 255.255.255.0 172.16.1.10
ip route 192.168.27.0 255.255.255.0 172.16.1.5
ip route 192.168.28.0 255.255.255.0 172.16.1.18
ip route 192.168.29.0 255.255.255.0 172.16.1.14
ip route 192.168.30.0 255.255.255.0 172.16.1.19
ip route 192.168.31.0 255.255.255.0 172.16.1.17
ip route 192.168.32.0 255.255.255.0 172.16.2.6
ip route 192.168.33.0 255.255.255.0 172.16.1.20
ip route 192.168.35.0 255.255.255.0 172.16.2.8
ip route 192.168.37.0 255.255.255.0 172.16.1.23
ip route 192.168.39.0 255.255.255.0 172.16.2.7
ip route 192.168.40.0 255.255.255.0 172.16.2.5
ip route 192.168.41.0 255.255.255.0 172.16.1.9
ip route 192.168.42.0 255.255.255.0 172.16.1.4
ip route 192.168.43.0 255.255.255.0 172.16.1.24
ip route 192.168.44.0 255.255.255.0 172.16.1.26
ip route 192.168.45.0 255.255.255.0 172.16.1.21
ip route 192.168.100.0 255.255.255.0 192.168.2.3
ip route 192.168.150.0 255.255.255.0 192.168.2.252
ip route 193.168.1.0 255.255.255.0 192.168.2.249
!
!
snmp-server ifindex persist
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 110 permit udp any any range 5000 6000
access-list 199 permit ip host 192.168.100.22 host 192.168.2.1
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 password 7 0227070B05025E221D1E07180147
 login
 no modem enable
line aux 0
line vty 0 4
 password 7 096D4D59170146115A5C0A2B2F74
 login local
 transport input all
!
scheduler allocate 20000 1000
!
end

Catalyst switches cannot do NAT.  

This is not a switch, it is a router.

Mea culpa.

Hi,

Share the show version of your device.

1) Which interface is connected to your MSSP?

2) Which is your LAN interface/segment?

3) What is the PAT IP given by your MSSP?

HTH

Sandy

Hi, answers in order:

1) Which interface is connected to your MSSP?

Switch port 7 (interface GigabitEthernet7, interface VLAN 3)

2) Which is your LAN interface/segment?

OK, this router is an intermediate device between the HQ office and the branch offices. Interface VLAN 1 connects this router to an ASA 5510 that has the HQ LAN segment (192.168.0.0/24).

3) What is the PAT IP given by your MSSP?

I should NAT everything behind IP 192.168.200.2, which is the only IP that can connect to 192.168.200.1 (this IP is located on the MSSP's side).

The idea is that traffic between HQ and the branch offices keeps flowing normally, as it does now, and we add connectivity to the MSSP by NATting every network I have at the company through 192.168.200.2 (we are adding this new service to sell some products of our MSSP).

If you need more clarification, please tell me.

Hi,

What is the destination network subnet inside the MSSP cloud? If I understand your requirement correctly, your MSSP wants to see only traffic from NAT IP address 192.168.200.2 towards their destination network x.x.x.x?

From your configuration I can see that one destination network is routed via gateway IP address 192.168.200.1. Is this the only such subnet, or do you have many?

ip route 172.16.30.0 255.255.255.0 192.168.200.1

Let me know about this, or else open a Webex connection to fix it.

HTH

Sandy

Sandy, I do not know the MSSP network; I just know that I must point to 192.168.200.1 (this IP is located on the MSSP side and is supposed to be their DNS). Also, I know that the app is located at IP 172.16.30.12 and must be accessed via HTTP:

http://172.16.32.12/AlianzaNet/

192.168.200.1 only allows traffic from IP 192.168.200.2; that is why I must NAT everything from my networks to this IP.

Hi,

I do not see a route for the destination IP address/subnet (172.16.32.12) in your routing table.

Host route

ip route 172.16.32.12 255.255.255.255 192.168.200.1

or for Subnet route

ip route 172.16.32.0 255.255.255.0 192.168.200.1

Similarly, an SVI interface can support only inside NAT, not outside NAT (an SVI is typically used as a NAT inside interface). Here you need to terminate your MSSP link directly on a physical interface, not on an SVI. Do the following:

! Move the MSSP link from the SVI to a directly routed L3 interface
no interface Vlan3

! Re-terminate your MSSP link on GigabitEthernet7
interface GigabitEthernet7
 no switchport access vlan 3
 ip address 192.168.200.2 255.255.255.0
 ip nat outside

interface Vlan1
 ip nat inside
 ip address 192.168.2.2 255.255.255.0
 ip flow ingress

! The existing access-list 101 already starts with "permit ip any any"; new entries are
! appended behind it and would never be reached, so clear it before redefining it.
no access-list 101

! NAT is configured only for your HQ office subnet 192.168.0.0/24 towards destination
! subnet 172.16.32.0/24; traffic for other destinations will not be translated. If you
! want to add branch office subnets, add them to the ACL below and put "ip nat inside"
! on the interface they arrive on.
access-list 101 permit ip 192.168.2.0 0.0.0.255 172.16.32.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.32.0 0.0.0.255

! PAT configuration on the MSSP link with IP address 192.168.200.2
ip nat inside source list 101 interface GigabitEthernet7 overload
!

 

HTH

Sandy

For any support, contact me on the mail ID given in my profile.
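To check the configuration above against the requirement that HQ-to-branch traffic stays untouched, here is an added Python model (not from the thread or from Cisco) of how IOS decides whether "ip nat inside source list ... overload" translates a packet: it must enter an "ip nat inside" interface, leave an "ip nat outside" interface, and be permitted by the ACL, with first-match semantics and an implicit deny. The ACL text, interface roles and NAT address are taken from the thread; the sample flows are constructed.

```python
import ipaddress

# Constructed input: ACL 101 as it would look if the two new lines were simply appended to the
# existing ACL 101 from the posted config (the first entry shadows everything), and after clearing it.
ORIGINAL_ACL = """access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 101 permit ip 192.168.2.0 0.0.0.255 172.16.32.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 172.16.32.0 0.0.0.255"""
CLEANED_ACL = "\n".join(ORIGINAL_ACL.splitlines()[2:])
INSIDE, OUTSIDE, NAT_IP = {"Vlan1"}, {"GigabitEthernet7"}, "192.168.200.2"

def _parse_addr(tokens, i):
    """Return ((value, care_mask), next_index) for 'any', 'host X' or 'X WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[i + 1]))  # wildcard 1-bits are "don't care"
    return (int(ipaddress.ip_address(tokens[i])) & care, care), i + 2

def parse_acl(config, number):
    """Collect 'access-list <number> permit|deny <proto> SRC DST ...' entries in config order."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) >= 6 and t[:2] == ["access-list", str(number)]:
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
            rules.append((t[2] == "permit", t[3], src, dst))
    return rules

def _match(entry, ip):
    value, care = entry
    return (int(ipaddress.ip_address(ip)) & care) == value

def acl_permits(rules, src, dst, proto="ip"):
    """First matching entry wins; IOS ends every ACL with an implicit deny."""
    for permit, p, s, d in rules:
        if p in ("ip", proto) and _match(s, src) and _match(d, dst):
            return permit
    return False

def nat_translates(rules, inside, outside, ingress, egress, src, dst, nat_ip):
    """Source address the next hop sees: rewritten only for inside->outside, ACL-permitted flows."""
    if ingress in inside and egress in outside and acl_permits(rules, src, dst):
        return nat_ip
    return src

if __name__ == "__main__":
    for name, acl in (("appended", ORIGINAL_ACL), ("cleared", CLEANED_ACL)):
        rules = parse_acl(acl, 101)
        print(name, "HQ -> MSSP app  :", nat_translates(rules, INSIDE, OUTSIDE, "Vlan1", "GigabitEthernet7", "192.168.0.22", "172.16.32.12", NAT_IP))
        print(name, "HQ -> branch Gi8:", nat_translates(rules, INSIDE, OUTSIDE, "Vlan1", "GigabitEthernet8", "192.168.0.22", "192.168.20.5", NAT_IP))
```

Branch traffic arriving on GigabitEthernet8 is never translated, whichever ACL is used, because that interface is not "ip nat inside"; this is the point of the comment about adding branch subnets.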
