cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3787
Views
0
Helpful
16
Replies

Can it be done on Cisco router?

thnguyen2011
Level 1
Level 1

Hi All,

Can this scenario be done one the cisco 877 router?

I have VPN Ipsec up and runing on both site. How can to configure the port forwarding to the remote server over the tunnel?

http://www.sirkit.ca/wiki/2012/03/port-forwarding-through-an-ipsec-tunnel-to-a-remote-serverpc-with-fortinet/

Thanks,

Thai

16 Replies 16

That can easily be done. The address- and port-translation is done before the traffic is sent to the tunnel. So just configure your NAT as you want and specify the translated address in your crypto-ACL.

handoko wiyanto
Level 3
Level 3

hi,

is that nat hairpinning (like a "u" turn) that you want to achieve?

as in 877 cisco page, its allready end of sale.

but lets try to find out, what ios version and feature set are you using?

regards,

My Cisco 877 using c870-advipservicesk9-mz.124-20.T.bin image.

Here is the diagram of my scenario: I would like to access to the printer and server inside site B from the internet using the static WAN IP of the site A.

I have VPN tunnel is up and running between cisco 877 (ADSL2+) and SRP 527w (using 3G). Both Lan can ping each other.

I have configure the NAT as below but it only work on RDP.

Bellow is my configuration on the Cisco 877:

Building configuration...

Current configuration : 5425 bytes
!

! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
!

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!

hostname Laverton
!

boot-start-marker
boot-end-marker
!

logging message-counter syslog
no logging buffered
!

aaa new-model
!

!
aaa authentication login default local
aaa authorization exec default local
!

!
aaa session-id common
clock timezone PCTime 10
!

crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
!

!
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939

quit
dot11 syslog
ip source-route
!

!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!

ip dhcp pool DHCP_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.134.49
lease infinite
!

!
ip cef
!

no ipv6 cef
multilink bundle-name authenticated
!

!
!

object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
!

username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
!

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
!

!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!

crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
!

!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!

archive
log config
hidekeys
!

!
no ip ftp passive
!

!
!

interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!

dsl operating-mode auto
!

interface FastEthernet0
!

interface FastEthernet1
!

interface FastEthernet2
switchport access vlan 10
shutdown
!

interface FastEthernet3
!

interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
!

interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
!

interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname myusername@isp.com
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
!

ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!

!
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source static tcp 192.168.0.51 3389 interface Dialer0 3389
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
!

ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!

access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
!

!
!

!
route-map SDM_RMAP_1 permit 1
match ip address NAT
!

route-map SDM_RMAP_2 permit 1
match ip address 101
!

!
control-plane
!

!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!

scheduler max-task-time 5000
end

hi Thai,

yes, this scenario that you want to achieve is called nat hairpinning.

if you want to compare fortinet apple to apple with cisco, i believe the product that you looking for is Cisco ASA Firewall.

Cisco ASA firewall and bigger cisco router platform have this nat hairpinning feature. i need some time to check if your 877 support this.

regards,

With this diagram I also understand what you wan't to achieve. Yes that can be done with IOS, but it's just disgusting ...

To make this work you have to make sure that your traffic flows symetrically (at least when you enable the missing firewall-functionality):

PC -> Internet -> R-left -> VPN -> R-right -> Server -> R-right -> VPN -> R-left -> Internet -> PC

Without any care your traffic will flow the following way:

PC -> Internet -> R-left -> VPN -> R-right -> Server -> R-right -> Internet -> PC

To send the return-traffic back through the tunnel you need the mentioned "nat hairpinning". When the traffic enters R-left on the dialer, the source is translated to an address you know. This adress has to be part of your encryption domain.

The downside is, that on your servers you only see this IP connecting and not the real IP of the internet-PC.

How to implement nat-hairpinning (on the traditional way, there are more ways to achieve that):

1) you add a loopback-interface with "ip nat inside".

2) on the dialer-interface you configure PBR that sends the interesting traffic (which should be sent to the site B) to one IP-address of the ip-net of the Loopback.

3) traffic is routed back to the VPN, but this time the traffic is coming from an interface that has "ip nat inside" enabled. So we can translate the traffic to the known IP address that should be used for this traffic.

Do you really want to do that? When my customers are asking me to configure something like that, I allways tell them that it's possible, but anytime in the future it will break something else because of the added complexity.

So better go the clean way, get a fixed IP for site B and connect directly to that IP and implement proper access-control.

Thanks Karsten and Handoko for your reply.

I am not familiar with cisco router and cli. I am using CCP to configure the VPN on the cisco 877. So "nat hairpin" is the solution that i am looking. Is it support on the cisco 877? Is there anyway to make it work without spend more money on new hardware?

It is only the temporary solution for about six months to waiting for the static IP.I really want to do that and make it works asap.

That would be great if you could tell how to configure it.

@karsten

good explanation what you have there

@Thai,

ive been looking for this kind of deployment for 877, but not found it yet. perhaps you can try what karsten have explain.

anyway, if you only want to use the printer on site B, perhaps you can provide one pc in site b, and run (you can do without install) teamviewer on both pc. if youre familiar with teamviewer, it can do file sharing too. but i dont know if it can satisfy your server access too. or you might want to try using dydns account.

regards,

Hi Handoko,

Thanks for your advise. But the teamviewer solution does not work for me.

The main goal of my scenario is get the printer working with the static IP address and able to printer from the cloud. That why i need the static ip address and port forwading to the printer.

The printer is setup in another system sitting on the cloud which i do not have access. And the system need to print to the printer on the site B as the diagram shows.

Would you please advise the configuration as @Karsten explain. As i am not a cisco expert, i am not sure which command should i use?

hi,

perhaps you want to read about DDNS. i think its suitable for you because site B have dynamic ip, so by having an account (for example dyn.com) it doesnt matter anymore what ip on site b. it is almost like having a static ip.

if this DDNS not working for you, then perhaps we can try what karsten have explain.

regards,

I have tried with the Dynamic DNS but it does not work in the cloud system. It works when you installed the printer locally with the DNS name.

As i mentioned, i do not have access to the cloud system. So DDNS is not work for me

Would you please advise the configuration, Karsten?

hi,

do you have access to SRP527? because if you want to try the config, you need to add the new network address on site A that must be permitted, so that the packet from site B can enter the tunnel.

because this is a production network and youre not really familiar with cisco devices, do you realize the risk of having difficulties to check/troubleshooting? if its ok with you, then i would not mind giving the config.

regards,

Hi handoko,

Yes, i have access to SRP527 on site A. But please note that it does not have iso. It is the normal small business router. it is ok with me as it only temporary solution.

Thanks in advance!

before that, let me ask you some question regarding your current config

object-group network VPN

description ---Port Forward to vpn Turnnel---

host 192.168.2.99

!

ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000

ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100

do you use these config above? if not, you might want to remove them

object-group...

i am not using this. i will remove it.

ip nat....

doing the port forwarding but it is not working over tunnel need to remote also.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: