Cisco CISCO2921/K9 NAT Problem (port forwarding) and VPN

zstpro
Level 1

Good morning, we have a CISCO2921 and some problems ...
Configuration:

 

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname X-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 XX
!
no aaa new-model
!
clock timezone CET 1 0
!
no ipv6 cef
ip source-route
ip cef
!
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 172.16.200.1 172.16.200.199
!
ip dhcp pool vl40
 import all
 network 192.168.0.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.0.1
 lease 7
!
ip dhcp pool vl20
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.1.1
 lease 7
!
ip dhcp pool vl30
 import all
 network 192.168.2.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 192.168.2.1
 lease 7
!
ip dhcp pool vl10
 import all
 network 172.16.200.0 255.255.255.0
 dns-server 8.8.8.8
 default-router 172.16.200.1
!
ip dhcp pool X
 host 172.16.200.201 255.255.255.0
 hardware-address 7010.6fc5.df70
 default-router 172.16.200.1
 dns-server 8.8.8.8
!
!
ip domain name XX
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2921/K9 sn XX
hw-module usb disable
!
!
username admin privilege 15 secret 4 XX
!
redundancy
!
!
!
!
ip ssh port 9922 rotary 1
ip ssh version 2
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description WAN_MM
 ip address XX.XX.XX.XX 255.255.255.248 secondary
 ip address XX.XX.XX.YY 255.255.255.252
 ip nat enable
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 description XX
 encapsulation dot1Q 10
 ip address 172.16.200.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/1.20
 description XX
 encapsulation dot1Q 20
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/2
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/2.30
 description XX
 encapsulation dot1Q 30
 ip address 192.168.2.1 255.255.255.0
 ip nat enable
!
interface GigabitEthernet0/2.40
 description XX
 encapsulation dot1Q 40
 ip address 192.168.0.1 255.255.255.0
 ip nat enable
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source list 1 interface GigabitEthernet0/0 overload
ip nat source static tcp 192.168.1.98 22 interface GigabitEthernet0/0 22
ip nat source static tcp 192.168.1.99 23 interface GigabitEthernet0/0 23
ip nat source static tcp 192.168.1.98 80 interface GigabitEthernet0/0 80
ip nat source static tcp 192.168.1.99 443 interface GigabitEthernet0/0 443
ip nat source static tcp 192.168.1.98 9001 interface GigabitEthernet0/0 9001
ip nat source static tcp 192.168.1.98 9002 interface GigabitEthernet0/0 9002
ip nat source static tcp 172.16.200.200 3389 interface GigabitEthernet0/0 5003
ip nat source static udp 172.16.200.200 161 interface GigabitEthernet0/0 201
ip nat source static tcp 192.168.0.11 3391 XX.XX.XX.XX 3391 extendable
ip route 0.0.0.0 0.0.0.0 XX.XX.XX.XX
!
ip access-list extended DenyStandardSSH
 deny   tcp any any eq 22
 permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 172.16.200.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
!
!
snmp-server community XXX RO
snmp-server location XXX
snmp-server contact XXX
!
control-plane
!
!
!
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class DenyStandardSSH in
 password 7 XXXX
 login local
 rotary 1
 transport input ssh
line vty 5 15
 access-class DenyStandardSSH in
 login
 rotary 1
 transport input all
!
scheduler allocate 20000 1000
end

Problem number 1.

In VLAN 40 the computer is trying to connect to the bank's PPTP connection (VPN); unfortunately the connection cannot be established, for whatever reason ...

 

Problem number 2.

In VLAN 20, the hosts with IP addresses 192.168.1.99 and 192.168.1.98 are service servers with applications available on ports 80 and 443 (http / https). When I am plugged into 10, 30 or 40 and enter the external address XX.XX.XX.YY in the browser, the connection to the application servers works correctly, while in channel 20, after entering XX.XX.XX.YY, the connection is refused ...

 

Can someone tell me what I'm doing wrong ...?
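The following is an added example, not code from the original post, from the replies, or from Cisco. It is a small Python model of the two behaviours the post describes: problem 2 (the forwarded web servers are reachable on the public address from VLANs 10, 30 and 40 but not from their own VLAN 20) and problem 1 (a PPTP client behind port-overload NAT). It copies four of the posted `ip nat source static tcp` rules and the four VLAN gateway addresses; 203.0.113.2 stands in for the masked XX.XX.XX.YY and 198.51.100.9 for the bank's PPTP server (both are documentation ranges, chosen here, not taken from the post). The same-subnet failure it models is the general NAT hairpin problem: with only the destination rewritten, a server on the client's own subnet answers the client directly at layer 2, so the client receives a SYN/ACK from the private address instead of the public one it connected to and resets the connection; rewriting the source as well forces the reply back through the router. The GRE part shows only why plain port overload has nothing to key a GRE (protocol 47) flow on; whether the IOS image in use applies its PPTP ALG to this NVI-style configuration is not something the thread establishes.

```python
"""Why NAT hairpin fails from the servers' own VLAN, and why GRE (PPTP)
does not survive plain port overload.

Constructed model, not IOS code.  Addresses marked PLACEHOLDER are
documentation ranges standing in for the values masked in the post.
"""
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

PUBLIC = ip_address("203.0.113.2")     # PLACEHOLDER for XX.XX.XX.YY (Gi0/0)
TCP, GRE = 6, 47

# Router addresses on the four VLAN sub-interfaces from the posted config.
VLAN_GATEWAYS = {
    ip_network("172.16.200.0/24"): ip_address("172.16.200.1"),   # Gi0/1.10
    ip_network("192.168.1.0/24"):  ip_address("192.168.1.1"),    # Gi0/1.20
    ip_network("192.168.2.0/24"):  ip_address("192.168.2.1"),    # Gi0/2.30
    ip_network("192.168.0.0/24"):  ip_address("192.168.0.1"),    # Gi0/2.40
}

# (proto, public port) -> (inside host, inside port): four of the posted
# 'ip nat source static tcp ... interface GigabitEthernet0/0 ...' rules.
STATIC_FORWARDS = {
    (TCP, 22):   (ip_address("192.168.1.98"), 22),
    (TCP, 80):   (ip_address("192.168.1.98"), 80),
    (TCP, 443):  (ip_address("192.168.1.99"), 443),
    (TCP, 5003): (ip_address("172.16.200.200"), 3389),
}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: IPv4Address
    sport: Optional[int]      # None for protocols that carry no ports (GRE)
    dst: IPv4Address
    dport: Optional[int]


def subnet_of(ip: IPv4Address) -> Optional[IPv4Network]:
    return next((net for net in VLAN_GATEWAYS if ip in net), None)


def overload_outbound(pkt: Packet) -> Optional[Packet]:
    """Port overload (PAT): the translation is keyed on the source port.
    A packet with no port cannot be given a unique mapping, so GRE from a
    PPTP client behind overload NAT gets no translation unless an ALG
    tracks the PPTP call ID instead.  Returns None in that case."""
    if pkt.sport is None:
        return None
    # Illustrative port allocation; a real NAT keeps a table per flow.
    return replace(pkt, src=PUBLIC, sport=40000 + pkt.sport % 1000)


def hairpin(pkt: Packet, snat_hairpin: bool):
    """Inside client -> PUBLIC:dport -> forwarded inside server.
    Returns (packet as the server sees it, whether the client accepts the reply)."""
    target = STATIC_FORWARDS.get((pkt.proto, pkt.dport))
    if target is None:
        return None, False
    inside_ip, inside_port = target
    seen = replace(pkt, dst=inside_ip, dport=inside_port)      # destination NAT
    if snat_hairpin:
        # Also rewrite the source to the router's address on the server's VLAN.
        # The server then answers the router, which undoes both rewrites, and
        # the client sees the reply come from PUBLIC:dport as it expects.
        seen = replace(seen, src=VLAN_GATEWAYS[subnet_of(inside_ip)])
        return seen, True
    # Destination NAT only.  From another VLAN the server's reply has to cross
    # the router and is un-translated on the way back.  From the server's own
    # subnet the reply is delivered directly at layer 2: the client sent a SYN
    # to PUBLIC:80 and gets a SYN/ACK from 192.168.1.98:80, which matches no
    # socket, so the stack answers with a RST and the browser reports refusal.
    return seen, subnet_of(pkt.src) != subnet_of(inside_ip)


def demo() -> dict:
    bank = ip_address("198.51.100.9")           # PLACEHOLDER for the bank's PPTP server
    from_vlan30 = Packet(TCP, ip_address("192.168.2.50"), 51000, PUBLIC, 80)
    from_vlan20 = replace(from_vlan30, src=ip_address("192.168.1.50"))
    pptp_ctrl = Packet(TCP, ip_address("192.168.0.50"), 51001, bank, 1723)
    pptp_gre = Packet(GRE, ip_address("192.168.0.50"), None, bank, None)
    return {
        "vlan30_reaches_public_ip": hairpin(from_vlan30, False)[1],
        "vlan20_reaches_public_ip": hairpin(from_vlan20, False)[1],
        "vlan20_with_hairpin_snat": hairpin(from_vlan20, True)[1],
        "pptp_control_tcp_1723":    overload_outbound(pptp_ctrl) is not None,
        "pptp_gre_proto_47":        overload_outbound(pptp_gre) is not None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'ok' if ok else 'FAILS'}")
```

Running it shows the three hairpin cases side by side (cross-VLAN works, same-VLAN fails, same-VLAN with source rewrite works) and that the PPTP control channel on TCP 1723 gets an overload mapping while the GRE data channel does not. The `snat_hairpin` branch is the design choice to look for in whatever the router supports: the reply must be forced back through the device that did the destination rewrite, either by translating the source as well or by pointing inside clients at the private address (split DNS) so no hairpin is attempted.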

2 Replies

Hi

You must specify the inside/outside NAT side, for example

 

interface G0/0

ip nat outside

 

and the rest of the interfaces used for internal networks should be ip nat inside.

 

Now, to verify, you can use: show ip nat translations or debug ip nat

Hope it is useful

:-)





Hello

Are you trying to access these servers from the internal network to their external public address?

Where do 10, 30, 40.x reside? It doesn't look like they are internal. Also, what is channel 20?

 

I see you are using NVI NAT; if the above is correct, try the following:

int gig0/0
no ip redirects
end

sh ip nat nvi translations

 

Regards

Paul



Kind Regards
Paul