09-22-2016 02:16 AM - edited 03-05-2019 07:07 AM
Hello everyone!
I have Cisco Router 892 (c890-universalk9-mz.154-3.M4.bin) with Zone-Based Firewall and Policy-based routing.
Everything works fine, but now I need to have the ability to access the outside router interface IP addresses from the LAN.
For example, I have PAT from 192.168.4.1 port 8443 to outside interface IP (93.93.93.2 for example) and I need to check 93.93.93.2:8443 from LAN.
! PAT:
ip nat inside source static tcp 192.168.4.1 8443 93.93.93.1 8443 route-map SDM_RMAP_1 extendable
! DynNat to internet:
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
! Policy-routing
route-map SDM_RMAP_1 permit 10
 match ip address 101
 match interface GigabitEthernet0
! ACL 101 for Policy-routing
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.192.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.177.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.16.61.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 172.17.19.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
access-list 101 deny ip 192.168.3.0 0.0.0.255 host 172.16.194.100
access-list 101 deny ip 192.168.3.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.31.255.1
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 172.16.194.100
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
! ACL on outside interface:
ip access-list extended gi0-in
 permit ip any any
 permit icmp any any
! Outside interface
interface GigabitEthernet0
 description $ETH-WAN$
 ip address 93.93.93.1 255.255.255.240
 ip access-group gi0-in in
 ip nat outside
 ip virtual-reassembly in
 zone-member security WAN
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
 crypto map SDM_CMAP_2
! Inside DMZ interface-vlan:
interface Vlan4
 ip address 192.168.4.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security DMZ
 ip tcp adjust-mss 1452
! Allow outgoing traffic from DMZ to Internet:
ip access-list extended Allow_All_ACL-DMZ
 permit esp any any
 permit tcp host 192.168.4.1 host 192.168.111.2 eq 1521
 deny ip 192.168.4.0 0.0.0.255 192.168.111.0 0.0.0.255
 deny ip 192.168.4.0 0.0.0.255 172.17.19.0 0.0.0.255
 permit icmp 192.168.4.0 0.0.0.255 any
 permit ip 192.168.4.0 0.0.0.255 any
! Allow incoming traffic from Internet to DMZ:
ip access-list extended WAN_DMZ_ACL
 permit tcp any any established
 permit tcp any any eq ftp
 permit tcp any any eq 990
 permit tcp any any range 51000 53000
 permit tcp any any eq 995
 permit tcp any any eq 465
 permit tcp any any eq www
 permit tcp any any eq 443
 permit icmp any any
 permit esp any any
 permit udp any any eq non500-isakmp
 permit ip host 212.98.162.139 192.168.4.0 0.0.0.255
 permit ip 81.30.80.0 0.0.0.255 any
 permit ip 192.168.111.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 172.17.19.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip host 172.16.194.100 192.168.4.0 0.0.0.255
 permit ip host 172.31.255.1 192.168.4.0 0.0.0.255
 permit ip host 172.31.255.1 host 172.17.193.100
 deny ip any any
! Zone-Based Firewall:
class-map type inspect match-any DMZ_WAN_CLASS
 match access-group name Allow_All_ACL-DMZ
class-map type inspect match-any WAN_DMZ_CLASS
 match access-group name WAN_DMZ_ACL
policy-map type inspect DMZ_WAN_POLICY
 class type inspect DMZ_WAN_CLASS
  inspect
 class class-default
  drop
policy-map type inspect WAN_DMZ_POLICY
 class type inspect WAN_DMZ_CLASS
  inspect
 class class-default
  drop
zone security DMZ
zone security WAN
zone-pair security WAN_DMZ source WAN destination DMZ
 service-policy type inspect WAN_DMZ_POLICY
zone-pair security DMZ_WAN source DMZ destination WAN
 service-policy type inspect DMZ_WAN_POLICY
Maybe somebody can help me make Cisco allow access to the outside NATed ports from the LAN?
I made this on Mikrotik easily =|
Solved! Go to Solution.
10-01-2016 04:40 AM
It's due to the fact they do not allow 'hair pinning' by default, once this is configured it will work.
Martin
09-25-2016 11:22 AM
UP!
Access to the router's outside interface from the inside LAN..
Why is it so difficult on Cisco routers, ASA and PIX????(
10-02-2016 12:18 AM
I really appreciate your reply, Martin Carr!
Tonight I tried to set up hairpinning (based on NVI) as described here. Then I needed to remake the NAT rules from this (example):
ip nat inside source static tcp 192.168.4.1 22 7.10.20.30 22 route-map SDM_RMAP_1 extendable
to this:
ip nat source static tcp 192.168.4.1 22 7.10.20.30 22 extendable
I cannot use Policy-routing in NVI NAT =( So I can access 7.10.20.30:22 from the LAN, but now I am unable to access 192.168.4.1:22.
192.168.4.0/24 is the DMZ zone; I checked it from the LAN zone 192.168.3.0/24.
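As an added illustration (not code from the thread or from Cisco): a small Python model of the two IOS NAT styles discussed above, showing why the classic inside/outside static entry never hairpins a LAN client to the published address (Martin's point) and why the NVI entry that was tried next does hairpin but rewrites the DMZ server's replies towards the LAN, which is consistent with direct access to 192.168.4.1:22 breaking. The LAN host 192.168.3.10, the Vlan3/Vlan4/GigabitEthernet0 layout, the routing table and 'ip nat enable' on all three interfaces in the NVI setup are assumptions.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
# Static PAT from the thread: DMZ host 192.168.4.1:22 published as 7.10.20.30:22
LOCAL, GLOBAL, PORT = "192.168.4.1", "7.10.20.30", 22
INSIDE, OUTSIDE = {"Vlan3", "Vlan4"}, {"GigabitEthernet0"}  # assumed interface layout
NAT_ENABLED = INSIDE | OUTSIDE  # assumed: 'ip nat enable' on all three in the NVI setup

def route(dst: str) -> str:
    """Assumed routing table; the router's own outside address is delivered to 'self'."""
    if dst == GLOBAL:
        return "self"
    if dst.startswith("192.168.3."):
        return "Vlan3"
    return "Vlan4" if dst.startswith("192.168.4.") else "GigabitEthernet0"

def domain_nat(p: Pkt, ingress: str) -> tuple:
    """'ip nat inside source static ... route-map' (match interface Gi0): translate only on
    an outside->inside (dst) or inside->outside (src) crossing; inside->inside never."""
    if ingress in OUTSIDE and (p.dst, p.dport) == (GLOBAL, PORT):
        p = replace(p, dst=LOCAL)
    egress = route(p.dst)
    if ingress in INSIDE and egress in OUTSIDE and (p.src, p.sport) == (LOCAL, PORT):
        p = replace(p, src=GLOBAL)
    return p, egress

def nvi_nat(p: Pkt, ingress: str) -> tuple:
    """'ip nat source static ...' (NVI): the mapping applies on any crossing between two
    NAT-enabled interfaces, in both directions, with no inside/outside notion at all."""
    if ingress in NAT_ENABLED and (p.dst, p.dport) == (GLOBAL, PORT):
        p = replace(p, dst=LOCAL)
    egress = route(p.dst)
    if ingress in NAT_ENABLED and egress in NAT_ENABLED and (p.src, p.sport) == (LOCAL, PORT):
        p = replace(p, src=GLOBAL)
    return p, egress

def lan_session(nat, target: str) -> tuple:
    """LAN host 192.168.3.10 (assumed) opens TCP to target:22 via the router. Returns (address
    the server is reached on, reply source the client sees, ok); TCP survives only if equal."""
    req, egress = nat(Pkt("192.168.3.10", 40000, target, PORT), "Vlan3")
    if egress != "Vlan4":  # punted to the router itself or sent towards the WAN
        return None, None, False
    reply, egress = nat(Pkt(req.dst, PORT, req.src, req.sport), "Vlan4")
    seen = reply.src if egress == "Vlan3" else None
    return req.dst, seen, seen == target
```

Running `lan_session(domain_nat, GLOBAL)` gives no session at all, while `lan_session(nvi_nat, LOCAL)` reaches the server but the reply comes back from 7.10.20.30, so the client's TCP state never matches.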