06-08-2005 08:03 PM - edited 03-03-2019 09:46 AM
Hi all
I have an 837 ADSL router running at the moment, connecting to the corporate network via a VPN connection. The current VPN setup only permits certain IP address ranges (from the corporate hub site) to reach this ADSL router. What I need to do now is to enable some HTTP traffic (from the Internet) to reach certain STATIC devices behind this ADSL router. Below is the config (or part of it):
interface Dialer0
description $FW_OUTSIDE$
bandwidth 1500
ip address negotiated
ip access-group 102 in
no ip redirects
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip nat outside
ip inspect DEFAULT100 out
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Auto generated by SDM for NTP (123) 192.189.54.33
access-list 102 permit udp host 192.189.54.33 eq ntp any eq ntp
access-list 102 permit ip 10.95.51.0 0.0.0.127 10.218.3.0 0.0.0.63
access-list 102 permit ip 203.110.x.0 0.0.0.31 10.218.3.0 0.0.0.63
access-list 102 permit ip 10.95.3.0 0.0.0.255 10.218.3.0 0.0.0.63
access-list 102 permit ip 10.108.0.0 0.0.255.255 10.218.3.0 0.0.0.63
access-list 102 permit udp host 203.110.136.131 eq domain any
access-list 102 permit udp host 203.110.136.142 eq domain any
access-list 102 permit udp host 192.231.203.3 eq domain any
access-list 102 permit ahp host 203.110.x.x any
access-list 102 permit esp host 203.110.x.x any
access-list 102 permit udp host 203.110.x.x any eq isakmp
access-list 102 permit udp host 203.110.x.x any eq non500-isakmp
access-list 102 deny ip 10.218.3.0 0.0.0.63 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any
The static devices behind the router have IP addresses 10.218.3.6 and 10.218.3.7 respectively. The required configuration is for the vendor to be able to reach those static devices for troubleshooting and upgrade purposes. What I would like to happen is, from the Internet, if I type:
1. http://Dialer0-Public-IP 10000 - this will be forwarded to the device 10.218.3.6 with port 10000 unchanged
2. http://Dialer0-Public-IP 10001 - this will be forwarded to the device 10.218.3.7 with port 10000
Thanks in advance for your help.
06-14-2005 12:39 PM
The Cisco 827 router is usually a DSL customer premises equipment (CPE). In this sample configuration, the Cisco 827 is configured for Point-to-Point Protocol over Ethernet (PPPoE) and is used as a peer in a LAN-to-LAN IPSec tunnel with a Cisco 3600 router. The Cisco 827 is also doing Network Address Translation (NAT) overloading to provide Internet connection for its internal network.
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009475c.shtml
http://www.cisco.com/en/US/tech/tk648/tk361/tk438/tsd_technology_support_sub-protocol_home.html
06-14-2005 04:47 PM
The sample config that you provided does NAT/PAT for internal network devices going OUT to the Internet. It does not provide NAT/PAT in the reverse direction though. What I need to do is twofold:
1. The first is to provide site-to-site VPN from the 837 router to the corporate network, which I've achieved already.
2. The second part is to enable NAT/PAT from the Internet to reach some of my internal devices on the inside of the 837 router, and this is the part that I'm having a problem with.
Thanks for your reply.
06-22-2005 12:08 AM
Hi vincent
I see you are in trouble with static NAT/PAT configuration on your 837 router. I have a similar setup with an 837 router in the UK and a PIX 515E here in Germany: dynamic VPN for VPN clients and site-to-site VPN between the router and the PIX.
I also have to enable NAT and PAT for services like Microsoft Remote Desktop, for example, to reach a server with IP forwarding in the trusted LAN behind the router.
My problem is that when I enable PAT with
"ip nat inside source static (inside-IP)(Port) (outside-IP)(Port)" for RDP for example (port 3389),
the same service will at that moment no longer work over the VPN, site-to-site or dynamic.
It also works when I disable ip inspect tcp. And I don't know why!
Do you use the firewall on the router besides VPN and NAT/PAT?
And have you solved your problems with NAT and PAT?
In the next post you can see my configuration.
Thanks and regards,
Frank
06-22-2005 12:11 AM
Hi vincent
version 12.3
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw h323 timeout 3600
ip audit notify log
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXX address 62.157.89.91
crypto isakmp client configuration address-pool local dynvpn
!
crypto isakmp client configuration group MobileVPN-UK
key XXXXXXXX
dns 192.168.7.1
domain slxuk.local
pool dynvpn
!
crypto ipsec transform-set sharks esp-3des esp-sha-hmac
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
crypto map OSNL isakmp authorization list MobileVPN-UK
crypto map OSNL client configuration address respond
crypto map OSNL 1 ipsec-isakmp dynamic dynmap
crypto map OSNL 10 ipsec-isakmp
set peer 62.157.89.91
set transform-set sharks
match address 160
!
interface Loopback0
ip address 192.168.37.254 255.255.255.0
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.7.254-255.255.255.0
ip address 192.168.7.254 255.255.255.0
ip nat inside
ip inspect myfw in
ip route-cache policy
ip policy route-map nonat
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXXXXXXXXXXXXXXx
ppp chap password 7 XXXXXXXXXXXXXXXXxx
ppp pap sent-username XXXXXXXXXXXXXXXXXX password 7 XXXXXXXXXXXXXXXXXXXXXXX
ppp ipcp dns request
ppp ipcp wins request
crypto map OSNL
hold-queue 224 in
!
ip local pool dynvpn 192.168.37.1 192.168.37.100
ip nat inside source static tcp 192.168.7.1 3389 interface Dialer1 3389
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.16.0 255.255.255.0 192.168.7.1
ip route 172.16.0.0 255.255.0.0 62.157.89.91
ip route 192.168.6.0 255.255.255.0 192.168.7.1
!
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 2001
access-list 111 permit tcp any any eq telnet
access-list 111 deny ip any any
access-list 140 deny ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 192.168.7.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 deny ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 192.168.6.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 deny ip 10.1.16.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 10.1.16.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 any
access-list 160 permit ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 160 permit ip 192.168.6.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 160 permit ip 10.1.16.0 0.0.0.255 172.16.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 140
!
Router#
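Both posts turn on the same two mechanisms: first-match evaluation of an interface ACL (vincent's ACL 102 on Dialer0 ends in `deny ip any any`, so inbound HTTP to the forwarded ports is dropped before any translation is consulted) and inside static PAT, which Frank's config combines with a route-map so that traffic bound for the VPN subnets is never translated. The following simulator is an added example written for this thread; it is not code from the posts or from Cisco. The ACL and NAT lines it parses are excerpted from the two configs above. The vendor-only permit lines, the proposed PAT lines for 10.218.3.6/.7, the address 203.0.113.10 (a stand-in for the negotiated Dialer address) and the range 198.51.100.0/24 (a stand-in for the vendor's source addresses) are constructed and assumed, not taken from the thread.

```python
"""Added example (not from the thread or from Cisco): simulate first-match ACL
evaluation and inside static PAT / route-map controlled overload NAT.
Packets are tuples (proto, src, dst, sport, dport); all sample values constructed."""
import ipaddress

PORT_NAMES = {"ntp": 123, "domain": 53, "isakmp": 500, "non500-isakmp": 4500, "telnet": 23}


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tok, i):
    # One address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (matcher, next index).
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        h = _ip(tok[i + 1])
        return (lambda a: _ip(a) == h), i + 2
    base, wild = _ip(tok[i]), _ip(tok[i + 1])
    return (lambda a: (_ip(a) | wild) == (base | wild)), i + 2


def _parse_port(tok, i):
    # Optional 'eq PORT'; None means any port. ICMP type keywords are ignored (simplification).
    if i < len(tok) and tok[i] == "eq":
        p = tok[i + 1]
        return (PORT_NAMES[p] if p in PORT_NAMES else int(p)), i + 2
    return None, i


def parse_acls(config):
    # {acl_number: [(action, proto, src_match, sport, dst_match, dport), ...]} in configured order.
    acls = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[:1] != ["access-list"] or tok[2] == "remark":
            continue
        src, i = _parse_addr(tok, 4)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], tok[3], src, sport, dst, dport))
    return acls


def evaluate(entries, pkt):
    # First matching entry wins; every IOS ACL ends in an implicit deny.
    proto, src, dst, sport, dport = pkt
    for action, p, smatch, sp, dmatch, dp in entries:
        if p in ("ip", proto) and smatch(src) and dmatch(dst) \
                and sp in (None, sport) and dp in (None, dport):
            return action
    return "deny"


def parse_static_pat(config):
    # {(proto, global_port): (local_ip, local_port)} from 'ip nat inside source static tcp|udp ...' lines.
    table = {}
    for line in config.strip().splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
            table[(t[5], int(t[-1]))] = (t[6], int(t[7]))
    return table


def translate_inbound(pat, pkt):
    # Outside->inside: rewrite the global port to the inside host/port; None if no static entry.
    proto, src, dst, sport, dport = pkt
    hit = pat.get((proto, dport))
    return None if hit is None else (proto, src, hit[0], sport, hit[1])


def outbound_is_translated(acl140, pkt):
    # route-map nonat / match ip address 140: ACL permit -> overload NAT; deny -> left untranslated (tunnel).
    return evaluate(acl140, pkt) == "permit"


# Excerpt of vincent's ACL 102 (order preserved) plus a constructed, vendor-only permit.
ACL_102 = """
access-list 102 permit udp host 192.189.54.33 eq ntp any eq ntp
access-list 102 permit ip 10.95.51.0 0.0.0.127 10.218.3.0 0.0.0.63
access-list 102 deny ip 10.218.3.0 0.0.0.63 any
access-list 102 permit icmp any any echo-reply
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip any any
"""
VENDOR_PERMIT = ("access-list 102 permit tcp 198.51.100.0 0.0.0.255 any eq 10000\n"
                 "access-list 102 permit tcp 198.51.100.0 0.0.0.255 any eq 10001\n")
ACL_102_HARDENED = ACL_102.replace("access-list 102 deny ip any any",
                                   VENDOR_PERMIT + "access-list 102 deny ip any any")
# Proposed static PAT for vincent's two devices (constructed; assumed, not from the thread).
VINCENT_PAT = """
ip nat inside source static tcp 10.218.3.6 10000 interface Dialer0 10000
ip nat inside source static tcp 10.218.3.7 10000 interface Dialer0 10001
"""
# Excerpt of Frank's NAT lines and ACL 140 (the route-map 'nonat' match list).
FRANK_NAT = """
ip nat inside source static tcp 192.168.7.1 3389 interface Dialer1 3389
access-list 140 deny ip 192.168.7.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 140 deny ip 192.168.7.0 0.0.0.255 192.168.37.0 0.0.0.255
access-list 140 permit ip 192.168.7.0 0.0.0.255 any
"""
```

Running `evaluate(parse_acls(ACL_102)["102"], ("tcp", "198.51.100.7", "203.0.113.10", 40000, 10000))` returns `deny` for the ACL as posted, and `permit` once the vendor lines sit ahead of the final deny; a packet with a spoofed 10.x source still hits the earlier anti-spoof deny. With Frank's list, `outbound_is_translated` returns `False` for inside hosts talking to 172.16.0.0/16, which is why that traffic stays untranslated and can match crypto ACL 160, and `True` for ordinary Internet destinations. The permit is deliberately scoped to the vendor's source range and the two forwarded ports rather than `any`, since a static PAT entry exposes the inside host to every address the inbound ACL lets through.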