Internet access for host

Manos

Hello all,

I have a router that was configured with the following commands.

I need to give access for a specific host directly to the Internet (plug and play).

Could you please tell me how to proceed and what else needs to be configured?

Thank you in advance!!

 

ip dhcp excluded-address 172.16.214.1 172.16.214.200
ip dhcp excluded-address 172.16.214.240 172.16.214.254

ip dhcp pool xxxxx
network 172.16.214.0 255.255.255.0
default-router 172.16.214.1
dns-server 195.14.130.170 195.14.130.220

 

interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address 81.4.179.62 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description LAN_INTERFACE
ip address 172.16.214.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
no ip http server
no ip http secure-server

ip nat inside source static udp 192.168.214.71 8532 interface FastEthernet0 8532
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 81.4.179.61

Hello

I assume you wish for this host 192.168.214.71 to have static access? The problem is this host isn't subject to the NAT. I don't see any reference to it on any interface or any specific route towards this host or its subnet. Does this host reside internally behind your LAN interface?

Lastly, can you post your route-map configuration?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello Paul,

 

Thank you for your immediate answer. Below you may find all the configuration from the router (except sensitive parts.. :)

Based on the below configuration I need to give access to a host inside my LAN.

I don't mind if that host would be 192.168.214.71 or from another LAN.

Could you please inform me of what additional configuration is needed?

 

ip dhcp excluded-address 172.16.214.1 172.16.214.200
ip dhcp excluded-address 172.16.214.240 172.16.214.254
!
ip dhcp pool xxxx
network 172.16.214.0 255.255.255.0
default-router 172.16.214.1
dns-server 195.14.130.170 195.14.130.220

!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
ip address 81.4.179.62 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description LAN_INTERFACE
ip address 172.16.214.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source static udp 192.168.214.71 8532 interface FastEthernet0 8532
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 81.4.179.61
!
ip access-list extended NONAT
deny ip 172.16.214.0 0.0.0.255 10.0.0.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 10.5.0.0 0.0.255.255
deny ip 172.16.214.0 0.0.0.255 172.16.0.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 172.16.2.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 172.16.214.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 172.16.214.0 0.0.0.255 172.16.255.8 0.0.0.7
deny ip 172.16.214.0 0.0.0.255 10.0.16.0 0.0.7.255
deny ip 172.16.214.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 172.16.214.0 0.0.0.255 host 81.4.175.90
permit udp host 172.16.214.71 host 213.207.156.66 eq 8532
permit udp host 172.16.214.71 any eq 8532
permit ip 172.16.214.0 0.0.0.255 host 194.30.130.185
permit ip 172.16.214.0 0.0.0.255 host 194.30.130.176
permit ip 172.16.214.0 0.0.0.255 host 81.4.175.79
permit ip 172.16.214.0 0.0.0.255 host 194.30.135.14
permit ip 172.16.214.0 0.0.0.255 host 93.109.222.238
deny ip any any log

!
access-list 23 permit 62.38.168.163
access-list 23 permit 213.249.61.82
access-list 23 permit 195.46.2.183
access-list 23 permit 195.46.3.146
access-list 23 permit 213.249.61.64 0.0.0.15
access-list 23 permit 172.16.214.0 0.0.0.255
access-list 23 permit 172.16.0.0 0.0.1.255
access-list 23 permit 10.5.9.0 0.0.0.255
access-list 23 permit 172.16.2.0 0.0.0.255
access-list 23 permit 172.16.3.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.1.255
access-list 23 permit 81.4.179.60 0.0.0.3
access-list 23 permit 10.0.16.0 0.0.7.255
access-list 110 permit ip 172.16.214.0 0.0.0.255 10.5.0.0 0.0.255.255
!
route-map SDM_RMAP_1 permit 1
match ip address NONAT
match interface GigabitEthernet0
!

 

Hello,

 

Since static NAT takes precedence, the below statement should be sufficient, as long as the same traffic is being excluded from the VPN traffic.

Which access list are you using in your crypto map?

 

ip nat inside source static udp 192.168.214.71 8532 interface GigabitEthernet0 8532

 

As Paul already asked, how is 192.168.214.71 connected to your router?

Hello Georg,

 

Thank you for your reply!

 

The host will be connected with a cable directly to the router.

All I need is a configuration to give the host Internet access.

So do I need to give the host the static IP 192.168.214.71, default gateway and DNS servers?

Where should I plug it in?

What additional configuration (if needed) should I implement?

 

interface FastEthernet0
no ip address

 

interface GigabitEthernet0
ip address 81.4.179.62 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description LAN_INTERFACE
ip address 172.16.214.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452

 

ip nat inside source static udp 192.168.214.71 8532 interface FastEthernet0 8532
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 81.4.179.61

 

route-map SDM_RMAP_1 permit 1
match ip address NONAT
match interface GigabitEthernet0

ip access-list extended NONAT
deny ip 172.16.214.0 0.0.0.255 10.0.0.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 10.5.0.0 0.0.255.255
deny ip 172.16.214.0 0.0.0.255 172.16.0.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 172.16.2.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 10.0.0.0 0.0.0.255
deny ip 172.16.214.0 0.0.0.255 10.0.1.0 0.0.0.255
deny ip 172.16.214.0 0.0.0.255 172.16.255.8 0.0.0.7
deny ip 172.16.214.0 0.0.0.255 10.0.16.0 0.0.7.255
deny ip 172.16.214.0 0.0.0.255 10.0.20.0 0.0.0.255
permit ip 172.16.214.0 0.0.0.255 host 81.4.175.90
permit udp host 172.16.214.71 host 213.207.156.66 eq 8532
permit udp host 172.16.214.71 any eq 8532
permit ip 172.16.214.0 0.0.0.255 host 194.30.130.185
permit ip 172.16.214.0 0.0.0.255 host 194.30.130.176
permit ip 172.16.214.0 0.0.0.255 host 81.4.175.79
permit ip 172.16.214.0 0.0.0.255 host 194.30.135.14
permit ip 172.16.214.0 0.0.0.255 host 93.109.222.238
deny ip any any log

 

Please help!

Kind Regards

 

Hello,

 

Which router do you have? Is FastEthernet0 a layer 3 interface, that is, can you assign an IP address to that interface?

Hello,

 

The router is a C890, so I can assign an IP address to it.

 

Kind Regards

Hello,

 

then it should look like this:

 

interface FastEthernet0
ip address 192.168.214.1 255.255.255.0
ip nat inside

Also, make sure that the access list in the route map includes network 192.168.214.0/24:

ip access-list extended NONAT
permit ip 192.168.214.0 0.0.0.255 any

That said, there is no access list for your crypto map? Which traffic do you want to send through the VPN?
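
Added example, not part of any reply in this thread: a first-match evaluation of an abridged copy of the posted NONAT list, showing that a permit for 192.168.214.0/24 only takes effect when it sits before `deny ip any any log`. The destination 203.0.113.10, the test packet and the helper names (`parse`, `evaluate`, `NEW`, `PKT`) are constructed for illustration.

```python
import ipaddress

# Abridged copy of the NONAT list posted in the thread (order preserved).
NONAT = """\
deny ip 172.16.214.0 0.0.0.255 10.0.0.0 0.0.1.255
deny ip 172.16.214.0 0.0.0.255 10.5.0.0 0.0.255.255
permit ip 172.16.214.0 0.0.0.255 host 81.4.175.90
permit udp host 172.16.214.71 host 213.207.156.66 eq 8532
permit udp host 172.16.214.71 any eq 8532
deny ip any any log
""".splitlines()

def _addr(tok):
    """Consume one address spec from the token list -> (base, wildcard)."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse(line):
    tok = line.split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _addr(tok), _addr(tok)
    port = int(tok[1]) if tok[:1] == ["eq"] else None  # destination port
    return action, proto, src, dst, port

def _hit(ip, spec):
    base, wild = spec  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport=None):
    """First matching entry wins; returns (action, entry)."""
    for line in acl:
        action, p, s, d, port = parse(line)
        if p in ("ip", proto) and port in (None, dport) and _hit(src, s) and _hit(dst, d):
            return action, line
    return "deny", "(implicit deny)"

NEW = "permit ip 192.168.214.0 0.0.0.255 any"        # hypothetical added entry
PKT = ("udp", "192.168.214.71", "203.0.113.10", 53)  # constructed test packet

if __name__ == "__main__":
    for name, acl in (("as posted", NONAT),
                      ("permit appended last", NONAT + [NEW]),
                      ("permit before final deny", NONAT[:-1] + [NEW, NONAT[-1]])):
        print(f"{name:26} -> {evaluate(acl, *PKT)}")
```

A `deny` result here means route-map SDM_RMAP_1 does not match, so the overload rule does not translate the packet.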

 

Hello,

 

Try and add a secondary IP address to your Vlan 1 interface. This address needs to be the default gateway for your host. Then change the static NAT entry as below:

 

interface Vlan1
description LAN_INTERFACE
ip address 172.16.214.1 255.255.255.0
ip address 192.168.214.1 255.255.255.0 secondary
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip nat inside source static udp 192.168.214.71 8532 interface GigabitEthernet0 8532

Hello again,

 

I will try the latest configuration that you proposed with the secondary IP address and check connectivity.

I need Internet access only, so should I use any TCP protocol and other port in the below NAT statement?

 

ip nat inside source static udp 192.168.214.71 8532 interface GigabitEthernet0 8532

 

Kind Regards

Hello,

 

You don't need any ports, just source and destination are sufficient...
