New router config...

rudepeople
Level 1

Hello, my company is expanding into a new colo and we've decided to build the network around a Cisco ISR4321k9.

I have experience with configuring cisco switches (mostly catalyst) so I have some foundation knowledge, but when it comes to routing, I'm a little out of my depth. I'm learning this as fast as I can, but I don't have much time to get it done.

Basically, I'm trying to configure the router with an 8-port NIM (just acting like a switch in the rack) and dual WAN connections. One WAN is connected to the internet while the other will be a hard connection to another (future) colo with a nearly identical config to this one. On the LAN side of things, we'll have two servers with maybe 6 network connections between them.

The physical layout is this (obviously, the IPs are fake):

Gi0/0/0 - ip address 172.16.10.2/29 -> WAN interface
Gi0/0/1 - ip address 10.10.10.2/29 -> inter-colo interface
Vlan1 - ip address 192.168.1.1/24
Gi0/1/0 -> appserver1 port1 with IP 192.168.1.10/24
Gi0/1/1 -> appserver1 port2 with IP 192.168.1.11/24
Gi0/1/2 -> appserver1 port3 with IP 192.168.1.12/24
Gi0/1/3 -> appserver2 port1 with IP 192.168.1.20/24
Gi0/1/4 -> appserver2 port2 with IP 192.168.1.21/24
Gi0/1/5 -> appserver2 port3 with IP 192.168.1.22/24

I have all this configured and it appears to be working correctly (I can plug in a laptop to any of the above ports with the specified IPs and watch me some netflix).

Now I need to assign public IPs to each of the server network ports (so that the servers are visible from the internet). If I read the documentation correctly, all I need to do is run the following:

# ip nat inside source static 172.16.10.2 192.168.1.10
# ip nat inside source static 172.16.10.3 192.168.1.11
# ip nat inside source static 172.16.10.4 192.168.1.12
# ip nat inside source static 172.16.10.5 192.168.1.20
# ip nat inside source static 172.16.10.6 192.168.1.21
# ip nat inside source static 172.16.10.7 192.168.1.22
# ip nat outside source static 192.168.1.10 172.16.10.2
# ip nat outside source static 192.168.1.11 172.16.10.3
# ip nat outside source static 192.168.1.12 172.16.10.4
# ip nat outside source static 192.168.1.20 172.16.10.5
# ip nat outside source static 192.168.1.21 172.16.10.6
# ip nat outside source static 192.168.1.22 172.16.10.7

Is this correct? Or am I just looking at this backwards and upside down?

The biggest problem is the fact I presently have the router connected to a temporary internet connection at our HQ office and I don't have multiple IPs assigned from our ISP, so I can't actually test my config until everything goes live, and if I get this wrong, someone's going to have to GO to the colo to fix it... I'd like NOT to have to do that...

4 Replies

Giuseppe Larosa
Hall of Fame

Hello,

if you want the servers to be reachable / contacted from the internet you need to add the keyword extendable to each ip nat static command.

Example:

ip nat inside source static 172.16.10.2 192.168.1.10

becomes

ip nat inside source static 172.16.10.2 192.168.1.10 extendable

This allows the NAT translation to be started when a client from the internet attempts to connect to the public IP address of the server.

To make a test now with a single public IP address you can try to make your NAT statement more specific, adding TCP and a port to the statement:

ip nat inside source static tcp 172.16.10.2 8080 192.168.1.10 8080 extendable

Check the correct syntax because I have written it on the fly.

You should be able to use a different TCP port for each server for testing purposes.

Hope to help

Giuseppe

Thank you! I believe this is *mostly* what I needed... that said, I am still having issues in the test env.

Presently I'm connected to a cable ISP with a single IP address (because that's all I have). I've got everything configured and working fine for one of the app servers and a laptop. The server has a dev page serving on port 10000 and it's visible to the outside world, but I'm not able to open a VPN connection to the server...

I have the server configured with OpenVPN talking on UDP port 1194. From the laptop I can start a connection which will attempt to connect but fail (as expected while on the same network), and the connection attempt is logged by the server (indicating the server IS configured correctly). But when I take the laptop off the network and connect to the HQ net (different ISP) I am still able to open the admin/test webpage on port 10000, but my OpenVPN client times out, and the server logs nothing...

 

This is the pertinent config:

!
interface GigabitEthernet0/0/0
 description WAN000
 ip address [WAN-IP] 255.255.255.252
 ip nat outside
 negotiation auto
!
interface Vlan1
 ip address 192.168.60.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.60.11 10000 interface GigabitEthernet0/0/0 10000
ip nat inside source static tcp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
ip forward-protocol nd
ip http server
ip http secure-server
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 [WAN-GW]
!
!
access-list 1 permit 192.168.60.0 0.0.0.255
!

Hello,

I think OpenVPN by default uses UDP port 1194, and if that fails, TCP port 1194. Try and add:

ip nat inside source static udp 192.168.60.11 1194 interface GigabitEthernet0/0/0 1194

to your configuration.

That was it! Thanks!
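The following is an added example, not configuration posted by the original poster or by any of the replies, that puts the pieces of this thread together the way IOS expects them. Two points of IOS NAT syntax it relies on: on `ip nat inside source static` the inside-local (private) address is the first operand and the inside-global (public) address the second, so the lines in the opening question have the operands reversed; and `ip nat outside source static` translates the addresses of outside hosts, so it is not needed to publish inside servers at all. The port-specific form using `interface` is what lets the router's own WAN address front one service per port, and because TCP and UDP are separate translations, OpenVPN on UDP 1194 needs its own `udp` line even when a `tcp 1194` line exists, which is exactly what the accepted answer adds. The example uses the addresses from the question's layout, keeps `[WAN-GW]` as the page's own placeholder, and assumes 172.16.10.3 is a spare address in the WAN /29 that the ISP routes to this router.

```cisco
! Added example, not the original poster's configuration.
! Inside addressing follows the layout in the question; 172.16.10.3 is assumed
! to be a spare address in the WAN /29. [WAN-GW] is the page's own placeholder.
!
interface GigabitEthernet0/0/0
 description WAN000
 ip address 172.16.10.2 255.255.255.248
 ip nat outside
 negotiation auto
!
interface Vlan1
 description server LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! One-to-one static NAT: inside-local first, inside-global second.
! Every listening port of 192.168.1.11 becomes reachable on 172.16.10.3, so
! pair this with an inbound ACL or zone-based firewall on Gi0/0/0 that permits
! only the services you intend to expose.
ip nat inside source static 192.168.1.11 172.16.10.3 extendable
!
! Port-specific static NAT on the router's own WAN address: only the named
! protocol/port is exposed. TCP and UDP are separate translations, so the
! OpenVPN line needs "udp" even though a "tcp 1194" line could also exist.
ip nat inside source static tcp 192.168.1.10 10000 interface GigabitEthernet0/0/0 10000
ip nat inside source static udp 192.168.1.10 1194 interface GigabitEthernet0/0/0 1194
!
! Dynamic PAT for everything else leaving the LAN.
ip nat inside source list 1 interface GigabitEthernet0/0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
!
ip route 0.0.0.0 0.0.0.0 [WAN-GW]
!
! Verification from the router once the links are up:
!   show ip nat translations   (static entries are listed even with no traffic)
!   show ip nat statistics     (hit/miss counters, inside/outside interfaces)
!   debug ip nat               (per-packet translation log; run it briefly)
```

Test each published service from a host outside the WAN link, as the original poster ended up doing: a client on the inside LAN connecting to the public address will not traverse the translation, so a failure from the same subnet says nothing about the NAT entry. Keep in mind that static NAT only forwards packets; it does not filter them, so the one-to-one mapping above should always sit behind an explicit inbound filter on the outside interface.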
