Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
0
Helpful
4
Replies

Reaching Server over own WAN trough own LAN

javdakker
Level 1
Level 1

‎03-26-2013 07:46 AM - edited ‎03-04-2019 07:24 PM

Hi there,

I want to know if it is possible to reach a server via own WAN ip address on dialer, using a internal LAN device.

So lets say Y is wan and X is LAN. I am a client in X i want to reach Y on port 80, not internal but external. so i browse to Y:80.

This is not accepted by out cisco router, tough i do understand why, i was wondering if there was a way to make it work. See below for the configuration of

our cisco router. I read about NAT on a Stick, but i dont realy understand how that works.

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname xxxxxxxxx_RTR001

!

boot-start-marker

boot-end-marker

!

!

logging buffered 52000

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

!

!

no ipv6 cef

ip source-route

ip cef

!

!

!

ip dhcp excluded-address xxxxxxxxx.1 xxxxxxxxx.20

ip dhcp excluded-address xxxxxxxxx.240 xxxxxxxxx.254

!

ip dhcp pool VdR_xxxxxxxxx

network xxxxxxxxx.0 255.255.255.0

default-router xxxxxxxxx.254

dns-server xxxxxxxxx

lease infinite

!

!

no ip domain lookup

ip domain name xxxxxxxxx.nl

!

multilink bundle-name authenticated

!

license udi pid CISCO1921/K9 sn xxxxxxxxx

!

!

username xxxxxx privilege 15 secret 4 xxxxxxxxxxxxx

!

!

redundancy

!

!

!

!

!

policy-map custom-shaper-20000kbps

class class-default

  shape average 18800000

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxxxxxxx address xxxxxxxxx

!

crypto isakmp client configuration group VDR-VPN

key xxxxxxxxx

pool SDM_POOL_1

acl 102

include-local-lan

max-users 15

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group VDR-VPN

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA2

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel toxxxxxxxxx

set peer xxxxxxxxx

set transform-set ESP-3DES-SHA

match address 100

!

!

!

!

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

description WAN_DATA

bandwidth 20000

no ip address

no ip route-cache

load-interval 30

duplex full

speed 100

pppoe enable group global

pppoe-client dial-pool-number 1

no keepalive

no cdp enable

service-policy output custom-shaper-20000kbps

!

interface GigabitEthernet0/1

no ip address

no ip route-cache

duplex full

speed 1000

!

interface GigabitEthernet0/1.X

description DATA_VLANX

encapsulation dot1Q X native

ip address xxxxxxxxx.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip verify unicast reverse-path

no ip route-cache

ip tcp adjust-mss 1452

no keepalive

no cdp enable

!

interface GigabitEthernet0/1.XX

description VOICE_VLANXX

encapsulation dot1Q XX

ip address xxxxxxxxx.254 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip verify unicast reverse-path

no ip route-cache

ip tcp adjust-mss 1452

no keepalive

no cdp enable

!

interface Virtual-Template1 type tunnel

ip unnumbered Dialer1

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Dialer1

description DIALER_YYYYYYYY

mtu 1492

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly in

ip verify unicast reverse-path

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap callin

ppp pap sent-username xxxxxxxxx password xxxxxxxxx

no cdp enable

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 xxxxxxxxx.10 xxxxxxxxx.25

ip forward-protocol nd

!

no ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

no ip nat service sip udp port 5060

!

ip nat inside source static tcp xxxxxxxxx.75 4096 interface Dialer1 80

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

ip nat inside source static tcp xxxxxxxxx.185 21 yyyyyyyyyy.58 21 extendable

ip nat inside source static tcp xxxxxxxxx.185 80 yyyyyyyyyy.58 80 extendable

ip nat inside source static tcp xxxxxxxxx.185 5800 yyyyyyyyyy.58 5800 extendable

ip nat inside source static tcp xxxxxxxxx.185 5900 yyyyyyyyyy.58 5900 extendable

ip nat inside source static tcp xxxxxxxxx.185 5901 yyyyyyyyyy.58 5901 extendable

ip nat inside source static tcp xxxxxxxxx.122 80 yyyyyyyyyy.59 80 extendable

ip nat inside source static tcp xxxxxxxxx.140 21 yyyyyyyyyy.60 21 extendable

ip nat inside source static tcp xxxxxxxxx.140 80 yyyyyyyyyy.60 80 extendable

ip nat inside source static tcp xxxxxxxxx.212 21 yyyyyyyyyy.61 21 extendable

ip nat inside source static tcp xxxxxxxxx.212 25 yyyyyyyyyy.61 25 extendable

ip nat inside source static tcp xxxxxxxxx.213 80 yyyyyyyyyy.61 80 extendable

ip nat inside source static xxxxxxxxx.50 yyyyyyyyyy.62

!

!

ip route 0.0.0.0 0.0.0.0 Dialer1

!

access-list 23 permit xxxxxxxxxxxx

access-list 23 permit xxxxxxxxxxxx

access-list 23 permit xxxxxxxxxxxx

access-list 23 permit xxxxxxxxxxxx 0.0.0.7

access-list 23 remark acl_remote_management

access-list 23 permit xxxxxxxxxxxx 0.0.0.255

access-list 23 permit xxxxxxxxxxxx 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip xxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxx 0.0.0.255

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip xxxxxxxxxxxx 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip xxxxxxxxxxxx 0.0.0.255 any

access-list 110 remark CCP_ACL Category=16

access-list 110 remark IPSec Rule

access-list 110 deny   ip xxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxx 0.0.0.255

access-list 110 permit ip xxxxxxxxxxxx 0.0.0.255 any

access-list 110 permit ip xxxxxxxxxxxx 0.0.0.255 any

dialer-list 1 protocol ip permit

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 110

!

!

snmp-server community RSO RO 23

!

!

!

control-plane

!

!

banner motd ^CCC

****BANNER MOTD****

^C

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

transport input all

line vty 5 15

access-class 23 in

transport input telnet ssh

!

scheduler allocate 20000 1000

Labels:
0 Helpful
4 Replies 4

blau grana
Level 7
Level 7

‎03-30-2013 10:00 AM

Hello Jan,

I was testing NAT on Stick configuration today, here is thread with topology and configuration:

https://supportforums.cisco.com/thread/2207031

Here is nice explanation:

http://ccietobe.blogspot.sk/2009/01/nat-on-stick.html

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
0 Helpful

javdakker
Level 1
Level 1
In response to blau grana

‎04-02-2013 08:02 AM

Hi Blau grana,

Your post does not seem te relate to mine very well. And i still do not know how we can make this possible..

The problem: Client has a server that can not be reached internally (security) thus must be reached from the outside..

0 Helpful

paul driver
VIP
VIP
In response to javdakker

‎04-02-2013 08:51 AM

Hello

Just to clarify you wish to access a server via port 80 which has a public ip address from a host residing in your LAN?

Tryand nat the outside public ip of this server to an internal lan ip -
ip nat outside source static tcp (public ip) 80 (lan ip) 80

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

javdakker
Level 1
Level 1
In response to paul driver

‎04-02-2013 09:01 AM

Paul,

That's not the problem. I allready did the NAT statements. and the server IS reachable from another external ip adres not port of this clients subnet. Only problem is from inside to outside and that outside routes back to inside.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card