03-26-2013 07:46 AM - edited 03-04-2019 07:24 PM
Hi there,
I want to know if it is possible to reach a server via our own WAN IP address on the dialer, using an internal LAN device.
So let's say Y is the WAN and X is the LAN. I am a client in X and I want to reach Y on port 80, not internally but externally, so I browse to Y:80.
This is not accepted by our Cisco router. Though I do understand why, I was wondering if there was a way to make it work. See below for the configuration of
our Cisco router. I read about NAT on a Stick, but I don't really understand how that works.
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxxx_RTR001
!
boot-start-marker
boot-end-marker
!
!
logging buffered 52000
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address xxxxxxxxx.1 xxxxxxxxx.20
ip dhcp excluded-address xxxxxxxxx.240 xxxxxxxxx.254
!
ip dhcp pool VdR_xxxxxxxxx
network xxxxxxxxx.0 255.255.255.0
default-router xxxxxxxxx.254
dns-server xxxxxxxxx
lease infinite
!
!
no ip domain lookup
ip domain name xxxxxxxxx.nl
!
multilink bundle-name authenticated
!
license udi pid CISCO1921/K9 sn xxxxxxxxx
!
!
username xxxxxx privilege 15 secret 4 xxxxxxxxxxxxx
!
!
redundancy
!
!
!
!
!
policy-map custom-shaper-20000kbps
class class-default
shape average 18800000
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address xxxxxxxxx
!
crypto isakmp client configuration group VDR-VPN
key xxxxxxxxx
pool SDM_POOL_1
acl 102
include-local-lan
max-users 15
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group VDR-VPN
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA2
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel toxxxxxxxxx
set peer xxxxxxxxx
set transform-set ESP-3DES-SHA
match address 100
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description WAN_DATA
bandwidth 20000
no ip address
no ip route-cache
load-interval 30
duplex full
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
no keepalive
no cdp enable
service-policy output custom-shaper-20000kbps
!
interface GigabitEthernet0/1
no ip address
no ip route-cache
duplex full
speed 1000
!
interface GigabitEthernet0/1.X
description DATA_VLANX
encapsulation dot1Q X native
ip address xxxxxxxxx.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
no ip route-cache
ip tcp adjust-mss 1452
no keepalive
no cdp enable
!
interface GigabitEthernet0/1.XX
description VOICE_VLANXX
encapsulation dot1Q XX
ip address xxxxxxxxx.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
no ip route-cache
ip tcp adjust-mss 1452
no keepalive
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer1
description DIALER_YYYYYYYY
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxxxx password xxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 xxxxxxxxx.10 xxxxxxxxx.25
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
no ip nat service sip udp port 5060
!
ip nat inside source static tcp xxxxxxxxx.75 4096 interface Dialer1 80
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source static tcp xxxxxxxxx.185 21 yyyyyyyyyy.58 21 extendable
ip nat inside source static tcp xxxxxxxxx.185 80 yyyyyyyyyy.58 80 extendable
ip nat inside source static tcp xxxxxxxxx.185 5800 yyyyyyyyyy.58 5800 extendable
ip nat inside source static tcp xxxxxxxxx.185 5900 yyyyyyyyyy.58 5900 extendable
ip nat inside source static tcp xxxxxxxxx.185 5901 yyyyyyyyyy.58 5901 extendable
ip nat inside source static tcp xxxxxxxxx.122 80 yyyyyyyyyy.59 80 extendable
ip nat inside source static tcp xxxxxxxxx.140 21 yyyyyyyyyy.60 21 extendable
ip nat inside source static tcp xxxxxxxxx.140 80 yyyyyyyyyy.60 80 extendable
ip nat inside source static tcp xxxxxxxxx.212 21 yyyyyyyyyy.61 21 extendable
ip nat inside source static tcp xxxxxxxxx.212 25 yyyyyyyyyy.61 25 extendable
ip nat inside source static tcp xxxxxxxxx.213 80 yyyyyyyyyy.61 80 extendable
ip nat inside source static xxxxxxxxx.50 yyyyyyyyyy.62
!
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 23 permit xxxxxxxxxxxx
access-list 23 permit xxxxxxxxxxxx
access-list 23 permit xxxxxxxxxxxx
access-list 23 permit xxxxxxxxxxxx 0.0.0.7
access-list 23 remark acl_remote_management
access-list 23 permit xxxxxxxxxxxx 0.0.0.255
access-list 23 permit xxxxxxxxxxxx 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip xxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxx 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip xxxxxxxxxxxx 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip xxxxxxxxxxxx 0.0.0.255 any
access-list 110 remark CCP_ACL Category=16
access-list 110 remark IPSec Rule
access-list 110 deny ip xxxxxxxxxxxx 0.0.0.255 xxxxxxxxxxxx 0.0.0.255
access-list 110 permit ip xxxxxxxxxxxx 0.0.0.255 any
access-list 110 permit ip xxxxxxxxxxxx 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 110
!
!
snmp-server community RSO RO 23
!
!
!
control-plane
!
!
banner motd ^CCC
****BANNER MOTD****
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
transport input all
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler allocate 20000 1000
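The loopback-plus-policy-routing form of NAT on a stick that the poster mentions, adapted to the configuration above. This is an added example, not part of the thread and not taken from Cisco's documentation. The addresses are assumptions standing in for the redacted ones: 192.168.1.0/24 for the DATA VLAN, 192.168.1.75 for the web server that the existing static rule maps from port 4096 to Dialer1 port 80, 203.0.113.10 for the Dialer1 public address, and 192.168.255.1/30 as an otherwise unused loopback address.

```cisco
! Added example (not from the thread): let LAN clients reach the Dialer1 public
! address on port 80 by looping the traffic through a loopback that NAT treats as
! an outside interface. Assumed values: LAN 192.168.1.0/24, web server
! 192.168.1.75 (already mapped by "ip nat inside source static tcp ... 4096
! interface Dialer1 80"), Dialer1 public address 203.0.113.10, loopback
! 192.168.255.1/30.
!
! 1. A loopback marked as a NAT outside interface. A packet policy-routed out of
!    it is received by the router again, this time as outside-to-inside traffic.
interface Loopback0
 description NAT hairpin loop
 ip address 192.168.255.1 255.255.255.252
 ip nat outside
!
! 2. Match only the hairpin traffic: LAN clients to the public address on port
!    80, and the web server's replies (from its real port 4096) to the public
!    address, which is where the clients appear to come from after translation.
access-list 150 remark NAT_HAIRPIN: LAN clients -> Dialer1 public address :80
access-list 150 permit tcp 192.168.1.0 0.0.0.255 host 203.0.113.10 eq 80
access-list 150 remark NAT_HAIRPIN: web server replies -> translated clients
access-list 150 permit tcp host 192.168.1.75 eq 4096 host 203.0.113.10
!
route-map NAT_HAIRPIN permit 10
 match ip address 150
 set interface Loopback0
!
! 3. Apply the policy on the inside interface the clients and the server sit on.
interface GigabitEthernet0/1.X
 ip policy route-map NAT_HAIRPIN
!
! Verification after a LAN client browses to http://203.0.113.10/:
!   show ip nat translations | include 4096
!   show route-map NAT_HAIRPIN
```

Why the extra loop is needed: IOS applies inside-to-outside translation only to packets forwarded from an inside interface to an outside one, and outside-to-inside translation only to packets received on an outside interface. A LAN packet addressed to the router's own Dialer1 address is neither; it is delivered to the router itself and never reaches the static port-80 rule, which is what the poster sees. With the policy route the packet leaves via Loopback0 (inside-to-outside: the client's source becomes 203.0.113.10 through the existing overload rule), is received again on Loopback0 (outside-to-inside: destination 203.0.113.10:80 becomes 192.168.1.75:4096) and is then routed to the server; the second ACL line gives the reply the same two passes in reverse. Caveats: the server sees every LAN client as 203.0.113.10, so it can no longer tell internal visitors from external ones; Dialer1 has `ip address negotiated`, so the host address in ACL 150 must be updated if the provider hands out a different address; and each hairpinned packet is translated twice on interfaces that are already process-switched (`no ip route-cache`).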
03-30-2013 10:00 AM
Hello Jan,
I was testing the NAT on a Stick configuration today. Here is a thread with topology and configuration:
https://supportforums.cisco.com/thread/2207031
Here is a nice explanation:
http://ccietobe.blogspot.sk/2009/01/nat-on-stick.html
Best Regards
Please rate all helpful posts and close solved questions
04-02-2013 08:02 AM
Hi Blau grana,
Your post does not seem to relate to mine very well, and I still do not know how we can make this possible.
The problem: the client has a server that cannot be reached internally (security), thus it must be reached from the outside.
04-02-2013 08:51 AM
Hello
Just to clarify: you wish to access a server, which has a public IP address, via port 80 from a host residing in your LAN?
Try and NAT the outside public IP of this server to an internal LAN IP:
ip nat outside source static tcp (public ip) 80 (lan ip) 80
res
Paul
Please don't forget to rate any posts that have been helpful.
Thanks.
04-02-2013 09:01 AM
Paul,
That's not the problem. I already did the NAT statements, and the server IS reachable from another external IP address that is not part of this client's subnet. The only problem is from inside to outside, where that outside address routes back to inside.