Re: Allow public access to VPN and SSH service

MickeMan1985 · ‎02-20-2014

Hello, we have a 2911 router, connected directly to our ISP. Our ISP grants us 5 public IP addresses in a 255.255.255.248 subnet, from IP 217.xxx.xxx.250 to 217.xxx.xxx.254.

Gateway to internet is 217.xxx.xxx.249

My idea was that the router, through gigabitethernet 0/0, with IP 217.xxx.xxx.250, gets the WAN connection for internet access, and that we could then use 217.xxx.xxx.251 primarily for VPN connections going into the office, currently in an openvpn server with ip 192.168.0.17. So first I thought I could just setup a NAT from 217.xxx.xxx.251 to go directly to 192.168.0.17, just to test, with ssh, port 22.

The problem is that I can ping the IP 217.xxx.xxx.251, but when running nmap on that IP it turns out its the router itself, which is strange to me.

So heres what I want:

217.xxx.xxx.250 -> the routers WAN IP on gigabitethernet 0/0 (works)

192.168.0.17 -> the routers LAN IP on gigabitethernet 0/2 (works)

NAT 217.xxx.xxx.251 port 22 to internal server 192.168.0.17 (not working)

Heres the relevant part of my configuration:

interface GigabitEthernet0/0

description WAN interface

ip address 217.xxx.xxx.250 255.255.255.248

ip nat outside

no ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

!

interface GigabitEthernet0/1

no ip address

shutdown

!

interface GigabitEthernet0/2

description LAN interface

ip address 192.168.0.21 255.255.255.0

ip nat inside

no ip virtual-reassembly in

duplex auto

speed auto

no cdp enable

!

ip default-gateway 217.xxx.xxx.249

ip forward-protocol nd

!

ip http server

ip http authentication local

!

ip dns server

ip dns spoofing

ip nat source static 192.168.0.17 217.xxx.xxx.251 extendable

ip nat inside source list inside interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.0.17 22 217.xxx.xxx.251 22 extendable

ip nat inside source static 192.168.0.17 217.xxx.xxx.251 extendable

ip route 0.0.0.0 0.0.0.0 217.xxx.xxx.249

!

ip access-list extended TerminalAccess

permit tcp host 192.168.0.0 any eq telnet

permit tcp any any eq 22

deny tcp any any

ip access-list extended inside

permit ip 192.168.0.0 0.0.0.255 any

permit ip any any

!

no service-routing capabilities-manager

access-list 100 permit ip any any

access-list 101 permit tcp any host 217.xxx.xxx.251 eq 22

no cdp run

!

snmp-server community public RO

snmp-server enable traps entity-sensor threshold

!

control-plane

!

MickeMan1985 · ‎02-21-2014

Nobody has any ideas what the problem is?

Why doesnt traffic get forwarded from my router to the local server 192.168.0.17?

And why is the traffic destined for 217.xxx.xxx.251 end up to my router and not forwarded as I have specified the NAT rule to do?

I'd appreciate any help I can get.

paul driver · ‎02-21-2014

Hello

You config doesn't look correct to me.try this:

No ip nat source static 192.168.0.17 217.xxx.xxx.251 extendable
No ip nat inside source static 192.168.0.17 217.xxx.xxx.251 extendable
No ip default-gateway xxxx.249

ip access-list extended inside
No 20
5 deny host 192.168.0.17

Ip nat inside source list inside interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.0.17 22 217.xxx.xxx.251 22
Or
ip nat inside source static 192.168.0.17 217.xxx.xxx.251

Also is this host192.168.0.17 - ssh enabled.and does it have any software fw that can prohibit connection

Res
Paul

Sent from Cisco Technical Support iPad App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MickeMan1985 · ‎02-21-2014

Thanks for your reply.

I'm able to ssh to the host from inside of the network, so thats no problem.

Heres the changes I made:

ip nat inside source list inside interface GigabitEthernet0/0 overload

ip nat inside source static tcp 192.168.0.17 22 217.xxx.xxx.251 22 extendable

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 217.xxx.xxx.249

!

ip access-list extended TerminalAccess

permit tcp host 192.168.0.0 any eq telnet

permit tcp any any eq 22

deny tcp any any

ip access-list extended inside

permit ip 192.168.0.0 0.0.0.255 any

permit ip any any

!

no service-routing capabilities-manager

access-list 100 permit ip any any

no cdp run

!

Still get connection refused on 217.xxx.xxx.251, and I'm certain that the connection attempt is made on the router itself, not the host located at 192.168.0.17. Any ideas why?

paul driver · ‎02-21-2014

Hello

Where are these applied
ip access-list extended TerminalAccess
access-list 100

also
ip access-list extended inside
deny ip host 192.168.0.17 any (as you have a static entry)
permit ip 192.168.0.0 0.0.0.255 any
permit ip any any ( not required)

ip nat inside source static tcp 192.168.0.17 22 217.xxx.xxx.251 22 extendable (not requried)
ip default-gateway xxxx.249 ( not required as you are routing and this router isnt running as a host)

can you cnfirm you have reacblity to thjis host inside your LAN - 192.168.0.17 - and is ssh enabled.and does it have any software fw that can prohibit connection

res
Paul

Please don't forget to rate any posts that have been helpful.

Thanks.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

MickeMan1985 · ‎02-21-2014

these:

ip access-list extended TerminalAccess

access-list 100

are not applied to any interface

This command:

ip access-list extended inside

deny ip host 192.168.0.17 ( as you have a static entry)

can not be executed:

(config-ext-nacl)#deny ip host 192.168.0.17

% Incomplete command.

paul driver · ‎02-22-2014

Hello

Typo....try

deny ip host 192.168.0.17 any

Res
Paul

Sent from Cisco Technical Support iPad App

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul