02-14-2013 08:52 AM - edited 03-07-2019 11:43 AM
I have some questions about how to configure my Cisco 1941 with a routed subnet from my ISP to forward them to 1 or more servers in my LAN.
The situation is:
1 Cisco 1941 (with the default 2 Gigabit ethernet ports)
So I can use 1 for the connection to my NTU and 1 to my VLAN supported gigabit LAN switch.
1 Routed subnet /29 from my ISP (over a fiber connection).
In my LAN I have (at the moment) 3 servers, and about 15 clients
I would like to use the first ip address from the routed subnet for internet traffic from all the clients in the LAN.
I would like to use the second ip address from the routed subnet for server1, so that server1 accepts some allowed connections and connects to the internet with the second ip address from the routed subnet.
I would like to use the third ip address from the routed subnet for server2, so that server2 accepts some allowed connections and connects to the internet with the third ip address from the routed subnet.
I would like to use the fourth ip address from the routed subnet for server3, so that server3 accepts some allowed connections and connects to the internet with the fourth ip address from the routed subnet.
Below you find the configuration I am using at the moment. The clients have internet, but via the first ip address of the routed subnet.
I hope someone can help me because my experience is too little.
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
duplex full
speed 100
!
interface GigabitEthernet0/0.1
description First EVC 50Mb
encapsulation dot1Q 1 native
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
description SW01_Port25
no ip address
duplex full
speed 1000
!
interface GigabitEthernet0/1.10
description Data_VLAN10
encapsulation dot1Q 10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
!
interface GigabitEthernet0/1.20
description Voice_VLAN20
encapsulation dot1Q 20
ip address 172.16.1.1 255.255.255.0
ip tcp adjust-mss 1452
no cdp enable
!
interface GigabitEthernet0/1.50
description DMZ_VLAN50
encapsulation dot1Q 50
ip address 192.168.2.1 255.255.255.0
ip tcp adjust-mss 1452
no cdp enable
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username XXXXX password XXXXX
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.11.0 255.255.255.0 192.168.1.254
!
access-list 23 remark TTY security
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 remark allow nat
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
02-14-2013 09:05 AM
It sounds like you're wanting to use static nat for your servers. Assuming a server on your lan is addressed at 192.168.1.50 and you want people from the outside to access it with 1.1.1.50, you'd simply put a static nat in your config:
ip nat inside source static 192.168.1.50 1.1.1.50
The 1.1.1.50 is going to be a public address from the block that your isp assigned to you.
HTH,
John
*** Please rate all useful posts ***
02-15-2013 12:46 PM
Hi John,
Yes, that's right. I want to use static nat for some servers.
I added:
ip nat inside source static 192.168.1.50 1.1.1.50
and now it works as I like. Thanks.
But now I have the problem that all ports are forwarded to the server.
I would like only port 443 to be forwarded to the server.
How can I avoid the other ports being forwarded, or block them with an ACL?
Thanks,
Albert
02-15-2013 01:03 PM
You can allow the ones that you want through acl, or you can statically set those as well:
ip nat inside source static tcp 192.168.1.50 443 1.1.1.50 443
HTH,
John
*** Please rate all useful posts ***
02-15-2013 01:43 PM
Hi John,
This didn't work for me, because I would like to use the specific ip address from the ISP's subnet to go to the internet.
When I use the ip nat inside you last suggested, the server goes to the internet over the first ip address of the subnet and not the third.
So I think I have to do something with ACL.
I already did the following, but it didn't work the way I want.
access-list 110 remark ACL - VLAN10
access-list 110 permit gre any host 192.168.1.2
access-list 110 permit tcp any host 192.168.1.2 eq 1723
access-list 110 permit tcp any host 192.168.1.242 eq 443
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
int gi0/1.10
ip access-group 110 in
I hope you can give me good advice.
Regards,
Albert
02-15-2013 02:07 PM
In this case, yes, the only time you'd be using that static address is when it would be ssl based. You'd do a 1-1 nat like the original case and then block traffic inbound.
You'll want to apply it to your wan side interface on the dialer.
Try this. NAT happens after the acl is checked, so you'll allow traffic into your public address. For the example above, the following should work:
access-list 110 permit tcp any host 1.1.1.50 eq 443
access-list 110 deny ip any any
This allows people from the outside to connect to 1.1.1.50 (your natted address) on 443, but denies everything else. There are some caveats though in that return traffic would need to be allowed etc, or you could use cbac or zone-based firewalls. It looks like, by the acl above, that you're also wanting to restrict 192.168.1.0 from being able to talk to 192.168.2.0? If that's the case, you're going to need a different acl on the 192.168.1.0 interface.
HTH,
John
*** Please rate all useful posts ***
02-15-2013 03:32 PM
Hi John,
Yes, you're right, I want to block traffic coming from vlan 192.168.1.0 to vlan 192.168.1.0. That's what access-list 110 is for.
Thank you for your last post. I am almost there now.
Incoming traffic is restricted to only port 443
But now, the server can't access the internet. So I added this one: access-list 190 permit ip host 1.1.1.51 any, but that didn't help.
These are the access-list's I am using now:
access-list 110 remark ACL - VLAN10
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 190 remark ACL - DIALER1
access-list 190 permit gre any host 1.1.1.50
access-list 190 permit tcp any host 1.1.1.50 eq 1723
access-list 190 permit tcp any host 1.1.1.51 eq 443
access-list 190 permit ip host 1.1.1.51 any
access-list 190 deny ip any any
int gi0/1.10
ip access-group 110 in
int dialer1
ip access-group 190 in
Regards,
Albert
02-16-2013 06:53 AM
Albert,
With an acl on the outside interface (dialer1), you'll need to allow a couple of other things to let internet traffic back in. Try adding:
!! Copy below this line !!!
no access-list 190
access-list 190 remark ACL - DIALER1
access-list 190 permit gre any host 1.1.1.50
access-list 190 permit tcp any host 1.1.1.50 eq 1723
access-list 190 permit tcp any host 1.1.1.51 eq 443
access-list 190 permit tcp any any established
access-list 190 permit udp any eq 53 any
access-list 190 deny ip any any
!! Copy above this line !!
Paste these lines into your console or retype them exactly.
That should help with the internet issue. (You can remove the "permit ip host 1.1.1.51 any" line).
As far as 110, the sequence is out of order. You're allowing the 192.168.1.0 into everything, but then denying to 192.168.2.0. It's never going to hit the second line though, so delete that acl and recreate in the opposite order:
!! Copy below this line !!!
no access-list 110
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
!! Copy above this line !!
Paste the above lines in as well.
HTH,
John
*** Please rate all useful posts ***
02-19-2013 08:04 AM
Hi John,
Thank you for your reply.
The good news is that the access-list 110 works fine now. Thanks about that!
The other news is that I have internet traffic with the access-list 190 on the dialer1. But the strange thing is that a traceroute to a host on the internet does not end successfully.
See below the traceroute with no ip access-group 190 in on dialer1:
Traceren van de route naar www-nu-nl.gl.sanomaservices.nl [62.69.166.15]
via maximaal 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.15
2 3 ms 3 ms 3 ms 212.121.121.183
3 5 ms 3 ms 5 ms 4-2-bcs2-dc2.routit.net [84.246.25.180]
4 4 ms 3 ms 3 ms te13.core2.tc2.routit.net [84.246.25.136]
5 3 ms 3 ms 3 ms 1-2-inet1-tc2.routit.net [84.246.25.46]
6 10 ms 11 ms 11 ms br1.ams.terremark.net [195.69.145.48]
7 4 ms 4 ms 4 ms 85.112.0.129
8 5 ms 4 ms 4 ms 62-69-166-15.ptr.as24646.net [62.69.166.15]
De trace is voltooid.
And this is what happened with ip access-group 190 in on dialer1:
Traceren van de route naar www-nu-nl.gl.sanomaservices.nl [62.69.166.18]
via maximaal 30 hops:
1 <1 ms 2 ms 1 ms 192.168.1.15
2 * * * Time-out bij opdracht.
3 * * * Time-out bij opdracht.
4 * * * Time-out bij opdracht.
5 * * * Time-out bij opdracht.
28 * * * Time-out bij opdracht.
29 * * * Time-out bij opdracht.
30 * * * Time-out bij opdracht.
De trace is voltooid.
CIT-FW01#sh users
Line User Host(s) Idle Location
*132 vty 0 cit idle 00:00:00 192.168.150.129
Interface User Mode Idle Peer Address
Vi2 PPPoE 00:00:00 212.121.121.183
So, with the ip access-group 190 in on dialer1 the ip address on the Vi2 interface is not reachable.
Any idea?
Thanks a lot.
02-19-2013 08:06 PM
Try adding "permit icmp any any echo-reply" to your acl...
HTH,
John
*** Please rate all useful posts ***
02-21-2013 04:02 AM
Hi John,
We are almost there!
I added permit icmp any any echo-reply, and now I get this result:
Traceren van de route naar www-nu-nl.gl.sanomaservices.nl [62.69.166.18]
via maximaal 30 hops:
1 <1 ms <1 ms <1 ms 192.168.1.15
2 * * * Time-out bij opdracht.
3 * * * Time-out bij opdracht.
4 * * * Time-out bij opdracht.
5 * * * Time-out bij opdracht.
6 * * * Time-out bij opdracht.
7 * * * Time-out bij opdracht.
8 4 ms 4 ms 4 ms 62-69-166-18.ptr.as24646.net [62.69.166.18]
De trace is voltooid.
Also, from the router interface a traceroute did not work. When I remove the ip access-group 190 in from dialer1 it works well.
Regards,
Albert
02-21-2013 08:34 AM
The router will use UDP and not icmp when using traceroute. Try adding "permit udp any any" and see if that resolves the issue.
HTH,
John
*** Please rate all useful posts ***
03-08-2013 05:16 AM
Hi John,
Unfortunately it didn't work.
When I remove the ip access-group 190 in from dialer1, it works fine.
Thanx,
Albert
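The two problems worked through in this thread, the ordering of access-list 110 (a permit placed before the deny it was meant to precede) and the return traffic that access-list 190 on Dialer1 has to let back in, both come down to the same rule: IOS evaluates a numbered ACL top to bottom, the first matching entry wins, and anything that matches nothing is dropped by the implicit deny. The following is an added example, not code from the thread or from Cisco: a small Python model that parses the access-list lines exactly as they were posted above and evaluates constructed packets against them in order. The 1.1.1.x addresses are the placeholders used in the thread, the 203.0.113.x and 212.121.121.183 peers are constructed sample values, and the `ack` flag stands in for the TCP ACK/RST bits that the `established` keyword tests. The last packet is what each intermediate traceroute hop sends back, an ICMP time-exceeded message; none of the posted lines permits that type, so it falls through to `deny ip any any`, which is consistent with the hops timing out while the final destination answers.

```python
"""First-match model of the numbered IOS ACLs posted in this thread (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str              # "tcp", "udp", "icmp" or "gre"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False       # TCP ACK or RST set: what "established" checks
    icmp_type: str = ""     # e.g. "echo-reply", "time-exceeded"


def _addr(tokens, i):
    """Consume one address spec (any / host A / network wildcard) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # "network wildcard": an IOS wildcard mask is the bitwise inverse of a netmask
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False), i + 2


def parse_acl(text):
    """Turn 'access-list N ...' lines into ordered entry dicts, skipping remarks."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        e = {"action": t[2], "proto": t[3], "sport": 0, "dport": 0,
             "established": False, "icmp_type": ""}
        e["src"], i = _addr(t, 4)
        if i < len(t) and t[i] == "eq":          # source port, as in "udp any eq 53 any"
            e["sport"], i = int(t[i + 1]), i + 2
        e["dst"], i = _addr(t, i)
        while i < len(t):                        # trailing qualifiers
            if t[i] == "eq":
                e["dport"], i = int(t[i + 1]), i + 2
            elif t[i] == "established":
                e["established"], i = True, i + 1
            else:                                # bare ICMP type keyword
                e["icmp_type"], i = t[i], i + 1
        entries.append(e)
    return entries


def evaluate(entries, pkt):
    """Return 'permit' or 'deny': the first matching entry wins, else implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != pkt.proto:
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["sport"] and e["sport"] != pkt.sport:
            continue
        if e["dport"] and e["dport"] != pkt.dport:
            continue
        if e["established"] and not pkt.ack:
            continue
        if e["icmp_type"] and e["icmp_type"] != pkt.icmp_type:
            continue
        return e["action"]
    return "deny"


# ACL 110 as first posted (permit before deny) and as reordered later in the thread.
ACL110_ORIGINAL = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ACL110_FIXED = """
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
"""
# ACL 190 for Dialer1 as posted, plus the echo-reply line added afterwards.
ACL190 = """
access-list 190 remark ACL - DIALER1
access-list 190 permit gre any host 1.1.1.50
access-list 190 permit tcp any host 1.1.1.50 eq 1723
access-list 190 permit tcp any host 1.1.1.51 eq 443
access-list 190 permit tcp any any established
access-list 190 permit udp any eq 53 any
access-list 190 permit icmp any any echo-reply
access-list 190 deny ip any any
"""

# Constructed sample packets (1.1.1.x are the thread's placeholder public addresses).
lan_to_dmz = Packet("tcp", "192.168.1.10", "192.168.2.5", sport=40000, dport=80)
inbound_https = Packet("tcp", "203.0.113.9", "1.1.1.51", sport=51000, dport=443)
web_reply = Packet("tcp", "203.0.113.9", "1.1.1.50", sport=80, dport=40001, ack=True)
dns_reply = Packet("udp", "203.0.113.53", "1.1.1.50", sport=53, dport=40002)
ping_reply = Packet("icmp", "203.0.113.9", "1.1.1.50", icmp_type="echo-reply")
# What each traceroute hop sends back; no posted line permits this ICMP type.
hop_reply = Packet("icmp", "212.121.121.183", "1.1.1.50", icmp_type="time-exceeded")


def thread_results():
    """Verdicts for the packets above against the ACLs as posted."""
    return {
        "110 original, LAN->DMZ": evaluate(parse_acl(ACL110_ORIGINAL), lan_to_dmz),
        "110 fixed, LAN->DMZ": evaluate(parse_acl(ACL110_FIXED), lan_to_dmz),
        "190 inbound 443": evaluate(parse_acl(ACL190), inbound_https),
        "190 web reply": evaluate(parse_acl(ACL190), web_reply),
        "190 dns reply": evaluate(parse_acl(ACL190), dns_reply),
        "190 ping reply": evaluate(parse_acl(ACL190), ping_reply),
        "190 traceroute hop": evaluate(parse_acl(ACL190), hop_reply),
    }


if __name__ == "__main__":
    for name, verdict in thread_results().items():
        print(f"{name:26s} {verdict}")
```

Running it shows the LAN-to-DMZ packet permitted by the original ACL 110 and denied by the reordered one, the inbound 443 connection, the established web reply, the DNS reply and the echo-reply all permitted by ACL 190, and the hop's time-exceeded message denied. A stateless interface ACL has to enumerate every kind of return traffic like this; the CBAC or zone-based firewall mentioned earlier in the thread tracks sessions instead and lets the replies back in automatically.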
02-15-2013 01:09 PM
You can do something like this then:
ip nat inside source static tcp 192.168.1.50 443 1.1.1.50 443
If you use the ports in the NAT like this, you can then use the same IP for other NATs. For instance, if you need to forward port 22 to another server, you can use the same IP:
ip nat inside source static tcp 192.168.1.60 22 1.1.1.50 22
So the benefit is that you can use a single public IP for multiple purposes.