Configure Cisco 1941 with Routed subnet

avwoudenberg
Level 1

I have some questions about how to configure my Cisco 1941 with a routed subnet from my ISP to forward them to 1 or more servers in my LAN.

The situation is:

1 Cisco 1941 (with the default 2 Gigabit ethernet ports)

So I can use 1 for the connection to my NTU and 1 to my VLAN supported gigabit LAN switch.

1 Routed subnet /29 from my ISP (over a fiber connection).

In my LAN I have (at the moment) 3 servers, and about 15 clients

I would like to use the first ip address from the routed subnet for internet traffic from all the clients in the LAN.

I would like to use the second ip address from the routed subnet for server1 so that server1 accepts some allowed connections and that server1 connects to the internet with the second ip address from the routed subnet.

I would like to use the third ip address from the routed subnet for server2 so that server2 accepts some allowed connections and that server2 connects to the internet with the third ip address from the routed subnet.

I would like to use the fourth ip address from the routed subnet for server3 so that server3 accepts some allowed connections and that server3 connects to the internet with the fourth ip address from the routed subnet.

Below you find the script that I am using at the moment. The clients have internet, but via the first ip address of the routed subnet.

I hope someone can help me because my experience is too little.

interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 no ip address
 duplex full
 speed 100
!
interface GigabitEthernet0/0.1
 description First EVC 50Mb
 encapsulation dot1Q 1 native
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1
 description SW01_Port25
 no ip address
 duplex full
 speed 1000
!
interface GigabitEthernet0/1.10
 description Data_VLAN10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
 no cdp enable
!
interface GigabitEthernet0/1.20
 description Voice_VLAN20
 encapsulation dot1Q 20
 ip address 172.16.1.1 255.255.255.0
 ip tcp adjust-mss 1452
 no cdp enable
!
interface GigabitEthernet0/1.50
 description DMZ_VLAN50
 encapsulation dot1Q 50
 ip address 192.168.2.1 255.255.255.0
 ip tcp adjust-mss 1452
 no cdp enable
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username XXXXX password XXXXX
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 172.16.11.0 255.255.255.0 192.168.1.254
!
access-list 23 remark TTY security
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 101 remark allow nat
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit

13 Replies

John Blakley
VIP Alumni

It sounds like you're wanting to use static nat for your servers. Assuming a server on your lan is addressed at 192.168.1.50 and you want people from the outside to access it with 1.1.1.50, you'd simply put a static nat in your config:

ip nat inside source static 192.168.1.50 1.1.1.50

The 1.1.1.50 is going to be a public address from the block that your isp assigned to you.

HTH,
John

*** Please rate all useful posts ***


Hi John,

Yes, that's right. I want to use static nat for some servers.

I added:

ip nat inside source static 192.168.1.50 1.1.1.50

and now it works as I like. Thanks.

But now I have the problem that all ports are forwarded to the server.

I would like only port 443 to be forwarded to the server.

How can I avoid other ports being forwarded, or block them by ACL?

Thanks,

Albert

You can allow the ones that you want through acl, or you can statically set those as well:

ip nat inside source static tcp 192.168.1.50 443 1.1.1.50 443

HTH,
John

*** Please rate all useful posts ***


Hi John,

This didn't work for me, because I would like to use the specific ip address from the ISP's subnet to go to the internet.

When I use the ip nat inside you last suggested, the server goes to the internet over the first ip address of the subnet and not the third.

So I think I have to do something with ACL.

I already did the following, but it didn't work the way I want.

access-list 110 remark ACL - VLAN10
access-list 110 permit gre any host 192.168.1.2
access-list 110 permit tcp any host 192.168.1.2 eq 1723
access-list 110 permit tcp any host 192.168.1.242 eq 443
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
int gi0/1.10
 ip access-group 110 in

I hope you can give me some good advice.

Regards,

Albert

In this case, yes, the only time you'd be using that static address is when it would be ssl based. You'd do a 1-1 nat like the original case and then block traffic inbound.

You'll want to apply it to your wan side interface on the dialer.

Try this. NAT happens after the acl is checked, so you'll allow traffic into your public address. For the example above, the following should work:

access-list 110 permit tcp any host 1.1.1.50 eq 443
access-list 110 deny ip any any

This allows people from the outside to connect to 1.1.1.50 (your natted address) on 443, but denies everything else. There are some caveats though in that return traffic would need to be allowed etc, or you could use cbac or zone-based firewalls. It looks like, by the acl above, that you're also wanting to restrict 192.168.1.0 from being able to talk to 192.168.2.0? If that's the case, you're going to need a different acl on the 192.168.1.0 interface.

HTH,
John

*** Please rate all useful posts ***


Hi John,

Yes, you're right, I want to block traffic coming from vlan 192.168.1.0 to vlan 192.168.1.0. That's where access-list 110 is for.

Thank you for your last post. I am almost there now.

Incoming traffic is restricted to only port 443

But now, the server can't access the internet. So I added this one: access-list 190 permit ip host 1.1.1.51 any, but that didn't help.

These are the access-list's I am using now:

access-list 110 remark ACL - VLAN10
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 190 remark ACL - DIALER1
access-list 190 permit gre any host 1.1.1.50
access-list 190 permit tcp any host 1.1.1.50 eq 1723
access-list 190 permit tcp any host 1.1.1.51 eq 443
access-list 190 permit ip host 1.1.1.51 any
access-list 190 deny   ip any any
int gi0/1.10
 ip access-group 110 in
int dialer1
 ip access-group 190 in

Regards,

Albert

Albert,

With an acl on the outside interface (dialer1), you'll need to allow a couple of other things to let internet traffic back in. Try adding:

!! Copy below this line !!!
no access-list 190
access-list 190 remark ACL - DIALER1
access-list 190 permit gre any host 1.1.1.50
access-list 190 permit tcp any host 1.1.1.50 eq 1723
access-list 190 permit tcp any host 1.1.1.51 eq 443
access-list 190 permit tcp any any established
access-list 190 permit udp any eq 53 any
access-list 190 deny   ip any any
!! Copy above this line !!

Paste these lines into your console or retype them exactly.

That should help with the internet issue. (You can remove the "permit ip host 1.1.1.51 any" line).

As far as 110, the sequence is out of order. You're allowing the 192.168.1.0 into everything, but then denying to 192.168.2.0. It's never going to hit the second line though, so delete that acl and recreate in the opposite order:

!!! Copy below this line ***
no access-list 110
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
!!! copy above this line ***

Paste the above lines in as well.

HTH,
John

*** Please rate all useful posts ***

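The two points in John's post above (an extended ACL is evaluated top-down and stops at the first match, so a broad permit placed before a deny makes the deny dead; and an inbound ACL on the WAN interface needs a rule such as "permit tcp any any established" or return traffic for the LAN's own sessions is dropped) can be checked offline with a small first-match evaluator. The code below is an added example and is not from the thread or from Cisco; it models only the subset of the IOS extended-ACL syntax that appears in the posts (any / host / wildcard addresses, eq ports, the established keyword) and ignores the rest. The ACL texts are copied from the posts; the packets are constructed, with 198.51.100.7 standing in for an arbitrary internet host and 1.1.1.49 standing in for the Dialer1 address the LAN clients are overloaded onto (both are assumptions, not values from the thread).

```python
import ipaddress
from collections import namedtuple

# Added example, not code from the thread: a first-match evaluator for the
# numbered extended ACL syntax used in the posts. Supported: ip/tcp/udp/gre/icmp,
# "any" / "host A.B.C.D" / "A.B.C.D WILDCARD", "eq PORT" after source or
# destination, and the trailing "established" keyword. Other IOS ACL features
# (icmp types, port ranges, log, time-range) are out of scope here.

Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
Entry = namedtuple("Entry", "action proto src sport dst dport established")


def _addr(t, i):
    """Parse one address spec at t[i]; return ((network, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(t, i):
    """Optional 'eq PORT' at t[i]; None when absent."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i


def parse_acl(text, number):
    """Collect the entries of access-list <number> in configured order."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        entries.append(Entry(t[2], t[3], src, sport, dst, dport, "established" in t[i:]))
    return entries


def _matches(addr, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF            # a set wildcard bit means "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def evaluate(entries, pkt):
    """First matching entry decides; the list ends with an implicit deny, as on IOS."""
    for e in entries:
        if e.proto not in ("ip", pkt.proto):
            continue
        if not (_matches(pkt.src, e.src) and _matches(pkt.dst, e.dst)):
            continue
        if e.sport not in (None, pkt.sport) or e.dport not in (None, pkt.dport):
            continue
        if e.established and not (pkt.proto == "tcp" and pkt.ack):  # ACK/RST set
            continue
        return e.action
    return "deny"


# ACL 110 as first posted (permit before deny) and in the reversed order John gave.
ACL110_AS_POSTED = """
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ACL110_REORDERED = """
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip any any
"""
# ACL 190 as John proposed for the inbound direction on Dialer1.
ACL190 = """
access-list 190 permit gre any host 1.1.1.50
access-list 190 permit tcp any host 1.1.1.50 eq 1723
access-list 190 permit tcp any host 1.1.1.51 eq 443
access-list 190 permit tcp any any established
access-list 190 permit udp any eq 53 any
access-list 190 deny   ip any any
"""


def verdicts():
    """Constructed packets: 198.51.100.7 is an arbitrary internet host, 1.1.1.49 the Dialer1 address."""
    lan_to_dmz = Packet("tcp", "192.168.1.20", "192.168.2.10", 40000, 80)
    https_in = Packet("tcp", "198.51.100.7", "1.1.1.51", 51000, 443)
    ssh_in = Packet("tcp", "198.51.100.7", "1.1.1.51", 51001, 22)
    reply_in = Packet("tcp", "198.51.100.7", "1.1.1.49", 80, 52000, ack=True)
    dns_reply = Packet("udp", "198.51.100.7", "1.1.1.49", 53, 33000)
    acl190 = parse_acl(ACL190, 190)
    return {
        "lan_to_dmz_as_posted": evaluate(parse_acl(ACL110_AS_POSTED, 110), lan_to_dmz),
        "lan_to_dmz_reordered": evaluate(parse_acl(ACL110_REORDERED, 110), lan_to_dmz),
        "https_in": evaluate(acl190, https_in),
        "ssh_in": evaluate(acl190, ssh_in),
        "return_traffic": evaluate(acl190, reply_in),
        "dns_reply": evaluate(acl190, dns_reply),
    }
```

Running verdicts() shows the LAN-to-DMZ packet permitted by the ACL as first posted and denied once the deny is moved first, HTTPS to 1.1.1.51 permitted while SSH to the same address is denied, and the ACK-bearing return packet and the DNS reply admitted only because of the established and udp eq 53 lines. The evaluator is a model, not IOS: it does not know about the stateful inspection (CBAC or zone-based firewall) John mentions as the alternative to "established", and "established" here, as on the router, only covers TCP.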

Hi John,

Thank you for your reply.

The good news is that the access-list 110 works fine now. Thanks about that!

The other news is that I have internet traffic with the access-list 190 on the dialer1. But what is strange is that a traceroute to a host on the internet does not end successfully.

See below the traceroute with no ip access-group 190 in on dialer1

Traceren van de route naar www-nu-nl.gl.sanomaservices.nl [62.69.166.15]
via maximaal 30 hops:

   1   <1 ms   <1 ms   <1 ms  192.168.1.15
   2     3 ms     3 ms     3 ms  212.121.121.183
   3     5 ms     3 ms     5 ms  4-2-bcs2-dc2.routit.net [84.246.25.180]
   4     4 ms     3 ms     3 ms  te13.core2.tc2.routit.net [84.246.25.136]
   5     3 ms     3 ms     3 ms  1-2-inet1-tc2.routit.net [84.246.25.46]
   6    10 ms    11 ms    11 ms  br1.ams.terremark.net [195.69.145.48]
   7     4 ms     4 ms     4 ms  85.112.0.129
   8     5 ms     4 ms     4 ms  62-69-166-15.ptr.as24646.net [62.69.166.15]

De trace is voltooid.

And this is what happened with ip access-group 190 in on dialer1

Traceren van de route naar www-nu-nl.gl.sanomaservices.nl [62.69.166.18]
via maximaal 30 hops:

   1   <1 ms     2 ms     1 ms  192.168.1.15
   2     *        *        *     Time-out bij opdracht.
   3     *        *        *     Time-out bij opdracht.
   4     *        *        *     Time-out bij opdracht.
   5     *        *        *     Time-out bij opdracht.
  28     *        *        *     Time-out bij opdracht.
  29     *        *        *     Time-out bij opdracht.
  30     *        *        *     Time-out bij opdracht.

De trace is voltooid.

CIT-FW01#sh users
    Line       User       Host(s)              Idle       Location
*132 vty 0     cit        idle                 00:00:00 192.168.150.129

  Interface    User               Mode         Idle     Peer Address
  Vi2                             PPPoE        00:00:00 212.121.121.183

So, with the ip access-group 190 in on dialer1 the ip address on the Vi2 interface is not reachable.

Any idea?

Thanks a lot.

Try adding "permit icmp any any echo-reply" to your acl...

HTH,
John

*** Please rate all useful posts ***


Hi John,

We are almost there!

I added permit icmp any any echo-reply, and now I get this result:

Traceren van de route naar www-nu-nl.gl.sanomaservices.nl [62.69.166.18]
via maximaal 30 hops:

   1   <1 ms   <1 ms   <1 ms  192.168.1.15
   2     *        *        *     Time-out bij opdracht.
   3     *        *        *     Time-out bij opdracht.
   4     *        *        *     Time-out bij opdracht.
   5     *        *        *     Time-out bij opdracht.
   6     *        *        *     Time-out bij opdracht.
   7     *        *        *     Time-out bij opdracht.
   8     4 ms     4 ms     4 ms  62-69-166-18.ptr.as24646.net [62.69.166.18]

De trace is voltooid.

Also, from the router interface a traceroute did not work. When I remove the ip access-group 190 in from dialer1 it works well.

Regards,

Albert

The router will use UDP and not icmp when using traceroute. Try adding "permit udp any any" and see if that resolves the issue.

HTH,
John

*** Please rate all useful posts ***


Hi John,

Unfortunately it didn't work.

When I remove the ip access-group 190 in from dialer1, it works fine.

Thanx,

Albert

You can do something like this then:

ip nat inside source static tcp 192.168.1.50 443 1.1.1.50 443

If you use the ports in the NAT like this, you can then use the same IP for other NATs. For instance, if you need to forward port 22 to another server you can use the same IP:

ip nat inside source static tcp 192.168.1.60 22 1.1.1.50 22

So the benefit is that you can use a single public IP for multiple purposes.
