How to set up NVI on router

speedy2003
Level 1

Hello,

I have one server (web application) with IP 10.1.1.2. It's located in the internal network. But on the router "newROUTER", NAT is deployed from 10.1.1.2 to one of our global addresses, 83.15.52.165 (DNS entry: app.example.com), so it is accessible from the Internet.

If I try to open the app.example.com address from inside the network, it is not available. If I enter the IP address 10.1.1.2, the application is available. When I open the address app.example.com from another network or the Internet, app.example.com is available. I need advice on how to make the address 83.15.52.165 (app.example.com) available on the internal network. Thanks

INTERNET -------- [newPORTAL router] --------- [newROUTER router] ---------- [switch] ------ [switch] -------  [server 10.1.1.2](VLAN4)

                                                                                                                  |

                                                                                                        PC 192.168.254.102 (VLAN1)

-------------------------------------- newROUTER ------------------------------------------------------------------------

!

hostname newROUTER

!

boot-start-marker

boot-end-marker

!

!

logging buffered 51200 warnings

!

aaa new-model

!

!

aaa authentication login default local group radius

aaa authentication login console none

aaa authentication login HTTPLOGIN local group radius

aaa authentication login USER_VLAN4VPN local group radius

aaa authentication ppp default if-needed local group radius

aaa authorization network default local group radius

aaa authorization network GROUP_VLAN4VPN local group radius

!

aaa session-id common

!

clock timezone CET 1 0

clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 3:00

!

no ipv6 cef

ip source-route

no ip cef

!

no ip dhcp use vrf connected

!

!

no ip domain lookup

ip name-server 192.168.254.2

ip dhcp-server 192.168.254.2

vlan ifdescr detail

!

multilink bundle-name authenticated

!

vpdn enable

vpdn logging

vpdn logging user

vpdn history failure table-size 50

vpdn session-limit 300

!

vpdn-group pptp

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

l2tp tunnel timeout no-session 15

!

!

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 15

encr 3des

hash md5

authentication pre-share

group 2

lifetime 28800

crypto isakmp client configuration group TECH_NET

key argus

dns 10.1.1.2

wins 10.1.1.2

pool VLAN4VPN-POOL

!

crypto isakmp client configuration group INTRANET

key argus

dns 192.168.254.2

wins 192.168.254.2

pool VLAN1VPN-POOL

acl EzVPN_INTRANET

save-password

!

!

crypto ipsec transform-set TS_ESP_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TS_ESP_MD5 esp-3des esp-md5-hmac

crypto ipsec transform-set TS_ESP_MD5t esp-3des esp-md5-hmac

!

crypto ipsec profile GCCBB_VPN

set transform-set TS_ESP_MD5

!

!

crypto dynamic-map INT_MAP 1

set security-association lifetime kilobytes 530000000

set security-association lifetime seconds 14400

set transform-set TS_ESP_MD5

!

!

crypto map Birkart_VPNmap 100 ipsec-isakmp

set peer 65.151.211.222

set transform-set TS_ESP_MD5

match address ipsec_to_Birkart

!

crypto map INT_MAP client authentication list USER_VLAN4VPN

crypto map INT_MAP isakmp authorization list GROUP_VLAN4VPN

crypto map INT_MAP client configuration address respond

crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP

!

crypto map 3O_VPNmap 20 ipsec-isakmp

set peer 195.230.196.146

set transform-set TS_ESP_MD5

match address ipsec_to_3O

!

crypto map ORKS_VPNmap 20 ipsec-isakmp

set peer 212.150.207.28

set transform-set TS_ESP_MD5

match address ipsec_to_OR

!

crypto map PPSVPNmap 20 ipsec-isakmp

set peer 211.80.15.13

set transform-set TS_ESP_SHA

match address ipsec_to_PPS

!

crypto map ESS_VPNmap 20 ipsec-isakmp

set peer 194.160.82.4

set transform-set TS_ESP_SHA

match address ipsec_to_ESS

!

interface Loopback1

no ip address

!

interface Loopback2

ip address 83.15.52.173 255.255.255.255

ip nat outside

ip virtual-reassembly in

crypto map PPSVPNmap

!

interface Loopback3

ip address 83.15.52.172 255.255.255.255

ip nat outside

ip virtual-reassembly in

crypto map ORKS_VPNmap

!

interface Loopback4

description Birkart

ip address 83.15.52.177 255.255.255.255

ip nat inside

ip virtual-reassembly in

crypto map Birkart_VPNmap

!

interface Loopback5

description ESS

ip address 83.15.52.171 255.255.255.255

ip nat outside

ip virtual-reassembly in

crypto map ESS_VPNmap

!

interface Loopback6

description 3O

ip address 83.15.52.176 255.255.255.255

ip nat outside

ip virtual-reassembly in

crypto map 3O_VPNmap

!

interface Tunnel0

description APN GCC.corp

ip address 83.15.52.179 255.255.255.254

ip nat inside

ip virtual-reassembly in

tunnel source 83.15.52.179

tunnel destination 213.151.216.200

!

interface Tunnel1

description Tunnel BA-BB

ip address 172.16.1.1 255.255.255.0

tunnel source 83.15.52.166

tunnel mode ipsec ipv4

tunnel destination 176.61.240.48

tunnel protection ipsec profile GCCBB_VPN

!

interface Tunnel3

ip address 172.16.0.2 255.255.255.252

ip nat outside

ip virtual-reassembly in

tunnel source Vlan1

tunnel destination 83.15.52.161

!

interface Tunnel4

ip address 172.16.0.5 255.255.255.252

tunnel source Vlan1

tunnel destination 192.168.253.73

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1

description Internet interface

no ip address

duplex auto

speed auto

!

interface GigabitEthernet0/2

description EKSlovakia (Vlan3) interface

ip address 192.168.251.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

shutdown

duplex auto

speed auto

!

interface GigabitEthernet0/1/0

switchport mode trunk

no ip address

!

interface GigabitEthernet0/1/1

switchport access vlan 11

no ip address

!

interface GigabitEthernet0/1/2

switchport access vlan 3

no ip address

!

interface GigabitEthernet0/1/3

no ip address

!

interface GigabitEthernet0/1/4

no ip address

!

interface GigabitEthernet0/1/5

no ip address

!

interface GigabitEthernet0/1/6

no ip address

!

interface GigabitEthernet0/1/7

no ip address

!

interface Virtual-Template1

ip unnumbered Vlan1

ip nat inside

ip virtual-reassembly in

peer default ip address pool VPN-POOL

no keepalive

compress mppc

ppp encrypt mppe auto

ppp authentication ms-chap ms-chap-v2

ppp eap refuse callin

interface Vlan1

ip address 192.168.254.1 255.255.255.0

ip accounting output-packets

ip nat inside

ip virtual-reassembly in

!

interface Vlan2

no ip address

ip access-group vlan2_acl_out out

ip accounting output-packets

ip virtual-reassembly in

shutdown

!

interface Vlan3

ip address 192.168.251.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface Vlan4

ip address 10.1.1.1 255.255.0.0

ip access-group vlan4_acl_in in

ip access-group vlan_acl_out out

ip accounting output-packets

ip nat inside

ip virtual-reassembly in

!

interface Vlan11

ip address 83.15.52.166 255.255.255.248

ip nat outside

ip virtual-reassembly in

!

!

router eigrp 1

network 192.168.128.0

network 192.168.253.0

network 192.168.254.0

!

ip local pool VLAN4VPN-POOL 10.1.1.128 10.1.1.254

ip local pool VLAN1VPN-POOL 192.168.250.2 192.168.250.255

ip local pool VPN-POOL 192.168.254.240 192.168.254.253

ip forward-protocol nd

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat pool PPSPOOL 10.100.26.29 10.100.26.30 netmask 255.255.255.252

ip nat pool DEMOPOOL 10.1.1.5 10.1.1.5 netmask 255.255.0.0

ip nat pool 3OPOOL 172.24.31.65 172.24.31.65 netmask 255.255.255.192

ip nat pool ipool 83.15.52.163 83.15.52.163 netmask 255.255.255.248

ip nat inside source list 100 interface Tunnel3 overload

ip nat inside source route-map MAP-DEF pool ipool overload

ip nat inside source route-map 3OVPN pool 3OPOOL overload

ip nat inside source route-map ORVPN pool ipool overload

ip nat inside source route-map PPSVPN pool PPSPOOL overload

ip nat inside source route-map ESSVPN pool ipool overload

ip nat inside source static tcp 192.168.254.2 995 83.15.52.162 995 extendable

ip nat inside source static tcp 192.168.254.3 81 83.15.52.162 8080 extendable

ip nat inside source static tcp 192.168.254.3 82 83.15.52.162 8081 extendable

ip nat inside source static tcp 192.168.254.3 14510 83.15.52.162 8082 extendable

ip nat inside source static tcp 192.168.254.7 8443 83.15.52.162 8443 extendable

ip nat inside source static 192.168.254.2 83.15.52.162

ip nat inside source static 10.1.1.2 83.15.52.165

ip nat inside source static 192.168.254.18 83.15.52.175

ip route 0.0.0.0 0.0.0.0 83.15.52.161

ip route 10.1.3.0 255.255.255.0 Loopback4

ip route 10.8.30.0 255.255.254.0 Loopback3

ip route 10.12.15.20 255.255.255.255 Loopback5

ip route 10.12.24.11 255.255.255.255 Loopback5

ip route 10.100.7.74 255.255.255.255 Loopback2

ip route 10.100.7.96 255.255.255.255 Loopback2

ip route 10.106.85.0 255.255.255.224 192.168.254.18

ip route 10.106.85.10 255.255.255.255 192.168.254.18

ip route 10.106.225.2 255.255.255.255 Loopback6

ip route 83.15.52.162 255.255.255.255 83.15.52.161

ip route 83.15.52.164 255.255.255.255 Tunnel3

ip route 83.15.52.174 255.255.255.255 Tunnel4

ip route 172.18.1.12 255.255.255.255 192.168.253.73

ip route 172.18.1.13 255.255.255.255 192.168.253.73

ip route 172.18.1.15 255.255.255.255 192.168.253.73

ip route 172.19.1.14 255.255.255.255 192.168.253.73

ip route 192.168.128.0 255.255.255.0 Tunnel1

ip route 192.168.252.0 255.255.255.0 Tunnel0

ip route 192.168.253.73 255.255.255.255 192.168.254.15

ip route 215.151.216.200 255.255.255.255 Vlan11

ip route 219.151.216.200 255.255.255.255 83.15.52.161

!

ip access-list extended EzVPN_INTRANET

permit ip any 192.168.250.0 0.0.0.255

permit ip any any

ip access-list extended INTERNET

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 10.0.0.0 0.255.255.255 any log

remark BEGIN Data traffic for VPN PPSVPN

permit ip host 10.100.7.96 10.100.26.28 0.0.0.3

permit ip host 10.100.7.74 10.100.26.28 0.0.0.3

remark END Data traffic for VPN PPSVPN

remark BEGIN Data traffic for VPN 3OVPN

permit ip host 10.106.225.2 171.23.30.65 0.0.0.63

remark END Data traffic for VPN 3OVPN

permit ipinip any any

permit icmp any any

evaluate INTERNET_OUT

permit ip any host 83.15.52.166

ip access-list extended ipsec_to_Birkart

permit ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255

ip access-list extended ipsec_to_GCCBB

permit ip 192.168.254.0 0.0.0.255 192.168.128.0 0.0.0.255

ip access-list extended ipsec_to_3O

permit ip 171.23.30.65 0.0.0.63 host 10.106.225.2

ip access-list extended ipsec_to_OR

permit ip host 83.15.52.163 10.8.30.0 0.0.1.255

ip access-list extended ipsec_to_ESS

permit ip host 83.15.52.163 10.12.0.0 0.0.255.255

ip access-list extended ipsec_to_PPS

permit ip 10.100.26.28 0.0.0.3 10.100.0.0 0.0.255.255

ip access-list extended vlan4_acl_in

remark pristup do tech siete IT a BIELYR na intelex BEGIN

permit ip host 10.1.1.10 host 192.168.254.3

permit ip host 10.1.1.10 host 192.168.254.100

permit ip host 10.1.1.4 host 192.168.254.3

permit ip host 10.1.1.4 host 192.168.254.100

remark pristup do tech siete  IT na intelex END

permit ip host 10.1.1.2 192.168.254.0 0.0.0.255

permit ip 192.168.252.0 0.0.0.255 10.1.0.0 0.0.255.255 log

permit ip 192.168.254.0 0.0.0.255 192.168.254.0 0.0.0.255

permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255

permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255

permit ip 10.1.0.0 0.0.255.255 192.168.252.0 0.0.0.255

permit ip host 10.1.1.2 83.168.174.160 0.0.0.15

permit ip host 10.1.1.2 any

ip access-list extended vlan4_acl_out

remark pristup do tech siete IT a BIELYR na intelex a PTZ  BEGIN

permit ip host 192.168.254.3 host 10.1.1.10

permit ip host 192.168.254.3 host 10.1.1.4

permit ip host 192.168.254.100 host 10.1.1.4

permit ip host 192.168.254.100 host 10.1.1.10

remark pristup do tech siete IT na intelex PTZ END

permit ip 192.168.254.0 0.0.0.255 192.168.254.0 0.0.0.255

permit ip 192.168.254.0 0.0.0.255 host 10.1.1.2

permit ip 192.168.252.0 0.0.0.255 host 10.1.1.2

permit ip 10.1.0.0 0.0.255.255 192.168.252.0 0.0.0.255 log

permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255

permit ip any host 10.1.1.2

!

logging history size 100

logging history notifications

logging facility local0

logging 192.168.254.47

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 23 permit 192.168.254.0 0.0.0.255

access-list 100 permit ip 192.168.254.0 0.0.0.255 83.15.52.160 0.0.0.7

access-list 100 permit ip 192.168.128.0 0.0.0.255 83.15.52.160 0.0.0.7

access-list 100 permit ip 192.168.250.0 0.0.0.255 83.15.52.160 0.0.0.7

access-list 100 permit ip 192.168.252.0 0.0.0.255 83.15.52.160 0.0.0.7

access-list 100 permit ip 192.168.253.0 0.0.0.255 83.15.52.160 0.0.0.7

access-list 102 deny   gre host 192.168.254.13 host 83.15.52.161

access-list 102 deny   ip any host 10.8.30.240

access-list 102 deny   ip any host 10.8.30.241

access-list 102 deny   ip any host 10.8.31.250

access-list 102 deny   ip any host 10.8.31.251

access-list 102 deny   ip any host 10.8.31.252

access-list 102 deny   ip any host 10.8.31.253

access-list 102 deny   ip any host 10.8.31.225

access-list 102 deny   ip any host 10.100.31.253

access-list 102 deny   ip any host 10.1.9.11

access-list 102 deny   ip any host 10.12.15.20

access-list 102 deny   ip any host 10.12.24.11

access-list 102 deny   ip any host 10.100.7.74

access-list 102 deny   ip any host 10.100.14.1

access-list 102 deny   ip any host 10.100.14.2

access-list 102 deny   ip any host 10.97.108.90

access-list 102 deny   ip any host 10.97.108.91

access-list 102 deny   ip any host 10.97.108.94

access-list 102 deny   ip any host 172.18.1.12

access-list 102 deny   ip any host 172.18.1.13

access-list 102 deny   ip any host 10.106.225.2

access-list 102 deny   ip 192.168.250.0 0.0.0.255 192.168.250.0 0.0.0.255

access-list 102 deny   udp any eq domain any eq domain

access-list 102 permit ip 192.168.128.0 0.0.0.255 any

access-list 102 permit ip 192.168.250.0 0.0.0.255 any

access-list 102 permit ip 192.168.251.0 0.0.0.255 any

access-list 102 permit ip 192.168.252.0 0.0.0.255 any

access-list 102 permit ip 192.168.254.0 0.0.0.255 any

access-list 102 permit ip 10.1.1.0 0.0.0.255 any

access-list 176 deny   ip any host 10.8.30.240

access-list 176 deny   ip any host 10.8.30.241

access-list 176 deny   ip any host 10.8.30.250

access-list 176 deny   ip any host 10.8.31.250

access-list 176 deny   ip any host 10.8.31.251

access-list 176 deny   ip any host 10.8.31.252

access-list 176 deny   ip any host 10.8.31.253

access-list 176 deny   ip any host 10.8.31.225

access-list 176 deny   ip any host 10.97.108.90

access-list 176 deny   ip any host 10.97.108.91

access-list 176 deny   ip any host 10.97.108.94

access-list 176 deny   ip any host 172.18.1.12

access-list 176 deny   ip any host 172.18.1.13

access-list 176 deny   ip any host 10.100.7.74

access-list 176 deny   ip any host 10.100.14.1

access-list 176 deny   ip any host 10.100.14.2

access-list 176 permit ip any host 10.12.24.11

access-list 176 permit ip any host 10.12.15.20

access-list 178 deny   ip any host 10.8.30.240

access-list 178 deny   ip any host 10.8.30.241

access-list 178 deny   ip any host 10.8.30.250

access-list 178 deny   ip any host 10.8.31.250

access-list 178 deny   ip any host 10.8.31.251

access-list 178 deny   ip any host 10.8.31.252

access-list 178 deny   ip any host 10.8.31.253

access-list 178 deny   ip any host 10.8.31.225

access-list 178 deny   ip any host 10.97.108.90

access-list 178 deny   ip any host 10.97.108.91

access-list 178 deny   ip any host 10.97.108.94

access-list 178 deny   ip any host 172.18.1.12

access-list 178 deny   ip any host 172.18.1.13

access-list 178 permit ip any host 10.100.7.74

access-list 178 permit ip any host 10.100.14.1

access-list 178 permit ip any host 10.100.14.2

access-list 179 permit ip any host 10.8.30.240

access-list 179 permit ip any host 10.8.30.241

access-list 179 permit ip any host 10.8.30.250

access-list 179 permit ip any host 10.8.31.250

access-list 179 permit ip any host 10.8.31.251

access-list 179 permit ip any host 10.8.31.252

access-list 179 permit ip any host 10.8.31.253

access-list 179 permit ip any host 10.8.31.225

access-list 184 permit ip any host 10.106.225.2

!

route-map ESSVPN permit 10

match ip address 176

match interface Loopback5

set interface Loopback5

!

route-map PPSVPN permit 10

match ip address 178

match interface Loopback2

set interface Loopback2

!

route-map 3OVPN permit 50

match ip address 184

match interface Loopback6

set interface Loopback6

!

route-map MAP-DEF permit 20

match ip address 102

match interface Vlan11

!

route-map ORVPN permit 10

match ip address 179

match interface Loopback3

set interface Loopback3

4 Replies

cadet alain
VIP Alumni

Hi,

take a look at this, it may help: http://tech.jocke.no/2010/09/24/cisco-ios-nat-virtual-interface/

Regards.

Alain

Don't forget to rate helpful posts.

Thank you for your reply. I read more resources, but I would need help in my particular situation. Since the server has the address 10.1.1.2 and is connected to the switch and then to the router, do I insert the command "ip nat enable" on interface VLAN4, or do I have to create a loopback? When I create a loopback, I cannot paste the address 10.1.1.2, because I get "% 10.1.1.2 overlaps with Vlan4". How should I proceed?

Hello Peter,

The best solution to your scenario is to set up your local DNS server mapped to the private IP. But if you still do not want to use it, then you have many workarounds. Please see the link below:

https://supportforums.cisco.com/thread/2003063

Harish.

Hello Harish,

A DNS record does not solve my problem, because I cannot ping the address 83.15.52.165 from the local PC (192.168.254.102).

The application is accessible by specifying the address 10.1.1.2. I need to access via http://83.15.52.165 (dns record app.example.com).
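
The situation described in this thread, worked through as an added example (not part of any post and not Cisco code): the script parses a constructed excerpt of the posted configuration and shows that the PC at 192.168.254.102 and the server behind 83.15.52.165 both sit on `ip nat inside` interfaces, while the public address itself routes toward Vlan11. The function names and the indented excerpt layout are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed excerpt: only the NAT-relevant lines of the configuration posted above.
CONFIG = """\
interface Vlan1
 ip address 192.168.254.1 255.255.255.0
 ip nat inside
interface Vlan4
 ip address 10.1.1.1 255.255.0.0
 ip nat inside
interface Vlan11
 ip address 83.15.52.166 255.255.255.248
 ip nat outside
ip nat inside source static 10.1.1.2 83.15.52.165
"""

def parse(config):
    """Return ({ifname: {"net", "nat"}}, {global_ip: local_ip}) from IOS text."""
    ifaces, statics, cur = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            cur = None  # unindented line: back at global configuration level
        if m := re.fullmatch(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {"net": None, "nat": None})
        elif m := re.fullmatch(r"ip nat inside source static (\S+) (\S+)", line):
            statics[ipaddress.ip_address(m[2])] = ipaddress.ip_address(m[1])
        elif cur is not None and (m := re.fullmatch(r"ip address (\S+) (\S+)", line)):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif cur is not None and (m := re.fullmatch(r"ip nat (inside|outside|enable)", line)):
            cur["nat"] = m[1]
    return ifaces, statics

def facing(ifaces, ip):
    """Name of the interface whose connected subnet contains ip, else None."""
    return next((n for n, i in ifaces.items() if i["net"] and ip in i["net"]), None)

def hairpin_report(config, client, public):
    """Describe the path a client takes to a statically NATed public address."""
    ifaces, statics = parse(config)
    client, public = ipaddress.ip_address(client), ipaddress.ip_address(public)
    local = statics[public]
    ingress, server_if = facing(ifaces, client), facing(ifaces, local)
    domain = lambda name: ifaces.get(name, {}).get("nat")
    return {
        "local": str(local),
        "ingress": ingress,
        "server_if": server_if,
        "routed_toward": facing(ifaces, public),
        # Domain-based NAT rewrites an inside global destination only on packets
        # arriving on an "ip nat outside" interface; this client arrives on an
        # inside one, so the request is never translated back to the server.
        "needs_hairpin": domain(ingress) == "inside" and domain(server_if) == "inside",
    }
```

For the PC in the diagram the report names Vlan1 and Vlan4, which are the interfaces the "ip nat enable" question in this thread is about.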
