More 1841 config questions

mjames_wdd
Level 1

All -

Thanks to those of you who helped out last week with my previous configuration issues.  Now that I have things up and running, I have two new issues that I need to solve.

First, I have set up a site-to-site VPN between our network and another network (192.168.10.0/25).  That VPN is up and running and can talk to most of the machines on our network.  The exception is those machines that are using a different gateway (in this case, 192.168.2.1).  I need to leave these machines in place because they are related to our phone system, which is still under contract with the ISP provider who is on the outside of this gateway.  However, I can't get these machines talking down the VPN.  I tried adding a route on 2.1 to send all traffic bound for 10.* to 3.1, but that didn't help.  Unfortunately, 2.1 is a non-Cisco device, so I can't get a show run to post.  So, in general, what might I be missing on that router?  Is there anything that I need to change in the config below (from 3.1 - the 1841) to make this work?  2.1 used to be the connection point for the VPN, so I could still have a setting in place on it that is getting me in trouble - what should I look for to get rid of?

Second, I have put a number of NAT definitions in place.  These work fine from the outside world.  However, if I try to go to http://a.b.c.179 from inside our network, I cannot reach it.  What am I missing to make this work?

Thanks again for the help,

Matt

===== config for 1841 (192.168.3.1) =====

Building configuration...

Current configuration : 5211 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname wddrouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
no ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
username wddadmin privilege 15 secret 5 $1$P2Ca$TdpPUbunAaR0TtAHAM7NF.
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <omitted> address w.x.y.z
!
!
crypto ipsec transform-set aesset esp-3des esp-sha-hmac
!
crypto map aesmap 10 ipsec-isakmp
 set peer w.x.y.z
 set transform-set aesset
 set pfs group2
 match address acl_vpn
!
!
!
interface FastEthernet0/0
 ip address a.b.c.178 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map aesmap
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.3.1 255.255.254.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 bandwidth 1536
 no ip address
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 no ip mroute-cache
 shutdown
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 service-module t1 fdl both
 no cdp enable
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 a.b.c.177
ip route 10.50.0.0 255.255.0.0 192.168.2.67
ip route 192.168.2.0 255.255.254.0 FastEthernet0/1
ip route 192.168.10.0 255.255.255.128 FastEthernet0/0
ip route 192.168.24.0 255.255.248.0 192.168.2.120
!
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.7 20 a.b.c.178 20 extendable
ip nat inside source static tcp 192.168.2.7 21 a.b.c.178 21 extendable
ip nat inside source static tcp 192.168.3.1 23 a.b.c.178 23 extendable
ip nat inside source static tcp 192.168.2.7 3389 a.b.c.178 3389 extendable
ip nat inside source static tcp 192.168.2.7 3690 a.b.c.178 3690 extendable
ip nat inside source static tcp 192.168.2.7 5002 a.b.c.178 5002 extendable
ip nat inside source static tcp 192.168.2.10 80 a.b.c.179 80 extendable
ip nat inside source static tcp 192.168.2.10 99 a.b.c.179 99 extendable
ip nat inside source static tcp 192.168.2.102 3389 a.b.c.179 3389 extendable
ip nat inside source static tcp 192.168.2.80 80 a.b.c.180 80 extendable
ip nat inside source static tcp 192.168.2.32 3389 a.b.c.180 3389 extendable
ip nat inside source static tcp 192.168.2.104 80 a.b.c.181 80 extendable
ip nat inside source static tcp 192.168.2.104 443 a.b.c.181 443 extendable
ip nat inside source static tcp 192.168.2.104 902 a.b.c.181 902 extendable
ip nat inside source static tcp 192.168.2.104 903 a.b.c.181 903 extendable
ip nat inside source static tcp 192.168.2.36 3389 a.b.c.181 3389 extendable
ip nat inside source static tcp 192.168.2.32 80 a.b.c.182 80 extendable
ip nat inside source static tcp 192.168.2.34 3389 a.b.c.182 3389 extendable
ip nat inside source static tcp 192.168.2.87 3389 a.b.c.183 3389 extendable
ip nat inside source static tcp 192.168.2.39 3389 a.b.c.184 3389 extendable
ip nat inside source static tcp 192.168.2.52 3389 a.b.c.185 3389 extendable
ip nat inside source static tcp 192.168.2.51 3389 a.b.c.186 3389 extendable
ip nat inside source static tcp 192.168.2.64 3389 a.b.c.187 3389 extendable
ip nat inside source static tcp 192.168.3.11 25 a.b.c.189 25 extendable
ip nat inside source static tcp 192.168.3.11 53 a.b.c.189 53 extendable
ip nat inside source static tcp 192.168.3.11 80 a.b.c.189 80 extendable
ip nat inside source static tcp 192.168.3.11 88 a.b.c.189 88 extendable
ip nat inside source static tcp 192.168.3.11 110 a.b.c.189 110 extendable
ip nat inside source static tcp 192.168.3.11 135 a.b.c.189 135 extendable
ip nat inside source static tcp 192.168.3.11 143 a.b.c.189 143 extendable
ip nat inside source static tcp 192.168.3.11 389 a.b.c.189 389 extendable
ip nat inside source static tcp 192.168.3.11 443 a.b.c.189 443 extendable
ip nat inside source static tcp 192.168.3.11 993 a.b.c.189 993 extendable
ip nat inside source static tcp 192.168.3.11 995 a.b.c.189 995 extendable
ip nat inside source static tcp 192.168.3.11 3268 a.b.c.189 3268 extendable
!
ip access-list extended acl_vpn
 permit ip 192.168.2.0 0.0.1.255 192.168.10.0 0.0.0.127
 permit udp host w.x.y.z any eq isakmp
 permit esp host w.x.y.z any
!
access-list 100 deny   ip 192.168.2.0 0.0.1.255 192.168.10.0 0.0.0.127
access-list 100 permit ip 192.168.2.0 0.0.1.255 any
no cdp run
!
!
control-plane
!
!
line con 0
 login local
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 20000 1000
end

10 Replies

mjames_wdd
Level 1

I found an answer to the first question, regarding my VPN setup.  That still leaves the NAT issue unanswered.

"I have put a number of NAT definitions in place.  These work fine from the outside world.  However, if I try to go to http://a.b.c.179 from inside our network, I cannot reach it.  What am I missing to make this work?"

Thanks,
Matt

Hi,

Why would you want to do that? If you're in the internal subnet, why try to communicate with the public IP?

If it's working from outside then your static NAT is working as it should.

Regards.

Alain.

Don't forget to rate helpful posts.

The biggest reason is for people with laptops who come in and out of the internal network.  When they are offsite, they need to be able to communicate with certain machines, and when they come back inside, it is most convenient for them to be able to use the same IP/DNS entry.  The best example is the mail server.  It would be pretty inconvenient if every time they come back to the office, they have to change their Outlook settings to use the internal IP address of the Exchange server, rather than continuing to use mail.domain.com, which is what they do outside the office.

Thanks,

Matt

Hi,

OK, so did you try with the fully qualified name instead of the IP? Does that not work either?

Regards.

Alain.

Don't forget to rate helpful posts.

That's correct, the name does not work either.  It is translated by the application (the browser, Outlook, etc) into its IP address, which then does not work properly.

Matt

Hi,

That's correct, the name does not work either.  It is translated by the application (the browser, Outlook, etc) into its IP address, which then does not work properly.

What happens if you flush clients DNS cache? Is it still failing?

Regards.

Alain.

Don't forget to rate helpful posts.

Really, I would expect it to fail.  If the IP address isn't working, I would not expect the name (which is resolving to the proper IP address) to work either.  Flushing the DNS on my client isn't going to have any effect, since it is resolving to the proper IP.

Matt

Hi,

If the TTL of your DNS A records is very long, and if you did the test with the FQDN while the cache was already populated, then until the TTL expires there is no further DNS query to the DNS server, and so there can't be any DNS doctoring. That is the reason I asked this: I read that DNS doctoring has been enabled by default since IOS 12.2, and if that is so then the communication should work by name, if I'm not mistaken, as the DNS reply will be transformed by the Cisco router to give the inside address.

Regards.

Alain

Don't forget to rate helpful posts.

johnlloyd_13
Level 9

Hi Matt,

Looking at your config, it seems you've assigned multiple private IPs to a.b.c.179. If you're doing static NAT, you'll need to assign 1 private IP to your a.b.c.179. Lastly, I noticed this on your 192.168.2.x network and don't find its default gateway on your 1841. Is the host on the remote VPN side? Could you post a traceroute? Have you also checked your DNS server that the zone records are correct?

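
The two points raised in this thread, that a.b.c.179 fans out to more than one inside host (the post above) and that a DNS-doctored reply would need a single inside address to substitute for the public one (Alain's earlier reply), can both be checked mechanically against the posted NAT lines. The script below is an added example and is not code from the thread or from Cisco; it parses a constructed subset of the `ip nat inside source static` lines copied from the config, groups them by inside-global address, reports which public addresses are split across several inside hosts, and lists the management ports (telnet, RDP) that the statics expose. The `doctored_answer` function models the ALG behaviour as an assumption: it returns the inside host only when exactly one host sits behind the public address, since a per-port mapping across several hosts has no single correct A-record rewrite.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the static NAT lines from the config posted
# above, plus the overload line, which the parser must ignore. The public
# prefix is left as a.b.c exactly as the post writes it.
CONFIG = """\
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.3.1 23 a.b.c.178 23 extendable
ip nat inside source static tcp 192.168.2.7 3389 a.b.c.178 3389 extendable
ip nat inside source static tcp 192.168.2.10 80 a.b.c.179 80 extendable
ip nat inside source static tcp 192.168.2.10 99 a.b.c.179 99 extendable
ip nat inside source static tcp 192.168.2.102 3389 a.b.c.179 3389 extendable
ip nat inside source static tcp 192.168.2.80 80 a.b.c.180 80 extendable
ip nat inside source static tcp 192.168.2.32 3389 a.b.c.180 3389 extendable
ip nat inside source static tcp 192.168.3.11 25 a.b.c.189 25 extendable
ip nat inside source static tcp 192.168.3.11 443 a.b.c.189 443 extendable
"""

# Matches the port-level static form only; the PAT 'overload' line and any
# whole-host static (no protocol/port fields) fall through unmatched.
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp)\s+"
    r"(?P<local>\S+)\s+(?P<lport>\d+)\s+(?P<glob>\S+)\s+(?P<gport>\d+)\b"
)


def parse_statics(config):
    """Return (proto, inside_local, local_port, inside_global, global_port) tuples."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entries.append((m["proto"], m["local"], int(m["lport"]),
                            m["glob"], int(m["gport"])))
    return entries


def group_by_global(entries):
    """inside_global -> {inside_local: [(proto, global_port, local_port), ...]}."""
    groups = defaultdict(lambda: defaultdict(list))
    for proto, local, lport, glob, gport in entries:
        groups[glob][local].append((proto, gport, lport))
    return {g: dict(hosts) for g, hosts in groups.items()}


def ambiguous_globals(entries):
    """Public addresses whose ports are spread over more than one inside host."""
    return sorted(g for g, hosts in group_by_global(entries).items()
                  if len(hosts) > 1)


def doctored_answer(entries, inside_global):
    """Assumed ALG model: the address a DNS ALG could substitute for an A record
    of inside_global is the single inside host behind it; None when the
    mapping is per-port across several hosts (no single inside address exists)
    or the public address is not in the NAT table at all."""
    hosts = group_by_global(entries).get(inside_global, {})
    return next(iter(hosts)) if len(hosts) == 1 else None


def exposed_admin_ports(entries, admin_ports=frozenset({22, 23, 3389})):
    """(inside_global, port, inside_local) for management ports reachable from outside."""
    return sorted((glob, gport, local)
                  for _proto, local, _lport, glob, gport in entries
                  if gport in admin_ports)


if __name__ == "__main__":
    entries = parse_statics(CONFIG)
    for glob, hosts in sorted(group_by_global(entries).items()):
        print(f"{glob}: {len(hosts)} inside host(s)")
        for local, ports in hosts.items():
            plist = " ".join(f"{proto}/{gport}" for proto, gport, _ in ports)
            print(f"    {local:<15} {plist}")
    print("ambiguous for DNS doctoring:", ambiguous_globals(entries))
    print("management ports exposed:", exposed_admin_ports(entries))
```

Two caveats for anyone applying this to the full config. First, the statics are not the only reason an inside host cannot reach a.b.c.179: with domain-based NAT (`ip nat inside` on FastEthernet0/1 and `ip nat outside` on FastEthernet0/0), translation is applied only to packets that cross between an inside and an outside interface, so a session from a LAN host to a.b.c.179 that would have to turn around on FastEthernet0/1 is never translated, whichever single host the address maps to. Second, the port-23 static forwards a.b.c.178:23 to the router's own LAN address while the vty lines allow only telnet, so router management is reachable from the Internet in cleartext subject to access-list 23, which the vty and HTTP lines reference but which does not appear in the posted config; `show access-lists 23` on the router is the place to confirm what it actually permits.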

I've used other routers (non-Cisco) in the past and done NAT this way, where each port on the outside of the router is redirected to a different IP address on the inside.  If I haven't implemented that portion properly, it could be causing the rest of the issues.

This router is the default gateway for 192.168.2.0/23.  It passes all messages up to a.b.c.177, which is a properly routeable IP address.

Not sure which host you are referring to.  Any machine on the inside of the network (192.168.2.0/23) can't reach a.b.c.179 on port 80.  Any machine outside the network, including on the other side of the VPN, can reach it.

Do you have a specific traceroute that you'd like to see?  From where and to where?

Which DNS records are you concerned about?  If I ping the DNS record that we have for a.b.c.179, it does resolve to the proper IP address.  Yes, it doesn't get through the router to the same place, but it does resolve properly, so I expect that DNS is not the base of this issue.

Matt
