How to do it in CISCO

divyakolus
Level 1

I have the following setup:

Private network <-> SW <-> CISCO VPN <-> ISP MODEM

I have configured the VPN part and it is working correctly. I have a computer in the private network at static address 192.168.1.100, and an application is running on it on TCP port 8100 for clients.

Now I need to connect from the Internet to the application on 192.168.1.100 on port 8100.

How do I configure the CISCO router to forward traffic coming in on TCP port 8100 to the machine 192.168.1.100?

ISP Modem is going to handover all the traffic to CISCO device.

Thank You


8 Replies

nkarthikeyan
Level 7

Hi Srinivas,

You should do a NAT for this scenario with the public IP. So the outside users should try to access the public IP, which will get NATed when they try to access it through port 8100 and translated to 192.168.1.100.

Please do rate if the given information helps.

By

Karthik

Hi Karthik,

I need this to work so that

I am new to CISCO and committed to setting this up for a customer. I got the VPN configured correctly by reading the help. If I can do this last configuration, I am saved.

Thank you for your time

My Router Configuration Follows

sh run
Building configuration...

Current configuration : 5416 bytes
!
! Last configuration change at 17:58:55 CSTime Mon Aug 20 2012 by csi
! NVRAM config last updated at 17:58:24 CSTime Mon Aug 20 2012 by csi
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$KJWP$wujENW/75bJnnoUxGXYJE0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CSTime -6
clock summer-time CSTime date Mar 11 2012 2:00 Nov 4 2012 2:00
!
crypto pki trustpoint TP-self-signed-986700165
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-986700165
revocation-check none
rsakeypair TP-self-signed-986700165
!
!
crypto pki certificate chain TP-self-signed-986700165
certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39383637 30303136 35301E17 0D313230 38313631 38353134
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3938 36373030
  31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A4AD22DF ECCB9372 C3E88024 318D7181 C2BE73E1 DB6F0B70 4A2781FF A0AB108D
  FEDD1EE5 C9C761A6 A9738299 684F25AC FC56F107 4FD43297 4D0D248B C431D0E2
  1A53D9B3 B0BCF9CF 7DF157FD 517594D0 B05FCD98 681D5A66 B48265FE BF353F47
  84FDA0C5 1A46E55D 40429810 B0A0D3A8 153FAD0A 78538AE0 657467FD FD44E6ED
  02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
  11041B30 19821750 69636179 756E652E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 16801491 5CACBE40 0996DFCE 1B9C67C3 9316041C 40FB8130
  1D060355 1D0E0416 0414915C ACBE4009 96DFCE1B 9C67C393 16041C40 FB81300D
  06092A86 4886F70D 01010405 00038181 003F26CD 9FA486C5 F71250F6 FC7E44F8
  CC1C15AC 1364CCA1 2E23CACA D123F78B F4B933EB 73648D75 A2C0B17A 28FAAC18
  7CAAB60E 9E5A49C3 50217868 BEFA30F5 6F36A04B BE41FE65 7C684DB9 10320AA1
  77D0BBC4 7216C6F6 20564AE2 8F46A06B 85AED401 9DB59ABF 6B360531 153BA6E1
  ECBF1F55 D4AF489A 70276D39 D13AF574 C5
        quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.1.1 192.168.1.25
ip dhcp excluded-address 192.168.1.100
ip dhcp excluded-address 192.168.1.222
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool Internal_Network
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 192.168.100.1
!
!
ip cef
ip domain name yourdomain.com
ip name-server 192.168.100.1
no ipv6 cef
!
!        
license udi pid CISCO881-K9 sn FTX1604828M
!
!
username csi privilege 15 secret 5 $1$G4wK$PRgc9k9omH9X8s1u37lkh1
username RemoteUser secret 5 $1$EWRQ$vPW7kG3jNhqwHTiL8IsBx0
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteAccessSupport
key Router_WWTP
pool VPN-Pool
acl VPN-Access-List
crypto isakmp profile vpn-isakmp-profile-1
   match identity group RemoteAccessSupport
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!        
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address 192.168.100.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool VPN-Pool 192.168.1.101 192.168.1.150
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.100.1
!
ip access-list extended VPN-Access-List
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 100 remark Used for Internet access to Internal N/W
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
!
banner motd ^C----------  Router VPN Router ----------^C
!
line con 0
exec-timeout 30 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
password 7 124A50424A5E5550
transport input telnet ssh
!
scheduler max-task-time 5000
end

Any more ideas please.

Hello,

ip nat inside source static tcp 192.168.1.100 8100 public_ip 8100

Regards,

Rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thank You. I figured it out through CISCO documentation. They also added extendable at the end. What is that supposed to mean? Also, instead of the public_ip, it should say the WAN port IP address.

Thank You again for the response.

Hello,

Correct, I said public_ip just in case you wanted to use a different IP than the outside interface of the router.

The extendable keyword allows the user to configure several ambiguous static translations, where ambiguous translations are translations with the same local or global address.

Example taken from a post on the CSC:

ip nat inside source static x.x.x.x y.y.y.y extendable

ip nat inside source static x.x.x.x z.z.z.z extendable

When a packet is coming from outside to inside with destination address y.y.y.y or z.z.z.z, it will be sent to x.x.x.x.

Regards,

Rate all the helpful posts

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for the explanation. In my case I have to use extendable because traffic on multiple ports is directed to one PC. I do not know how to rate a reply. Please let me know so that I can rate it.
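Putting the thread's pieces together, here is an added IOS example (my own, not posted by anyone in this thread) that applies Julio's static PAT command to the addresses in the configuration above: 192.168.1.100 as the inside host, FastEthernet4 (192.168.100.3) as the NAT outside interface, and the existing `ip nat inside source list 100 interface FastEthernet4 overload` rule left in place. It assumes the ISP modem forwards the published ports to 192.168.100.3 as the asker describes. Two things in it are constructed placeholders: a second published port, 8101, standing in for the asker's "multiple ports to one PC", and 203.0.113.0/24 as the client address range that should be allowed to reach the application. The inbound ACL on the outside interface is the defensive part: once a port is published, only the clients that need it should be able to reach it, and the ACL must still let the existing remote-access VPN and return traffic through.

```cisco
! Added example, not from the thread. Addresses come from the posted
! running-config; port 8101 and 203.0.113.0/24 are constructed placeholders.

! --- Static translations (inside local -> inside global) ---------------
! "extendable" is what makes two static entries for the same inside host
! and the same global address legal alongside the overload rule that
! already uses 192.168.100.3 (the FastEthernet4 address).
ip nat inside source static tcp 192.168.1.100 8100 192.168.100.3 8100 extendable
ip nat inside source static tcp 192.168.1.100 8101 192.168.100.3 8101 extendable

! --- Restrict who may reach the published ports -------------------------
! An inbound ACL on the outside interface is checked before the
! outside->inside translation, so it matches the global address
! 192.168.100.3, not 192.168.1.100.
ip access-list extended OUTSIDE-IN
 remark Published application, only from the known client range (placeholder)
 permit tcp 203.0.113.0 0.0.0.255 host 192.168.100.3 eq 8100
 permit tcp 203.0.113.0 0.0.0.255 host 192.168.100.3 eq 8101
 remark Keep the existing remote-access VPN working: IKE, NAT-T and ESP
 permit udp any host 192.168.100.3 eq isakmp
 permit udp any host 192.168.100.3 eq non500-isakmp
 permit esp any host 192.168.100.3
 remark Return traffic for sessions the inside network started
 permit tcp any host 192.168.100.3 established
 permit udp host 192.168.100.1 eq domain host 192.168.100.3
 permit icmp any host 192.168.100.3 echo-reply
 permit icmp any host 192.168.100.3 unreachable
 permit icmp any host 192.168.100.3 time-exceeded
 remark Everything else is dropped and logged for the buffered log
 deny ip any any log
!
interface FastEthernet4
 ip access-group OUTSIDE-IN in
!
! --- Verification --------------------------------------------------------
! The static entries appear in the translation table even with no client
! connected; a live client shows up as an additional tcp entry for
! 192.168.100.3:8100 <-> 192.168.1.100:8100 with the client's address.
show ip nat translations
show ip nat statistics
! Hit counters on the deny line show what is being refused at the edge.
show access-lists OUTSIDE-IN
```

Two caveats on the ACL. The `established` entry is a stateless check on the TCP ACK/RST flags and only covers TCP; any UDP application the inside network uses besides DNS to 192.168.100.1 (NTP, for instance) would need its own line, and a stateful option such as CBAC (`ip inspect`) or the zone-based firewall is the better tool if the router supports it. Also, because the outside address here is itself private (192.168.100.3 behind the ISP modem), the real edge is the modem: its own port-forwarding rule is what decides which ports are reachable from the Internet at all, so it should publish only 8100 and the other ports the application actually needs.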

Hello,

Sure, you just need to press the stars on the comment. That should do it.

Glad I could help,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC