Port forwarding issue on 887VA-M

nick.szilagyi
Level 1

Hi all,

I'm having an issue with port forwarding from a remote Watchguard firewall to a Cisco Meraki MX security appliance.

We have a DSL line with a single WAN IP on 164.xxx.xxx.xxx on an 887VA-M. The Meraki MX is NAT'd behind this on 2.2.2.2 (random IP, I know).

If the Meraki MX initiates phase 1, I don't have any issues until the phase 1 SA timer expires. The tunnel comes up and we have end-to-end connectivity.

To clarify, the Watchguard is continuously pinging the remote Meraki VLAN subnet, so when the tunnel expires, the interesting traffic should renegotiate phase 1, but it isn't. I don't think the port forwarding is working correctly. (Enabling debugging is crashing the 887... ugh.)


Config is below. I've highlighted where I believe the issue to be in bold. In short, I'm trying to forward ports 4500 and 500 to the IP 2.2.2.2.


interface Ethernet0
no ip address
!
interface ATM0
no ip address
ip flow ingress
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
i
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan222
description MX 1
ip address 2.2.2.1 255.255.255.252
ip nat inside
ip virtual-reassembly in

interface Dialer0
ip address negotiated
ip access-group 101 in
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 0xxxxxxxxx
ppp chap password 0 xxxxxxxxx
ppp pap sent-username xxxxx password 0 xxxx
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool NAT 164.xxx.xxx.xxx 164.xxx.xxx.xxx prefix-length 30
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 2.2.2.2 4500 interface ATM0 4500
ip nat inside source static udp 2.2.2.2 500 interface ATM0 500
ip route 0.0.0.0 0.0.0.0 Dialer0
!

access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 1 permit 2.2.2.0 0.0.0.3
access-list 101 deny tcp any any eq 22
access-list 101 deny tcp any any eq telnet
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
end

Many thanks

1 Reply

nick.szilagyi
Level 1

Please note, I also tried using the WAN IP address for the inside global IP address instead of the interface command.

Amended the rules to:

ip nat inside source static udp 2.2.2.2 4500 interface Dialer0 4500

ip nat inside source static udp 2.2.2.2 500 interface Dialer0 500

Tried this before though... hmmmmm.
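As an added example (not from the poster or from Cisco), a small script that reads an IOS config excerpt and flags any static port forward whose interface is not marked `ip nat outside`. It uses a constructed excerpt of the config from the thread; in the original it reports the two ATM0 entries, and with the amended Dialer0 lines from the reply it reports nothing.

```python
"""Sanity-check IOS static NAT port forwards against the 'ip nat outside' interface."""
import re

# Constructed excerpt of the router config from the post (not the full running-config).
SAMPLE_CONFIG = """\
interface ATM0
 no ip address
!
interface Vlan222
 ip address 2.2.2.1 255.255.255.252
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source static udp 2.2.2.2 4500 interface ATM0 4500
ip nat inside source static udp 2.2.2.2 500 interface ATM0 500
"""

# Matches: ip nat inside source static <tcp|udp> <inside-local> <port> interface <name> <port>
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")


def nat_interfaces(config):
    """Map interface name -> 'inside' or 'outside' from the 'ip nat ...' lines under each interface."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and line.strip() in ("ip nat inside", "ip nat outside"):
            roles[current] = line.strip().split()[-1]
    return roles


def check_static_nat(config):
    """Return (static NAT line, problem) pairs for forwards not bound to an 'ip nat outside' interface."""
    roles = nat_interfaces(config)
    findings = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        iface = m.group(4)
        role = roles.get(iface)
        if role != "outside":
            findings.append((line.strip(), f"{iface} is not 'ip nat outside' (role: {role})"))
    return findings
```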