ryanak
IS-IT--Management
- Dec 5, 2008
- 50
I have a Cisco 861 router. I need to allow ports 443 and 80 to pass external traffic to two separate internal systems. We have 2 external IP addresses, with the intention that one IP will be dedicated to services on one system and the second IP to the second system.
The first IP's port forwarding is working without issue. The second is not.
Here is the config with certain information removed. IPs for the first connection (the one that is working) have been changed to A.A.A.A.
IPs for the second connection have been changed to B.B.B.B.
Internal IPs are
C.C.C.A for the forwarding that is working
C.C.C.B for the forwarding that is NOT working
C.C.C.x For the internal network
C.C.C.C for a Terminal Server
Our two external IPs are on the same subnet provided by the ISP. They share the same gateway.
AncrEyakCpeRtr-1#show version
Cisco IOS Software, C860 Software (C860-UNIVERSALK9-M), Version 15.0(1)M8, RELEASE SOFTWARE (fc1)
Technical Support: Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 16-Feb-12 03:23 by prod_rel_team
ROM: System Bootstrap, Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1)
AncrEyakCpeRtr-1 uptime is 3 days, 21 hours, 53 minutes
System returned to ROM by power-on
System restarted at 11:59:58 UTC Mon Jan 2 2006
System image file is "flash:c860-universalk9-mz.150-1.M8.bin"
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco 861 (MPC8300) processor (revision 1.0) with 236544K/25600K bytes of memory.
Processor board ID FTX1641829K
5 FastEthernet interfaces
1 Virtual Private Network (VPN) Module
256K bytes of non-volatile configuration memory.
125440K bytes of ATA CompactFlash (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO861-K9 FTX1641829K
License Information for 'c860-data'
License Level: advsecurity Type: Permanent
Next reboot license Level: advsecurity
Configuration register is 0x2102
AncrEyakCpeRtr-1#show run
Building configuration...
Current configuration : 3290 bytes
!
! Last configuration change at 09:52:47 UTC Fri Jan 6 2006 by truadmin
! NVRAM config last updated at 09:52:56 UTC Fri Jan 6 2006 by truadmin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 861
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
!
ip source-route
!
!
!
!
ip cef
ip domain name domain.local
!
!
license udi pid CISCO861-K9 sn ######
!
!
username USERNAME privilege 15 secret 5 ENCRYPTEDPASSWORD
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key PASSWORDFORVPN address VPN ADDRESS
crypto isakmp key PASSWORDFORVPN address VPN ADDRESS
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map CMAP_1 1 ipsec-isakmp
description Tunnel toVPN ADDRESS
set peer VPN ADDRESS
set transform-set ESP-3DES-SHA
match address 101
crypto map CMAP_1 2 ipsec-isakmp
description Tunnel toVPN ADDRESS
set peer VPN ADDRESS
set transform-set ESP-3DES-SHA
match address 102
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address B.B.B.B 255.255.255.0 secondary
ip address A.A.A.A 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map CMAP_1
!
interface Vlan1
ip address C.C.C.x 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map RMP_1 interface FastEthernet4 overload
ip nat inside source static tcp C.C.C.B 443 206.174.41.23 443 extendable
ip nat inside source static C.C.C.B B.B.B.B
ip nat inside source static tcp C.C.C.A 25 206.174.41.81 25 extendable
ip nat inside source static tcp C.C.C.A 47 206.174.41.81 47 extendable
ip nat inside source static tcp C.C.C.A 80 206.174.41.81 80 extendable
ip nat inside source static tcp C.C.C.A 110 206.174.41.81 110 extendable
ip nat inside source static tcp C.C.C.A 143 206.174.41.81 143 extendable
ip nat inside source static tcp C.C.C.A 389 206.174.41.81 389 extendable
ip nat inside source static tcp C.C.C.A 443 206.174.41.81 443 extendable
ip nat inside source static tcp C.C.C.A 987 206.174.41.81 987 extendable
ip nat inside source static tcp C.C.C.A 1723 206.174.41.81 1723 extendable
ip nat inside source static tcp C.C.C.C 3389 206.174.41.81 3389 extendable
ip nat inside source static tcp C.C.C.A 8080 206.174.41.81 8080 extendable
ip route 0.0.0.0 0.0.0.0 GATEWAYADDRESS
access-list 100 deny ip INTERNAL SUBNET 0.0.0.255 REMOTESITESUBNET.0 0.0.0.255
access-list 100 deny ip INTERNAL SUBNET 0.0.0.255 REMOTESITESUBNET 0.0.0.255
access-list 100 permit ip INTERNAL SUBNET 0.0.0.255 any
access-list 101 permit ip INTERNAL SUBNET 0.0.0.255 REMOTESITESUBNET 0.0.0.255
access-list 102 permit ip INTERNAL SUBNET 0.0.0.255 REMOTESITESUBNET 0.0.0.255
route-map RMP_1 permit 10
match ip address 100
!
!
control-plane
!
banner login ^CC NNNNNNNNN123456789NNNNNNNNN ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end
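A config check in the spirit of the post, added here as an example; it is not code from the original question or from any reply, and it does not diagnose the poster's router. It parses the addresses of every interface marked "ip nat outside" and every "ip nat inside source static" line out of an IOS running-config (indentation may be stripped, as in a pasted config) and reports two things worth verifying before involving the ISP: a static translation whose global address is not on any of the router's outside subnets, and an inside host that is mapped one-to-one to one global address but per-port to a different one. The configuration embedded below is constructed from RFC 5737 documentation ranges, not the poster's addresses.

```python
"""Lint the static NAT entries of a Cisco IOS running-config.

Added example, not code from the original post. It parses the addresses of
every interface marked 'ip nat outside' and every 'ip nat inside source static'
line, then reports translations whose global address lies outside the
router's own outside subnets and inside hosts that are mapped to two different
global addresses. Indentation may be stripped, as in configs pasted to a forum.
"""
import ipaddress

# Constructed sample (RFC 5737 documentation ranges, not the poster's
# addresses) mirroring the post: one outside interface with a primary and a
# secondary public address, one inside VLAN, one-to-one and per-port statics.
SAMPLE_CONFIG = """\
interface FastEthernet4
ip address 198.51.100.11 255.255.255.0 secondary
ip address 198.51.100.10 255.255.255.0
ip nat outside
!
interface Vlan1
ip address 192.168.10.1 255.255.255.0
ip nat inside
!
ip nat inside source static tcp 192.168.10.20 443 203.0.113.23 443 extendable
ip nat inside source static 192.168.10.20 198.51.100.11
ip nat inside source static tcp 192.168.10.10 80 198.51.100.10 80 extendable
ip nat inside source static tcp 192.168.10.10 443 198.51.100.10 443 extendable
"""


def outside_networks(config):
    """Connected networks of every interface carrying 'ip nat outside'."""
    networks = []
    current, addrs, is_outside = None, [], False

    def flush():
        # Commit the block just parsed if it was an outside interface.
        if current and is_outside:
            for net in addrs:
                if net not in networks:
                    networks.append(net)

    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            flush()
            current, addrs, is_outside = line.split()[1], [], False
        elif line == "!":
            flush()
            current = None
        elif current and line.startswith("ip address "):
            parts = line.split()
            if len(parts) >= 4 and parts[2] != "dhcp":
                # 'ip address A.B.C.D MASK [secondary]'; ipaddress accepts a
                # dotted netmask after the slash.
                addrs.append(ipaddress.ip_interface(f"{parts[2]}/{parts[3]}").network)
        elif current and line == "ip nat outside":
            is_outside = True
    flush()
    return networks


def static_nats(config):
    """Parse 'ip nat inside source static' lines; 'static network' ranges are ignored."""
    entries = []
    for raw in config.splitlines():
        t = raw.strip().split()
        if t[:5] != ["ip", "nat", "inside", "source", "static"] or len(t) < 7:
            continue
        if t[5] in ("tcp", "udp"):
            # ... static tcp INSIDE INPORT GLOBAL OUTPORT [extendable]
            if len(t) >= 10:
                entries.append({"proto": t[5], "inside": t[6], "inside_port": int(t[7]),
                                "outside": t[8], "outside_port": int(t[9])})
        elif t[5] != "network":
            # ... static INSIDE GLOBAL  (one-to-one)
            entries.append({"proto": None, "inside": t[5], "inside_port": None,
                            "outside": t[6], "outside_port": None})
    return entries


def lint_static_nats(config):
    """Return human-readable findings; an empty list means nothing to review."""
    nets = outside_networks(config)
    entries = static_nats(config)
    findings = []
    # A global address that is not on any outside-interface subnet gets no ARP
    # alias from the router, so the upstream has to route it to us explicitly.
    for e in entries:
        if not any(ipaddress.ip_address(e["outside"]) in n for n in nets):
            findings.append(f"{e['outside']} (global for {e['inside']}) is not within "
                            f"any 'ip nat outside' subnet {[str(n) for n in nets]}")
    # The same inside host mapped one-to-one to one global address and per-port
    # to another: both entries load, but the intended public address is unclear.
    one_to_one = {e["inside"]: e["outside"] for e in entries if e["proto"] is None}
    for e in entries:
        target = one_to_one.get(e["inside"])
        if e["proto"] and target and target != e["outside"]:
            findings.append(f"{e['inside']} is mapped one-to-one to {target} but "
                            f"{e['proto']}/{e['outside_port']} to {e['outside']}")
    return findings


if __name__ == "__main__":
    for finding in lint_static_nats(SAMPLE_CONFIG):
        print("REVIEW:", finding)
```

Run it against a saved "show run" by passing the file contents to lint_static_nats(); on the sample it reports the off-subnet 203.0.113.23 global and the host that is mapped to two different globals, and nothing once both per-port statics for that host point at the same address as its one-to-one entry. The check only reads the configuration; it cannot tell whether the ISP actually delivers the secondary address to the router, which is what "show ip nat translations" and a packet capture on the outside interface would confirm.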