
Cisco 857 Portforwarding / VPNs

Status
Not open for further replies.

g0at

Technical User
Oct 18, 2004
27
GB
Hi,

First off, I have very, very limited knowledge of Cisco routers. I'd like to know how to address the below issue via the Cisco SDM interface rather than the command line, as I don't have a clue where to start via the command line.

As it stands there is a node on our network (192.168.0.226) that accesses another node which is on the other end of a VPN. Sending data and receiving data between these two boxes is fine.

We want to be able to feed the 226 box with data to send through the VPN from an external source and back again to the originating external source.

i.e.

External source -> hits the 192.168.0.226 box -> feeds data through VPN to end box -> Response back from endpoint of VPN hits 192.168.0.226 box -> Back out to the external source

From what I can gather we need a port forward of sorts set up on the router that will mean any data that originates on port XYZ redirects to 192.168.0.226; the 226 box will then forward the request through the VPN and pass the response back out to the originating box.

Does this sound plausible, and, if so, how the hell do you go about setting it up?
 
Can you console in? If so, please post the config so we can see the interfaces and such. Post "x.x.x.x" for the public IPs and passwords...
router>en
router#sh run

It is only a few lines that will accomplish what you need. I don't work with SDM much at all---mainly command line.

Burt
 

Building configuration...

Current configuration : 4111 bytes
!
! Last configuration change at 15:46:17 PCTime Mon Jul 9 2007 by admin
! NVRAM config last updated at 13:59:58 PCTime Thu Dec 27 2007 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxx
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
!
!
ip cef
ip tcp synwait-time 10
no ip domain lookup
ip domain name yourdomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXXXXXXX address 149.254.XXX.XXX
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to149.254.XXX.XXX
set peer 149.254.XXX.XXX
set transform-set ESP-3DES-SHA
match address rule
!
!
!
interface ATM0
no ip address
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.253 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
ip address 217.45.XXX.XX 255.255.255.224
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname A557473@hg23.btclick.com
ppp chap password 0 XXXXXX
ppp pap sent-username A557473@hg23.btclick.com password 0 XXXXXX
crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended ipsecrule
remark SDM_ACL Category=4
permit ip host 192.168.0.226 host 149.254.251.XX
permit ip host 192.168.0.226 host 149.254.251.ZZ
ip access-list extended rule
remark SDM_ACL Category=4
permit ip host 192.168.0.226 host 149.254.251.XX
permit ip host 192.168.0.226 host 149.254.251.ZZ
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip host 192.168.0.226 host 149.254.251.XX
access-list 101 remark IPSec Rule
access-list 101 deny ip host 192.168.0.226 host 149.254.251.ZZ
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip host 192.168.0.226 host 149.254.251.XX
access-list 102 permit ip host 192.168.0.226 host 149.254.251.ZZ
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 
So, just to clarify what I'm after...

1) External box fires a request at the router
2) Port forward kicks in and 192.168.0.226 box picks up request
3) 192.168.0.226 box sends request through VPN to endpoint
4) Response from endpoint at VPN
5) 192.168.0.226 box sends back out through router to originating source?

 
Can somebody please help?

I'm guessing I'm just after a port forward for SSL (443)?
 
Why not just port forward (static NAT) to the other end of the VPN, and skip the .226 altogether?

Burt
 
Thanks for your response.

I have managed to get around it by

ip nat inside source static tcp 192.168.0.226 443 interface Dialer0 443

is there a better way?
 
Sorry, the 226 box cannot be omitted as it's running a web service which facilitates the request through the VPN; the data coming in has to be 'converted' through the web service before it goes through the VPN.
 
That IS how you do it...
So the outside box hits the .226, and it in turn sends data to the other end of the vpn, whatever that box is...right?
Are you still having problems?
Also, is this a site-to-site or a remote access VPN?

Burt
 
Nope, all sorted. Thanks for your help.
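A configuration check written for this thread as an added example, not code posted by either participant: it parses the port-restricted static NAT line and the SDM-generated NAT-exemption ACL 101 from the config above (the thread's masked peer addresses 149.254.251.XX/ZZ are kept as placeholders) and confirms that the .226 host's traffic to the VPN peers is excluded from overload NAT. It also flags what a bare one-to-one `ip nat inside source static A B` on the same host would do, since that form translates every packet from .226 before the crypto map sees it and so breaks the tunnel's interesting-traffic match.

```python
import ipaddress
import re

# Constructed excerpt of the config posted above plus the static NAT line the
# poster added later; 149.254.251.XX/ZZ are the thread's own masked peers.
CONFIG = """\
ip nat inside source static tcp 192.168.0.226 443 interface Dialer0 443
access-list 101 deny ip host 192.168.0.226 host 149.254.251.XX
access-list 101 deny ip host 192.168.0.226 host 149.254.251.ZZ
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""
STATIC = re.compile(r"^ip nat inside source static (?:(tcp|udp) )?(\S+) (\S+)")
ACL = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")
ADDR = re.compile(r"host (\S+)|(any)|(\S+ \S+)")

def static_nat(config):
    """[(inside_ip, port or None)]: port-restricted 'static tcp A p ...' or bare 'static A B'."""
    return [(m[2], m[3] if m[1] else None) for line in config.splitlines()
            if (m := STATIC.match(line.strip()))]

def acl_entries(config, number):
    """(action, src, dst) per entry; address patterns: 'host X' -> 'X', 'any', 'NET WILDCARD'."""
    return [(m[2], *(a or b or c for a, b, c in ADDR.findall(m[3])))
            for line in config.splitlines()
            if (m := ACL.match(line.strip())) and m[1] == number]

def _matches(pattern, ip):
    if pattern in ("any", ip):  # 'any' or an exact host; masked peers match by name
        return True
    if " " not in pattern:
        return False
    net, wild = pattern.split()  # ipaddress accepts a wildcard (hostmask) after '/'
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{wild}", strict=False)

def first_action(entries, src, dst):
    """IOS ACL semantics: first matching entry wins, implicit deny at the end."""
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def review_vpn_host(config, host, peers, acl="101"):
    """Findings (empty = fine) for a LAN host behind static NAT that also sources VPN traffic."""
    findings = [f"{host}: one-to-one static NAT also rewrites its VPN flows"
                for ip, port in static_nat(config) if ip == host and port is None]
    entries = acl_entries(config, acl)
    findings += [f"{host}->{p}: not exempted from overload NAT by ACL {acl}"
                 for p in peers if first_action(entries, host, p) != "deny"]
    return findings
```

The route-map ACL must deny the host-to-peer flows so that only the 443 forward and ordinary Internet traffic are translated; a permit there (or the bare one-to-one form) is what the check reports.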
 