Static Route Question?


yemaya

Technical User
Sep 13, 2006
Hi,

I want to check with you guys the best way to route the traffic coming from the internet to a specific interface on Router-A and then to Router-B (access server). Here is the pic:

staticrouteid3.jpg


I have this NAT statement in Router-A:

ip nat inside source static 192.168.200.2 206.53.50.230

Thanks in Advance.
 
I am confused, do you need a static route, or do you need a static nat?
 
Hi.

What I need is to route traffic coming from 206.xx.xx.230 to 192.168.200.2, which is my access server. What I want is access from outside to my access server (R-B).

Thanks.
 
ip nat inside source static 192.168.200.2 interface WAN

Make sure you have a route on the access server to 192.168.200.1.
 

Hi brianinms,

I already have this static statement:
Code:
ip nat inside source static 192.168.200.2 206.xx.xx.230
to map the external IP to my access server IP, which is 192.168.200.2. What I need is to route all traffic coming from 206.xx.xx.230 to my access server (R-B).
 
Is it not working? Router A and Router B are directly connected. Is there a default route set in router A?

Burt
 
Hi
With this design, isn't traffic already going through the access server? I don't see any other routes.
Please clarify!
Regards
 
Router B also needs a default route pointing to router A, so it knows where the internet is.

What is your intention with this command, though?

ip nat inside source static 192.168.200.2 206.xx.xx.230

It will NAT to your router B (is router B your access server?).
You can instead use your server's address and NAT it directly to a host.

Just make sure router A and router B know about each other's networks that aren't directly connected.
 
Hello
plshlpme, router B is his access server. I think he wants to be able to access his access server remotely and have control over all his lab devices. The configuration looks correct, so if he wants to telnet to the router he will have to forward port 23.
What's confusing is that he said all traffic, but the router will only accept the remote protocols.
Regards
 
Hi Minue,

You are on track, that is exactly what I want to do. Router A is my gateway and is connected to router B, which is my access server. I want to access it from outside my network (home lab) using SSH to work on it. I have a block of 8 static IP addresses and I assigned one static for that job; that's why I NATted it with the IP (192.168.200.2) in this statement:
Code:
ip nat inside source static 192.168.200.2 206.xx.xx.230

What I need to know is how I can do this: how do I route this traffic (a remote connection using SSH) to router B?

Hope guys you can help me with this.

Thanks in advance.
 
Hello
You have to configure RouterB to support SSH. Then tell RouterA to forward the SSH port to the access server with this command.

ip nat inside source static tcp 192.168.200.2 22 206.xx.xx.230 22 extendable

Regards
 
Hi Minue,

I did what you told me but I can't access my network from outside. I'm using PuTTY and I got an error: Network Unreachable. Do I need to do something else in router A to permit access to router B?

In the router A i got this configuration:

Code:
ip nat pool IP-BLOCK 206.53.50.225 206.53.50.226 netmask 255.255.255.248
ip nat inside source list NAT pool IP-BLOCK overload
ip nat inside source static tcp 192.168.200.2 22 206.53.50.230 22 extendable
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
!
ip access-list extended LAN
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip any any
ip access-list extended WAN
 deny   ip any 10.0.0.0 0.255.255.255 log-input
 deny   ip any 127.0.0.0 0.255.255.255 log-input
 deny   ip any 169.254.0.0 0.0.255.255 log-input
 deny   ip any 192.168.0.0 0.0.255.255 log-input
 deny   ip any 172.16.0.0 0.15.255.255 log-input
 deny   ip any 224.0.0.0 15.255.255.255 log-input
 deny   ip host 255.255.255.255 any log-input
 deny   ip host 0.0.0.0 any log-input
 deny   ip 192.168.1.0 0.0.0.255 any log-input
 permit udp any eq bootps any eq bootpc
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 deny   icmp any any log-input
 permit tcp any any eq 1723 log-input
 permit tcp any any eq 4577
 permit udp any any eq 42337
 permit gre any any
 deny   ip any any log-input
!

Can you tell me what I need to add/change in this configuration to permit access to router B?

I already have SSH configured in router B.

Thanks in advance.
 
Hello
You have quite an extensive ACL; something in there could be blocking the outside traffic! A quick workaround would be to turn off all the access lists and then try. Cleaner would be to insert a permit statement for Router B. I would also do the testing with the default Telnet first and then move on to SSH.
Can you also try to post a config? I will take a closer look tomorrow and see if I can work it out.
Regards
 
ip access-list extended WAN
 permit tcp any host 206.53.50.230 eq 22
 
Hi Guys,

Here is my router config:

Code:
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service compress-config
!
hostname R1760-Gateway
!
boot-start-marker
warm-reboot count 25 uptime 10
boot-end-marker
!
logging buffered 51200 warnings
no logging console
no logging monitor
enable secret XXXXXXXXXXXXXXXXXXX
!
no aaa new-model
!
resource policy
!
clock timezone EDT -5
no ip source-route
ip cef
!
!
ip inspect audit-trail
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect one-minute high 400
ip inspect tcp max-incomplete host 35 block-time 5
ip inspect name FIREWALL cuseeme timeout 3600
ip inspect name FIREWALL ftp alert on audit-trail on timeout 3600
ip inspect name FIREWALL h323 timeout 3600
ip inspect name FIREWALL icmp timeout 3600
ip inspect name FIREWALL rcmd timeout 3600
ip inspect name FIREWALL realaudio timeout 3600
ip inspect name FIREWALL rtsp timeout 3600
ip inspect name FIREWALL sqlnet timeout 3600
ip inspect name FIREWALL streamworks timeout 3600
ip inspect name FIREWALL tftp timeout 30
ip inspect name FIREWALL tcp timeout 3600
ip inspect name FIREWALL udp timeout 15
ip inspect name FIREWALL vdolive timeout 3600
ip inspect name FIREWALL fragment maximum 256 timeout 1
ip inspect name FIREWALL sip timeout 3600
ip inspect name FIREWALL http java-list 2 alert on audit-trail on timeout 3600
ip inspect name FIREWALL smtp alert on audit-trail on timeout 3600
ip inspect name FIREWALL rpc program-number 1000022 alert off audit-trail on
ip tcp selective-ack
no ip dhcp use vrf connected
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.2.1 192.168.2.5
ip dhcp excluded-address 192.168.3.1 192.168.3.5
ip dhcp excluded-address 192.168.4.1 192.168.4.5
ip dhcp excluded-address 192.168.5.1 192.168.5.5
!
ip dhcp pool R1760
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server XXXXXXXXXXXXXXXXXXX 
   lease 2
   update arp
!
ip dhcp pool VLAN-10
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 
   dns-server XXXXXXXXXXXXXXXXXXX 
   lease 8
   update arp
!
ip dhcp pool VLAN-20
   import all
   network 192.168.3.0 255.255.255.0
   default-router 192.168.3.1 
   dns-server XXXXXXXXXXXXXXXXXXX 
   lease 8
   update arp
!
ip dhcp pool VLAN-30
   import all
   network 192.168.4.0 255.255.255.0
   default-router 192.168.4.1 
   dns-server XXXXXXXXXXXXXXXXXXX 
   lease 8
   update arp
!
ip dhcp pool VLAN-40
   import all
   network 192.168.5.0 255.255.255.0
   default-router 192.168.5.1 
   dns-server XXXXXXXXXXXXXXXXXXX 
   lease 8
   update arp
!
ip dhcp pool MyPC
   host 192.168.2.5 255.255.255.0
   client-identifier 0100.15f2.4820.ed
   lease infinite
!
!
no ip bootp server
no ip domain lookup
login block-for 120 attempts 2 within 60
login delay 2
login on-failure log every 5
login on-success log every 10
!
!
!
!
archive
 path tftp://192.168.2.5/configs/cfg-$h
 write-memory
 time-period 1440
!
! 
!
buffers tune automatic
!
!
interface FastEthernet0/0
 description "Private LAN"
 no ip address
 ip tcp adjust-mss 1452
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.2.1 255.255.255.0
 ip access-group LAN in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.3.1 255.255.255.0
 ip access-group LAN in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 192.168.4.1 255.255.255.0
 ip access-group LAN in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/0.40
 encapsulation dot1Q 40
 ip address 192.168.5.1 255.255.255.0
 ip access-group LAN in
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
 no cdp enable
!
interface FastEthernet0/1
!
interface FastEthernet0/2
!
interface FastEthernet0/3
!
interface FastEthernet0/4
!
interface ATM1/0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto 
!
interface ATM1/0.1 point-to-point
 no snmp trap link-status
 pvc 0/35 
  pppoe-client dial-pool-number 1
 !
!
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip mtu 1462
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname XXXXXXXXXXXXXXXXXXX
 ppp chap password XXXXXXXXXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXXXXXXXX password XXXXXXXXXXXXXXXXXXX
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat pool IP-BLOCK 206.xx.xx.225 206.xx.xx.226 netmask 255.255.255.248
ip nat inside source list NAT pool IP-BLOCK overload
ip nat inside source static udp 192.168.2.5 42337 interface Dialer0 42337
ip nat inside source static tcp 192.168.2.5 4577 interface Dialer0 4577
ip nat inside source static tcp 192.168.200.2 22 206.xx.xx.230 22 extendable
!
ip access-list standard NAT
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
 permit 192.168.3.0 0.0.0.255
 permit 192.168.4.0 0.0.0.255
 permit 192.168.5.0 0.0.0.255
!
ip access-list extended LAN
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip any any
ip access-list extended WAN
 deny   ip any 10.0.0.0 0.255.255.255 log-input
 deny   ip any 127.0.0.0 0.255.255.255 log-input
 deny   ip any 169.254.0.0 0.0.255.255 log-input
 deny   ip any 192.168.0.0 0.0.255.255 log-input
 deny   ip any 172.16.0.0 0.15.255.255 log-input
 deny   ip any 224.0.0.0 15.255.255.255 log-input
 deny   ip host 255.255.255.255 any log-input
 deny   ip host 0.0.0.0 any log-input
 deny   ip 192.168.1.0 0.0.0.255 any log-input
 permit udp any eq bootps any eq bootpc
 permit icmp any any net-unreachable
 permit icmp any any host-unreachable
 permit icmp any any port-unreachable
 permit icmp any any parameter-problem
 permit icmp any any packet-too-big
 permit icmp any any administratively-prohibited
 permit icmp any any source-quench
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any traceroute
 deny   icmp any any log-input
 permit tcp any any eq 1723 log-input
 permit tcp any any eq 4577
 permit udp any any eq 42337
 permit gre any any
 deny   ip any any log-input
!
!
kron occurrence DAILY at 4:00 recurring
 policy-list CONFIG-BACKUP
!
kron policy-list CONFIG-BACKUP
 cli wr mem 
!
access-list 1 permit 192.168.2.5
access-list 2 remark *******JAVA_FILTERING*******
access-list 3 permit any log
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
!
line con 0
 exec-timeout 0 0
 password XXXXXXXXXXXXXXXXXXX
 logging synchronous
 login
line aux 0
line vty 0 4
!
end

Thanks in advance.
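Before reworking the WAN ACL it is worth verifying a simpler NAT precondition: the interface that holds the inside-local subnet of a static translation (here Vlan1, 192.168.200.0/24) must itself carry `ip nat inside`, otherwise the translation is never applied to that traffic. The Python check below is an added example, not from the thread; it parses a constructed excerpt modelled on the config posted above (interface names and addresses taken from it) and reports, for each static NAT inside-local address, which interface owns its subnet and whether that interface is marked inside.

```python
import ipaddress
import re

# Constructed excerpt modelled on the gateway config posted in the thread
# (only the lines the check needs; 206.xx.xx.230 kept as the poster wrote it).
SAMPLE_CONFIG = """\
interface FastEthernet0/0.10
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Vlan1
 ip address 192.168.200.1 255.255.255.0
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip nat inside source static tcp 192.168.2.5 4577 interface Dialer0 4577
ip nat inside source static tcp 192.168.200.2 22 206.xx.xx.230 22 extendable
"""

def parse_interfaces(config):
    """Return {name: (IPv4Network or None, has_nat_inside)} from IOS config text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        line = line.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = [None, False]
        elif current and line.startswith(" "):
            m = re.match(r"\s+ip address (\S+) (\S+)$", line)  # dotted mask form
            if m:
                interfaces[current][0] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
            elif line.strip() == "ip nat inside":
                interfaces[current][1] = True
        else:
            current = None  # '!' or a global command ends the interface block
    return {name: tuple(v) for name, v in interfaces.items()}

def static_nat_locals(config):
    """Inside-local addresses named in 'ip nat inside source static' lines."""
    found = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] == ["ip", "nat", "inside", "source", "static"]:
            found.append(t[6] if t[5] in ("tcp", "udp") else t[5])  # skip protocol
    return found

def check_nat_inside(config):
    """Map each inside-local address to (owning interface, nat-inside flag)."""
    ifaces = parse_interfaces(config)
    report = {}
    for local in static_nat_locals(config):
        addr = ipaddress.IPv4Address(local)
        report[local] = next(((n, f) for n, (net, f) in ifaces.items()
                              if net and addr in net), ("none", False))
    return report
```

Any entry whose flag is False points at an interface where the static NAT cannot take effect regardless of the ACL order.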
 
You just need to make sure this goes ahead of your
"deny ip any any log-input"

which is at the end of your ACL.

So, assuming you've made no sequence changes, you could do this:

conf t
ip access-list extended WAN
1 permit tcp any host 206.53.50.230 eq 22

Add "log" to the end of it if you want to log it.
And again, make sure your access server has a default route back to your gateway, or else the connection won't work.
 
Hi plshlpme,

I added the access list you told me, but I still can't get access to my access server (R2). Can you tell me how to get the traffic back from R2 to R1?

Thanks in advance.
 