01-24-2008 02:21 AM - edited 03-03-2019 08:24 PM
Hello,
We have a Cisco 1721 with one "FastEthernet 0" and one "Eth 0" interface, connecting a DSL line to our internal LAN.
The FastEthernet 0 interface is connected to the DSL line via an ADSL modem (Zyxel) which is configured in bridge mode.
Eth 0 is connected to our LAN.
The router is configured primarily for IPSec and internet access.
We are able to access internet sites from our internal network; however, incoming traffic from the internet to our internal LAN (say, to a web server hosted in our LAN) fails.
Please find the configuration of our router below.
I would appreciate it if you could help us configure it for incoming traffic.
Thank you
Ramie
My present router "sh run" details are as follows:
sh run
Building configuration...
Current configuration : 1942 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key b001 address 111.x.x.20
!
!
crypto ipsec transform-set VF_GPRS esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map VF_B 10 ipsec-isakmp
set peer 111.x.x.20
set transform-set VF_GPRS
match address b_VF
!
!
!
interface Ethernet0
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
!
interface FastEthernet0
ip address 130.x.x..49 255.255.255.0 secondary
ip address 130.x.x..44 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
no cdp enable
crypto map VF_B
!
ip default-gateway 130.x.x..1
ip classless
ip route 0.0.0.0 0.0.0.0 130.x.x..1
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 130.x.x..49
!
!
!
ip access-list extended b_VF
permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip any any
ip access-list extended telnet
permit ip host 111.x.x.130 any
permit ip 172.16.0.0 0.0.0.255 any
deny ip any any
access-list 101 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class telnet in
login local
!
end
01-24-2008 04:48 AM
Hi Ramie,
Does your Zyxel device perform any kind of NAT/PAT?
If yes, you would need to do some port mapping on it to the server address you are NATting on your router.
If not, I guess 130.x.x..49 should be the public address of your server, right?
Is this (130.x.x..49) address known by the ISP and reachable from the internet?
You can do a simple test if you would like, interchanging the addresses:
interface FastEthernet0
ip address 130.x.x..49 255.255.255.0
ip address 130.x.x..44 255.255.255.0 secondary
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 130.x.x..44
BTW: is your server able to reach internet addresses?
Check if the translation is correct using:
sh ip nat translations
HTH
Ivan
01-24-2008 05:14 AM
Ramie
I agree with Ivan that some clarification of the situation would be helpful. Would I be correct that the 130.x.x.49 is the address that the server is using? If so why is it defined as a secondary address on the router? The effect of this is that anything from outside that is directed to 130.x.x.49 will be sent to the router instead of being sent to the server.
My first suggestion is to remove the secondary address and see if the situation improves.
If that is not the case then can you tell us what address the server is using?
HTH
Rick
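Both points raised so far, Rick's question about the static NAT target also being a secondary interface address and the need (already reflected in the deny entry of access-list 101 in the posted config) to keep the IPsec-protected subnet out of the overload NAT, are mechanical checks that can be run over a saved running-config before touching the router. The script below is an added example, not from this thread, from Cisco or from any Cisco tool: it parses a constructed, reduced config in the shape of the one posted (documentation-range addresses 203.0.113.0/24 and 198.51.100.20 stand in for the masked 130.x.x.x and 111.x.x.20), flags any static NAT inside-global address that is also configured on an interface, and lists crypto-ACL traffic that the NAT ACL does not explicitly deny. All function and constant names are the example's own.

```python
import re

# Constructed sample running-config (not the poster's real config): same
# structure as the one in the thread, with documentation-range addresses.
SAMPLE_CONFIG = """\
crypto map VF_B 10 ipsec-isakmp
 set peer 198.51.100.20
 match address b_VF
!
interface Ethernet0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0
 ip address 203.0.113.49 255.255.255.0 secondary
 ip address 203.0.113.44 255.255.255.0
 ip nat outside
 crypto map VF_B
!
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 203.0.113.49
!
ip access-list extended b_VF
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip any any
access-list 101 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
"""

# Variant with the NAT exemption for the VPN subnet missing (constructed).
SAMPLE_CONFIG_NO_EXEMPT = SAMPLE_CONFIG.replace(
    "access-list 101 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255\n", "")

IFACE_RE = re.compile(r"^interface (\S+)\s*$")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)( secondary)?\s*$")
STATIC_NAT_RE = re.compile(r"^ip nat inside source static (\S+) (\S+)\s*$")
NAT_OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload\s*$")
NAMED_ACL_RE = re.compile(r"^ip access-list extended (\S+)\s*$")
NAMED_ACE_RE = re.compile(r"^\s+(permit|deny) ip (.+?)\s*$")
NUM_ACE_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+?)\s*$")
CRYPTO_MATCH_RE = re.compile(r"^\s+match address (\S+)\s*$")


def parse_interface_addresses(config):
    """Map interface name -> list of (ip, mask, is_secondary) tuples."""
    result, current = {}, None
    for line in config.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        if not line or not line[0].isspace():
            current = None  # any non-indented line ends the interface block
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3) is not None))
    return result


def parse_static_nat(config):
    """List of (inside_local, inside_global) pairs from static NAT lines."""
    return [(m.group(1), m.group(2)) for line in config.splitlines()
            if (m := STATIC_NAT_RE.match(line))]


def find_static_nat_conflicts(config):
    """(inside_global, interface, is_secondary) for every static NAT global
    address that is also configured as an address on an interface: the
    router would answer for that address itself instead of translating."""
    ifaces = parse_interface_addresses(config)
    return [(global_ip, name, secondary)
            for _local, global_ip in parse_static_nat(config)
            for name, addrs in ifaces.items()
            for ip, _mask, secondary in addrs if ip == global_ip]


def _endpoints(words):
    """Turn the source/destination part of an ACE into two 'addr/wildcard'
    strings, handling the 'any', 'host X' and 'X wildcard' forms."""
    out, i = [], 0
    while i < len(words) and len(out) < 2:
        if words[i] == "any":
            out.append("0.0.0.0/255.255.255.255"); i += 1
        elif words[i] == "host" and i + 1 < len(words):
            out.append(words[i + 1] + "/0.0.0.0"); i += 2
        elif i + 1 < len(words):
            out.append(words[i] + "/" + words[i + 1]); i += 2
        else:
            break
    return tuple(out) if len(out) == 2 else None


def parse_acls(config):
    """Map ACL name or number -> list of (action, src, dst) entries."""
    acls, current = {}, None
    for line in config.splitlines():
        m = NAMED_ACL_RE.match(line)
        if m:
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        m = NUM_ACE_RE.match(line)
        if m:
            ends = _endpoints(m.group(3).split())
            if ends:
                acls.setdefault(m.group(1), []).append((m.group(2),) + ends)
            continue
        if not line or not line[0].isspace():
            current = None
            continue
        m = NAMED_ACE_RE.match(line)
        if m and current is not None:
            ends = _endpoints(m.group(2).split())
            if ends:
                acls[current].append((m.group(1),) + ends)
    return acls


def crypto_traffic_not_exempted(config):
    """Crypto-ACL permit entries (acl, src, dst) with no matching deny in the
    NAT overload ACL, i.e. VPN-bound traffic that PAT would rewrite before
    the crypto map ever matches it."""
    acls, lines = parse_acls(config), config.splitlines()
    nat_acls = [m.group(1) for l in lines if (m := NAT_OVERLOAD_RE.match(l))]
    crypto_acls = [m.group(1) for l in lines if (m := CRYPTO_MATCH_RE.match(l))]
    return [(cname, src, dst)
            for cname in crypto_acls
            for action, src, dst in acls.get(cname, []) if action == "permit"
            if not any(("deny", src, dst) in acls.get(n, []) for n in nat_acls)]


if __name__ == "__main__":
    for cfg_name, cfg in (("sample", SAMPLE_CONFIG), ("no-exempt", SAMPLE_CONFIG_NO_EXEMPT)):
        print(cfg_name, "static NAT conflicts:", find_static_nat_conflicts(cfg))
        print(cfg_name, "VPN traffic not exempt from NAT:", crypto_traffic_not_exempted(cfg))
```

Run it against a copy of `show running-config` saved to a file (replace `SAMPLE_CONFIG` with the file contents); the first check reproduces Rick's observation for the posted config, and the second stays empty as long as the `access-list 101 deny` line for the VPN subnet is present.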
01-25-2008 01:11 AM
Hi Ivan,
Thanks for your prompt response.
The Zyxel does not have any configuration; it's configured in bridged mode as an Ethernet converter, converting the RJ11 DSL line to RJ45.
Yes, 130.x.x.49 is the public IP of our server.
Yes, the 130.x.x.49 address is known by the ISP and it is reachable from the internet.
I tried configuring the above-mentioned "ip nat inside source static 172.16.0.6 130.x.x..44" configuration; IP forwarding went through fine, but this configuration change made IPSec stop functioning.
Yes, our internet server is able to reach internet addresses.
Thanks,
Ramie
01-25-2008 01:36 AM
Ramie,
So in this case, have you tried to modify "set peer 130.x.x..44" on your IPsec peer router to "set peer 130.x.x..49"?
And "crypto isakmp key b001 address 130.x.x..49" as well.
If you say this is the only thing that doesn't work, this should correct it.
HTH
Ivan
[pls rate all helpful posts]
01-29-2008 02:06 AM
Ivan,
There is no "set peer 130.x.x..44" configured in the above-mentioned sh run details. We are actually looking to configure IP forwarding (requests coming to 130.x.x.49 have to be forwarded to 172.16.0.6) without bringing down any other configuration (IPsec or Internet access).
Set peer is configured for a different static IP, which is for IPSec: "set peer 111.x.x..20".
Kindly advise.
Thanks,
Ramie
01-29-2008 04:38 AM
Ramie
I raised an issue about the configuration of the secondary address. Can you tell us whether the router configuration still has the secondary address configured?
HTH
Rick
01-29-2008 05:44 AM
Rick
I have removed the secondary address, but it is still not working.
Thanks,
Ramie
01-29-2008 05:52 AM
Ramie
Thanks for the update. In this case perhaps an updated posting of the config would be helpful.
HTH
Rick
01-31-2008 10:28 PM
sh run
Building configuration...
Current configuration : 1942 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
lifetime 3600
crypto isakmp key b001 address 111.x.x.20
!
!
crypto ipsec transform-set VF_GPRS esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map VF_B 10 ipsec-isakmp
set peer 111.x.x.20
set transform-set VF_GPRS
match address b_VF
!
!
!
interface Ethernet0
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
half-duplex
!
interface FastEthernet0
ip address 130.x.x..44 255.255.255.0
ip nat outside
ip virtual-reassembly
speed auto
no cdp enable
crypto map VF_B
!
ip default-gateway 130.x.x..1
ip classless
ip route 0.0.0.0 0.0.0.0 130.x.x..1
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 130.x.x..49
!
!
!
ip access-list extended b_VF
permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
deny ip any any
ip access-list extended telnet
permit ip host 111.x.x.130 any
permit ip 172.16.0.0 0.0.0.255 any
deny ip any any
access-list 101 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
access-class telnet in
login local
!
end
01-31-2008 10:40 PM
Rick,
I have attached the latest configuration details above. Please advise.
Thanks,
Ramie
02-01-2008 10:40 AM
Ramie
I have looked at the config that you posted and I do not see a problem that would prevent access. Can you confirm the address that people from outside will use to try to get to the server, and confirm the address that the server has on the inside of your network?
HTH
Rick