IP forwarding

remeshkt
Level 1

Hello,

We have a Cisco 1721 with one "FastEthernet 0" and one "Eth 0" interface, connecting a DSL line to our internal LAN.

The FastEthernet 0 interface is connected to the DSL line via an ADSL modem (Zyxel) which is configured in bridge mode.

Eth 0 is connected to our LAN.

The router is configured primarily for IPSec and internet access.

We are able to access internet sites from our internal network; however, incoming traffic from the internet to our internal LAN (say, for a web server hosted in our LAN) fails.

Please find the configuration on our router as shown below.

I would appreciate it if you could help us configure it for incoming traffic.

Thank you

Ramie

My present router sh run details are as follows:

sh run
Building configuration...

Current configuration : 1942 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip dhcp use vrf connected
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key b001 address 111.x.x.20
!
crypto ipsec transform-set VF_GPRS esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map VF_B 10 ipsec-isakmp
 set peer 111.x.x.20
 set transform-set VF_GPRS
 match address b_VF
!
interface Ethernet0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 130.x.x..49 255.255.255.0 secondary
 ip address 130.x.x..44 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 no cdp enable
 crypto map VF_B
!
ip default-gateway 130.x.x..1
ip classless
ip route 0.0.0.0 0.0.0.0 130.x.x..1
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 130.x.x..49
!
ip access-list extended b_VF
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip any any
ip access-list extended telnet
 permit ip host 111.x.x.130 any
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
access-list 101 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class telnet in
 login local
!
end
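To make the forwarding paths in this configuration concrete, here is an added Python model of the NAT and crypto-map decisions the router makes for a packet. It is an illustration written for this page, not IOS code and not part of the original post. It encodes the ACLs and NAT statements from the posted "sh run" (access-list 101, crypto ACL b_VF, the overload PAT and the static translation for 172.16.0.6) and assumes the standard IOS inside-to-outside order of operations, in which NAT is applied before the crypto map is consulted. The addresses 130.0.0.44, 130.0.0.49 and 111.0.0.20 are constructed placeholders for the redacted 130.x.x..44, 130.x.x..49 and 111.x.x.20; the sample packets are constructed as well. The model goes slightly beyond the thread by also evaluating the server's own traffic toward the VPN subnet, which shows why a static translation that is not exempted for VPN destinations can interact with the crypto ACL.

```python
"""Model of NAT + crypto-map handling on the thread's Cisco 1721 (illustration only)."""
import ipaddress
from dataclasses import dataclass, replace

# Constructed stand-ins for the redacted public addresses in the thread.
PUBLIC_ROUTER = "130.0.0.44"   # FastEthernet0 primary address (130.x.x..44)
PUBLIC_SERVER = "130.0.0.49"   # static NAT address of the web server (130.x.x..49)
INSIDE_SERVER = "172.16.0.6"   # server address on Ethernet0 (from the config)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard mask semantics: a 1 bit in the wildcard means 'do not care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


# ACL entries as (action, src, src_wildcard, dst, dst_wildcard); "any" is 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_101 = [  # dynamic NAT list from the posted config (VPN traffic exempted first)
    ("deny", "172.16.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("permit", "172.16.0.0", "0.0.0.255", *ANY),
]
ACL_B_VF = [  # crypto ACL 'b_VF': what crypto map VF_B encrypts
    ("permit", "172.16.0.0", "0.0.0.255", "192.168.0.0", "0.0.0.255"),
    ("deny", *ANY, *ANY),
]
STATIC_NAT = {INSIDE_SERVER: PUBLIC_SERVER}  # ip nat inside source static 172.16.0.6 <public>


def acl_permits(acl, pkt: Packet) -> bool:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw):
            return action == "permit"
    return False


def inside_to_outside(pkt: Packet):
    """Return (packet as it leaves FastEthernet0, how the router handled it).

    Assumption of the model: a static translation applies to all traffic from that
    host and is not governed by list 101; the crypto map is checked afterwards.
    """
    if pkt.src in STATIC_NAT:
        pkt, how = replace(pkt, src=STATIC_NAT[pkt.src]), "static-nat"
    elif acl_permits(ACL_101, pkt):
        pkt, how = replace(pkt, src=PUBLIC_ROUTER), "pat-overload"
    else:
        how = "no-nat"  # exempted by the deny entry in list 101
    if acl_permits(ACL_B_VF, pkt):  # crypto map VF_B consulted after translation
        how += "+ipsec"
    return pkt, how


def outside_to_inside(pkt: Packet):
    """Inbound on FastEthernet0: reverse the static translation if the destination has one."""
    for inside, public in STATIC_NAT.items():
        if pkt.dst == public:
            return replace(pkt, dst=inside), "static-nat"
    return pkt, "no-translation"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.7 is a documentation address standing in for an internet client.
    for label, fn, pkt in [
        ("LAN host to internet", inside_to_outside, Packet("172.16.0.10", "198.51.100.9")),
        ("LAN host to VPN subnet", inside_to_outside, Packet("172.16.0.10", "192.168.0.5")),
        ("server to VPN subnet", inside_to_outside, Packet(INSIDE_SERVER, "192.168.0.5")),
        ("internet client to server", outside_to_inside, Packet("203.0.113.7", PUBLIC_SERVER)),
    ]:
        out, how = fn(pkt)
        print(f"{label:28} {pkt.src} -> {pkt.dst}  =>  {out.src} -> {out.dst}  [{how}]")
```

The inbound case shows what the poster expects: a packet for the public server address is rewritten to 172.16.0.6 by the static entry. The third case is the caveat: because the static translation runs before the crypto map and is not exempted by list 101, the server's own packets toward 192.168.0.0/24 leave with the public source address and no longer match b_VF. On the real router, "sh ip nat translations" (mentioned later in the thread) is the place to confirm which translation a given flow actually used.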

11 Replies

nordick26
Level 1

Hi Ramie,

Does your Zyxel device perform any kind of NAT/PAT?

If yes, you would need to do some port mapping on it to the server address you are NATting on your router.

If not, I guess 130.x.x..49 should be the public address of your server, right?

Is this (130.x.x..49) address known by the ISP and reachable from the internet?

If you would like, you can do a simple test and interchange the addresses:

interface FastEthernet0
 ip address 130.x.x..49 255.255.255.0
 ip address 130.x.x..44 255.255.255.0 secondary

ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 130.x.x..44

BTW: is your server able to reach internet addresses?

Check if the translation is correct using:

sh ip nat translations

HTH

Ivan

Ramie

I agree with Ivan that some clarification of the situation would be helpful. Would I be correct that the 130.x.x.49 is the address that the server is using? If so why is it defined as a secondary address on the router? The effect of this is that anything from outside that is directed to 130.x.x.49 will be sent to the router instead of being sent to the server.

My first suggestion is to remove the secondary address and see if the situation improves.

If that is not the case then can you tell us what address the server is using?

HTH

Rick


Hi Ivan,

Thanks for your prompt response.

The Zyxel does not have any configuration; it's configured in bridged mode as an Ethernet converter, converting the RJ11 DSL line to RJ45.

Yes, 130.x.x.49 is the public IP of our server.

Yes, the 130.x.x.49 address is known by the ISP and it is reachable from the internet.

I tried configuring the above mentioned "ip nat inside source static 172.16.0.6 130.x.x..44" configuration; IP forwarding went through fine, but this configuration change made IPSec stop functioning.

Yes, our internet server is able to reach internet addresses.

Thanks,

Ramie

Ramie,

So in this case, have you tried to modify "set peer 130.x.x..44" on your IPsec peer router to "set peer 130.x.x..49"?

And "crypto isakmp key b001 address 130.x.x..49" as well.

If you say this is the only thing that doesn't work, this should correct it.

HTH

Ivan

[pls rate all helpful posts]

Ivan,

There is no "set peer 130.x.x..44" configured in the above mentioned sh run details. We are actually looking to configure IP forwarding (a request that comes to 130.x.x.49 has to be forwarded to 172.16.0.6) without bringing down any other configuration (IPsec or internet access).

Set peer is configured for a different static IP, which is for IPSec: "set peer 111.x.x..20".

Kindly advise.

Thanks,

Ramie

Ramie

I raised an issue about the configuration of the secondary address. Can you tell us whether the router configuration still has the secondary address configured?

HTH

Rick


Rick

I have removed the secondary address; still it is not working.

Thanks,

Ramie

Ramie

Thanks for the update. In this case perhaps an updated posting of the config would be helpful.

HTH

Rick


sh run
Building configuration...

Current configuration : 1942 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
!
no ip dhcp use vrf connected
!
ip cef
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
crypto isakmp key b001 address 111.x.x.20
!
crypto ipsec transform-set VF_GPRS esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto map VF_B 10 ipsec-isakmp
 set peer 111.x.x.20
 set transform-set VF_GPRS
 match address b_VF
!
interface Ethernet0
 ip address 172.16.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 half-duplex
!
interface FastEthernet0
 ip address 130.x.x..44 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 speed auto
 no cdp enable
 crypto map VF_B
!
ip default-gateway 130.x.x..1
ip classless
ip route 0.0.0.0 0.0.0.0 130.x.x..1
no ip http server
no ip http secure-server
!
ip nat inside source list 101 interface FastEthernet0 overload
ip nat inside source static 172.16.0.6 130.x.x..49
!
ip access-list extended b_VF
 permit ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny ip any any
ip access-list extended telnet
 permit ip host 111.x.x.130 any
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
access-list 101 deny ip 172.16.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit ip 172.16.0.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class telnet in
 login local
!
end

Rick,

Attached the latest configuration details above. Please advise.

Thanks,

Ramie

Ramie

I have looked at the config that you posted and I do not see a problem that would prevent access. Can you confirm the address that people from outside will use to try to get to the server, and confirm the address that the server has on the inside of your network?

HTH

Rick
