source ip for outgoing traffic

Unanswered Question
Mar 15th, 2008

Hi,

i have a 2821 hooked up to my isp and my lan. the isp interface is configured with a ip only routed inside the isp network. the inside ip is routed worldwide. now when i try to connect to a network outside the isp directly from the router the package get dropped at the isp border router.

can i tell the ios to use insides interface ip for source ip of outgoing connection? normaly you dont need that but i have a webvpn running on the box and no outside http servers are reachable because of that.

any hints, regards Martin

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Joseph W. Doherty Sat, 03/15/2008 - 08:17

If you mean you want to do something like ping from the router itself, you can specify a different address or interface for the source IP.

If you mean you have devices behind your router, and their addresses aren't valid, you'll need to activate NAT.

m.hierling Sun, 03/16/2008 - 04:11

i want to initiate traffic from the router itself. not the networks behind the router, they are working well.

i know that i can choose the source address while using the ping command. but other traffic initiated by the router, in my case webvpn, should also have the inside ip as source addresse.

Basically it looks like this:

inet -> provider -[transfernet] -> my router -> my lan

My webvpn is running on inside interface, when a client connects from the internet and initiates a http connection to the internet my router uses the outside ip as source address. but the transfernetwork is only routed inside the provider backbone. so the packages get dropped at the edge. my lan networks are routed propper, also from the internet.

Martin

Joseph W. Doherty Sun, 03/16/2008 - 05:38

Think I understand. Your problem is webvpn not permitting Internet traffic to work correctly to the remote client (bouncing off your internal network). I'm unfamiliar with webvpn, but its solution might be allowance of split tunneling from the remote host. However, I can see reasons for doing what you want, such as additional security to/from the Internet.

Again, unfamiliar with webvpn. If I've stated the problem correctly, and no one else responds on this forum, you might try a post in the VPN forum.

[edit]

PS:

Some other traffic types, from the router, can be told to have a specified source address.

e.g.

ip ftp source-interface

etc.

cisco24x7 Sun, 03/16/2008 - 06:17

I think I can help with this. assuming

on your router, F0/0 is the ouside interface

and F0/1 is the inside interface. Here

we go:

int F0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside

int F0/0

ip address 4.2.2.2

ip nat outside

ip nat inside source static tcp 192.168.1.1 80 interface FastEthernet0/0 80

ip nat inside source static tcp 192.168.1.1 443 interface FastEthernet0/0 443

Now Internet users will hit the outside

router IP and then router will translate

it into the internal IP.

Keep in mind that these things are designed

to work with hosts that sit behind the

router, NOT something that designs

to nat the outside ip of the router to

inside ip of the router, but you can

give that a try and see it its works for you.

CCIE Security

m.hierling Sun, 03/16/2008 - 08:18

thanks for pointing out the direction, but i didnt get it 100%. can we play this through with real values:

! Inside / officaly routed ip network

int gi 0/0

ip address 60.16.112.225 255.255.255.224

ip address 60.16.112.229 255.255.255.224 secondary

! Outside / network to provider, only routed inside provider network

int gi 0/1

ip address 188.0.124.129 255.255.255.252

ip route 0.0.0.0 188.0.124.130

Webvpn is running on 60.16.112.229

Connections initiated from the router to outside should be rewritten to 60.16.112.229 while leaving int gi0/1.

Martin

cisco24x7 Sun, 03/16/2008 - 08:29

"Connections initiated from the router to outside should be rewritten to 60.16.112.229 while leaving int gi0/1."

Who is the one initiating the connection first?

Must be some users over the internet right?

For example, user(s) come from 4.2.2.2 hitting ip 188.0.124.129 on port 80/443? is that a

a correct assumption?

If the router is the one initiates connection

first, then I don't think it is possible.

m.hierling Sun, 03/16/2008 - 08:50

A Client on the internet authenticates at webvpn running on 112.229. Requesting a website 20.0.0.1, the router gets the website from 20.0.0.1 over his outside interface 188.0.124.129 and delivers the page to the client on the internet. Some sort of proxy. The router is the client for the webserver, initiating the connection to the webserver, rewriting the http content and sends it to to the client.

the client ip has not to be modified, it is the routers ip address while getting the http content from the internet.

Martin

Actions

This Discussion