
source ip for outgoing traffic

Unanswered Question
Mar 15th, 2008
Hi,

I have a 2821 hooked up to my ISP and my LAN. The ISP interface is configured with an IP that is only routed inside the ISP network. The inside IP is routed worldwide. Now when I try to connect to a network outside the ISP directly from the router, the packets get dropped at the ISP border router.

Can I tell the IOS to use the inside interface IP as the source IP of outgoing connections? Normally you don't need that, but I have a WebVPN running on the box and no outside HTTP servers are reachable because of that.

Any hints? Regards, Martin

Joseph W. Doherty Sat, 03/15/2008 - 08:17

If you mean you want to do something like ping from the router itself, you can specify a different address or interface for the source IP.

If you mean you have devices behind your router, and their addresses aren't valid, you'll need to activate NAT.

m.hierling Sun, 03/16/2008 - 04:11
I want to initiate traffic from the router itself, not from the networks behind the router; they are working well.

I know that I can choose the source address when using the ping command. But other traffic initiated by the router, in my case WebVPN, should also have the inside IP as source address.

Basically it looks like this:

inet -> provider -[transfernet] -> my router -> my lan

My WebVPN is running on the inside interface. When a client connects from the internet and initiates an HTTP connection to the internet, my router uses the outside IP as source address. But the transfer network is only routed inside the provider backbone, so the packets get dropped at the edge. My LAN networks are routed properly, also from the internet.

Martin

Joseph W. Doherty Sun, 03/16/2008 - 05:38

Think I understand. Your problem is webvpn not permitting Internet traffic to work correctly to the remote client (bouncing off your internal network). I'm unfamiliar with webvpn, but its solution might be allowance of split tunneling from the remote host. However, I can see reasons for doing what you want, such as additional security to/from the Internet.

Again, unfamiliar with webvpn. If I've stated the problem correctly, and no one else responds on this forum, you might try a post in the VPN forum.

[edit]

PS: Some other traffic types from the router can be told to use a specified source address, e.g.

ip ftp source-interface

etc.

cisco24x7 Sun, 03/16/2008 - 06:17

I think I can help with this. Assuming that on your router F0/0 is the outside interface and F0/1 is the inside interface, here we go:

! Inside interface: private address, marked as the NAT inside side
int F0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Outside interface, marked as the NAT outside side
! (the subnet mask was omitted in the original post; /24 is a placeholder)
int F0/0
 ip address 4.2.2.2 255.255.255.0
 ip nat outside
!
! Static port translations: TCP 80 and 443 arriving on the outside
! interface address are mapped to the inside address
ip nat inside source static tcp 192.168.1.1 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.1.1 443 interface FastEthernet0/0 443

Now Internet users will hit the outside router IP and then the router will translate it into the internal IP.

Keep in mind that these things are designed to work with hosts that sit behind the router, NOT something that is designed to NAT the outside IP of the router to the inside IP of the router, but you can give that a try and see if it works for you.

CCIE Security

m.hierling Sun, 03/16/2008 - 08:18
Thanks for pointing out the direction, but I didn't get it 100%. Can we play this through with real values:

! Inside / officially routed IP network
int gi 0/0
 ip address 60.16.112.225 255.255.255.224
 ip address 60.16.112.229 255.255.255.224 secondary
!
! Outside / network to provider, only routed inside the provider network
int gi 0/1
 ip address 188.0.124.129 255.255.255.252
!
! Default route towards the provider (the original line omitted the 0.0.0.0 mask)
ip route 0.0.0.0 0.0.0.0 188.0.124.130

WebVPN is running on 60.16.112.229.

Connections initiated from the router to the outside should be rewritten to 60.16.112.229 while leaving int gi0/1.

Martin

cisco24x7 Sun, 03/16/2008 - 08:29

"Connections initiated from the router to outside should be rewritten to 60.16.112.229 while leaving int gi0/1."

Who is the one initiating the connection first? Must be some users over the internet, right? For example, user(s) come from 4.2.2.2 hitting IP 188.0.124.129 on port 80/443? Is that a correct assumption?

If the router is the one that initiates the connection first, then I don't think it is possible.

m.hierling Sun, 03/16/2008 - 08:50
A client on the internet authenticates at the WebVPN running on 112.229. When it requests a website at 20.0.0.1, the router gets the website from 20.0.0.1 over its outside interface 188.0.124.129 and delivers the page to the client on the internet. Some sort of proxy. The router is the client for the webserver, initiating the connection to the webserver, rewriting the HTTP content and sending it to the client.

The client IP does not have to be modified; it is the router's IP address while getting the HTTP content from the internet.

Martin
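As an added example, not taken from the thread or from any Cisco documentation, here is what the per-protocol source-interface approach Joseph mentions looks like when applied to Martin's addressing. Interface names and addresses follow Martin's post; the syslog host 10.0.0.10 and the interface descriptions are placeholders chosen for illustration. Each global command pins one class of traffic the router itself originates (file transfer, management sessions, DNS, AAA, NTP, syslog, SNMP traps) to the inside interface, so those sessions leave with the worldwide-routed address instead of the ISP-only transfer-net address.

```cisco
! Added example, not from the thread. Interface names and addresses are
! Martin's; 10.0.0.10 is a placeholder syslog collector.
!
! Inside: publicly routed /27 (the address the rest of the world can reach)
interface GigabitEthernet0/0
 description Inside - 60.16.112.224/27, routed worldwide
 ip address 60.16.112.225 255.255.255.224
 ip address 60.16.112.229 255.255.255.224 secondary
!
! Outside: ISP transfer net, routed only inside the provider backbone
interface GigabitEthernet0/1
 description Outside - ISP transfer net, not routed beyond the ISP
 ip address 188.0.124.129 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 188.0.124.130
!
! Per-protocol source selection for router-originated traffic. Each line
! makes that service use the inside interface address as its source, so
! replies from outside the ISP can actually be routed back to the router.
ip ftp source-interface GigabitEthernet0/0
ip tftp source-interface GigabitEthernet0/0
ip ssh source-interface GigabitEthernet0/0
ip telnet source-interface GigabitEthernet0/0
ip domain lookup source-interface GigabitEthernet0/0
ip tacacs source-interface GigabitEthernet0/0
ip radius source-interface GigabitEthernet0/0
ntp source GigabitEthernet0/0
logging source-interface GigabitEthernet0/0
logging host 10.0.0.10
snmp-server trap-source GigabitEthernet0/0
!
! Check from the CLI that a router-originated probe leaves with the routed
! address: ping <host> source GigabitEthernet0/0
```

These commands only cover the named protocols; the WebVPN gateway's own outbound HTTP fetches described later in the thread are not among them, which is consistent with the thread's conclusion that there is no general knob for router-initiated connections. From an operations standpoint the lines that matter most are the ones for syslog, AAA and NTP: with them sourced from the routed address, the router's logs, authentication requests and time sync keep working even when the transfer net is unreachable from outside the ISP, and the collector sees one stable source address for the device.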
