I'm trying to set up a Cisco 837 to have a firewall, an IPSec VPN to my office and port forwarding.
Using SDM I was able to first get the connection to the DSL provider, then using the VPN area set up the IPSec VPN. I then used the NAT area to set up port forwarding, but it does not appear to work. I think it must require the firewall/ACL area to be set up as well, but I thought the NAT tool would do the ACL automatically.
I have posted my setup; I would appreciate some pointers on what I should do to get it working.
Can you tell me which public IP address you are using to access your internal resources?
Since you have mapped the dialer interface onto your LAN IPs, which public IP are you using to access the internal resources?
I feel the IP assignment by your SP to you is in a dynamic mode, which keeps changing whenever you get connected to the SP network, so in this case you won't have a single common public IP all the time to access your internal LAN resources.
My suggestion would be to get a public IP and map all your resources to that common IP so that it remains the same throughout.
I have a public static IP for my home network provided by the DSL provider. Call it xxx.xxx.xxx.5
I am trying to get port forwarding working on this public static IP.
I also need the IPSEC VPN to my office to remain working and to permit traffic routing between my office and home networks.
Is it possible for you to assign the public IP address on your router?
Let's say you create a loopback IP and assign the same onto it.
Once you are done, you need to change the current mappings which you have done with your dialer interface to the loopback interface or to the IP address itself.
Currently my router will connect to the DSL provider and the VPN works correctly. What does not work is the port forwarding. I attached my setup with the first post. I would appreciate comments on how to fix this setup. I do not think loopback is the answer.
I am trying to emphasize that the IP assignment from the SP is dynamic in nature and I don't think you will get the same IP every time.
Though you have done the config for port forwarding, I don't think you will have a defined IP address to use to access the internal LAN resources.
That's why I have suggested checking for a static one, so that you can have the same IP in use all the time whenever you want to access your LAN resources.
Thank you for your help.
How can I say clearly that my external WAN IP from the DSL provider is a STATIC public IP? It does not change each time I restart the DSL connection because I am paying for a STATIC IP.
I appreciate your comments.
I used the SDM tool and the config file was created by it. I'm not an expert with the 837 and the SDM tool appeared to be the best approach. I would appreciate a new config that would do what I need.
The typical config will be like this ...
ip nat inside source static tcp 192.168.2.24 3389 x.x.x.x 3389
ip nat inside source static tcp 192.168.2.23 1723 x.x.x.x 1723
ip nat inside source static tcp 192.168.2.23 443 x.x.x.x 443
ip nat inside source static tcp 192.168.2.23 80 x.x.x.x 80
ip nat inside source static udp 192.168.2.23 53 x.x.x.x 53
ip nat inside source static tcp 192.168.2.23 53 x.x.x.x 53
ip nat inside source static tcp 192.168.2.23 25 x.x.x.x 25
where x.x.x.x is the public static IP which you say that you are getting from the SP.
You need to do a clear ip nat translation * in order to change the NAT config lines.
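An added example, not part of the original posts: a Python check that validates static NAT lines like those above and lists the permit entries an inbound ACL on the outside interface would need for each forward. It assumes such an extended ACL exists (the thread's config is not shown); the address 203.0.113.5 and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: entries from the thread with the placeholder x.x.x.x
# replaced by a documentation address. The last line carries a stray leading
# character in the global address to show how such a typo is caught.
SAMPLE_CONFIG = """\
ip nat inside source static tcp 192.168.2.24 3389 203.0.113.5 3389
ip nat inside source static udp 192.168.2.23 53 203.0.113.5 53
ip nat inside source static tcp 192.168.2.23 25 i203.0.113.5 25
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
    r"(?:\s+extendable)?$")

def parse_static_nat(config):
    """Return (entries, rejected): valid port forwards and lines failing validation."""
    entries, rejected = [], []
    for line in (l.strip() for l in config.splitlines()):
        if not line.startswith("ip nat inside source static"):
            continue
        try:
            m = NAT_RE.match(line)
            if m is None:
                raise ValueError("unrecognised syntax")
            proto, local, lport, glob, gport = m.groups()
            ipaddress.IPv4Address(local)   # raises ValueError on a bad address
            ipaddress.IPv4Address(glob)
            if not (0 < int(lport) < 65536 and 0 < int(gport) < 65536):
                raise ValueError("port out of range")
        except ValueError:
            rejected.append(line)
            continue
        entries.append({"proto": proto, "local": local, "lport": int(lport),
                        "global": glob, "gport": int(gport)})
    return entries, rejected

def acl_permits(entries):
    """Permit lines for an extended ACL applied inbound on the outside interface.
    IOS evaluates that ACL before translating outside-to-inside traffic, so the
    entries match the global (public) address and port, not the inside host."""
    return [f"permit {e['proto']} any host {e['global']} eq {e['gport']}"
            for e in entries]

if __name__ == "__main__":
    ok, bad = parse_static_nat(SAMPLE_CONFIG)
    print("\n".join(acl_permits(ok)))
    print("rejected:", bad)
```

Each permit line it prints is also a service exposed to the whole internet, so the output doubles as a list of forwards to review.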
This did not work.
I reset the running-config using SDM and changed the entries to that which you suggest and I still cannot connect to any of the redirected ports from the WAN.