02-01-2012 02:57 AM
Hi.......
We have a Cisco 2851 router and an ASA firewall. We configured the router for IP phones and the ISP connection. The ISP is directly connected to the router and the ASA firewall is connected to the router. We have a plan to configure VPN on the router. We have a public IP address available. If I configure the VPN on the firewall, we need to configure the firewall's local IP address to the public IP address. So how do we configure the firewall's local IP to the public IP? Where can we configure it, I mean on the router or on the firewall? Please see my firewall and router configuration...
Please help.....
02-01-2012 07:47 AM
Hello Nisar,
You would need a static translation on your router, which is facing the internet, to push the remote VPN client traffic to your inside firewall, and since you want to keep your FW as your remote VPN server, you can go ahead and configure your FW as your remote VPN server.
Follow these translations on your router.
ip nat inside source static esp 192.168.255.2 interface FastEthernet0/0/0
ip nat inside source static udp 192.168.255.2 isakmp interface FastEthernet0/0/0 isakmp
ip nat inside source static tcp 192.168.255.2 443 interface FastEthernet0/0/0 443
ip nat inside source static udp 192.168.255.2 10000 interface FastEthernet0/0/0 10000
ip nat inside source static tcp 192.168.255.2 10000 interface FastEthernet0/0/0 10000
ip nat inside source static udp 192.168.255.2 non500-isakmp interface FastEthernet0/0/0 non500-isakmp
Thanks
Rizwan Rafeek
02-01-2012 03:06 AM
Sorry...... we need to configure VPN on the firewall, not on the router..
02-01-2012 10:01 PM
Thanks Rizwan..... I am confused: if I configure VPN on the firewall, which IP can I give to the client side for connecting to the VPN from outside?
Thanks
Nisar
02-02-2012 05:52 AM
"Thanks Rizwan..... I am confused: if I configure VPN on the firewall, which IP can I give to the client side for connecting to the VPN from outside?"
Brother Nisar,
It is naturally the public address on the interface FastEthernet0/0/0, which is routed via the public internet cloud.
I assume this is the interface down below with the public address.
interface FastEthernet0/0/0
WAN interface
ip address xxx.xxx.xxx.154 255.255.255.252
ip access-group RTP-BLOCK in
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
!
Thanks
Rizwan Rafeek
02-02-2012 07:46 AM
Hi.....
Thanks for your support.... Now I have cleared the configuration which I sent before. My IP address is xxx.xxx.xxx.154 for giving to VPN clients..... So I can configure all types of VPN on the firewall, meaning IPsec VPN, SSL VPN etc.... Is it right??
Thanks
Nisar
02-02-2012 08:00 AM
"So I can configure all types of VPN on the firewall, meaning IPsec VPN, SSL VPN etc.... Is it right??"
The answer is yes, as long as you have the respective ports translated from the public to the private address on your FW.
thanks
Rizwan Rafeek
02-02-2012 08:36 AM
Hi....
Thanks a lot.... Please see my WAN interface; I configured an access group that blocks some ports.... Before, we faced a problem with our IP phones: someone hacked our router and they were using our PSTN line for their calling,,, we got a big invoice from our PSTN provider... so that's why we blocked the ports... So please help me how to edit my access-list which I configured on my WAN interface... Please give me the commands.... Personally asking, where are you from?? Your voice and name sound like you are from India... I am from India, Kerala..... If you don't mind, give me your contact details...
Nisar
02-02-2012 10:49 AM
Hello Nisar,
You need to enter the below highlighted entries in between the existing ACL RTP-BLOCK entries.
ip access-list extended RTP-BLOCK
permit ip host xxx.xxx.xxx.102 any
permit tcp host xxx.xxx.xxx.102 any
permit udp host xxx.xxx.xxx.102 any
permit ip host xxx.xxx.xxx.203 any
permit tcp host xxx.xxx.xxx.203 any
permit udp host xxx.xxx.xxx.203 any
permit esp any host xxx.xxx.xxx.154
permit udp any host xxx.xxx.xxx.154 eq isakmp
permit tcp any host xxx.xxx.xxx.154 eq 443
permit udp any host xxx.xxx.xxx.154 eq 10000
permit tcp any host xxx.xxx.xxx.154 eq 10000
permit udp any host xxx.xxx.xxx.154 eq non500-isakmp
deny tcp any host xxx.xxx.xxx.154 eq 22 <<<<
When your VPN access is up and running, you may be able to lock telnet access to the outside public address, so that you will be able to access the router via the inside IP address through the VPN client.
deny udp any host xxx.xxx.xxx.154 range 1024 65535
permit ip any any
permit tcp any any
permit udp any any
Thanks
My contact info is on my Cisco profile.
02-03-2012 06:04 AM
Hi Nisar,
At last, I just want to tell you that on your outside ACL named RTP-BLOCK, the three lines below are a security threat.
permit ip any any
permit tcp any any
permit udp any any
FYI.. You may want to consider enabling a firewall feature on your router (SMS-RYD-RTR), such as CBAC or Zone-Based Firewall.
Config CBAC.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a0080094e8b.shtml
Config Zone-Based Firewall.
http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml
Take care
Thanks
Rizwan Rafeek
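As an added example (not code from the thread or from Cisco), the following Python models an IOS extended ACL of the RTP-BLOCK shape with first-match evaluation and a small audit: it shows that the NAT-translated VPN ports (ESP, isakmp, 443, non500-isakmp) are reached by their permits, that the trailing `permit ip any any` lets everything else through to the WAN address (for instance TCP/23), and that the two lines after it can never be hit. Addresses are constructed stand-ins (203.0.113.x, 198.51.100.x) for the masked xxx.xxx.xxx.x values in the posts.

```python
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}  # IOS keywords: IKE and NAT-T
WAN = "203.0.113.154"  # constructed stand-in for the masked xxx.xxx.xxx.154

def parse_ace(line):
    # One extended ACE of the shapes used in RTP-BLOCK: any/host, optional eq/range
    t = line.split()
    ace = {"action": t[0], "proto": t[1], "dport": None}
    i = 2
    for field in ("src", "dst"):
        if t[i] == "any":
            ace[field], i = "any", i + 1
        elif t[i] == "host":
            ace[field], i = t[i + 1], i + 2
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        ace["dport"] = range(port, port + 1)
    elif i < len(t) and t[i] == "range":
        ace["dport"] = range(int(t[i + 1]), int(t[i + 2]) + 1)
    return ace

def evaluate(acl, proto, src, dst, dport=None):
    # First-match lookup as IOS does it; ("deny", None) is the implicit deny at the end
    for idx, ace in enumerate(acl):
        proto_ok = ace["proto"] in ("ip", proto)
        addr_ok = ace["src"] in ("any", src) and ace["dst"] in ("any", dst)
        port_ok = ace["dport"] is None or (dport is not None and dport in ace["dport"])
        if proto_ok and addr_ok and port_ok:
            return ace["action"], idx
    return "deny", None

def audit(acl):
    # Flag a 'permit ip any any' catch-all and every ACE shadowed behind it
    for idx, ace in enumerate(acl):
        key = (ace["action"], ace["proto"], ace["src"], ace["dst"], ace["dport"])
        if key == ("permit", "ip", "any", "any", None):
            return {"catch_all": idx, "shadowed": list(range(idx + 1, len(acl)))}
    return {"catch_all": None, "shadowed": []}

# Constructed copy of the thread's RTP-BLOCK (VPN permits first, catch-alls last)
RTP_BLOCK = [parse_ace(l) for l in """
permit esp any host 203.0.113.154
permit udp any host 203.0.113.154 eq isakmp
permit tcp any host 203.0.113.154 eq 443
permit udp any host 203.0.113.154 eq non500-isakmp
deny tcp any host 203.0.113.154 eq 22
deny udp any host 203.0.113.154 range 1024 65535
permit ip any any
permit tcp any any
permit udp any any
""".strip().splitlines()]
```

Dropping the last three entries (`RTP_BLOCK[:6]`) makes the implicit deny take over, which is the effect the CBAC or Zone-Based Firewall suggestion above is aiming for: only the translated VPN ports remain reachable from outside.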
02-03-2012 08:53 AM
Thanks for your support and responses...
Do we have any security issues if I enable the three lines permit ip any any, permit udp any any, permit tcp any any...?
How can I solve my security threats?? Please help me... I couldn't understand the links you sent... I am entry level in Cisco... I am trying to get to my maximum level...
02-03-2012 09:31 AM
Brother Nisar,
"Do we have any security issues if I enable the three lines permit ip any any, permit udp any any, permit tcp any any...?"
Well, you have allowed pretty much anything and everything into your network by those three lines.
"how can i solve my security threats ??"
I posted the links above to configure CBAC or Zone-Based Policy Firewall (ZFW), so please read them and understand them, and test and configure it.
"I couldn't understand the links you sent... I am entry level in Cisco"
I understand your position; however, if you read that documentation from top to bottom, you will find it is very easy to understand. You just have to put in the time and effort to learn it, test it and implement it.
Thanks
Rizwan Rafeek