07-16-2010 03:40 AM - edited 03-04-2019 09:05 AM
Dear all,
I have a Cisco router 2821 and a switch 3560G.
The 2821 is used for the Internet connection and connects to the switch 3560G.
On the switch 3560G I created 2 VLANs (one for servers and the other one for clients).
On the 2821:
Gi0/0: 203.189.12.10
Gi0/1: 10.10.10.1
On the switch 3560G:
G0/1: 10.10.10.2, connected to the router 2821.
Vlan: 20.20.20.1, server VLAN
Vlan: 30.30.30.1, client VLAN
So I would like to allow Remote Desktop, SMTP and POP3 from outside to inside (20.20.20.10)?
1- How can we configure this on the router?
2- How about the switch 3560G: do we just do routing only, or do we need to add ip nat .......?
Best Regards,
Rechard
07-16-2010 03:46 AM
Hi Rechard,
NAT the server (20.20.20.10) in the router to a public IP, with the RDP, SMTP and POP3 ports allowed open.
Hope to help !!
Ganesh.H
Remember to rate the helpful post
07-16-2010 04:07 AM
Dear Ganesh.H,
It should be like this?
ip nat inside source static tcp 20.20.20.10 25 interface f0/0 25 extendable
ip nat inside source static tcp 20.20.20.10 110 interface f0/0 110 extendable
access-list 103 permit tcp any eq smtp host 20.20.20.10 eq smtp
access-list 103 permit tcp any eq pop3 host 20.20.20.10 eq pop3
Best Regards,
Rechard
07-16-2010 04:24 AM
Hi Rechard,
The following configuration will let users access the local LAN server on the SMTP/POP3 ports. As it will be from the Internet, which means anybody can connect to your server, I don't think an ACL is required.
ip nat inside source static 20.20.20.10 172.16.131.1 (public ip)
interface e 0
ip address 20.20.20.254 255.255.255.0
ip nat inside
interface s 0
ip address 172.16.130.2 255.255.255.0
ip nat outside
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
Hope to help !!
Ganesh.H
Remember to rate the helpful post
07-16-2010 07:24 AM
Hello,
I am assuming that you have not configured CBAC or ZBF on the router. With that assumption, I would suggest you configure access-lists that allow return traffic from the Internet to your internal hosts (if they are browsing via the router). Also, the access-list is slightly off in that the source port will not be SMTP or POP3 when you are accessing the servers.
ip nat inside source static tcp 20.20.20.10 25 interface f0/0 25 extendable
ip nat inside source static tcp 20.20.20.10 110 interface f0/0 110 extendable
access-list 103 permit tcp any host
access-list 103 permit tcp any host
access-list 103 permit tcp any any ack
access-list 103 deny tcp any any syn
access-list 103 permit ip any any
With this, all the return traffic will be allowed (even though this allows UDP/ICMP seamlessly, you can restrict them also if you like) without any issues. Hope this helps.
Regards,
NT
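To tie the thread together, here is a router-side configuration as an added example (it is not any poster's config): it publishes only TCP 25, 110 and 3389 of 20.20.20.10 on the outside address, filters on the destination port rather than the source port as NT pointed out, and uses the `established` keyword in place of the ack/syn pair; the 3560G needs no NAT at all, only routing. Because IOS evaluates the inbound ACL before outside-to-inside translation, the filter matches the public address, not 20.20.20.10. Assumed: a /24 on Gi0/0, Gi0/1 = 10.10.10.1, RDP on TCP 3389, and no CBAC/ZBF on the router.

```cisco
! --- Outside interface (public side); address from the question, /24 mask assumed ---
interface GigabitEthernet0/0
 ip address 203.189.12.10 255.255.255.0
 ip nat outside
 ip access-group OUTSIDE_IN in
!
! --- Inside interface toward the 3560G (10.10.10.0/24 link from the question) ---
interface GigabitEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
! The 3560G routes between its VLANs; the router only needs routes back to them
ip route 20.20.20.0 255.255.255.0 10.10.10.2
ip route 30.30.30.0 255.255.255.0 10.10.10.2
!
! Many-to-one PAT so both VLANs can browse through the outside address
ip access-list standard INSIDE_NETS
 permit 20.20.20.0 0.0.0.255
 permit 30.30.30.0 0.0.0.255
ip nat inside source list INSIDE_NETS interface GigabitEthernet0/0 overload
!
! Static PAT: expose only the three required TCP ports of the server.
! Syntax is local-ip local-port ... global-port; the local port must be given.
ip nat inside source static tcp 20.20.20.10 25 interface GigabitEthernet0/0 25 extendable
ip nat inside source static tcp 20.20.20.10 110 interface GigabitEthernet0/0 110 extendable
ip nat inside source static tcp 20.20.20.10 3389 interface GigabitEthernet0/0 3389 extendable
!
! Inbound filter on the outside interface. It is checked before NAT for outside-to-inside
! packets, so it matches the public address, and it matches the DESTINATION port:
! a client's source port is a random high port, never 25/110/3389.
ip access-list extended OUTSIDE_IN
 remark published server ports only
 permit tcp any host 203.189.12.10 eq smtp
 permit tcp any host 203.189.12.10 eq pop3
 permit tcp any host 203.189.12.10 eq 3389
 remark return traffic for TCP sessions opened from inside (ACK or RST set)
 permit tcp any any established
 remark stateless approximation for DNS replies; CBAC/ZBF would handle UDP properly
 permit udp any eq domain any
 remark ICMP needed for path-MTU discovery and troubleshooting
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny ip any any log
```

Other UDP services the clients rely on (NTP, for example) need their own reply entries under this stateless model, which is the main reason to prefer CBAC or ZBF for return traffic when the IOS image supports it.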