12-04-2011 11:32 AM - edited 03-04-2019 02:30 PM
Hey guys,
hoping to get a bit of help on a problem that we have had crop up on a Cisco 867 ADSL Router, running version 15.0
One of the guys has a wireless tablet and it sends information to our static public IP address. This is not a problem when the device is outside of the LAN but when he connects internally it does not communicate.
The software transmits on a specific port so we have a mapping from outside in and that works fine but I don't know the best way to go about redirecting the traffic back into the internal server when operating on the LAN.
Any help would be appreciated
Many thanks
12-04-2011 12:47 PM
Try to do the following
Let's say the public ip is 1.1.1.1 and I am assuming you already applied the com and ip nat outside to the outside interface
Create a dummy loopback interface
interface loopback 1
ip address 10.10.10.10 255.255.255.255
ip nat outside
Create policy-based routing, applied on the LAN interface, to send the traffic destined to your public ip to the loopback interface once it hits the LAN interface, so it gets translated back to the server ip
access-list 100 permit ip any host 1.1.1.1
route-map map1
match ip address 100
set interface loopback 1
interface x/x   --- LAN interface
policy map map1
Hope this helps
12-04-2011 01:15 PM
Hi marwanshawi,
Thanks for the quick response.
I have tried to implement the above but the stumbling block I have is in the final section for setting the map of the LAN interface.
The internal interface is Vlan1 and has the default gateway IP address set. When I go to add the "policy map map 1" command it is not recognised.
The policy command is not valid; any other advice that you could provide?
Many thanks
12-04-2011 01:58 PM
Try
interface vlan 1
ip policy route-map map1
12-05-2011 03:28 AM
I have followed the instructions as above but unfortunately it still isn't working, so I'm obviously missing a trick somewhere.
interface Loopback1
ip address 10.10.10.10 255.255.255.255
ip nat outside
ip virtual-reassembly
interface Vlan1
ip address 192.168.50.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map map1
access-list 100 permit ip any host 1.1.1.1 (my public ip)
route-map map1 permit 1
match ip address 100
set interface Loopback1
Just looking over the original feedback, I have assigned the ip nat outside command to my Dialer0 but I don't know what the "com" part is; could this be the problem?
Many thanks again
12-05-2011 06:50 AM
Can you post your nat config
12-05-2011 06:56 AM
ip nat inside source static tcp 192.168.50.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.50.1 443 interface Dialer0 443
ip nat inside source list 10 interface Dialer0 overload
ip nat inside source static tcp 192.168.50.1 2001 interface Dialer0 2001
ip nat inside source static udp 192.168.50.1 2001 interface Dialer0 2001
ip route 0.0.0.0 0.0.0.0 Dialer0
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***
ppp chap password 0 ***
ppp ipcp dns request
no cdp enable
interface Loopback1
ip address 10.10.10.10 255.255.255.255
ip nat outside
interface Vlan1
ip address 192.168.50.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map map1
Hope that is all that you need. Thanks again
12-06-2011 04:07 AM
Can you try this config after you back up your current config
access-list 110 deny ip any host 1.1.1.1   (where 1.1.1.1 is the public ip of your server)
access-list 110 permit ip any any
no ip nat inside source list 10 interface dialer0
ip nat inside source list 110 interface dialer0 overload
Then do clear ip nat translation *
Hope this helps
12-07-2011 08:41 AM
I have done the above but still no joy.
Any other useful things or anywhere I may have missed something out?
Many thanks
12-07-2011 08:52 AM
Hi marwanshawi,
just a thought but is there not a command that I could use that would direct traffic with the public IP address and port across to the internal host?
For example if the communication comes from 192.168.50.0/24 and destined for 1.1.1.1:25 then transfer to 192.168.50.100:25
Thanks
12-07-2011 09:02 AM
Well it's an option
You can try it by removing the set interface loopback
And make it set next-hop 192.168.50.100
Once it works then update ACL 100 to make it more specific to match source destination ip and tcp/udp port
12-08-2011 07:24 AM
Hi, made the change but as things stand it still isn't working. Here is the current config. Thanks again
interface Vlan1
ip address 192.168.50.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map map1
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname ***
ppp chap password 0 ***
ppp ipcp dns request
no cdp enable
ip forward-protocol nd
ip nat inside source static tcp 192.168.50.1 25 interface Dialer0 25
ip nat inside source static tcp 192.168.50.1 443 interface Dialer0 443
ip nat inside source list 110 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 permit ip any host 1.1.1.1
access-list 110 deny ip any host 1.1.1.1
access-list 110 permit ip any any
route-map map1 permit 1
match ip address 100
set ip next-hop 192.168.50.100
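The loopback-and-PBR design discussed in this thread only rewrites the destination of the client's packet. The server then answers the LAN client directly on the 192.168.50.0/24 segment, so the client receives a reply from 192.168.50.1 instead of the 1.1.1.1 it connected to and discards it. The following Python model is an added example, not code from the thread or from the poster's router (the client address 192.168.50.20, the port numbers and the PAT allocation are constructed); it traces both legs of the connection with and without an additional source translation to the loopback address, which is what makes the reply come back through the router.

```python
"""Packet-path model of the hairpin case in this thread (constructed example, not
the poster's router). A Vlan1 client at 192.168.50.20 connects to its own public
address 1.1.1.1:25; ACL 100 policy-routes it to Loopback1 (ip nat outside) where
the static entry rewrites the destination to 192.168.50.1:25."""
from dataclasses import dataclass

PUBLIC_IP, LOOPBACK_IP, SERVER_IP = "1.1.1.1", "10.10.10.10", "192.168.50.1"
LAN_PREFIX = "192.168.50."                      # Vlan1 subnet from the thread
STATIC = {(PUBLIC_IP, 25): (SERVER_IP, 25)}     # ip nat inside source static tcp ...
OVERLOAD = {}                                   # source translations, port -> client

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

def forward(pkt: Packet, translate_source: bool) -> Packet:
    """Outside->inside leg after PBR. The static entry rewrites the destination;
    the client's source is rewritten only when a source translation is configured."""
    dst, dport = STATIC[(pkt.dst, pkt.dport)]
    if not translate_source:
        return Packet(pkt.src, pkt.sport, dst, dport)
    port = 40000 + len(OVERLOAD)                # constructed PAT port allocation
    OVERLOAD[port] = (pkt.src, pkt.sport)
    return Packet(LOOPBACK_IP, port, dst, dport)

def server_reply(delivered: Packet) -> Packet:
    """The server answers whatever source it saw on the delivered packet."""
    return Packet(delivered.dst, delivered.dport, delivered.src, delivered.sport)

def return_path(reply: Packet) -> Packet:
    """A reply addressed to a LAN host stays on the 192.168.50.0/24 segment and never
    reaches the router, so it arrives untranslated. A reply to the loopback is
    un-translated on both sides before it goes back to the client."""
    if reply.dst.startswith(LAN_PREFIX):
        return reply
    pub_ip, pub_port = {v: k for k, v in STATIC.items()}[(reply.src, reply.sport)]
    client_ip, client_port = OVERLOAD[reply.dport]
    return Packet(pub_ip, pub_port, client_ip, client_port)

def client_accepts(sent: Packet, got: Packet) -> bool:
    """TCP only matches a reply whose 4-tuple mirrors the connection it opened."""
    return (got.src, got.sport, got.dst, got.dport) == (sent.dst, sent.dport, sent.src, sent.sport)

def simulate(translate_source: bool) -> bool:
    client = Packet("192.168.50.20", 51000, PUBLIC_IP, 25)  # constructed LAN client
    return client_accepts(client, return_path(server_reply(forward(client, translate_source))))
```

On IOS the missing piece is that extra source translation for LAN clients hitting the public address (for example an outside-source translation, or NAT Virtual Interfaces with ip nat enable and ip nat source), so that the server's reply is addressed to the router rather than straight to the client.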