10-19-2010 03:07 PM - edited 03-04-2019 10:10 AM
I have a Cisco Catalyst 3725 router running IOS 12.4 and I am having substantial difficulties trying to get the router to forward traffic from a public IP address to an interface. I have two bonded T1's in a multilink group and one public IP assigned to the multilink interface. I have a private LAN IP assigned to FastEthernet0/0 which connects our office network to the internet.
Our teleworker server has two network connections. One connection has a static LAN IP which responds fine on our network. The other interface that is supposed to be public facing has a hardcoded, unchangeable public IP address. I have connected this public facing interface to FastEthernet0/1. Our public IP block includes multiple addresses, of which the teleworker has one. Our remote phones are supposed to connect to the public IP address of the teleworker server to function correctly. FastEthernet0/1 does not have any ip address assigned to it at this time.
What I need to have happen here is to have the router pick up any traffic coming in on our teleworker public IP address and forward it through FastEthernet0/1 to the teleworker server. I also need to have the teleworker server send traffic back out. The teleworker server's hardcoded public IP address must be on a public facing connection with no firewall between it and the outside world (apparently it has its own internal firewall).
How do I configure the router to do this?
10-19-2010 03:12 PM
brainboy17 wrote:
I have a Cisco Catalyst 3725 router running IOS 12.4 and I am having substantial difficulties trying to get the router to forward traffic from a public IP address to an interface. I have two bonded T1's in a multilink group and one public IP assigned to the multilink interface. I have a private LAN IP assigned to FastEthernet0/0 which connects our office network to the internet.
Our teleworker server has two network connections. One connection has a static LAN IP which responds fine on our network. The other interface that is supposed to be public facing has a hardcoded, unchangeable public IP address. I have connected this public facing interface to FastEthernet0/1. Our public IP block includes multiple addresses, of which the teleworker has one. Our remote phones are supposed to connect to the public IP address of the teleworker server to function correctly. FastEthernet0/1 does not have any ip address assigned to it at this time.
What I need to have happen here is to have the router pick up any traffic coming in on our teleworker public IP address and forward it through FastEthernet0/1 to the teleworker server. I also need to have the teleworker server send traffic back out. The teleworker server's hardcoded public IP address must be on a public facing connection with no firewall between it and the outside world (apparently it has its own internal firewall).
How do I configure the router to do this?
If the public interface of the teleworker server is connected to fa0/1 then configure fa0/1 with an IP from the same public IP range, otherwise how will router and teleworker server communicate ?
Edit - Chris is the problem that you have allocated the outside interface from that public IP range ?? If so can the teleworker server actually have a private IP on its "public" facing interface and then you can NAT that on the router using one of your public IPs ?
Jon
10-19-2010 03:51 PM
The teleworker's IP settings are unchangeable for the public facing side. The Teleworker must have connectivity to an unfiltered public connection with no firewall.
I've tried assigning Fa0/1 the same IP that the teleworker server uses for its default gateway and it still doesn't work. How do I configure the router to simply forward all traffic destined for the teleworker's public IP address?
10-19-2010 04:21 PM
Why is the teleworker public IP address so unchangeable? That requirement is driving the design into a corner that's not so supportable.
Router config aside it creates an environment where the server must carry its own routing table; this always results in misery.
Concept: Let the network route and servers serve.
My recommendation is to get rid of the separate physical public interface on the teleworker server. NAT this traffic on the router to the private LAN address of the teleworker server.
If your T1 multilink has a /30 for connectivity that routes another net block representing your public IP's then you can create a DMZ of sorts that would enable the teleworker server to keep the public IP address. If the teleworker server keeps the public IP then get rid of the separate LAN interface; see concept above.
If the routeable public netblock is in the same subnet as the multilink interface then NAT is the only reasonable option.
Chris
10-19-2010 04:30 PM
The teleworker server is a proprietary Mitel platform that I cannot change. I am not a VOIP engineer, nor do I particularly want to start digging around in a system I know absolutely nothing about either. This was working before on an Edgewater 4500T4 router that we were leasing from our ISP. I can't believe that of all the capabilities this Cisco 3725 has, the ability to simply forward packets destined for a specific public IP to a specific interface on the device isn't one of them.
10-19-2010 04:38 PM
There is a way to force a /32 (host) route out an interface. It's a terrible design and without seeing the complete router config I'd not recommend it. My point is there has to be a better solution that will grow and scale with your organization.
Edit: I haven't touched on the security problems with a host straddling public and private networks, which are numerous.
Chris
10-19-2010 05:07 PM
The entire Mitel system is terribly designed, to be honest, and we're going to be moving away from an in-house voip system anyway. Case in point, I don't care how bad the design is or how it's "not recommended". I want the Cisco device to forward traffic coming in on my multilink T1 bundle to the public IP address that the Teleworker has assigned to it and I want the Cisco to take packets from the teleworker's public IP address and shove it back out the same way. So if you know of a way to make that happen, I would be exceedingly grateful for the insight. I've been working on this all day today and have come up with nothing. The public IP address my teleworker machine has assigned to it is 206.15.67.23 and its default gateway is 206.15.67.17. Here is my current router config:
Building configuration...
Current configuration : 6791 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TYR
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name e-dsi.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Multilink1
description TWTC MLPPP Link Bundle$FW_OUTSIDE$
ip address 207.67.92.202 255.255.255.252
ip access-group 101 in
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
no cdp enable
ppp multilink
ppp multilink fragment delay 500
ppp multilink group 1
!
interface FastEthernet0/0
description Inside interface to LAN network.
ip address 192.168.100.2 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface Serial0/0
description TWTC MultiLink Interface #1
no ip address
encapsulation ppp
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
!
interface FastEthernet0/1
description Teleworker server interface.$ETH-WAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
duplex auto
speed auto
no mop enabled
!
interface Serial0/1
description TWTC MultiLink Interface #2
no ip address
encapsulation ppp
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
!
interface Serial0/2
description TWTC MultiLink Interface #3
no ip address
encapsulation ppp
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
!
router rip
network 207.67.92.0
no auto-summary
!
no ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.67.92.201
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248
ip nat inside source list 1 interface Multilink1 overload
ip nat inside source static tcp 192.168.100.8 1723 interface Multilink1 1723
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 207.67.92.200 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Allowance for Teleworker Server
access-list 101 permit ip any host 206.15.67.23
access-list 101 permit tcp any host 207.67.92.202 eq 1723
access-list 101 permit gre any host 207.67.92.202
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any host 207.67.92.202 echo-reply
access-list 101 permit icmp any host 207.67.92.202 time-exceeded
access-list 101 permit icmp any host 207.67.92.202 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
no cdp run
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
login authentication local_authen
speed 115200
line aux 0
login authentication local_authen
line vty 0 4
password 7
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
!
end
10-19-2010 05:23 PM
I think the following may work with your config:
int fa0/1
ip address 206.15.67.17 255.255.255.240
exit
This should not conflict with your dynamic NAT and route the teleworker's properly.
Chris
10-20-2010 09:54 AM
This worked perfectly. Many thanks for your insight. Would you mind sharing how you came up with that solution? I'm curious for the sake of expanding my own knowledge into Cisco hardware.
10-20-2010 10:05 AM
Chris
If the Mitel server has a default-gateway of 205.15.67.17 then it will send all packets to this address. So that was what I meant when I said allocate an IP to the fa0/1 interface on your router. In fact you said in your original reply to me -
I've tried assigning Fa0/1 the same IP that the teleworker server uses for its default gateway and it still doesn't work. How do I configure the router to simply forward all traffic destined for the teleworker's public IP address?
but this seems to be exactly the solution that worked for you.
Have I misunderstood ?
Jon
10-20-2010 05:55 PM
Perhaps Chris T. had a bad subnet mask on fa0/1 the first time he attempted to put the teleworker server's default gateway address on it.
Chris T,
My approach to your problem was to first determine how NAT works in your environment. These are the pertinent commands from your config:
interface Multilink1
ip nat outside
interface FastEthernet0/0
ip nat inside
ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248
ip nat inside source list 1 interface Multilink1 overload
ip nat inside source static tcp 192.168.100.8 1723 interface Multilink1 1723
I was specifically looking for static nat that may conflict with your teleworker netblock; I found none.
There is only dynamic NAT and that is for hosts behind fa0/0 destined to the internet via Mu1. These hosts assume the address of the Mu1 interface so no conflict there.
I did notice a nat pool that not only overlaps with the teleworker netblock but it contains the teleworker server address. This pool is not invoked anywhere so it's no factor. In fact this pool should be deleted to avoid confusion in the future.
no ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248
At this point it was clear the teleworker netblock is isolated and should be assigned to the fa0/1 interface. For some reason this interface had an address of 192.168.1.1. The 192.168.1.1 address didn't fit the scenario and it seemed an acceptable risk to replace it. You told us the teleworker server had an IP address of 206.15.67.23 and a default gateway of 206.15.67.17. The only question left; what's the subnet mask?
Evaluating the host and gateway addresses it appeared the smallest subnet possible was a /28 (255.255.255.240). If a /29 was selected the teleworker address would represent the broadcast address of the subnet; therefore it shouldn't be a /29.
Something to keep in mind in the future. These days public IPv4 space is sparse and folks want to use it very efficiently. Assigning an address to an Ethernet interface will render two addresses unusable; the network and broadcast addresses. In this case 206.15.67.16 and 206.15.67.31. In order to use all 16 addresses in a /28 NAT can be utilized instead of allowing a physical interface to participate in the public netblock.
Chris
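The two checks Chris walks through above (is any NAT pool or static translation going to collide with the teleworker netblock, and what is the smallest mask that puts both the server and its gateway on usable addresses) are mechanical enough to script. The following is an added example, my own code and not from the thread or from Cisco: it parses the NAT-relevant lines from the posted config (constructed sample below, copied from the "show run" in the thread), reports pool and static-NAT overlap with the teleworker block, then derives the /28 by the same network/broadcast argument Chris used. Function and variable names are my own assumptions.

```python
# Added example (not from the thread): reproduce Chris's NAT-conflict check and
# subnet-mask derivation against the NAT-relevant lines of the posted config.
import ipaddress

# Constructed sample: the NAT-relevant lines of the posted running config.
SAMPLE_CONFIG = """\
interface Multilink1
 ip address 207.67.92.202 255.255.255.252
 ip nat outside
interface FastEthernet0/0
 ip address 192.168.100.2 255.255.255.0
 ip nat inside
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248
ip nat inside source list 1 interface Multilink1 overload
ip nat inside source static tcp 192.168.100.8 1723 interface Multilink1 1723
"""

TELEWORKER_HOST = "206.15.67.23"     # stated in the thread
TELEWORKER_GATEWAY = "206.15.67.17"  # stated in the thread


def parse_config(text):
    """Collect interface addresses, NAT pools, pools referenced by a
    translation rule, and the global side of each static translation."""
    ifaces, pools, used, static_globals = {}, {}, set(), []
    current = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "interface":
            current = tok[1]
        elif tok[:2] == ["ip", "address"] and current:
            ifaces[current] = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
        elif tok[:3] == ["ip", "nat", "pool"]:
            pools[tok[3]] = (ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5]))
        elif tok[:4] == ["ip", "nat", "inside", "source"] and tok[4] == "list" and "pool" in tok:
            used.add(tok[tok.index("pool") + 1])
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            rest = tok[5:]
            rest = rest[1:] if rest[0] in ("tcp", "udp") else rest
            i = 2 if rest[1].isdigit() else 1   # skip the local port if present
            static_globals.append(("iface", rest[i + 1]) if rest[i] == "interface"
                                  else ("ip", rest[i]))
    return ifaces, pools, used, static_globals


def nat_conflicts(parsed, netblock):
    """Findings in the order Chris checked them: pools overlapping the block
    (and whether they are actually invoked), then static translations whose
    global address lands in the block, then interfaces already in the block."""
    ifaces, pools, used, static_globals = parsed
    net = ipaddress.ip_network(netblock)
    findings = []
    for name, (lo, hi) in pools.items():
        overlaps = lo <= net.broadcast_address and hi >= net.network_address
        findings.append({"kind": "pool", "name": name, "overlaps": overlaps, "used": name in used})
    for kind, value in static_globals:
        addr = ifaces[value].ip if kind == "iface" else ipaddress.ip_address(value)
        findings.append({"kind": "static", "global": str(addr), "overlaps": addr in net})
    for ifname, intf in ifaces.items():
        if intf.network.overlaps(net):
            findings.append({"kind": "interface", "name": ifname, "overlaps": True})
    return findings


def smallest_subnet(host, gateway):
    """Smallest prefix containing both addresses where neither falls on the
    network or broadcast address (this is why /29 is rejected and /28 chosen)."""
    h, g = ipaddress.ip_address(host), ipaddress.ip_address(gateway)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{h}/{prefix}", strict=False)
        edges = {net.network_address, net.broadcast_address}
        if g in net and h not in edges and g not in edges:
            return net
    raise ValueError("no usable subnet")


def interface_config(ifname, gateway, net):
    """Render the interface stanza that results from the derived mask."""
    return f"interface {ifname}\n ip address {gateway} {net.netmask}\n"


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for finding in nat_conflicts(parsed, "206.15.67.16/28"):
        print(finding)
    net = smallest_subnet(TELEWORKER_HOST, TELEWORKER_GATEWAY)
    print(net, "unusable:", net.network_address, net.broadcast_address)
    print(interface_config("FastEthernet0/1", TELEWORKER_GATEWAY, net))
```

Run against the sample, the pool finding comes back overlapping but unused (the one Chris says to delete), the PPTP static translation sits on the Multilink1 address and does not touch the block, and the derived subnet is 206.15.67.16/28 with .16 and .31 unusable, which is exactly the `ip address 206.15.67.17 255.255.255.240` line that fixed the problem.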