Problem forwarding traffic from public IP to an interface - Cisco 3725

brainboy17
Level 1

I have a Cisco Catalyst 3725 router running IOS 12.4 and I am having substantial difficulties trying to get the router to forward traffic from a public IP address to an interface. I have two bonded T1's in a multilink group and one public IP assigned to the multilink interface. I have a private LAN IP assigned to FastEthernet0/0 which connects our office network to the internet.


Our teleworker server has two network connections. One connection has a static LAN IP which responds fine on our network. The other interface that is supposed to be public facing has a hardcoded, unchangeable public IP address. I have connected this public facing interface to FastEthernet0/1. Our public IP block includes multiple addresses, of which the teleworker has one. Our remote phones are supposed to connect to the public IP address of the teleworker server to function correctly. FastEthernet0/1 does not have any ip address assigned to it at this time.

What I need to have happen here is to have the router pick up any traffic coming in on our teleworker public IP address and forward it through FastEthernet0/1 to the teleworker server. I also need to have the teleworker server send traffic back out. The teleworker server's hardcoded public IP address must be on a public facing connection with no firewall between it and the outside world (apparently it has its own internal firewall).

How do I configure the router to do this?


Jon Marshall
Hall of Fame

brainboy17 wrote:

I have a Cisco Catalyst 3725 router running IOS 12.4 and I am having substantial difficulties trying to get the router to forward traffic from a public IP address to an interface. I have two bonded T1's in a multilink group and one public IP assigned to the multilink interface. I have a private LAN IP assigned to FastEthernet0/0 which connects our office network to the internet.

Our teleworker server has two network connections. One connection has a static LAN IP which responds fine on our network. The other interface that is supposed to be public facing has a hardcoded, unchangeable public IP address. I have connected this public facing interface to FastEthernet0/1. Our public IP block includes multiple addresses, of which the teleworker has one. Our remote phones are supposed to connect to the public IP address of the teleworker server to function correctly. FastEthernet0/1 does not have any ip address assigned to it at this time.

What I need to have happen here is to have the router pick up any traffic coming in on our teleworker public IP address and forward it through FastEthernet0/1 to the teleworker server. I also need to have the teleworker server send traffic back out. The teleworker server's hardcoded public IP address must be on a public facing connection with no firewall between it and the outside world (apparently it has its own internal firewall).

How do I configure the router to do this?

If the public interface of the teleworker server is connected to fa0/1 then configure fa0/1 with an IP from the same public IP range, otherwise how will router and teleworker server communicate?

Edit - Chris, is the problem that you have allocated the outside interface from that public IP range? If so, can the teleworker server actually have a private IP on its "public" facing interface and then you can NAT that on the router using one of your public IPs?

Jon

The teleworker's IP settings are unchangeable for the public facing side. The Teleworker must have connectivity to an unfiltered public connection with no firewall.

I've tried assigning Fa0/1 the same IP that the teleworker server uses for its default gateway and it still doesn't work. How do I configure the router to simply forward all traffic destined for the teleworker's public IP address?

Why is the teleworker public IP address so unchangeable?  That requirement is driving the design into a corner that's not so supportable. 

Router config aside, it creates an environment where the server must carry its own routing table; this always results in misery.

Concept:  Let the network route and servers serve.

My recommendation is to get rid of the separate physical public interface on the teleworker server.  NAT this traffic on the router to the private LAN address of the teleworker server. 

If your T1 multilink has a /30 for connectivity that routes another net block representing your public IPs then you can create a DMZ of sorts that would enable the teleworker server to keep the public IP address. If the teleworker server keeps the public IP then get rid of the separate LAN interface; see concept above.

If the routable public netblock is in the same subnet as the multilink interface then NAT is the only reasonable option.


Chris

The teleworker server is a proprietary Mitel platform that I cannot change. I am not a VOIP engineer, nor do I particularly want to start digging around in a system I know absolutely nothing about either. This was working before on an Edgewater 4500T4 router that we were leasing from our ISP. I can't believe that of all the capabilities this Cisco 3725 has, the ability to simply forward packets destined for a specific public IP to a specific interface on the device isn't one of them.

There is a way to force a /32 (host) route out an interface.  It's a terrible design and without seeing the complete router config I'd not recommend it.  My point is there has to be a better solution that will grow and scale with your organization. 


Edit: I haven't touched on the security problems with a host straddling public and private networks, which are numerous.


Chris

The entire Mitel system is terribly designed, to be honest, and we're going to be moving away from an in-house VoIP system anyway. Case in point, I don't care how bad the design is or how it's "not recommended". I want the Cisco device to forward traffic coming in on my multilink T1 bundle to the public IP address that the Teleworker has assigned to it and I want the Cisco to take packets from the teleworker's public IP address and shove them back out the same way. So if you know of a way to make that happen, I would be exceedingly grateful for the insight. I've been working on this all day today and have come up with nothing. The public IP address my teleworker machine has assigned to it is 206.15.67.23 and its default gateway is 206.15.67.17. Here is my current router config:

Building configuration...

Current configuration : 6791 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TYR
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
no ip source-route
ip cef
!
no ip bootp server
ip domain name e-dsi.com
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username privilege 15 secret 5
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
interface Null0
 no ip unreachables
!
interface Multilink1
 description TWTC MLPPP Link Bundle$FW_OUTSIDE$
 ip address 207.67.92.202 255.255.255.252
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 no cdp enable
 ppp multilink
 ppp multilink fragment delay 500
 ppp multilink group 1
!
interface FastEthernet0/0
 description Inside interface to LAN network.
 ip address 192.168.100.2 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/0
 description TWTC MultiLink Interface #1
 no ip address
 encapsulation ppp
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/1
 description Teleworker server interface.$ETH-WAN$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 no mop enabled
!
interface Serial0/1
 description TWTC MultiLink Interface #2
 no ip address
 encapsulation ppp
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2
 description TWTC MultiLink Interface #3
 no ip address
 encapsulation ppp
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
router rip
 network 207.67.92.0
 no auto-summary
!
no ip classless
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.67.92.201
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248
ip nat inside source list 1 interface Multilink1 overload
ip nat inside source static tcp 192.168.100.8 1723 interface Multilink1 1723
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 207.67.92.200 0.0.0.3 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark Allowance for Teleworker Server
access-list 101 permit ip any host 206.15.67.23
access-list 101 permit tcp any host 207.67.92.202 eq 1723
access-list 101 permit gre any host 207.67.92.202
access-list 101 deny   ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any host 207.67.92.202 echo-reply
access-list 101 permit icmp any host 207.67.92.202 time-exceeded
access-list 101 permit icmp any host 207.67.92.202 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 login authentication local_authen
 speed 115200
line aux 0
 login authentication local_authen
line vty 0 4
 password 7
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
!
end

I think the following may work with your config:

int fa0/1
 ip address 206.15.67.17 255.255.255.240
exit

This should not conflict with your dynamic NAT and should route the teleworker's traffic properly.


Chris

This worked perfectly. Many thanks for your insight. Would you mind sharing how you came up with that solution? I'm curious for the sake of expanding my own knowledge into Cisco hardware.

Chris

If the Mitel server has a default gateway of 205.15.67.17 then it will send all packets to this address. So that was what I meant when I said allocate an IP to the fa0/1 interface on your router. In fact you said in your original reply to me -

I've tried assigning Fa0/1 the same IP that the teleworker server uses for its default gateway and it still doesn't work. How do I configure the router to simply forward all traffic destined for the teleworker's public IP address?

but this seems to be exactly the solution that worked for you.

Have i misunderstood ?

Jon

Perhaps Chris T. had a bad subnet mask on fa0/1 the first time he attempted to put the teleworker servers default gateway address on it.


Chris T,

My approach to your problem was to first determine how NAT works in your environment. These are the pertinent commands from your config:


interface Multilink1
ip nat outside

interface FastEthernet0/0
ip nat inside

ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248
ip nat inside source list 1 interface Multilink1 overload
ip nat inside source static tcp 192.168.100.8 1723 interface Multilink1 1723

I was specifically looking for static NAT that may conflict with your teleworker netblock; I found none.

There is only dynamic NAT and that is for hosts behind fa0/0 destined to the internet via Mu1. These hosts assume the address of the Mu1 interface so no conflict there.

I did notice a NAT pool that not only overlaps with the teleworker netblock but contains the teleworker server address. This pool is not invoked anywhere so it's no factor. In fact this pool should be deleted to avoid confusion in the future.

no ip nat pool Public_IP_Pool 206.15.67.20 206.15.67.23 netmask 255.255.255.248

At this point it was clear the teleworker netblock is isolated and should be assigned to the fa0/1 interface. For some reason this interface had an address of 192.168.1.1. The 192.168.1.1 address didn't fit the scenario and it seemed an acceptable risk to replace it. You told us the teleworker server had an IP address of 206.15.67.23 and a default gateway of 206.15.67.17. The only question left: what's the subnet mask?

Evaluating the host and gateway addresses it appeared the smallest subnet possible was a /28 (255.255.255.240). If a /29 was selected the teleworker address would represent the broadcast address of the subnet; therefore it shouldn't be a /29.

Something to keep in mind in the future. These days public IPv4 space is sparse and folks want to use it very efficiently. Assigning an address to an Ethernet interface will render two addresses unusable: the network and broadcast addresses. In this case 206.15.67.16 and 206.15.67.31. In order to use all 16 addresses in a /28, NAT can be utilized instead of allowing a physical interface to participate in the public netblock.


Chris
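Added example (not from the thread): Chris's subnet-mask reasoning and the NAT pool overlap check, worked through with Python's standard ipaddress module. It uses only the addresses quoted in the thread (server 206.15.67.23, gateway 206.15.67.17, pool 206.15.67.20-.23) and also handles the general case of any number of hosts that must share a subnet.

```python
import ipaddress

# Values quoted in the thread: the Mitel teleworker server, its gateway, and
# the unused NAT pool Chris recommended deleting.
TELEWORKER = "206.15.67.23"
GATEWAY = "206.15.67.17"
POOL_START, POOL_END = "206.15.67.20", "206.15.67.23"


def unusable_reason(host, prefix):
    """Why `host` cannot be a host address in the /prefix subnet containing it:
    'network', 'broadcast', or None if it is a usable host address."""
    net = ipaddress.ip_network((host, prefix), strict=False)
    addr = ipaddress.ip_address(host)
    if addr == net.network_address:
        return "network"
    if addr == net.broadcast_address:
        return "broadcast"
    return None


def smallest_usable_subnet(hosts):
    """Smallest IPv4 subnet (longest prefix) in which every address in `hosts`
    is a usable host address. This is Chris's argument: start at /30 and widen
    until neither the server nor its gateway lands on network/broadcast."""
    for prefix in range(30, 7, -1):
        net = ipaddress.ip_network((hosts[0], prefix), strict=False)
        if all(ipaddress.ip_address(h) in net and unusable_reason(h, prefix) is None
               for h in hosts):
            return net
    return None


def nat_pool_contains(pool_start, pool_end, host):
    """True if `host` lies in the inclusive NAT pool range, i.e. the pool
    overlaps an address a real host already owns."""
    lo, hi, x = (ipaddress.ip_address(v) for v in (pool_start, pool_end, host))
    return lo <= x <= hi


def interface_cost(net):
    """Addresses lost to the network/broadcast pair once the router's Ethernet
    interface joins the public block, plus the remaining usable host count."""
    return (str(net.network_address), str(net.broadcast_address), net.num_addresses - 2)


if __name__ == "__main__":
    print(unusable_reason(TELEWORKER, 29))                    # broadcast
    net = smallest_usable_subnet([TELEWORKER, GATEWAY])
    print(net, net.netmask)                                    # 206.15.67.16/28 255.255.255.240
    print(nat_pool_contains(POOL_START, POOL_END, TELEWORKER)) # True
    print(interface_cost(net))                                 # ('206.15.67.16', '206.15.67.31', 14)
```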
