05.02.2008 at 06:12AM PDT, ID: 23371427
Cisco 871 - NAT through to IP address on a different network?

Asked by nmxsupport in Cisco PIX Firewall, Networking Hardware Firewalls

Hello,

We have a Cisco 871 router which sits on a 192.168.10.0/24 LAN. This Cisco also has a static route to the 172.17.0.0/16 LAN. Internally we can access SSL at 172.17.0.2, but creating a NAT rule for SSL on the external interface to this same address does not work. Creating a NAT rule for SSL to an IP address on the LAN works fine. Not sure where I should be going with this!
Can anyone help please?

Thanks
Building configuration...
 
Current configuration : 8303 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$bfzO$oRE32PkYzY44AFpsNHonA.
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxx
ip name-server 212.135.1.36
ip name-server 195.40.1.36
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-3608959572
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3608959572
 revocation-check none
 rsakeypair TP-self-signed-3608959572
!
!
crypto pki certificate chain TP-self-signed-3608959572
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33363038 39353935 3732301E 170D3032 30333031 30303035 
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36303839 
  35393537 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100C689 44472A39 5FC031B4 C9ED980E FE9BA605 5AE8745B 15287BA3 44637D4B 
  104C072E 23B63B82 04A7FA8B 478E401E 3F1CE123 D49747C3 E443B1D3 070E828B 
  26CCDA12 19D6181D 7AE74C7B 9AB769FF B6564759 B1B94CCE 730E1EE9 B2751570 
  793F5886 B0FF9E4D 7DDD664C 423107DA 1560AD2E 5C305BE6 F9F7F54D D0D774FD 
  BCCF0203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603 
  551D1104 1A301882 16636973 636F2D64 7262792E 7069636B 65766572 61726430 
  1F060355 1D230418 30168014 4CF3039D 4E9257D8 92B7B117 F6EFE209 3B31CFFA 
  301D0603 551D0E04 1604144C F3039D4E 9257D892 B7B117F6 EFE2093B 31CFFA30 
  0D06092A 864886F7 0D010104 05000381 81000E01 C8470A84 E2939644 F68FAF50 
  77E82A9C 218ED826 24273A93 99BC9F2A 9B8A5021 8EDF9835 41A1E8E3 D2D2A96D 
  7D60FA95 78FDD6F3 297C6120 2CBC07A1 FCC2E6E1 4B58C0BC 3834EA43 04CF0C64 
  A5C5AE07 715F8E99 EF986628 7B1EDBC5 7C272580 3BA66EB8 699C7B32 B9120EF6 
  FBA455FE 73ECBA21 B8279A62 812DA236 72F9
  quit
username admin privilege 15 secret 5 $1$2BBv$nlWp7WumXCzaSBuoXaF8H0
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxx address 1.2.69.234
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to1.2.69.234
 set peer 1.2.69.234
 set transform-set ESP-3DES-SHA 
 match address 102
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 1.2.156.26 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.10.200 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1400
!
ip classless
ip route 0.0.0.0 0.0.0.0 1.2.156.25
ip route 172.17.0.0 255.255.0.0 192.168.10.10
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 172.17.0.2 443 interface FastEthernet4 4443
ip nat inside source static tcp 192.168.10.1 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.10.1 3389 interface FastEthernet4 24041
ip nat inside source static tcp 192.168.10.40 3389 interface FastEthernet4 24101
ip nat inside source static tcp 192.168.10.43 3389 interface FastEthernet4 24005
ip nat inside source static tcp 192.168.10.1 25 interface FastEthernet4 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 1.2.156.24 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark RDP server
access-list 101 permit tcp any host 1.2.156.26 eq 24041
access-list 101 remark RDP user's PC
access-list 101 permit tcp any host 1.2.156.26 eq 24101
access-list 101 remark RDP user's PC
access-list 101 permit tcp any host 1.2.156.26 eq 24005
access-list 101 remark OWA
access-list 101 permit tcp any host 1.2.156.26 eq 443
access-list 101 remark HTTPS access to Mitel (172.17.0.2)
access-list 101 permit tcp any host 1.2.156.26 eq 4443
access-list 101 remark SMTP in
access-list 101 permit tcp any host 1.2.156.26 eq smtp
access-list 101 remark ******************************
access-list 101 permit tcp any host 192.168.10.1 eq smtp
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.0.0.0 0.0.255.255 192.168.10.0 0.0.0.255
access-list 101 remark ******************************
access-list 101 permit ip 0.0.0.0 255.255.0.0 0.0.0.0 255.255.0.0
access-list 101 permit udp host 1.2.69.234 host 1.2.156.26 eq non500-isakmp
access-list 101 permit udp host 1.2.69.234 host 1.2.156.26 eq isakmp
access-list 101 permit esp host 1.2.69.234 host 1.2.156.26
access-list 101 permit ahp host 1.2.69.234 host 1.2.156.26
access-list 101 permit udp host 195.40.1.36 eq domain host 1.2.156.26
access-list 101 permit udp host 212.135.1.36 eq domain host 1.2.156.26
access-list 101 permit icmp any host 1.2.156.26 echo-reply
access-list 101 permit icmp any host 1.2.156.26 time-exceeded
access-list 101 permit icmp any host 1.2.156.26 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.255.255
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
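The question asks why a static NAT to 172.17.0.2, a host reached through the 192.168.10.10 next-hop, fails while the same kind of NAT to hosts on the directly connected 192.168.10.0/24 LAN works. The script below is an added example, not code from the question or from any Expert's answer. It audits each static port-forward in the posted configuration against three things a defender checks before blaming the NAT statement itself: which interface the router uses to reach the inside host and whether that interface is marked `ip nat inside`, whether the host is directly connected or sits behind another router, and whether the inbound ACL on the outside interface permits the global port. The embedded config text is an excerpt of the configuration posted above; the `PORT_NAMES` table, the `audit` output fields and the helper names are my own. One general IOS NAT fact it flags: when the inside host is behind another router, its replies must come back through this router's `ip nat inside` interface, otherwise the translation is never reversed.

```python
"""Audit static port-forwards in a Cisco IOS running-config (added example)."""
import ipaddress
import re

# Excerpt of the configuration posted in the question; only the lines the
# audit needs are kept. In practice feed the full 'show running-config' text.
CONFIG = """\
interface FastEthernet4
 ip address 1.2.156.26 255.255.255.248
 ip access-group 101 in
 ip nat outside
interface Vlan1
 ip address 192.168.10.200 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 1.2.156.25
ip route 172.17.0.0 255.255.0.0 192.168.10.10
ip nat inside source static tcp 172.17.0.2 443 interface FastEthernet4 4443
ip nat inside source static tcp 192.168.10.1 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.10.1 3389 interface FastEthernet4 24041
ip nat inside source static tcp 192.168.10.1 25 interface FastEthernet4 25
access-list 101 permit tcp any host 1.2.156.26 eq 24041
access-list 101 permit tcp any host 1.2.156.26 eq 443
access-list 101 permit tcp any host 1.2.156.26 eq 4443
access-list 101 permit tcp any host 1.2.156.26 eq smtp
access-list 101 deny   ip any any
"""

# IOS prints some well-known TCP ports by name in ACLs (table is my own).
PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "ftp": 21, "domain": 53}


def parse_config(text):
    """Return (interfaces, routes, nats, acls) parsed from IOS config text."""
    interfaces, routes, nats, acls = {}, [], [], {}
    current = None
    for line in text.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"network": None, "nat": None, "acl_in": None}
            continue
        if line.startswith(" ") and current:          # indented interface sub-command
            body = line.strip()
            m = re.match(r"ip address (\d\S*) (\S+)", body)   # static addresses only
            if m:
                interfaces[current]["network"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            elif body in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = body.split()[-1]
            m = re.match(r"ip access-group (\S+) in", body)
            if m:
                interfaces[current]["acl_in"] = m.group(1)
            continue
        current = None                                 # back at global config level
        m = re.match(r"ip route (\S+) (\S+) (\S+)", line)
        if m:
            routes.append((ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"),
                           ipaddress.ip_address(m.group(3))))
        m = re.match(r"ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)", line)
        if m:
            nats.append((ipaddress.ip_address(m.group(1)), int(m.group(2)), m.group(3), int(m.group(4))))
        m = re.match(r"access-list (\S+) permit tcp any host (\S+) eq (\S+)", line)
        if m:
            port = PORT_NAMES.get(m.group(3)) or int(m.group(3))
            acls.setdefault(m.group(1), set()).add((ipaddress.ip_address(m.group(2)), port))
    return interfaces, routes, nats, acls


def egress(interfaces, routes, host):
    """Longest-prefix match for host: return (interface name, next-hop or None)."""
    for name, info in interfaces.items():
        if info["network"] is not None and host in info["network"].network:
            return name, None                          # directly connected
    best = None
    for net, nexthop in routes:
        if host in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    if best is None:
        return None, None
    for name, info in interfaces.items():              # resolve next-hop's interface
        if info["network"] is not None and best[1] in info["network"].network:
            return name, best[1]
    return None, best[1]


def audit(text):
    """One finding dict per static NAT entry in the config text."""
    interfaces, routes, nats, acls = parse_config(text)
    findings = []
    for local, lport, outside_if, gport in nats:
        iface, nexthop = egress(interfaces, routes, local)
        outside = interfaces.get(outside_if, {})
        public_ip = outside["network"].ip if outside.get("network") else None
        acl = acls.get(outside.get("acl_in"), set())
        findings.append({
            "host": f"{local}:{lport}",
            "global_port": gport,
            "via_interface": iface,
            "inside_interface_ok": bool(iface) and interfaces[iface]["nat"] == "inside",
            "next_hop": str(nexthop) if nexthop else None,   # set when host is behind another router
            "acl_permits": (public_ip, gport) in acl,
        })
    return findings


if __name__ == "__main__":
    for f in audit(CONFIG):
        print(f)
        if f["next_hop"]:
            print("  note: host sits behind another router; its replies must return"
                  " through this router's 'ip nat inside' interface or the translation is never undone")
```

Run against the excerpt, the 172.17.0.2 entry comes out with `inside_interface_ok` and `acl_permits` both true but `next_hop` set to 192.168.10.10, which is exactly the case where the router's own config can be correct and the forward still fails because of the return path beyond it; the directly connected 192.168.10.1 entries show no next-hop.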
05.02.2008 at 06:39AM PDT, ID: 21486511 (Expert Comment)

05.02.2008 at 07:04AM PDT, ID: 21486727 (Author Comment)

05.02.2008 at 08:27AM PDT, ID: 21487441 (Solution)

About this solution

Zones: Cisco PIX Firewall, Networking Hardware Firewalls
Solution Provided By: The_Warlock
Participating Experts: 1
Solution Grade: A