Solved

Port Forwarding on a Cisco 1721 router with 2 WAN interfaces

Posted on 2005-04-25
Last Modified: 2012-06-27
Thanks in advance for your help.

The short version of this question is: Can anyone help me set up a CISCO 1721 router to have two WAN connections on Ethernet WICs to different ISPs, and to be able to port forward to an internal mail server, with each WAN interface being able to do the forwarding in case the other goes down? And also I would like to be able to set up site-to-site VPNs to other offices that will be using PIX 506E firewalls. I could also put a PIX 506E firewall in the main office with the 1721 router if necessary.


Here is the long explanation (sorry for the length):

I work for a non-profit agency that currently has one main office and several branch offices.

At our main office we have one DSL internet connection and one RoadRunner Cable connection.  Each is obviously from a different ISP.  We have one public static IP address with each account.  In this office we have an Exchange server.  All of our branch offices have RoadRunner Cable with Dynamic IP addresses (although they rarely change, some never have).

I now have a Symantec 200R Firewall/VPN router at the main office and a Symantec 100 Firewall/VPN router at one of the branch offices.  The 200R has two WAN ports, so the connections to the two ISPs both go through it.  I can manually do some load balancing (for example set WAN1 for 60% usage and WAN2 for 40%).  I have port forwarding (they call it Virtual Servers) set up for ports 25,110, and 80 to go to the exchange server (80 is for Outlook Web Access).  I also have a Site to Site VPN set up between the 200R and the model 100 at the branch office.

This all works quite well except for one thing – the VPN drops a few times a day, usually requiring a reboot of one of the Symantec devices.  I have updated the firmware on both devices and worked with Symantec troubleshooting this problem with no success.  One thing that does work quite well is the port forwarding.  For example, the MX record for my domain name lists the static IP for both the DSL and RoadRunner accounts, so if I pull the cable out of the router for either one, email still comes through.

Now, I want to add VPNs for two more of the branch offices, but want to get away from the Symantec products since they seem so unreliable.   The good news is that I have a CISCO 1721 router and four CISCO PIX 506E firewall devices, so I thought I was all set to upgrade our hardware, correcting the connection problem and adding two more VPNs to branch offices.  However, at this point I can’t get the 1721 to work the way I want it to, replacing the 200R device in the main office.

The 1721 has one Fast Ethernet LAN port and two 10MB Ethernet WICs.  I was able to get both the DSL and RoadRunner accounts to connect on the 10MB interfaces, but I can only seem to set up port forwarding on one interface at a time.  Also, when I had both accounts running at the same time, even without the port forwarding, Internet access was slow.  Worse than 56k dial-up.  When I tried to do port forwarding on both interfaces, it would seem to work intermittently.

Again, thanks to anyone who is patient enough to try to give me a hand.
Following is the last config I had.



!This is the running config of the router: 192.168.0.1
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service compress-config
!
hostname Cisco1721
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
ip audit po max-events 100
no ip domain lookup
no ftp-server write-enable
!
!
!
!
!
!
!
interface Ethernet0
 description DSL DSL$ETH-WAN$
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1
 description Road Runner$ETH-WAN$$FW_OUTSIDE$
 ip address 888.888.888.10 255.255.255.252
 ip access-group 102 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect DEFAULT100 out
 half-duplex
 no cdp enable
!
interface FastEthernet0
 description $FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip tcp adjust-mss 1452
 speed auto
 half-duplex
 no cdp enable
!
interface Dialer6
 description $FW_OUTSIDE$
 ip address 999.999.999.11 255.255.0.0
 ip access-group 101 in
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password 0 zzzzzzzz
 ppp pap sent-username xxxxxxxxxxxx password 0 zzzzzzz
!
ip nat inside source list 1 interface Dialer6 overload
ip nat inside source list 2 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.4 80 999.999.999.11 80 extendable
ip nat inside source static tcp 192.168.0.4 25 999.999.999.11 25 extendable
ip nat inside source static tcp 192.168.0.4 110 999.999.999.11 110 extendable
ip nat inside source static tcp 192.168.0.4 80 888.888.888.10 80 extendable
ip nat inside source static tcp 192.168.0.4 25 888.888.888.10 25 extendable
ip nat inside source static tcp 192.168.0.4 110 888.888.888.10 110 extendable

ip classless
ip route 0.0.0.0 0.0.0.0 999.999.999.1 permanent
ip route 0.0.0.0 0.0.0.0 888.888.888.77 permanent
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 888.888.106.76 0.0.0.3 any
access-list 100 deny   ip 999.999.0.0 0.0.255.255 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark allow all
access-list 101 permit ip any any log
access-list 101 permit tcp any any eq domain
access-list 101 permit tcp any host 999.999.999.11 eq www
access-list 101 permit tcp any host 999.999.999.11 eq smtp
access-list 101 permit tcp any host 999.999.999.11 eq pop3
access-list 101 permit udp host 999.999.131.9 eq domain host 999.999.144.11
access-list 101 permit udp host 999.999.130.9 eq domain host 999.999.144.11
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 101 permit icmp any host 999.999.999.11 echo-reply
access-list 101 permit icmp any host 999.999.999.11 time-exceeded
access-list 101 permit icmp any host 999.999.999.11 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any log
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any any eq domain
access-list 102 remark Allow POP3
access-list 102 permit tcp any host 888.888.888.10 eq pop3
access-list 102 remark Allow SMTP
access-list 102 permit tcp any host 888.888.888.10 eq smtp
access-list 102 remark Allow www
access-list 102 permit tcp any host 888.888.888.10 eq www
access-list 102 deny   ip 192.168.0.0 0.0.0.255 any log
access-list 102 permit icmp any host 888.888.888.10 echo-reply
access-list 102 permit icmp any host 888.888.888.10 time-exceeded
access-list 102 permit icmp any host 888.888.888.10 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any log
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
snmp-server community zxzxxzxzxz RO
snmp-server enable traps tty
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 privilege level 15
 password xxxxxxxxxxxxx
 login local
 transport input telnet ssh
!
ntp server 192.168.0.1 prefer
end
Question by:misgci
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13862860
>to  able to port forward to an internal mail server, with each WAN interface being able to do the forwarding in case the other goes down,
Short answer - no.
You cannot map two different public IP's/ports to a single internal host/port

>but I can only seem to set up port forwarding on one interface at a time.
Correct..

Outbound failover is pretty straightforward.
Inbound failover is not a pretty sight. For it to work "properly" you need your own BGP AS number and your own public IP block that you can advertise through both ISP's, and have only one IP address mapped to your public servers.

One thing that you can do is to bind two different private IP addresses to the server (all Windows servers can take at least 5), and map a different public IP to each private IP.
i.e.
 Server = 192.168.0.4 + 192.168.0.5

ip nat inside source static tcp 192.168.0.4 80 999.999.999.11 80 extendable
ip nat inside source static tcp 192.168.0.4 25 999.999.999.11 25 extendable
ip nat inside source static tcp 192.168.0.4 110 999.999.999.11 110 extendable
ip nat inside source static tcp 192.168.0.5 80 888.888.888.10 80 extendable
ip nat inside source static tcp 192.168.0.5 25 888.888.888.10 25 extendable
ip nat inside source static tcp 192.168.0.5 110 888.888.888.10 110 extendable

Also, try enabling Cisco Express Forwarding. This will help load-balance. The reason you see slowdowns is because the way you have it setup now uses per-packet load balancing. With every other packet going out through a different ISP, you can imagine the issues.. Enable CEF and the behavior changes to a default of per-connection load-sharing. I think you'll be much happier with it. It's so simple:
  ip cef

I would encourage you to migrate to the PIX 506's. Update them first to the latest 6.3(4) OS and the PDM 3.02 GUI. The GUI makes the VPNs a snap and gives you great real-time monitoring capabilities.
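As an added example (not part of lrmoore's answer and not the poster's config), here is the set of IOS commands that puts the two-address approach above onto the posted 1721 in one piece. It binds a second inside address on the server, maps each public address to its own inside address, ties outbound PAT to the exit interface with route-maps so a flow is always translated to the address of the ISP it actually leaves on (two plain `source list` statements for the same subnet, as posted, leave that choice ambiguous), enables CEF, and adds policy routing on the inside interface so a reply from 192.168.0.5 leaves via the cable ISP and a reply from 192.168.0.4 via DSL; without that, the two default routes let a reply sourced from one ISP's address go out the other ISP, where it is asymmetric and liable to be dropped by that ISP's reverse-path check. The addresses (999.999.999.11/.1 on the DSL side, 888.888.888.10/.77 on the cable side, 192.168.0.4 and .5 for the server) are the placeholders used in this thread; the ACL numbers 10, 11 and 103 and the route-map names are my own. Two caveats a practitioner would want that the thread does not state: the `permanent` keyword on the posted default routes keeps a route installed even after its interface goes down, so it is dropped here, and the posted access-list 101 begins with `permit ip any any log`, which under IOS first-match semantics makes every later line in that list unreachable and leaves Dialer6 effectively unfiltered. The replacement filter is built under a new number and then swapped onto the interface, because deleting an ACL that is still applied to an interface leaves that interface unfiltered until the list is recreated.

```cisco
! Added example: dual-ISP inbound/outbound NAT on the posted 1721.
! Addresses are the thread's placeholders; names/numbers 10, 11, 103 are mine.
ip cef
!
! Inbound: one public address per inside address (server has .4 and .5 bound).
ip nat inside source static tcp 192.168.0.4 25  999.999.999.11 25  extendable
ip nat inside source static tcp 192.168.0.4 80  999.999.999.11 80  extendable
ip nat inside source static tcp 192.168.0.4 110 999.999.999.11 110 extendable
ip nat inside source static tcp 192.168.0.5 25  888.888.888.10 25  extendable
ip nat inside source static tcp 192.168.0.5 80  888.888.888.10 80  extendable
ip nat inside source static tcp 192.168.0.5 110 888.888.888.10 110 extendable
!
! Outbound PAT chosen by exit interface rather than by two overlapping lists.
access-list 1 permit 192.168.0.0 0.0.0.255
route-map NAT-DSL permit 10
 match ip address 1
 match interface Dialer6
route-map NAT-CABLE permit 10
 match ip address 1
 match interface Ethernet1
no ip nat inside source list 1 interface Dialer6 overload
no ip nat inside source list 2 interface Ethernet1 overload
ip nat inside source route-map NAT-DSL interface Dialer6 overload
ip nat inside source route-map NAT-CABLE interface Ethernet1 overload
!
! Equal-cost defaults; CEF shares flows per destination, not per packet.
! No "permanent": each route must leave the table when its interface goes down.
no ip route 0.0.0.0 0.0.0.0 999.999.999.1 permanent
no ip route 0.0.0.0 0.0.0.0 888.888.888.77 permanent
ip route 0.0.0.0 0.0.0.0 999.999.999.1
ip route 0.0.0.0 0.0.0.0 888.888.888.77
!
! Replies must go back out the ISP that owns the public address they arrived on.
! If the chosen interface/next hop is down, PBR falls through to normal routing.
access-list 10 permit host 192.168.0.4
access-list 11 permit host 192.168.0.5
route-map INSIDE-PBR permit 10
 match ip address 10
 set interface Dialer6
route-map INSIDE-PBR permit 20
 match ip address 11
 set ip next-hop 888.888.888.77
interface FastEthernet0
 ip policy route-map INSIDE-PBR
!
! Dialer6 inbound filter without the blanket "permit ip any any log".
! Return traffic for outbound sessions is opened by "ip inspect DEFAULT100 out".
access-list 103 permit tcp any host 999.999.999.11 eq smtp
access-list 103 permit tcp any host 999.999.999.11 eq pop3
access-list 103 permit tcp any host 999.999.999.11 eq www
access-list 103 permit icmp any host 999.999.999.11 echo-reply
access-list 103 permit icmp any host 999.999.999.11 time-exceeded
access-list 103 permit icmp any host 999.999.999.11 unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any log
access-list 103 deny   ip any any log
! Swap the filter on the interface only after list 103 exists in full.
interface Dialer6
 ip access-group 103 in
```

After applying it, `show ip nat translations` should show connections that arrived on 999.999.999.11 paired with 192.168.0.4 and those on 888.888.888.10 paired with 192.168.0.5; `show route-map` and `show access-lists 103` give per-entry match counts, so a list whose only growing counter is the final `deny ip any any` is the sign of a shadowing mistake like the one in the posted list 101. Policy routing applies to all traffic sourced from .4 and .5, not just replies, so the server's own outbound SMTP from .4 will prefer DSL; that is the intended behaviour here, since the address it is translated to must match the ISP it leaves on.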

Author Comment

by:misgci
ID: 13868662
OK, so 2 IP addresses on the exchange server and change the nat commands as shown, and enable CEF.  I have to wait until after hours or a weekend to try it out but it looks good.

Do you recommend using the 1721 router as the endpoint for the VPNs at the main office, or should I use a PIX there?
If using the PIX, do I put it in the private network, and also use port forwarding on the 1721 to the PIX?

Thanks for your answer above - it seems so obvious now!

LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 13868724
I still encourage you to go for the PIX.
Then you can remove all the inspect, nat and everything else off the router and let it concentrate on what it does best - route packets from interface to interface as fast as possible.
Then you can let the PIX do what it does best - NAT, inspection, and VPN


Author Comment

by:misgci
ID: 14262208
Sorry for letting this hang out there so long.  Thanks for your help.
