lizardqueen007 asked:
try to permit static route for remote admin with 827 cisco router
Hi,
I have a 827 cisco router and I need to configure a static route from outside IP to inside IP. Let's say outside IP is 222.222.222.222 and inside IP is 172.222.222.222 and the server to be administrated is 172.222.222.5 on port 555
Here is the current config. Thank you.
1 Ethernet/IEEE 802.3
set peer 222.222.222.222
1
set transform-set papabear
128
match address 106tile configuration
!e
bridge irb
interface Ethernet0
8192K bytes of
ip address 192.168.168.1 255.255.255.0 secondary
*
ip address 172.222.222.222 255.255.255.0 be 0x2102 at next reload)
ip nat inside
no cdp enable
Dea
hold-queue 32 in
!
interface ATM0
ip access-group 102 in
Name c
ip inspect inside-to-WWW out
destad
ip nat outside8, prot=50, spi
no ip route-cache)
S
no ip mroute-cachesion 12.1(1r)XB1, R
crypto map armadillo9:09.839: %CRYPTO-4-R
!V
ip classless: decaps: re
ip route 0.0.0.0 0.0.0.0 111.111.111.217Systems, Inc.
no ip http server27
s invalid spi
!r
ip nat inside source route-map nonat interface BVI1 overloadpi=0x4DB85D6(81495 510)confre g 0x2142
logging trap ere
access-list 102 permit tcp any any eq 56316.22.10
access-list 102 permit udp any any eq 5631
network 172.222.222.222 255.255.2
access-list 102 permit tcp any any eq 5632 default-router 172.222.222.1fornia 95134-17
access-list 102 permit udp any any eq 563206.13.28.12Internetwor k Operating System S
access-list 106 permit ip 172.222.222.0 0.0.0.255 207.222.222.122 0.0.0.63e (C8
ip inspect one-minute low 280C, EARLY DEPLOYMENT RELE
ip insp
access-list 152 deny ip 172.222.222.0 0.0.0.255 222.222.222.192 0.0.0.63incomplete host 30 block-time 1
TAC:Home:SW:IOS:Specials for info
access-list 152 permit ip 172.222.222.222 0.0.0.255 anyy cisco Systems, Inc.
ip inspect name inside-t
access-list 152 permit ip 192.168.168.0 0.0.0.255 anyt name inside-to-WWW ftp
Image text-ba
no cdp runpect name
route-map nonat permit 10
match ip address 152-to-WWW udp U.S. Expo
!
snmp-server community coavlesw RWme inside-
outside the United Sta
snmp-server chassis-id <<Router Serial#>>bear esp-3des esp-sha-hmac
snmp-server enable traps snmp linkdown linkup coldstart warmstart 10 ipsec-isakmp
set peer 20
snmp-server enable traps atm pvcuts
set transform-set papabear
snmp-server enable traps syslogh address 106
either b
snmp-server host 222.222.222.194 thlunlad snmprnet0
ip address 192.168.16
snmp-server managercondaryo Systems, I
bridge 1 protocol ieeeent.
ip add
bridge 1 route ip5.255.255.0Persons
banner motd ^CS. and Canada
************************** ********** ********** ********** *********q ueue 32 in
!
interface ATM0
^C
privilege exec level 5 ping
privilege exec level 5 show crypto isakmp sa
privilege exec level 5 show crypto ipsec sa
privilege exec level 5 clear crypto isakmp
privilege exec level 5 clear crypto sa
!
line con 0
exec-timeout 30 30
password 7 082B434B0D0B091219
login authentication userauthen
transport input none
stopbits 1
line vty 0 4
exec-timeout 30 30
privilege level 5
password 7 105D1A1E
login authentication userauthen
!
scheduler max-task-time 5000
end
Access-group +list + static mapping.
==========================
>config t
access-group acl_out in interface outside
access-group acl_in in interface inside
from outsideip port
access-list acl_in permit tcp 222.222.222.222 255.255.255.255 host 222.221.221.221 eq 555
access-list acl_out permit tcp any any eq 555
+
outsideip port insideip port
static (inside,outside) tcp 222.221.221.221 555 192.168.2.222 555 netmask 255.255.255.255 0 0
==========================
ASKER
Thank you, I will try right now.
ASKER
This router does not recognize access-group.
Router(config)#access-group acl_out in interface outside
^
% Invalid input detected at '^' marker.
Router(config)#access-grou
^
% Invalid input detected at '^' marker.
Can you do the following on the router?
no debug all
and then type show running and post the output again?
ASKER
Yes, I can post again with "no debug all", but not for a day, because I am not at the location.
May I ask what we are looking for?
Also, their network is very simple. All they have is a DSL connection with 4 computers. I did not configure this thing and it seems like an unnecessarily complicated configuration. I am considering resetting the config and starting from scratch. Any opinions?
I asked the ISP how the router authenticates since it is PPPoE, but there is no username and password that I see. He said that entering the external IP address works. Has anyone used this before, and is it a common way to configure PPPoE/DSL?
Thanks for the help
You can have connection without username password, depending on the ISP.
We need to create a static NAT translation on the router itself. Since your configuration is not very clear, I don't want to give commands based on guessing.
ASKER
Hi Naveedb,
I agree that this configuration is not very clear. I am glad to hear someone else say it. I am new to Cisco and looking at that IPsec stuff really threw me. I was able to accomplish the task of permitting a static route for the remote admin with the following:
ip nat inside source static tcp 192.168.0.5 4000 171.68.1.1 4000 extendable
Where the inside IP of the host to be remotely administrated is 192.168.0.5 and 171.68.1.1 is the outside IP. The port number is hypothetically 4000.
I also had to add a permit tcp 4000 to the access list.
I was surprised that it worked, but sometimes I get lucky.
The documents that helped me were:
http://www.exio.com/en/US/tech/tk175/tk15/technologies_configuration_example09186a0080093e51.shtml
http://www.linuxhomenetworking.com/cisco-hn/dsl-router.htm
I believe that the person who originally set it up just used some stock configuration, because the client's needs are very simple and this configuration seems way too complicated.
Thank you for the help. If you have any insight into what the mroute-cachesion is about, please let me know. I cannot find it in the IOS book that I have or in Cisco documents. Someday this configuration will come back to haunt me, I am sure, and I will probably have to clear the config and start from scratch.
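Putting the asker's final approach together with the source restriction the earlier reply suggested, as an added example that is not from the thread: it reuses the asker's hypothetical values (inside host 192.168.0.5, outside address 171.68.1.1, port 4000) and the posted ACL number and interface placement, and assumes the admin's source address is 222.222.222.222 from the opening post. The page does not show the exact ACL line the asker added, so the open form below is an assumption modelled on the posted 5631/5632 entries.

```cisco
! Added example, not the thread's own config. Assumed values: inside host 192.168.0.5,
! router outside address 171.68.1.1, port 4000 (the asker's hypothetical numbers),
! admin source host 222.222.222.222 (from the opening post), ACL 102 applied inbound
! on ATM0 as in the posted config ("ip access-group 102 in").
!
! Open form: the translation plus an ACL line that admits any source, the same shape
! as the posted "access-list 102 permit tcp any any eq 5631" lines. Any address on
! the Internet can reach the admin port.
ip nat inside source static tcp 192.168.0.5 4000 171.68.1.1 4000 extendable
access-list 102 permit tcp any any eq 4000
!
! Restricted form: same translation, but only the admin's address is admitted and
! other attempts are denied with logging. Because ACL 102 is applied inbound on the
! outside interface, it is evaluated before NAT, so the destination to match is the
! outside (global) address 171.68.1.1, not the inside host. Numbered ACL lines are
! appended in order, so the permit must be entered before the deny.
ip nat inside source static tcp 192.168.0.5 4000 171.68.1.1 4000 extendable
access-list 102 permit tcp host 222.222.222.222 host 171.68.1.1 eq 4000
access-list 102 deny   tcp any host 171.68.1.1 eq 4000 log
!
! Checks after applying: the static entry should be listed, and the ACL hit counters
! should increase when the admin connects (and the deny counter when anyone else does).
! show ip nat translations
! show access-lists 102
```

The two forms are alternatives for the same ACL, not lines to apply together; the return traffic for the session is handled by the "ip inspect inside-to-WWW out" already on ATM0, so no extra outbound permit is needed.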
ASKER
Hello, Naveedb,
May I ask?
1) What is, in your opinion, the best book for someone starting with Cisco? I am looking for a book that is not necessarily aimed at becoming certified, but a good, quick (if possible) book on real-world solutions for Cisco routers for someone new to Cisco devices.
There are many areas in Cisco Routers, like Routing, Switching, Security, Voice and Data etc.? Which one would better describe your needs?
For very beginners, you normally start with understanding IOS commands, but with the newer routers supporting web GUIs, it might be much easier to use these tools instead of the old command line. So, it is also a generation question in this respect.
ASKER
I have to use the command line due to generation issues, as you said.
I have the IOS in a Nutshell book. I am looking for a book that can translate Cisco terminology into more Network+ type terminology. I suppose there is no one book, but I thought you might have a favorite for making the leap from Network+ to Cisco.
I have used many books for my certification and later just to keep up with changing technologies, so I would not recommend any one book, as in my experience two readers can have different opinions about the same book. I would however suggest, as my teachers have, using cisco.com for learning. It is an excellent source for training on all aspects of technology and Cisco products.
To try, just have a look at the following link and browse through NAT. Spend some time going through the links and you will realize that it gives a lot of information (and an answer to your question too).
http://www.cisco.com/en/US/tech/tk648/tsd_technology_support_category_home.html