Cisco 1800 Multiple IP's on the WAN (SSL Port mapping)

Posted on 2007-10-01
Last Modified: 2012-06-27
Hello, we have a Cisco 1800 series. As we understand it, it has only Port 0 as the WAN port. We want to use the Cisco VPN client to connect to the network. We understand that the VPN client uses SSL. However, we also have an IIS server on the other side using the same SSL port 443 that we want to do port forwarding to from the outside.

I have 5 IPs available to me publicly. I have 1 physical port on the router. I want to route the same TCP port between 2 internal IPs. Can I assign more than 1 of the public IPs to the same interface?


Internet <-> x.x.x.x <-> 192.168.1.1 TCP Port 80
                     <-> 192.168.1.2 TCP Port 80

Can I add a y.y.y.y IP to the same port? Is that the solution?

In general it seems to me that if we enable SSL on the Cisco client, we won't be able to port forward to the IIS server on the internal network.

The question is twofold:

1. Can you assign more than 1 IP to the WAN port?
    a. If so, then I should be able to port forward from the additional external IP to the SSL port, while mapping the other IP to the VPN client.
2. Change the VPN client to not use SSL? Or change the SSL client port?

Are there other solutions that I am missing?
Question by: Amirlit
2 Comments
Accepted Solution

by: QBRad (earned 2000 total points)
ID: 19996117
Example public IPs:
1.1.1.1
2.2.2.2
3.3.3.3
4.4.4.4
5.5.5.5

On the WAN interface of your router assign 1 ip address: 1.1.1.1

Assign a static translation from another outside address, 2.2.2.2, to the server's internal address and create a rule that allows traffic on ports 80, 443, etc.

When you create your external DNS entries, make 1 entry for server.domain.com at address 2.2.2.2. When you go to server.domain.com it will resolve to 2.2.2.2 and get routed to your network; then the router & firewall will pass that traffic through to your network and server.

Create another external DNS entry for vpn.domain.com at address 1.1.1.1. When you go to vpn.domain.com it will resolve to 1.1.1.1 and get routed to your router or PIX (whichever has the VPN enabled) and allow access with the VPN client.

You cannot assign more than 1 address to the interface, but you don't have to do that. You can create an SSL VPN to the router or firewall (whichever you were planning on) and then create a rule to forward the other SSL traffic to the network server. As long as you use a different external address for each service, you could have as many SSL connections to your network as you have public IPs.

What you're thinking is: if you have 1 public IP and do SSL to that same IP for 2 different services, then yes, this will NOT work, as the same IP will not know 1 service from the other. But if you use 2 different public IPs it will know that 1 public IP for SSL is the VPN and 1 public IP for SSL is the server.

You have 5 IPs, so: 1 for the public interface of the router, 1 for the SSL VPN, 1 for the SSL server; you now have 2 left for whatever.
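As an added example (not part of QBRad's answer or anything posted in this thread), here is an IOS configuration that implements the layout described above: the router keeps 1.1.1.1 on its single WAN interface and terminates the VPN there, while 2.2.2.2 is a static NAT entry that the router answers ARP for and forwards to the IIS host. The interface names, the /29 mask, the LAN host 192.168.1.2 and the ACL names are assumptions, and the 1.1.1.x/2.2.2.x addresses are the same placeholders the answer uses. Because the classic Cisco VPN Client is IPsec (UDP 500/4500 and ESP) while an SSL VPN uses TCP 443, the inbound ACL opens both sets; keep only the one you actually run.

```cisco
! Added example, not from the original thread. Assumptions: Cisco 1800 with
! FastEthernet0 as the WAN port, Vlan1 as the LAN, public block 1.1.1.0/29
! (placeholder), IIS host at 192.168.1.2.
!
interface FastEthernet0
 description WAN - router's own address, also the VPN endpoint
 ip address 1.1.1.1 255.255.255.248
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface Vlan1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Static one-to-one translation: anything arriving for 2.2.2.2 is rewritten
! to 192.168.1.2. IOS installs an alias for 2.2.2.2 and proxy-ARPs for it on
! the WAN segment, so no second address is needed on FastEthernet0.
ip nat inside source static 192.168.1.2 2.2.2.2
!
! Alternative: translate only the two ports you publish, so the rest of the
! server is never reachable from outside even if the ACL is later loosened.
! ip nat inside source static tcp 192.168.1.2 80 2.2.2.2 80 extendable
! ip nat inside source static tcp 192.168.1.2 443 2.2.2.2 443 extendable
!
! Outbound PAT for the rest of the LAN via the router's own WAN address.
ip access-list standard LAN-HOSTS
 permit 192.168.1.0 0.0.0.255
ip nat inside source list LAN-HOSTS interface FastEthernet0 overload
!
! Inbound filter on the WAN. IOS evaluates an inbound ACL on the outside
! interface before the outside-to-inside translation, so match the public
! address 2.2.2.2, not 192.168.1.2.
ip access-list extended OUTSIDE-IN
 remark --- published web server on 2.2.2.2 ---
 permit tcp any host 2.2.2.2 eq 80
 permit tcp any host 2.2.2.2 eq 443
 remark --- SSL VPN terminated on the router itself ---
 permit tcp any host 1.1.1.1 eq 443
 remark --- IPsec (classic Cisco VPN Client) terminated on the router ---
 permit udp any host 1.1.1.1 eq isakmp
 permit udp any host 1.1.1.1 eq non500-isakmp
 permit esp any host 1.1.1.1
 remark --- replies to outbound PAT sessions are handled by NAT state; deny the rest ---
 deny   ip any any log
```

The point to take away is that `ip nat inside source static` is the command the question is asking for: it, not a second `ip address` on the interface, is what makes 2.2.2.2 answer on the WAN. Prefer the per-port form when only 80 and 443 should ever reach the host. After applying the config, `show ip nat translations` should list the static entry and `show ip nat statistics` will confirm FastEthernet0 is the outside interface; test from outside with a browser against both names to confirm that 443 on 2.2.2.2 reaches IIS while 443 on 1.1.1.1 reaches the VPN.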

Author Comment

by: Amirlit
ID: 19996190
Thanks for the help. I knew I was not crazy.

BTW, is there some special command to add an additional IP address to the same interface? It's not obvious in the GUI interface.