Solved

Cisco 1841: Forwarding 1 port on 2 interfaces

Posted on 2008-10-14
11
2,418 Views
Last Modified: 2010-08-05
Hey guys,

I've run into a challenge that goes a bit beyond my Cisco knowledge. The situation is as follows... I've got a Cisco 1841 with a 4-port switch module in it that does our internet access. I've set up a simple NAT, some port forwards, etc.. all works perfectly. Now the situation arises where we want to connect the 2nd WAN port to a lease line as a form of site-to-site VPN for specific ports. The remote location works fine, the lease line works fine.. just the part in the Cisco 1841's configuration I can't seem to figure out.

If you look at the little "illustration" (ahem...) below:
- SERVER A (192.168.2.5) is a mailserver that can be accessed via internet and the local LAN (192.168.2.x/24).
- SERVER B (172.16.2.2) is also a mailserver that can be accessed via internet and its local LAN (172.16.2.x/24). I would like SERVER A and SERVER B to be able to talk to each other on port 25 via the leaseline.
- The Cisco Pix has port 25 forwarded to SERVER B, and works fine; so no change needed there.
- The Cisco 1841 has port 25 forwarded to SERVER A via FE0/0, this works fine.

I somehow need to make a 2nd NAT and port forward on FE0/1, but how would I configure that on the CISCO 1841?
[SERVER A]---[CISCO 1841]---FE0/0---(ISP)
                      \
                       \
                        \---FE0/1---(Leaseline)---[CISCO PIX]---[SERVER B]


Question by:bramsauer

11 Comments
LVL 1
Expert Comment
by:smshah78
Dear bramsauer,

Looking at your requirements, it seems ServerA and ServerB are both part of your internal networks. If that is the case, then do you really need to do NAT / port forwarding between them? Is there a business need to hide the actual IPs of the servers from each other?

If you are creating a VPN (site to site I assume between Cisco 1841 and PIX), just route (static) the actual IP of Server B over VPN on Cisco 1841 and route (static) actual IP of Server A over VPN on PIX. PIX should then be configured only to allow port 25 as destination port between these 2 servers.

Not sure if this is possible to implement in your specific scenario but can comment more after looking at actual router configuration if it is possible for you to share.
0
Author Comment
by:bramsauer
Hi,

The servers are not part of the same network. Server A is in one building, and server B is in another building. Normally you'd pull a VPN over the internet between the two of them, but in this case the amount of traffic that needs to go back and forth between them would have too much impact on the total bandwidth, hence the dedicated leaseline between the buildings. I've included the configuration of the 1841 (trimmed it a little bit, so it wouldn't be too long):
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname gw1
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-21.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 5 <#####>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
clock timezone CET 1
no ip source-route
ip cef
!
!
ip inspect one-minute high 1875
ip inspect one-minute low 1500
ip inspect tcp max-incomplete host 100000 block-time 0
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip bootp server
ip domain name <#####>
ip name-server <#####>
ip name-server <#####>
!
!
!
username <#####> password 7 <#####>
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ftp username <#####>
ip ftp password 7 <#####>
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Internet Uplink
 ip address <#####> <#####> secondary
 ip address <#####> <#####>
 ip access-group inbound in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description OSS Transit
 ip address 10.0.0.1 255.255.255.252
 ip access-group inbound_oss in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description LAN - Front End
 switchport mode trunk
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description LAN - Back End
 switchport access vlan 2
!
interface Vlan1
 description LAN - Front End
 ip address 192.168.2.1 255.255.255.0
 ip access-group outbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description LAN - Back End
 ip address 192.168.1.1 255.255.255.0
 ip access-group outbound_be in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.61.144.153 permanent
ip route 10.0.0.0 255.255.255.252 FastEthernet0/1
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 192.168.2.2 9996
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.5 25 interface FastEthernet0/0 25
<Snip snip>
ip nat inside source static tcp 192.168.1.5 25 <#####> 25 extendable
ip nat inside source static tcp 192.168.1.7 81 <#####> 81 extendable
!
ip access-list extended inbound
 permit tcp any any eq smtp
 <Snip snip>
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit gre any any
 deny   ip any any log
ip access-list extended inbound_oss
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
ip access-list extended outbound
 <Snip snip>
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended outbound_be
 <Snip snip>
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
logging 192.168.2.2
access-list 1 remark Access List for NAT.
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Management.
access-list 2 permit 192.168.2.90
access-list 103 permit ip host 192.168.2.90 any
access-list 103 deny   ip any any
no cdp run
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 103 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet
!
scheduler allocate 4000 1000
end


0
Author Comment
by:bramsauer
As a side note, I should mention that I could give SERVER B a second IP address that is in the 192.168.2.x range (same as SERVER A), so an IPSec VPN could be made between the 1841 and Pix 515. But then the VPN would still go via the leaseline, so the issue of the 2nd entrance on the 1841 would still remain.
0
LVL 1
Accepted Solution
by: smshah78 earned 500 total points
A few queries:

- Is the same internet connection on the 1841 being used for server 172.16.2.2 to be accessed from the Internet, as I cannot see the associated NAT configuration?
- Also, this leased line connection now makes both sites part of your private network, which is under your management. Please confirm.
- Is the WAN leased line directly terminating on the PIX?

Taking the above queries as assumptions and looking at the configuration, it seems that you do not need additional NAT configuration at all.
You need to configure the following on the 1841:
- A static route for 172.16.2.2/32 pointing to the WAN IP address of the remote site (assume it will be 10.0.0.2)

You will need to configure the following on the remote location's WAN device/PIX:
- A static route for the Global IP of server 192.168.2.5 (which is the FE0/0 IP) pointing towards the 1841 (10.0.0.1) or a valid next hop towards the 1841
- Appropriate firewall rules to allow communication between 172.16.2.2 and the Global IP of 192.168.2.5

How this works:
- Overload NAT is already in place for 192.168.2.5 (mapped to the FE0/0 IP address) for all other ports, and for port 25 port forwarding is again in place via a static NAT
- When a packet is received on a NAT inside interface and exits a NAT outside interface, the NAT entries will be referred to and NATting will be performed. So here, when 192.168.2.5 sends a packet to 172.16.2.2 on port 25, the overload NAT entry will come into the picture and the packet will be sent out of the leased line with its source changed to the IP address of FE0/0. The firewall (if configured correctly) will allow this traffic through. --- Similarly, if 172.16.2.2 wants to send data to 192.168.2.5 on port 25, it should actually send traffic to the Global IP (FE0/0) on port 25; the firewall will allow this through, there is a static NAT already in place, and the packet will be forwarded to VLAN1

Hope this helps.
0
Author Comment
by:bramsauer
Let's see..

- Right now they are 100% two independent locations. Each location has its own network and its own internet access.
- Location A is currently 50+ servers, computers, etc..
- Location B is (currently) only 6 computers (but these 6 computers generate a lot of traffic). Since Location B is only 6 computers, I could change the IP range on location B to 192.168.2.x.
- The leaseline would indeed make it one network, but with two different ranges.
- The 1841's second WAN port connects to an ethernet to fiber converter.
- The PIX's second WAN port also connects to an ethernet to fiber converter.
- How the fiber converters are connected is unknown to me (they're managed by the provider of the leaseline).

So if I understand you correctly, there are 2 options?

1) Make a site-to-site VPN between the Pix and the 1841. This would put both locations in 1 network, and would allow the servers to talk freely with each other. Other ports can be blocked via an ACL. Both locations keep their separate internet access, and only traffic for 192.168.2.x is routed via the VPN.

2) Keep both locations separate, and do the NAT trick for port 25. This would keep two separate networks, and would allow only port 25 to travel via the leaseline between both locations.

To be honest, option 1 seems more interesting, because it would be easier to open other ports in the future, should the need arise. But my knowledge and experience with both the Pix and the 1841 is far from sufficient to set up a VPN between them.
0
LVL 1
Expert Comment
by:smshah78
Changing the IP range to 192.168.2.x will not help, as you cannot have the same network address on 2 different LAN segments.

Also, if each location is using its own internet connection, there is no need for the "ip nat outside" command on Fa0/1. This will ensure that traffic between location A and location B is not NATted. Any security policy control you want to put in can be put in via extended ACLs on Fa0/1 or on the PIX or on both. This will ensure that you have complete control over the traffic you want to allow (open ports only when required), while at the same time eliminating the complexity of NAT or of setting up a VPN.

Your existing policies on the PIX may need to be reviewed by yourself to ensure that existing traffic, if there is any, does not get impacted.

Unless there is an explicit need for encryption over the leased line (which is private anyway), I recommend not using a VPN at all and considering it as one private network. Look at it as 2 sites of the same company connected via a leased line to facilitate communication between them.
0
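What the accepted answer and the comment above amount to in 1841 configuration, written here as an added example rather than anything posted in the thread: plain routing over the leased line, no NAT on Fa0/1, and ACLs on Fa0/1 that allow only SMTP between the two mail servers. It assumes the PIX end of the leased line is 10.0.0.2 (as the accepted answer assumed) and that the existing inbound_oss ACL uses the IOS default sequence numbers 10, 20, ..., so that sequence 5 is evaluated first; interface, ACL and inspect names are taken from the posted config.

```cisco
! Added example (not posted in the thread): 1841 changes implementing
! smshah78's "route it, no NAT, control it with ACLs" advice, limited to SMTP
! between SERVER A (192.168.2.5) and SERVER B (172.16.2.2).
! Assumptions: the PIX end of the leased line is 10.0.0.2 (as the accepted
! answer assumed) and inbound_oss uses the IOS default sequence numbers
! 10, 20, ... so sequence 5 is evaluated first.
!
! 1. Fa0/1 is no longer a NAT outside interface, so traffic between the two
!    LANs keeps its real addresses (NAT only acts inside -> outside).
interface FastEthernet0/1
 no ip nat outside
!
! 2. Route the remote LAN over the leased line; this also satisfies the uRPF
!    check already on Fa0/1 for packets arriving from 172.16.2.x.
ip route 172.16.2.0 255.255.255.0 10.0.0.2
!
! 3. Leased line -> LAN: only SERVER B may open SMTP to SERVER A. Replies to
!    sessions SERVER A opens are admitted dynamically by the existing
!    "ip inspect SDM_LOW out" on Fa0/1, so nothing else is needed here.
ip access-list extended inbound_oss
 5 permit tcp host 172.16.2.2 host 192.168.2.5 eq smtp
!
! 4. LAN -> leased line: SERVER A may open SMTP to SERVER B and answer SMTP
!    sessions SERVER B opened; the ICMP types inbound_oss already allows are
!    mirrored so ping/traceroute keep working; the rest is logged and dropped.
ip access-list extended outbound_oss
 permit tcp host 192.168.2.5 host 172.16.2.2 eq smtp
 permit tcp host 192.168.2.5 eq smtp host 172.16.2.2 established
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
interface FastEthernet0/1
 ip access-group outbound_oss out
!
! Verification after the change:
! show ip access-lists inbound_oss
! show ip inspect sessions
```

The logged denies on both ACLs are what to watch (via the existing "logging 192.168.2.2") when deciding whether another port really needs opening later.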
Author Comment
by:bramsauer
I meant including the computers at location B in the IP range of location A.. just a remote branch, so to speak. Currently there is no explicit need to encrypt the data (since it's just e-mail), but I don't know how it will be in the (near) future.

Let's say I did want to make a VPN connection between the 1841 and the Pix via the leaseline; what would I have to change in the configuration on the 1841?

The Pix 515 is not really a problem; the configuration on that one is very basic/simple, and can be changed without problems.. it's the part on the 1841 that I'm not clear about.
0
LVL 1
Expert Comment
by:smshah78
I have personally not run a 1841 to PIX site-to-site VPN in the past, but this configuration should work:

On the 1841, the IPSec tunnel configuration will look something like this:

!
! 3DES/MD5 as posted in 2008; a current deployment would pick AES and SHA-2
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key Test1234 address 10.0.0.2 255.255.255.252
!
!
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set strong
!
! GRE over IPsec: the peer must also terminate the GRE tunnel for Tunnel1 to
! come up; a crypto-map based IPsec configuration is the alternative if it cannot
interface Tunnel1
 description CryptoGRE Link to PIX
! 10.0.0.4 is the network address of 10.0.0.4/30 and is rejected by IOS;
! the usable addresses are 10.0.0.5 (this end) and 10.0.0.6 (PIX end)
 ip address 10.0.0.5 255.255.255.252
 ip mtu 1416
 ip virtual-reassembly
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
! next command may or may not be needed
 tunnel key 571694
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vpnprof
! next command may or may not be needed
 no keepalive
!
! remote LAN via the PIX end of the tunnel subnet
ip route 172.16.2.0 255.255.255.0 10.0.0.6
0
LVL 1
Expert Comment
by:smshah78
Just to add, this link might be able to provide some more help to you with setting up the router; the configuration is a bit different and uses NAT, which is not required in your case and can be ignored.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
0
Author Comment
by:bramsauer
OK, I've been experimenting with the site-to-site VPN a bit, to no avail. Since the issue was starting to get a bit pressing and (a little) annoying, I decided to go for your first proposal: routing between the interfaces without any form of encryption. And this works like a charm. Should the need arise to encrypt data, I could always pull a PPTP based site-to-site VPN within Windows 2003 from Server B directly to server A.

Thanks for the help :)

0
LVL 1
Expert Comment
by:smshah78
Glad I was able to help, cheers!!!
0
