Solved

Cisco 1841: Forwarding 1 port on 2 interfaces

Posted on 2008-10-14
Last Modified: 2010-08-05
Hey guys,

I've run into a challenge that goes a bit beyond my Cisco knowledge. The situation is as follows... I've got a Cisco 1841 with a 4-port switch module in it that does our internet access. I've set up a simple NAT, some port forwards, etc.; all works perfectly. Now the situation arises where we want to connect the 2nd WAN port to a leased line as a form of site-to-site VPN for specific ports. The remote location works fine, the leased line works fine; it's just the part in the Cisco 1841's configuration I can't seem to figure out.

If you look at the little "illustration" (ahem...) below:  
- SERVER A (192.168.2.5) is a mailserver that can be accessed via the internet and the local LAN (192.168.2.x/24).
- SERVER B (172.16.2.2) is also a mailserver that can be accessed via the internet and its local LAN (172.16.2.x/24). I would like SERVER A and SERVER B to be able to talk to each other on port 25 via the leased line.
- The Cisco PIX has port 25 forwarded to SERVER B, and works fine; so no change needed there.
- The Cisco 1841 has port 25 forwarded to SERVER A via FE0/0; this works fine.

I somehow need to make a 2nd NAT and port forward on FE0/1, but how would I configure that on the Cisco 1841?
[SERVER A]---[CISCO 1841]---FE0/0---(ISP)
                      \
                       \
                        \---FE0/1---(Leaseline)---[CISCO PIX]---[SERVER B]

Question by:bramsauer
11 Comments

Expert Comment

by:smshah78
ID: 22718085
Dear bramsauer,

Looking at your requirements, it seems Server A and Server B are both part of your internal networks. If that is the case, then do you really require NAT / port forwarding between them? Is there a business need to hide the actual IPs of the servers from each other?

If you are creating a VPN (site-to-site, I assume, between the Cisco 1841 and the PIX), just route (static) the actual IP of Server B over the VPN on the Cisco 1841 and route (static) the actual IP of Server A over the VPN on the PIX. The PIX should then be configured only to allow port 25 as the destination port between these 2 servers.

Not sure if this is possible to implement in your specific scenario, but I can comment more after looking at the actual router configuration, if it is possible for you to share it.

Author Comment

by:bramsauer
ID: 22718668
Hi,

The servers are not part of the same network. Server A is in one building, and Server B is in another building. Normally you'd pull a VPN over the internet between the two of them, but in this case the amount of traffic that needs to go back and forth between them would have too much impact on the total bandwidth, hence the dedicated leased line between the buildings. I've included the configuration of the 1841 (trimmed it a little bit, so it wouldn't be too long).

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname gw1
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-21.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 errors
logging console critical
enable secret 5 <#####>
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
aaa session-id common
clock timezone CET 1
no ip source-route
ip cef
!
!
ip inspect one-minute high 1875
ip inspect one-minute low 1500
ip inspect tcp max-incomplete host 100000 block-time 0
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip bootp server
ip domain name <#####>
ip name-server <#####>
ip name-server <#####>
!
!
!
username <#####> password 7 <#####>
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ftp username <#####>
ip ftp password 7 <#####>
! 
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description Internet Uplink
 ip address <#####> <#####> secondary
 ip address <#####> <#####>
 ip access-group inbound in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description OSS Transit
 ip address 10.0.0.1 255.255.255.252
 ip access-group inbound_oss in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/0/0
 description LAN - Front End
 switchport mode trunk
!
interface FastEthernet0/0/1
 shutdown
!
interface FastEthernet0/0/2
 shutdown
!
interface FastEthernet0/0/3
 description LAN - Back End
 switchport access vlan 2
!
interface Vlan1
 description LAN - Front End
 ip address 192.168.2.1 255.255.255.0
 ip access-group outbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface Vlan2
 description LAN - Back End
 ip address 192.168.1.1 255.255.255.0
 ip access-group outbound_be in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 212.61.144.153 permanent
ip route 10.0.0.0 255.255.255.252 FastEthernet0/1
ip flow-export source Vlan1
ip flow-export version 5
ip flow-export destination 192.168.2.2 9996
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.2.5 25 interface FastEthernet0/0 25
 
<Snip snip>
 
ip nat inside source static tcp 192.168.1.5 25 <#####> 25 extendable
ip nat inside source static tcp 192.168.1.7 81 <#####> 81 extendable
 
!
ip access-list extended inbound
 permit tcp any any eq smtp
 
<Snip snip>
 
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit gre any any
 deny   ip any any log
ip access-list extended inbound_oss
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip any any log
ip access-list extended outbound
 
< Snip snip>
 
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended outbound_be
 
< Snip snip>
 
 deny   ip host 255.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 permit ip any any
!
logging 192.168.2.2
access-list 1 remark Access List for NAT.
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark Management.
access-list 2 permit 192.168.2.90
access-list 103 permit ip host 192.168.2.90 any
access-list 103 deny   ip any any
no cdp run
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 103 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet
!
scheduler allocate 4000 1000
end

Author Comment

by:bramsauer
ID: 22718703
As a side note, I should mention that I could give SERVER B a second IP address that is in the 192.168.2.x range (same as SERVER A), so an IPsec VPN could be set up between the 1841 and the PIX 515. But then the VPN would still go via the leased line, so the issue of the 2nd entrance on the 1841 would still remain.


Accepted Solution

by:
smshah78 earned 500 total points
ID: 22718864
Few queries:

- Is the same internet connection on the 1841 being used for server 172.16.2.2 to be accessed from the Internet? I cannot see the associated NAT configuration.
- Also, this leased line connection now makes both sites part of your private network, which is under your management. Please confirm.
- Is the WAN leased line directly terminating on the PIX?

Taking the above queries as assumptions and looking at the configuration, it seems that you do not need additional NAT configuration at all.
You need to configure the following on the 1841:
- A static route for 172.16.2.2/32 pointing to the WAN IP address of the remote site (assume it will be 10.0.0.2)

You will need to configure the following on the remote location's WAN device/PIX:
- A static route for the global IP of server 192.168.2.5 (which is the FE0/0 IP) pointing towards the 1841 (10.0.0.1) or a valid next hop towards the 1841
- Appropriate firewall rules to allow communication between 172.16.2.2 and the global IP of 192.168.2.5

How this works:
- Overload NAT is already in place for 192.168.2.5 (mapped to the FE0/0 IP address) for all other ports, and for port 25 port forwarding is in place via a static NAT
- When a packet is received on a NAT inside interface and exits a NAT outside interface, the NAT entries will be consulted and NATing will be performed. So here, when 192.168.2.5 sends a packet to 172.16.2.2 on port 25, the overload NAT entry will come into the picture and the packet will be sent out of the leased line with its source changed to the IP address of FE0/0. The firewall (if configured correctly) will allow this traffic through. Similarly, if 172.16.2.2 wants to send data to 192.168.2.5 on port 25, it should actually send the traffic to the global IP (FE0/0) on port 25; the firewall will allow this through, the static NAT is already in place and the packet will be forwarded to VLAN1

Hope this helps.
Author Comment

by:bramsauer
ID: 22719103
Let's see..

- Right now they are 100% two independent locations. Each location has its own network and its own internet access.
- Location A is currently 50+ servers, computers, etc.
- Location B is (currently) only 6 computers (but these 6 computers generate a lot of traffic). Since Location B is only 6 computers, I could change the IP range on location B to 192.168.2.x.
- The leased line would indeed make it one network, but with two different ranges.
- The 1841's second WAN port connects to an ethernet-to-fiber converter.
- The PIX's second WAN port also connects to an ethernet-to-fiber converter.
- How the fiber converters are connected is unknown to me (they're managed by the provider of the leased line).

So if I understand you correctly there are 2 options?

1) Make a site-to-site VPN between the PIX and the 1841. This would put both locations in 1 network, and would allow the servers to talk freely with each other. Other ports can be blocked via an ACL. Both locations keep their separate internet access, and only traffic for 192.168.2.x is routed via the VPN.

2) Keep both locations separate, and do the NAT trick for port 25. This would keep two separate networks, and would allow only port 25 to travel via the leased line between both locations.

To be honest, option 1 seems more interesting, because it would be easier to open other ports in the future, should the need arise. But my knowledge and experience with both the PIX and the 1841 is far from sufficient to set up a VPN between them.

Expert Comment

by:smshah78
ID: 22719216
Changing the IP range to 192.168.2.x will not help, as you cannot have the same network address on 2 different LAN segments.

Also, if each location is using its own internet connection, there is no need for the "ip nat outside" command on Fa0/1. Removing it will ensure that traffic between location A and location B is not NATed. Any security policy control you want to put in can be done via extended ACLs on Fa0/1, on the PIX, or on both. This will ensure that you have complete control over the traffic you want to allow (open ports only when required), while at the same time eliminating the complexity of NAT or of setting up a VPN.

Your existing policies on the PIX may need to be reviewed by you to ensure existing traffic, if there is any, does not get impacted.

Unless there is an explicit need for encryption over the leased line (which is private anyway), I recommend not using a VPN at all and considering it one private network. Look at it as 2 sites of the same company connected via a leased line to facilitate communication between them.
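The 1841 side of the routed, no-NAT design that the accepted answer and the reply above describe (static route over the leased line, "ip nat outside" removed from Fa0/1, traffic limited with extended ACLs), written out as an added example. This is not configuration from the thread: it assumes the PIX end of the transit /30 is 10.0.0.2 (as the accepted answer assumes), that the remote LAN is 172.16.2.0/24, and that the PIX routes 192.168.2.0/24 back to 10.0.0.1 without translating it. The ACL name to_oss and the sequence number 5 are choices made here.

```cisco
! Added example, not part of the original thread.
! Assumed: remote side of the /30 on Fa0/1 is 10.0.0.2 (PIX), remote LAN is 172.16.2.0/24.
!
! 1. Fa0/1 is no longer a NAT outside interface. IOS NAT only translates
!    packets that cross an "inside" -> "outside" interface pair, so LAN traffic
!    towards the leased line now leaves with its real 192.168.2.x source and
!    the static port-25 mapping on Fa0/0 is not involved at all.
interface FastEthernet0/1
 description OSS Transit
 no ip nat outside
!
! 2. Route the remote LAN over the leased line. The existing strict uRPF check
!    on Fa0/1 ("ip verify unicast reverse-path") only accepts 172.16.2.x sources
!    once this route points out of Fa0/1, so add it before testing.
ip route 172.16.2.0 255.255.255.0 10.0.0.2
!
! 3. Tighten the inbound ACL already applied on Fa0/1. Sequence 5 lands before
!    the existing entries (numbered from 10), so only SMTP from server B to
!    server A may open a session from the remote side; everything else still
!    hits the existing "deny ip any any log". Return traffic for sessions that
!    server A opens towards server B is inserted dynamically by the existing
!    "ip inspect SDM_LOW out" on Fa0/1, so no "established" entry is needed here.
ip access-list extended inbound_oss
 5 permit tcp host 172.16.2.2 host 192.168.2.5 eq smtp
!
! 4. Also restrict what the LANs may send towards site B, so a compromised
!    workstation on VLAN1/VLAN2 cannot reach the remote network. Replies from
!    server A to sessions that server B opened go out this way, hence the
!    "established" line.
ip access-list extended to_oss
 permit tcp host 192.168.2.5 host 172.16.2.2 eq smtp
 permit tcp host 192.168.2.5 eq smtp host 172.16.2.2 established
 permit icmp 192.168.2.0 0.0.0.255 172.16.2.0 0.0.0.255 echo
 permit icmp 192.168.2.0 0.0.0.255 172.16.2.0 0.0.0.255 echo-reply
 deny   ip any any log
!
interface FastEthernet0/1
 ip access-group to_oss out
```

Verify with "show ip route 172.16.2.2", "show ip nat translations" (no entries with a 10.0.0.x or 172.16.2.x address should appear after the change) and "show ip access-lists inbound_oss" while a test message is sent from server A to server B; the inspect-generated temporary entries show up at the top of that ACL. On the PIX side the matching pieces are a route for 192.168.2.0/24 via 10.0.0.1 on the leased-line interface, a NAT exemption for 172.16.2.2 talking to 192.168.2.0/24, and an access list that permits TCP 25 between the two servers; those depend on the PIX's interface names, which are not shown in the thread.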
Author Comment

by:bramsauer
ID: 22720212
I meant including the computers at location B in the IP range of location A, just a remote branch so to speak. At present there is no explicit need to encrypt the data (since it's just e-mail), but I don't know how it will be in the (near) future.

Let's say I did want to make a VPN connection between the 1841 and the PIX via the leased line; what would I have to change in the configuration on the 1841?

The PIX 515 is not really a problem; the configuration on that one is very basic/simple and can be changed without problems. It's the part on the 1841 that I'm not clear about.
Expert Comment

by:smshah78
ID: 22720461
I have personally not run an 1841 to PIX site-to-site VPN in the past, but this configuration should work:

On the 1841, the IPsec tunnel configuration will look something like this:

!
! IKE phase 1 (ISAKMP) policy and the pre-shared key for the PIX peer on the /30.
! 3DES/MD5 are legacy choices; use AES and SHA if both ends support them.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
crypto isakmp key Test1234 address 10.0.0.2 255.255.255.252
!
! IPsec transform set. Transport mode is sufficient because the GRE tunnel
! below already encapsulates the LAN-to-LAN traffic.
crypto ipsec transform-set strong esp-3des esp-md5-hmac
 mode transport
!
crypto ipsec profile vpnprof
 set transform-set strong
!
! GRE tunnel between the two ends of the leased line, protected by the profile.
! The tunnel subnet is 10.0.0.4/30: the remote end is 10.0.0.5 (the next hop
! of the static route at the bottom), so this end takes 10.0.0.6. 10.0.0.4
! itself is the network address and cannot be assigned to the interface.
! Caveat: a PIX cannot terminate a GRE tunnel interface; with a PIX as the
! peer, use a crypto map with an interesting-traffic ACL on Fa0/1 instead.
interface Tunnel1
 description CryptoGRE Link to PIX
 ip address 10.0.0.6 255.255.255.252
 ip mtu 1416
 ip virtual-reassembly
 tunnel source 10.0.0.1
 tunnel destination 10.0.0.2
! next command may or may not be needed
 tunnel key 571694
 tunnel path-mtu-discovery
 tunnel protection ipsec profile vpnprof
! next command may or may not be needed
 no keepalive
!
! Send the remote LAN through the tunnel.
ip route 172.16.2.0 255.255.255.0 10.0.0.5
Expert Comment

by:smshah78
ID: 22720483
Just to add, this link might be able to provide some more help with setting up the router; the configuration is a bit different and uses NAT, which is not required in your case and can be ignored.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080094498.shtml
Author Comment

by:bramsauer
ID: 22730076
OK, I've been experimenting with the site-to-site VPN a bit, to no avail. Since the issue was starting to get a bit pressing and (a little) annoying, I decided to go for your first proposal: routing between the interfaces without any form of encryption. And this works like a charm. Should the need arise to encrypt data, I could always pull a PPTP-based site-to-site VPN within Windows 2003 from Server B directly to Server A.

Thanks for the help :)

Expert Comment

by:smshah78
ID: 22731489
Glad I was able to help. Cheers!