Asked by stemc
How do I let a 3rd party access kit behind Cisco 877 router
I have asked a similar question before and thought I had got the answer; however, I couldn't get the suggested solution to work when I tried. So I'm posting again with updated requirements and much more info.
We currently have several sites connected to our HQ via secure VPN. Each remote site has a Cisco 877 router that is configured to authenticate to ADSL via username and password.
This has always been fine as we have only ever had our PCs and CCTV equipment connected via the router. We now have a requirement to put some kit on the sites that will need access to the internet and also be accessible by the third party whose kit it is, for support reasons.
There is no need for the 3rd party to access any other part of our network, just their kit at the remote site.
I have pasted and attached our current standard 877 config as used at remote sites; it shows the VLANs we have created for the data, CCTV etc. I have created a VLAN, Vlan 192, that I ideally wanted to use for the 3rd party kit.
Can anyone take a look at the config and advise what I would need to do to keep our current set-up secure, but allow the 3rd party kit internet access and incoming connections from the vendor for support?
We also have multiple public IPs available from the Net IP range (net subnet 255.255.255.248) at each remote site if that would help.
Any help, advice or pointers would be greatly appreciated,
Many Thanks,
Ste.
vlan database
vlan 1 name Data
vlan 101 name Voice
vlan 102 name Camera
vlan 192 name iPlus_Kiosk
exit
conf t
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname station
!
!
no logging buffered
no logging console
!
username Router secret secret
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.218.100.1
ip dhcp excluded-address 10.218.100.225
ip dhcp excluded-address 10.218.100.241
ip dhcp excluded-address 10.218.100.242
ip dhcp excluded-address 10.218.100.1 10.218.100.10
ip dhcp excluded-address 10.218.100.50 10.218.100.60
ip dhcp excluded-address 10.218.100.40
!
no ip dhcp pool CLIENT
ip dhcp pool DATA
import all
network 10.218.100.0 255.255.255.128
default-router 10.218.100.1
dns-server 10.218.200.49 10.218.200.24
lease 0 2
!
ip dhcp pool VOIP
import all
network 10.218.100.224 255.255.255.240
default-router 10.218.100.225
dns-server 10.218.200.49 10.218.200.24
lease 0 2
!
ip dhcp pool CAMERA
import all
network 10.218.100.240 255.255.255.240
default-router 10.218.100.241
dns-server 10.218.200.49 10.218.200.24
lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
! 3DES, MD5/SHA-1 and DH group 2 are legacy settings; move to AES, SHA-2 and a stronger group once the HQ peer supports them
crypto isakmp key 0 private address 195.1.1.1 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map station 20 ipsec-isakmp
description VPN Link to Head Office
set peer 195.1.1.1
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
match address 130
!
!
!
!
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip nat outside
ip address negotiated
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname hostname@dsl.co.uk
ppp chap password password
ppp pap sent-username hostname@dsl.co.uk password password
crypto map station
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
! both HTTP and HTTPS management are enabled with no "ip http access-class"; only the vty lines are restricted (ACL 23)
!
access-list 130 permit ip 10.218.100.0 0.0.0.255 any
access-list 130 permit ip host 10.218.100.1 any
dialer-list 1 protocol ip permit
! read-only community with no access-list, so SNMP is answered from any interface
snmp-server community MR ro
snmp-server enable traps tty
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
no access-class 23 in
no access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.218.0.0 0.0.255.255
line vty 0 4
exec-timeout 120 0
access-class 23 in
login local
length 0
!
scheduler max-task-time 5000
!
enable secret secret
no ip dhcp excluded-address 10.10.10.1
no ip dhcp pool sdm-pool
int fa0
switchport mode access
switchport access vlan 1
no ip address
speed auto
duplex auto
int fa1
switchport mode access
switchport access vlan 101
no ip address
speed auto
duplex auto
int fa2
switchport mode access
switchport access vlan 102
no ip address
speed auto
duplex auto
int fa3
switchport mode access
switchport access vlan 192
no ip address
speed auto
duplex auto
no ip access-list extended local
ip access-list extended local
permit ip 192.168.1.0 0.0.0.255 any
!
! Dynamic NAT for the kiosk VLAN, in the classic inside/outside form. The
! "ip nat source list ..." (NAT Virtual Interface) form only translates on
! interfaces marked "ip nat enable"; the interfaces here are marked
! "ip nat inside"/"ip nat outside", so it is the form below that applies.
ip nat inside source list local interface Dialer1 overload
! Static port maps to the kiosk. Outside tcp/25 is forwarded to inside tcp/23
! (telnet), so a cleartext login service is exposed to any Internet source.
ip nat inside source static udp 192.168.1.2 6502 interface Dialer1 6502
ip nat inside source static udp 192.168.1.2 2233 interface Dialer1 2233
ip nat inside source static tcp 192.168.1.2 23 interface Dialer1 25
! Not applied to any interface; as written the deny entry shadows the permit.
ip access-list extended camera_in
deny ip any any
permit ip 192.168.1.0 0.0.0.255 any
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip nat inside
ip address 10.218.100.1 255.255.255.128
ip tcp adjust-mss 1452
int vlan 101
! Voice VLAN
ip nat inside
ip address 10.218.100.225 255.255.255.240
no shut
ip tcp adjust-mss 1452
int vlan 102
! Camera VLAN
ip nat inside
ip address 10.218.100.241 255.255.255.240
no shut
ip tcp adjust-mss 1452
int vlan 192
! iKiosk VLAN
ip nat inside
ip address 192.168.1.1 255.255.255.0
no shut
ip tcp adjust-mss 1452
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
int atm0
no shut
no username cisco
end
expexc.txt
ASKER
The 3rd party kit will have some sort of remote control software on, like PC Anywhere.
How would I map a port, and would a remote VPN sit alongside our current VPN?
Thanks arnold,
Ste
You can add the access list to allow external traffic to the port of the external device. You then, similar to your existing map, map the traffic destined for port x to get to the IP of the 3rd party device.
You currently have two VPN policies; you should be able to add a third that will only allow the remote user access to the 3rd party device.
Are you using SDM to manage the Cisco's configuration or are you going through the Command Line Interface?
ASKER
I generally use command line, but can access via SDM (though not too familiar with it).
You need to add something like:
ip nat inside source static tcp <internal IP> PORTA <external IP> PORTB
PORTB does not have to equal PORTA. You can use this if you want to move the port so it does not use a common port (e.g. 3389, 59xx).
Since you do not seem to have an access-list applied to the outside interface, this should be enough to forward external requests to <external IP> PORTB to reach <internal IP> PORTA.
If you add an access-list to the outside interface, you would need to allow this traffic to <external IP> PORTB to pass through.
Currently you have two VPN policies. A site-to-site and an incoming remote.
I think you can add another one and limit to which systems this VPN can connect.
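As an added example (not Arnold's or stemc's configuration), here is the inbound side of that port mapping written out in full against the config posted above, with the "access-list on the outside interface" that the answer mentions. Assumed values: the kiosk is 192.168.1.2, the remote-control product uses the PC Anywhere defaults (TCP 5631 for data, UDP 5632 for status), the vendor connects from 203.0.113.0/24 (a placeholder documentation range), and the outside ports are moved to 55631/55632, an arbitrary choice. 195.1.1.1 is the head-office peer already in the posted crypto map.

```cisco
! Added example, not part of the posted config. Assumed values: kiosk at
! 192.168.1.2, remote-control product on the PC Anywhere defaults (TCP 5631
! data, UDP 5632 status), vendor source block 203.0.113.0/24 (placeholder),
! outside ports 55631/55632 (arbitrary). 195.1.1.1 is the HQ peer already in
! the crypto map.
!
! Port maps: Dialer1:55631 -> 192.168.1.2:5631, Dialer1:55632 -> 192.168.1.2:5632
ip nat inside source static tcp 192.168.1.2 5631 interface Dialer1 55631
ip nat inside source static udp 192.168.1.2 5632 interface Dialer1 55632
!
! Inbound filter on the ADSL side. An inbound ACL on the outside interface
! sees the packet before NAT, so match the OUTSIDE port; the destination is
! "any" because Dialer1's address is negotiated.
ip access-list extended OUTSIDE-IN
 remark site-to-site IPsec with head office
 permit udp host 195.1.1.1 any eq isakmp
 permit udp host 195.1.1.1 any eq non500-isakmp
 permit esp host 195.1.1.1 any
 remark vendor support to the kiosk, from the vendor's addresses only
 permit tcp 203.0.113.0 0.0.0.255 any eq 55631
 permit udp 203.0.113.0 0.0.0.255 any eq 55632
 remark replies to sessions VLAN 192 opened outbound (not stateful, see note)
 permit tcp any any established
 permit udp any eq domain any
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark everything else, including other sources probing the mapped ports
 deny   ip any any log
!
interface Dialer1
 ip access-group OUTSIDE-IN in
```

Three caveats before applying it. `permit tcp any any established` only checks TCP flags and is not a state table; if the 877's image has CBAC (`ip inspect`) or the zone-based firewall, use that for the return traffic instead. The existing 6502/2233 and tcp/25 maps are not permitted here, so they stop working for everyone unless lines are added for them. On some IOS releases traffic decrypted from the HQ tunnel is checked against this ACL again after decryption; if head-office traffic to 10.218.100.0/24 stops after the ACL is applied, add permits for 10.218.0.0 0.0.255.255 to 10.218.100.0 0.0.0.255. Finally, the posted config has `no logging buffered` and `no logging console`, so the `log` keyword produces nothing until `logging buffered` is turned back on.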
ASKER
Thanks Arnold. I now have the NAT working :-)
I have successfully mapped a port to the kit in the VLAN 192 range. The only additional requirement is that I need the equipment in the vlan 192 to have access to the Internet, directly or via our VPN through to HQ. Do you know how I can achieve this ?
Thanks again,
Ste
SOLUTION
ASKER
Hi Arnold,
I have the kit assigned IP address 192.168.1.2.
The routing table looks spot on and the default gateway is fine. The only other IP addresses I can ping are those of the kit in VLAN 192, i.e. the default gateway (192.168.1.1) and other PCs in the VLAN. I tried to ping other VLANs on the router and the internet address 217.146.186.51 (www.yahoo.co.uk) with no joy.
Thanks
Ste
ASKER CERTIFIED SOLUTION
ASKER
Hi,
From my PC plugged into Vlan192, with the IP address 192.168.1.2, netstat -rn returns:
Active Routes:
Network Destination   Netmask           Gateway       Interface     Metric
0.0.0.0               0.0.0.0           192.168.1.1   192.168.1.2   20
127.0.0.0             255.0.0.0         127.0.0.1     127.0.0.1     1
192.168.1.0           255.255.255.0     192.168.1.2   192.168.1.2   20
192.168.1.2           255.255.255.255   127.0.0.1     127.0.0.1     20
192.168.1.255         255.255.255.255   192.168.1.2   192.168.1.2   20
224.0.0.0             240.0.0.0         192.168.1.2   192.168.1.2   20
255.255.255.255       255.255.255.255   192.168.1.2   192.168.1.2   1
255.255.255.255       255.255.255.255   192.168.1.2   10004         1
Default Gateway: 192.168.1.1
Persistent Routes:
None
To confirm what I can ping ..........
All other VLANs on that router, i.e. Vlan1, Vlan101 and Vlan102. I cannot ping anything else, i.e. across the VPN or on the internet.
I have done the pings from my PC (192.168.1.2) and using the extended ping command from 192.168.1.1, with the same results for both.
Other VLANs on that router send ALL traffic, including port 80 traffic, across the VPN to our HQ, where we filter and route all traffic appropriately; we don't have any kit going directly out to the internet through the router. I don't know if this affects anything?
I have attached the router config and the results of the netstat command as a text file.
RHRouter.txt
netstat.txt
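As an added example (not from the thread), here is the outbound side for VLAN 192 against the config posted above: direct Internet access via NAT on Dialer1, with the kiosk kept away from the internal VLANs and the head-office tunnel. Two points from the posted config matter here. If the dynamic NAT rule is still in the `ip nat source list ...` (NAT Virtual Interface) form rather than `ip nat inside source list ...`, it only translates on interfaces marked `ip nat enable`, and the interfaces here carry `ip nat inside`/`ip nat outside`, so outbound kiosk traffic leaves untranslated; that matches reaching the other VLANs but nothing past Dialer1. Second, 192.168.1.0/24 is not in ACL 130, so it is not pulled into the tunnel, which is what the "directly" option needs. Assumed values: the kiosk VLAN stays 192.168.1.0/24 with gateway 192.168.1.1, the kiosk's DNS points at a public resolver (the DHCP pools hand out 10.218.200.x, which this filter blocks), and internal address space is covered by the RFC 1918 ranges.

```cisco
! Added example, not part of the posted config. Assumed values: kiosk VLAN
! 192.168.1.0/24 with gateway 192.168.1.1 (as posted), kiosk DNS pointing at
! a public resolver, internal space covered by the RFC 1918 ranges.
!
! 1. Dynamic NAT in the classic inside/outside form. The "ip nat source list"
!    (NAT Virtual Interface) form only translates on interfaces carrying
!    "ip nat enable"; the interfaces here carry "ip nat inside"/"ip nat outside".
no ip nat source list local interface Dialer1 overload
ip nat inside source list local interface Dialer1 overload
!
! 2. 192.168.1.0/24 is deliberately absent from ACL 130 (the crypto ACL), so
!    kiosk traffic is not pulled into the HQ tunnel and leaves Dialer1 via NAT.
!
! 3. Isolate the kiosk VLAN from everything internal. Applied inbound on
!    Vlan192, so "source" is always the kiosk side.
ip access-list extended KIOSK-IN
 remark let the kiosk ping its gateway for troubleshooting
 permit icmp 192.168.1.0 0.0.0.255 host 192.168.1.1 echo
 remark no access to data/voice/camera VLANs, HQ, the router's other
 remark addresses, or any other private range (covers 192.168.1.1 itself)
 deny   ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark everything else is Internet-bound and gets translated
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan192
 ip access-group KIOSK-IN in
```

The filter does not stop the kiosk reaching the router's own public address (HTTP/HTTPS management is enabled with no access class in the posted config); add `ip http access-class` with an ACL limited to 10.218.0.0/16 for that. The other route the asker mentions, hair-pinning kiosk traffic through HQ, would instead require adding 192.168.1.0/24 to ACL 130 here, the mirror entry on the HQ peer, and NAT at HQ; it is not shown. As before, `deny ... log` only shows hits once `logging buffered` is re-enabled.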
SOLUTION
ASKER
Hi Arnold,
Thanks again for the response.
The command made no difference to the result of the ping commands.
The routing table results are attached :
cheers
Ste
routetable.txt
SOLUTION
The other option is to configure a remote VPN that only grants the remote client access to the third-party device.
Is the 3rd party device capable of being a VPN endpoint, i.e. running OpenVPN or a similar application?
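As an added example (not Arnold's or stemc's configuration), here is the remote-access option from that last answer built on the router itself, as an IOS Easy VPN server hung off the existing crypto map so that it sits alongside the site-to-site tunnel, with the vendor's client limited to the kiosk host. It does not depend on the third-party kit running OpenVPN. Assumed values: the group name VENDOR, the CHANGE-ME secrets, the client address pool 192.168.250.0/28 (unused in the posted config) and AES/SHA-1 for the vendor policy; everything else is from the posted config. The `no-xauth` already on the head-office key is what lets a static site-to-site peer coexist with XAUTH users.

```cisco
! Added example, not part of the posted config. Assumed values: group name
! VENDOR, the CHANGE-ME secrets, client pool 192.168.250.0/28 (unused in the
! posted config), AES/SHA-1 for the vendor policy. The "no-xauth" already on
! the head-office key is what lets the static peer coexist with XAUTH users.
!
! AAA is required for XAUTH. Giving the default login list "local" keeps the
! vty behaviour of "login local"; note the console will now also prompt for
! the local username. The PPP list is harmless here ("callin" means the
! router never challenges the ISP) but avoids a missing-list surprise.
aaa new-model
aaa authentication login default local
aaa authentication ppp default local
aaa authentication login VENDOR-AUTH local
aaa authorization network VENDOR-GROUP local
username vendor-support secret CHANGE-ME-user-password
!
crypto isakmp policy 5
 encr aes
 authentication pre-share
 group 2
!
! Group the vendor's client connects with (aggressive mode, group name + key)
crypto isakmp client configuration group VENDOR
 key CHANGE-ME-group-key
 pool VENDOR-POOL
 acl 140
!
crypto isakmp profile VENDOR
 match identity group VENDOR
 client authentication list VENDOR-AUTH
 isakmp authorization list VENDOR-GROUP
 client configuration address respond
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map VENDOR-DYN 10
 set transform-set ESP-AES-SHA
 set isakmp-profile VENDOR
 reverse-route
!
! Dynamic entry on the same crypto map, after the static HQ entry (seq 20),
! so both VPNs terminate on Dialer1 side by side.
crypto map station 100 ipsec-isakmp dynamic VENDOR-DYN
!
ip local pool VENDOR-POOL 192.168.250.1 192.168.250.14
!
! Split-tunnel ACL: the only network pushed to the client, and so the only
! proxy identity accepted on the client's IPsec SA, is the kiosk host. Packets
! for other destinations never match the SA and are dropped.
access-list 140 permit ip host 192.168.1.2 any
!
! Rebuild the NAT ACL so kiosk -> client traffic is not translated on the way
! back through the tunnel (a named ACL appends, so recreate it in order).
no ip access-list extended local
ip access-list extended local
 deny   ip 192.168.1.0 0.0.0.255 192.168.250.0 0.0.0.15
 permit ip 192.168.1.0 0.0.0.255 any
```

The vendor gets a per-user login (XAUTH) on top of the group key, and a later revocation is just `no username vendor-support`. Two interactions to check: any inbound filter on Dialer1 must permit UDP 500/4500 and ESP from any source, since the vendor's client has no fixed address; and any inbound filter on Vlan192 that blocks private ranges must permit 192.168.250.0/28 ahead of that block, or the kiosk's replies to the client are dropped. `show crypto isakmp sa` and `show crypto ipsec sa` will show the client SA with the proxy identity 192.168.1.2/32, which is the property that confines the vendor to the kiosk.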