How do I let a 3rd party access kit behind Cisco 877 router

Posted on 2009-02-23
Last Modified: 2012-06-22
I have asked a similar question before and thought I had got the answer; however, I couldn't get the suggested solution to work when I tried. So I'm posting again with updated requirements and much more info...

We currently have several sites connected to our HQ via secure VPN.  Each remote site has a Cisco 877 router, that is configured to authenticate to ADSL via username and password.  

This has always been fine as we have only ever had our PCs and CCTV equipment connected via the router. We now have a requirement to put some kit on the sites that will need access to the internet and also be accessible by the third party whose kit it is, for support reasons.

There is no need for the 3rd party to access any other part of our network, just their kit at the remote site.

I have pasted and attached our current standard 877 config as used at remote sites; it shows the VLANs we have created for the data, CCTV etc. I have created a VLAN, Vlan 192, that I ideally wanted to use for the 3rd party kit.

Can anyone take a look at the config and advise what I would need to do to keep our current set-up secure, but allow the 3rd party kit internet access and incoming connections from the vendor for support.

We also have multiple public IPs available from the net IP range (net subnet 255.255.255.248) at each remote site, if that would help.

Any help, advice or pointers would be greatly appreciated,


Many Thanks,

Ste.
vlan database
  
vlan 1 name Data
vlan 101 name Voice
vlan 102 name Camera
vlan 192 name iPlus_Kiosk
exit
 
conf t
 
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname station
!
!
no logging buffered
no logging console
!
username Router secret secret
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.218.100.1
ip dhcp excluded-address 10.218.100.225
ip dhcp excluded-address 10.218.100.241
ip dhcp excluded-address 10.218.100.242
ip dhcp excluded-address 10.218.100.1 10.218.100.10
ip dhcp excluded-address 10.218.100.50 10.218.100.60
ip dhcp excluded-address 10.218.100.40
!
no ip dhcp pool CLIENT
ip dhcp pool DATA
   import all
   network 10.218.100.0 255.255.255.128
   default-router 10.218.100.1
   dns-server 10.218.200.49 10.218.200.24	
   lease 0 2
!
ip dhcp pool VOIP
   import all
   network 10.218.100.224 255.255.255.240
   default-router 10.218.100.225
   dns-server 10.218.200.49 10.218.200.24
   lease 0 2
!
ip dhcp pool CAMERA
   import all
   network 10.218.100.240 255.255.255.240
   default-router 10.218.100.241
   dns-server 10.218.200.49 10.218.200.24
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 private address 195.1.1.1 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map station 20 ipsec-isakmp
 description VPN Link to Head Office
 set peer 195.1.1.1
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 130
!
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip nat outside
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname hostname@dsl.co.uk
 ppp chap password password
 ppp pap sent-username hostname@dsl.co.uk password password
 crypto map station
 hold-queue 224 in 
!
 
 
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
access-list 130 permit ip 10.218.100.0 0.0.0.255 any
access-list 130 permit ip host 10.218.100.1 any
dialer-list 1 protocol ip permit
snmp-server community MR ro 
snmp-server enable traps tty
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 
line vty 0 4
 no access-class 23 in
 
 
no access-list 23 permit 10.10.10.0 0.0.0.7
 
access-list 23 permit 10.218.0.0 0.0.255.255
 
 
line vty 0 4
 exec-timeout 120 0
 access-class 23 in
 login local
 length 0
!
scheduler max-task-time 5000
!
enable secret secret
 
no ip dhcp excluded-address 10.10.10.1
no ip dhcp pool sdm-pool
 
 
int fa0
switchport mode access
switchport access vlan 1
 no ip address
 speed auto
 duplex auto
 
int fa1
switchport mode access
switchport access vlan 101
 no ip address
 speed auto
 duplex auto
 
int fa2
switchport mode access
switchport access vlan 102
 no ip address
 speed auto
 duplex auto
 
int fa3
switchport mode access
switchport access vlan 192
 no ip address
 speed auto
 duplex auto
 
no ip access-list extended local
ip access-list extended local
 permit ip 192.168.1.0 0.0.0.255 any
!
 
ip nat source list local interface Dialer1 overload
 
ip nat inside source static udp 192.168.1.2 6502 interface Dialer1 6502
ip nat inside source static udp 192.168.1.2 2233 interface Dialer1 2233
ip nat inside source static tcp 192.168.1.2 23 interface Dialer1 25
 
 
ip access-list extended camera_in
 deny ip any 
 permit ip 192.168.1.0 0.0.0.255 any
!
 
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip nat inside
 ip address 10.218.100.1 255.255.255.128
 ip tcp adjust-mss 1452
 
 
int vlan 101
  ! Voice VLAN
  ip nat inside
  ip address 10.218.100.225 255.255.255.240
  no shut
 ip tcp adjust-mss 1452
 
int vlan 102
  ! Camera VLAN
  ip nat inside
  ip address 10.218.100.241 255.255.255.240
  no shut
 ip tcp adjust-mss 1452
 
int vlan 192
  ! iKiosk VLAN
  ip nat inside
  ip address 192.168.1.1 255.255.255.0
  no shut
 ip tcp adjust-mss 1452
 
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
 
int atm0
no shut
 
no username cisco
 
end


expexc.txt
Question by:stemc
13 Comments
 

Expert Comment

by:arnold
ID: 23718194
One option is to map a port to the 3rd party device which will expose it to the net at large.
The other option is configure a remote VPN that only grants the remote client access to the third party device.
Is the 3rd party device capable of being a VPN end point, i.e. running OpenVPN or a similar application?
 

Author Comment

by:stemc
ID: 23719914
The 3rd party kit will have some sort of remote control software on, like PC Anywhere.

How would I map a port? And would a remote VPN sit alongside our current VPN?

Thanks arnold,

Ste

Expert Comment

by:arnold
ID: 23721684
You can add the access list to allow external traffic to the port of the external device. You then, as with your existing mappings, map the traffic destined for port x to the IP of the 3rd party device.

You currently have two VPN policies; you should be able to add a third that will only allow the remote user access to the 3rd party device.

Are you using SDM to manage the Cisco's configuration, or are you going through the Command Line Interface?
 

Author Comment

by:stemc
ID: 23722361
I generally use command line, but can access via SDM (though not too familiar with it).

Expert Comment

by:arnold
ID: 23722575
You need to add something like:
ip nat inside source static tcp <internal IP> PORTA <external IP> PORTB

PORTB does not have to equal PORTA. You can use this if you want to move the port so it does not use a common port i.e. 3389, 59xx, etc.
Since you do not seem to have an access-list applied to the outside interface, this should be enough to forward external requests to <external IP> PORTB to reach <internal IP> PORTA.
If you add an access-list to the outside interface, you would need to allow this traffic to <external IP> PORTB to pass through.

Currently you have two VPN policies. A site-to-site and an incoming remote.
I think you can add another one and limit to which systems this VPN can connect.
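A worked configuration for the port-mapping approach arnold describes above, added here as an editor's example; it is not part of the original thread and not arnold's or the author's config. It assumes things the post does not state: that the kit at 192.168.1.2 listens on TCP 5631 (a pcAnywhere-style remote-control port), that the vendor supports it from a single address, 203.0.113.10 (a documentation-range placeholder), and that the 877's IOS image includes CBAC (`ip inspect`). The kit address 192.168.1.2 and the HQ VPN peer 195.1.1.1 are the ones in the posted config. The security point is the one arnold makes in passing: a bare static translation exposes the port to the whole Internet, so the translation is paired with an inbound filter on Dialer1 that admits only the vendor's source address on that one port.

```cisco
! --- Added example: expose only the vendor's support port, only to the vendor ---
! Assumptions (not from the original post): kit at 192.168.1.2 listens on TCP 5631,
! vendor support host is 203.0.113.10 (placeholder), IOS image supports ip inspect.
!
! 1. Static port mapping from the public (negotiated) Dialer1 address to the kit.
!    The outside port need not equal the inside port; 45631 is used here so the
!    service is not sitting on its well-known port.
ip nat inside source static tcp 192.168.1.2 5631 interface Dialer1 45631
!
! 2. Stateful inspection of sessions the LAN opens outbound, so the inbound ACL
!    below does not need a blanket "established" hole for return traffic.
ip inspect name OUTSIDE_FW tcp
ip inspect name OUTSIDE_FW udp
ip inspect name OUTSIDE_FW icmp
!
! 3. Inbound filter on the ADSL interface. An inbound ACL is evaluated before NAT
!    un-translates the destination, so it must match the public port (45631),
!    not the inside port (5631).
ip access-list extended OUTSIDE_IN
 remark Site-to-site IPsec to HQ (peer 195.1.1.1 from the posted crypto map)
 permit udp host 195.1.1.1 any eq 500
 permit udp host 195.1.1.1 any eq 4500
 permit esp host 195.1.1.1 any
 remark Vendor support: one source address, one port
 permit tcp host 203.0.113.10 any eq 45631
 remark Decrypted HQ traffic, in case this IOS re-checks it against the ACL;
 remark remove if "show access-lists" shows it never matches
 permit ip 10.218.0.0 0.0.255.255 any
 remark Everything else arriving from the Internet is dropped and logged
 deny   ip any any log
!
interface Dialer1
 ip access-group OUTSIDE_IN in
 ip inspect OUTSIDE_FW out
```

Check it with `show ip nat translations` (the static entry should be present before any traffic flows), `show ip inspect sessions` while a LAN host browses, and `show access-lists OUTSIDE_IN` for hit counts and the logged denies. If the vendor's support address changes, only the single `permit tcp host ...` line moves. If the IOS image does not have `ip inspect`, the fallback is a stateless `permit tcp any any established` plus explicit UDP entries, which is noticeably weaker.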
 

Author Comment

by:stemc
ID: 23734682
Thanks Arnold. I now have the NAT working :-)

I have successfully mapped a port to the kit in the VLAN 192 range.    The only additional requirement is that I need the equipment in the vlan 192 to have access to the Internet, directly or via our VPN through to HQ.  Do you know how I can achieve this ?

Thanks again,

Ste

Assisted Solution

by:arnold
ID: 23734909
First question first: is the kit unable to access the internet at this time? What is the routing table that it has (netstat -rn)? Does it have a default gateway set correctly?

At this point, I'm not sure I see anything that will prevent a device with IP 192.168.1.x access to the internet in vlan 192. The VLAN 192 systems seem to rely on static IP allocation rather than via DHCP, so the only thing to make sure is that the netmask, default gateway, and name server records are included in the configuration.  Without name servers, the system will not have a way to resolve domain names.  If the kit is capable of establishing a VPN connection, PPTP, L2TP etc., then it should be able to establish a VPN connection and if the setting is to secure all networks, traffic from the kit will go through the VPN to the internet.  The VPN will also need to pass a DNS server record to the kit.


 
 

Author Comment

by:stemc
ID: 23735117
Hi Arnold,

I have the kit assigned IP address 192.168.1.2

The routing table looks spot on and the default gateway is fine. The only other IP addresses I can ping are those of the kit in VLAN 192, i.e. the default gateway (192.168.1.1) and other PCs in the VLAN. I tried to ping other VLANs on the router and the internet address 217.146.186.51 (www.yahoo.co.uk) with no joy?

Thanks

Ste

Accepted Solution

by:arnold
ID: 23736752
From the 192.168.1.x can you access the cameras?
10.218.100.241 255.255.255.240

Can you post the routing table on the router?
192.168.1.1 is IP for the VLAN interface on the router.

Get into the VLAN configuration and run show to see what VLANs you have defined and how they are defined.
http://www.velocityreviews.com/forums/t434054-cisco-877-router-vlandmz-configurationproblem.html

http://www.experts-exchange.com/Hardware/Networking_Hardware/Routers/Q_23887778.html

Your "ip nat source list local interface Dialer1 overload" suggests that it should work since your extended local acl allows 192.168.1.0 access..

Could you post your current config? show config?

Author Comment

by:stemc
ID: 23746052
Hi,

From my PC plugged into Vlan192, with the IP address 192.168.1.2, netstat -rn returns:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.2           10004       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

To confirm what I can ping:
All other VLANs on that router, i.e. Vlan1, Vlan101 & Vlan102. I cannot ping anything else, i.e. across the VPN or on the internet.

I have done the pings from my PC (192.168.1.2) and using the extended ping command from 192.168.1.1, with the same results for both.

The other VLANs on that router send ALL traffic, including port 80 traffic, across the VPN to our HQ, where we filter and route all traffic appropriately; we don't have any kit going directly out to the internet through the router. I don't know if this affects anything?

I have attached the router config and the results of the netstat command as text files.
RHRouter.txt
netstat.txt

Assisted Solution

by:arnold
ID: 23746426
I think the local policy only allows IP traffic. Pings are part of ICMP. See if adding
ip access-list extended local permit icmp 192.168.1.0 0.0.0.255 any
makes a difference.

Can you post the routing table from the router. show ip route?

Author Comment

by:stemc
ID: 23746617
Hi Arnold,

Thanks again for the response.

The command made no difference to the results of the ping commands.

The routing table  results are attached :

cheers

Ste
routetable.txt

Assisted Solution

by:arnold
ID: 23746912
Do you have name servers listed on the pc ipconfig /all?
Are you pinging by IP or by name?
The other EE article referenced in my prior response has a similar check list for you to go through.

You could try adding the various no options referenced under the Dialer in the referenced EE example.
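The thread ends with the kiosk VLAN still unable to reach the Internet. Two things in the posted config stand out, and the example below, added by the editor rather than taken from anything in the thread, addresses both. First, the overload rule is written in the NAT Virtual Interface form (`ip nat source list ...`), which applies only to interfaces configured with `ip nat enable`; every interface in the posted config uses the legacy `ip nat inside`/`ip nat outside` roles instead, so 192.168.1.x source addresses are never translated on Dialer1 and replies have nowhere to come back to (the static translations, which use the legacy `ip nat inside source static` form, do work, as the author reports). Second, the author confirms the kiosk can ping every other VLAN, whereas the stated requirement is that the third party reaches nothing beyond its own kit. The 10.218.0.0/16 range treated below as "the company network" is an assumption taken from access-list 23; the remaining addresses are from the posted config.

```cisco
! --- Added example: translate the kiosk VLAN on Dialer1 and fence it off ---
! Assumption (not from the original post): 10.218.0.0/16 is the whole company
! range (it is what access-list 23 already trusts for vty access).
!
! 1. Legacy-NAT overload rule, matching the "ip nat inside/outside" interface
!    roles already in the config; the posted line lacks the "inside" keyword.
no ip nat source list local interface Dialer1 overload
ip nat inside source list local interface Dialer1 overload
!
! 2. The NAT ACL stays as posted. "permit ip" already matches ICMP, so no
!    separate ICMP entry is needed for ping to work once translation happens.
ip access-list extended local
 permit ip 192.168.1.0 0.0.0.255 any
!
! 3. Segmentation: the kiosk VLAN may use its gateway and the Internet, but not
!    the data, voice or camera VLANs, nor anything at HQ across the VPN.
!    Attempts are logged so vendor kit probing the LAN shows up in the log.
ip access-list extended KIOSK_IN
 deny   ip 192.168.1.0 0.0.0.255 10.218.0.0 0.0.255.255 log
 permit ip 192.168.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan192
 ip access-group KIOSK_IN in
!
! 4. Crypto ACL 130 is deliberately left alone: it does not include
!    192.168.1.0/24, so kiosk traffic leaves via Dialer1 (translated) instead of
!    through the HQ tunnel, which keeps the vendor kit out of the HQ network.
```

Verify with `show ip nat statistics` (Dialer1 should be listed as the outside interface, the VLAN interfaces as inside, and `access-list local interface Dialer1` as the dynamic mapping), then `show ip nat translations` after a ping from 192.168.1.2 to a public address, and `show access-lists KIOSK_IN` for hit counts on the deny lines. One caveat that follows from the filter: the kiosk cannot use the HQ resolvers (10.218.200.49 and .24 in the DHCP pools), so, as arnold notes, it needs a name server it can actually reach, which here means an Internet-reachable one.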