stemc asked:

How do I let a 3rd party access kit behind Cisco 877 router

I have asked a similar question before and thought I had got the answer; however, I couldn't get the suggested solution to work when I tried. So I'm posting again with updated requirements and much more info...

We currently have several sites connected to our HQ via secure VPN. Each remote site has a Cisco 877 router that is configured to authenticate to ADSL via username and password.

This has always been fine as we have only ever had our PCs and CCTV equipment connected via the router. We now have a requirement to put some kit on the sites that will need access to the internet and also be accessible by the third party whose kit it is, for support reasons.

There is no need for the 3rd party to access any other part of our network, just their kit at the remote site.

I have pasted and attached our current standard 877 config as used at remote sites; it shows the VLANs we have created for the data, CCTV etc. I have created a VLAN, Vlan 192, that I ideally wanted to use for the 3rd party kit.

Can anyone take a look at the config and advise what I would need to do to keep our current set-up secure, but allow the 3rd party kit internet access and incoming connections from the vendor for support?

We also have multiple public IPs available from the Net IP range (net subnet 255.255.255.248) at each remote site if that would help.

Any help, advice or pointers would be greatly appreciated,


Many Thanks,

Ste.
vlan database
  
vlan 1 name Data
vlan 101 name Voice
vlan 102 name Camera
vlan 192 name iPlus_Kiosk
exit
 
conf t
 
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname station
!
!
no logging buffered
no logging console
!
username Router secret secret
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.218.100.1
ip dhcp excluded-address 10.218.100.225
ip dhcp excluded-address 10.218.100.241
ip dhcp excluded-address 10.218.100.242
ip dhcp excluded-address 10.218.100.1 10.218.100.10
ip dhcp excluded-address 10.218.100.50 10.218.100.60
ip dhcp excluded-address 10.218.100.40
!
no ip dhcp pool CLIENT
ip dhcp pool DATA
   import all
   network 10.218.100.0 255.255.255.128
   default-router 10.218.100.1
   dns-server 10.218.200.49 10.218.200.24	
   lease 0 2
!
ip dhcp pool VOIP
   import all
   network 10.218.100.224 255.255.255.240
   default-router 10.218.100.225
   dns-server 10.218.200.49 10.218.200.24
   lease 0 2
!
ip dhcp pool CAMERA
   import all
   network 10.218.100.240 255.255.255.240
   default-router 10.218.100.241
   dns-server 10.218.200.49 10.218.200.24
   lease 0 2
!
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key 0 private address 195.1.1.1 no-xauth
!
!
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map station 20 ipsec-isakmp
 description VPN Link to Head Office
 set peer 195.1.1.1
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA
 match address 130
!
!
!
!
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 ip nat outside
 ip address negotiated
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname hostname@dsl.co.uk
 ppp chap password password
 ppp pap sent-username hostname@dsl.co.uk password password
 crypto map station
 hold-queue 224 in 
!
 
 
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http secure-server
!
access-list 130 permit ip 10.218.100.0 0.0.0.255 any
access-list 130 permit ip host 10.218.100.1 any
dialer-list 1 protocol ip permit
snmp-server community MR ro 
snmp-server enable traps tty
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 
line vty 0 4
 no access-class 23 in
 
 
no access-list 23 permit 10.10.10.0 0.0.0.7
 
access-list 23 permit 10.218.0.0 0.0.255.255
 
 
line vty 0 4
 exec-timeout 120 0
 access-class 23 in
 login local
 length 0
!
scheduler max-task-time 5000
!
enable secret secret
 
no ip dhcp excluded-address 10.10.10.1
no ip dhcp pool sdm-pool
 
 
int fa0
switchport mode access
switchport access vlan 1
 no ip address
 speed auto
 duplex auto
 
int fa1
switchport mode access
switchport access vlan 101
 no ip address
 speed auto
 duplex auto
 
int fa2
switchport mode access
switchport access vlan 102
 no ip address
 speed auto
 duplex auto
 
int fa3
switchport mode access
switchport access vlan 192
 no ip address
 speed auto
 duplex auto
 
no ip access-list extended local
ip access-list extended local
 permit ip 192.168.1.0 0.0.0.255 any
!
 
ip nat source list local interface Dialer1 overload
 
ip nat inside source static udp 192.168.1.2 6502 interface Dialer1 6502
ip nat inside source static udp 192.168.1.2 2233 interface Dialer1 2233
ip nat inside source static tcp 192.168.1.2 23 interface Dialer1 25
 
 
ip access-list extended camera_in
 deny ip any 
 permit ip 192.168.1.0 0.0.0.255 any
!
 
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip nat inside
 ip address 10.218.100.1 255.255.255.128
 ip tcp adjust-mss 1452
 
 
int vlan 101
  ! Voice VLAN
  ip nat inside
  ip address 10.218.100.225 255.255.255.240
  no shut
 ip tcp adjust-mss 1452
 
int vlan 102
  ! Camera VLAN
  ip nat inside
  ip address 10.218.100.241 255.255.255.240
  no shut
 ip tcp adjust-mss 1452
 
int vlan 192
  ! iKiosk VLAN
  ip nat inside
  ip address 192.168.1.1 255.255.255.0
  no shut
 ip tcp adjust-mss 1452
 
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
 
int atm0
no shut
 
no username cisco
 
end

Attached: expexc.txt

arnold:

One option is to map a port to the 3rd party device which will expose it to the net at large.
The other option is configure a remote VPN that only grants the remote client access to the third party device.
Is the 3rd party device capable of being a VPN endpoint, i.e. running OpenVPN or a similar application?
stemc (ASKER):

The 3rd party kit will have some sort of remote control software on, like PC Anywhere.

How would I map a port? And would a remote VPN sit alongside our current VPN?

Thanks arnold,

Ste
You can add the access list to allow external traffic to the port of the external device. You then, similar to your existing mapping, map the traffic destined for port x to the IP of the 3rd party device.

You currently have two VPN policies; you should be able to add a third that will only allow the remote user access to the 3rd party device.

Are you using SDM to manage the Cisco's configuration or are you going through the Command Line Interface?
stemc (ASKER):

I generally use command line, but can access via SDM (though not too familiar with it).
You need to add something like:
ip nat inside source static tcp <internal IP> PORTA <external IP> PORTB

PORTB does not have to equal PORTA. You can use this if you want to move the port so it does not use a common port i.e. 3389, 59xx, etc.
Since you do not seem to have an access-list applied to the outside interface, this should be enough to forward external requests to <external IP> PORTB to reach <internal IP> PORTA.
If you add an access-list to the outside interface, you would need to allow this traffic to <external IP> PORTB to pass through.

Currently you have two VPN policies: a site-to-site and an incoming remote.
I think you can add another one and limit to which systems this VPN can connect.
stemc (ASKER):

Thanks Arnold. I now have the NAT working :-)

I have successfully mapped a port to the kit in the VLAN 192 range. The only additional requirement is that I need the equipment in VLAN 192 to have access to the Internet, directly or via our VPN through to HQ. Do you know how I can achieve this?

Thanks again,

Ste
SOLUTION (arnold)
This solution is only available to members.
stemc (ASKER):

Hi Arnold,

I have the kit assigned IP address 192.168.1.2.

The routing table looks spot on and the default gateway is fine. The only other IP addresses I can ping are of the kit in VLAN 192, i.e. the DF gateway (192.168.1.1) and other PCs in the VLAN. I tried to ping other VLANs on the router and the internet address 217.146.186.51 (www.yahoo.co.uk) with no joy???

Thanks

Ste
ASKER CERTIFIED SOLUTION
This solution is only available to members.
stemc (ASKER):

Hi,

From my PC plugged into Vlan192, with the IP addy 192.168.1.2, netstat -rn returns:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.2       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.2     192.168.1.2       20
      192.168.1.2  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.1.255  255.255.255.255      192.168.1.2     192.168.1.2       20
        224.0.0.0        240.0.0.0      192.168.1.2     192.168.1.2       20
  255.255.255.255  255.255.255.255      192.168.1.2     192.168.1.2       1
  255.255.255.255  255.255.255.255      192.168.1.2           10004       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

To confirm what I can ping:
All other VLANs on that router, i.e. Vlan1, Vlan101 & Vlan102. I cannot ping anything else, i.e. across the VPN or on the internet.

I have done the pings from my PC (192.168.1.2) and using the extended ping command from 192.168.1.1, with the same results for both.

Other VLANs on that router send ALL traffic, including port 80 traffic, across the VPN to our HQ where we filter and route all traffic appropriately; we don't have any kit going directly out to the internet through the router. I don't know if this affects anything?

I have attached the router config and the results of the netstat command as a text file.
RHRouter.txt
netstat.txt
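An added diagnostic, not part of the thread and not arnold's members-only answer: a small Python checker that parses the NAT and ACL statements from the posted 877 config (re-typed here as a constructed excerpt) and reports why hosts in a VLAN subnet would not be translated out of Dialer1. It ties together arnold's point about NAT statements and access lists and the symptom reported above (port map works, outbound internet from VLAN 192 does not): the posted overload line reads `ip nat source list`, which is NVI syntax that only applies to interfaces configured with `ip nat enable`, while the posted interfaces use classic `ip nat inside`/`ip nat outside`; the checker also confirms the subnet is permitted by the NAT ACL and is not matched by crypto ACL 130, which would send it down the tunnel to HQ instead. Function and variable names are my own.

```python
import ipaddress
import re

# Constructed excerpt of the 877 config posted in the question: only the NAT/ACL lines matter here.
CONFIG = """\
ip access-list extended local
 permit ip 192.168.1.0 0.0.0.255 any
ip nat source list local interface Dialer1 overload
access-list 130 permit ip 10.218.100.0 0.0.0.255 any
access-list 130 permit ip host 10.218.100.1 any
"""

def wildcard_net(addr, wild):
    """IOS 'address wildcard' pair -> IPv4Network (a wildcard is an inverted netmask)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def acl_sources(config, name):
    """Source networks permitted by a named or numbered extended IP ACL."""
    nets, block = [], None
    for line in config.splitlines():
        m = re.match(r"ip access-list extended (\S+)", line)
        if m:
            block = m.group(1)  # entering a named ACL; its entries are indented
            continue
        if not line.startswith(" "):
            block = None
        m = re.match(r"(?:access-list (\S+))?\s*permit ip (?:host (\S+)|(\S+) (\S+))", line)
        if m and (m.group(1) or block) == name:
            nets.append(ipaddress.IPv4Network(m.group(2) + "/32") if m.group(2)
                        else wildcard_net(m.group(3), m.group(4)))
    return nets

def check_vlan_nat(config, subnet):
    """List the reasons hosts in `subnet` would not be overloaded (PAT) out of Dialer1."""
    net, problems = ipaddress.IPv4Network(subnet), []
    m = re.search(r"^ip nat (inside )?source list (\S+) interface \S+ overload", config, re.M)
    if not m:
        return ["no 'ip nat ... source list ... overload' statement"]
    if not m.group(1):
        # 'ip nat source' with no inside/outside is NVI syntax (needs 'ip nat enable' on interfaces), not the classic 'ip nat inside/outside' the posted interfaces use.
        problems.append("NAT statement lacks 'inside': use 'ip nat inside source list ...'")
    if not any(net.subnet_of(n) for n in acl_sources(config, m.group(2))):
        problems.append(f"{net} is not permitted by NAT ACL '{m.group(2)}'")
    if any(net.subnet_of(n) for n in acl_sources(config, "130")):
        problems.append(f"{net} matches crypto ACL 130, so it is tunnelled to HQ, not NATed")
    return problems

if __name__ == "__main__":
    print(check_vlan_nat(CONFIG, "192.168.1.0/24") or ["NAT config looks consistent"])
```

Run against the posted excerpt it reports only the missing `inside` keyword; run against one of the 10.218.100.x subnets it additionally reports that they are outside the NAT ACL and inside the crypto ACL, which matches the behaviour described for the other VLANs.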
SOLUTION
This solution is only available to members.
stemc (ASKER):

Hi Arnold,

Thanks again for the response.

The command made no difference to the result of the ping commands.

The routing table results are attached:

cheers

Ste
routetable.txt
SOLUTION
This solution is only available to members.