How do I configure port forwarding to a server over a PPP connection with no public ip at branch site

I have configured a PPP connection to a branch site. The main site provides internet to the branch site. I have configured multiple port forwards to 192.168.2.10 (server) at main site. How do I port forward the same ports over the PPP connection to the server at the branch site? I assumed I could just add a secondary IP address to the WAN connection at the main site and port forward the ports to the branch site server. I am having trouble doing this and I am not sure this is the correct route to take. Should I port forward on branch site and main, or do I just need to forward from the main secondary IP to branch and forward specific ports to 192.168.1.17 (server) at branch? Does anyone have any experience or insight on this scenario? I have included configs and a quick diagram. If any more info or clarification is needed please let me know. Any help is greatly appreciated.
main.txt
branch.txt
netdiagram.gif
3l3mn8r Asked:

API_NOC Commented:

First, a couple of things on this policy:

!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  nat source list web-acl-5 address 12.34.29.203 overload
!

1. I'm not sure that this line is needed.  I believe that when you use the web gui it places it in there.

2. "nat source list wizard-ics interface eth 0/1 overload" is basically saying to nat all LAN networks via the eth 0/1 interface.  It is probably assuming the ip address of 12.34.29.202.

3. "nat source list web-acl-5 address 12.34.29.203 overload" is saying that only host 192.168.2.17 nats off of 12.34.29.203, but it is processed after the global natting of all networks.  It is possible that 192.168.2.17 is natting off of 12.34.29.202 and not 12.34.29.203.

So let's reorganize your policy class like this:

!
ip policy-class Private
  nat source list web-acl-5 address 12.34.29.203 overload
  nat source list wizard-ics interface eth 0/1 overload
!

Now with the port forwarding, a similar reconfiguration is required.

!
ip policy-class Public
  nat destination list wizard-pfwd-1 address 192.168.2.10
  nat destination list web-acl-7 address 192.168.1.17
  allow list web-acl-6 self
!

Finally, see if this configuration works without you specifically applying the secondary address to eth 0/1.  The reason is that the router should know that 12.34.29.203 is within the /29 subnet already.  If it does not work, then just add it back in.

!
interface eth 0/1
  description CCAAWan
  speed 10
  ip address  12.34.29.202  255.255.255.248
  access-policy Public
  no awcp
  no shutdown
!
0
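The ordering point in this answer is easy to check with a small first-match simulator. The following Python is an added illustration, not code from the thread or from Adtran: it walks a policy class top to bottom and applies the first NAT entry whose list matches, which is the behaviour the answer relies on. The contents of the named lists (wizard-ics, web-acl-5, wizard-pfwd-1, web-acl-7), the outside host 1.2.3.4 and the port 3389 are assumptions, since main.txt is not reproduced on the page; the allow lines are not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed ACL contents. The thread only names these lists (main.txt is not
# reproduced on the page), so the networks, the outside host 1.2.3.4 and the
# port 3389 are assumptions made for this example.
ACLS = {
    "wizard-ics":    [{"src": "192.168.1.0/24"}, {"src": "192.168.2.0/24"}],
    "web-acl-5":     [{"src": "192.168.2.17/32"}],
    "wizard-pfwd-1": [{"src": "1.2.3.4/32", "dst": "12.34.29.202/32", "dport": 3389}],
    "web-acl-7":     [{"src": "1.2.3.4/32", "dst": "12.34.29.203/32", "dport": 3389}],
}


def acl_matches(acl_name, pkt):
    """True if any entry of the named list matches the packet (every field of that entry must match)."""
    for entry in ACLS[acl_name]:
        if "src" in entry and ip_address(pkt.src) not in ip_network(entry["src"]):
            continue
        if "dst" in entry and ip_address(pkt.dst) not in ip_network(entry["dst"]):
            continue
        if "dport" in entry and pkt.dport != entry["dport"]:
            continue
        return True
    return False


def apply_policy(policy, pkt):
    """Walk the policy top to bottom; the first matching NAT entry wins.

    policy is a list of (action, acl_name, address) tuples mirroring the
    'nat source list ... address ... overload' and
    'nat destination list ... address ...' lines. Returns (acl_name, rewritten
    packet), or (None, pkt) if nothing matched. 'allow' lines are not modelled.
    """
    for action, acl_name, address in policy:
        if not acl_matches(acl_name, pkt):
            continue
        if action == "nat source":
            return acl_name, Packet(address, pkt.dst, pkt.dport)
        if action == "nat destination":
            return acl_name, Packet(pkt.src, address, pkt.dport)
    return None, pkt


# The Private policy as posted: the catch-all list is evaluated first.
PRIVATE_AS_POSTED = [
    ("nat source", "wizard-ics", "12.34.29.202"),
    ("nat source", "web-acl-5", "12.34.29.203"),
]

# The Private policy as reorganised in the answer: the specific list first.
PRIVATE_REORDERED = [
    ("nat source", "web-acl-5", "12.34.29.203"),
    ("nat source", "wizard-ics", "12.34.29.202"),
]

# The Public policy from the answer: inbound forwards keyed on the destination
# address, .202 to the main server and .203 to the branch server.
PUBLIC = [
    ("nat destination", "wizard-pfwd-1", "192.168.2.10"),
    ("nat destination", "web-acl-7", "192.168.1.17"),
]


def outbound_source(policy, host):
    """Public address the given LAN host NATs off under the given policy (outside address is constructed)."""
    _, translated = apply_policy(policy, Packet(host, "198.51.100.1", 443))
    return translated.src


def inbound_target(dst):
    """Internal server a packet from 1.2.3.4 to dst on the assumed port is forwarded to."""
    _, translated = apply_policy(PUBLIC, Packet("1.2.3.4", dst, 3389))
    return translated.dst


if __name__ == "__main__":
    print("as posted, 192.168.2.17 ->", outbound_source(PRIVATE_AS_POSTED, "192.168.2.17"))
    print("reordered, 192.168.2.17 ->", outbound_source(PRIVATE_REORDERED, "192.168.2.17"))
    print("to 12.34.29.202 ->", inbound_target("12.34.29.202"))
    print("to 12.34.29.203 ->", inbound_target("12.34.29.203"))
```

Run as-is, the posted ordering sends 192.168.2.17 out as 12.34.29.202 because the catch-all list matches first; the reordered policy gives it 12.34.29.203. On the Public side, a packet from the vendor to .202 lands on 192.168.2.10 and one to .203 on 192.168.1.17, while a packet from any other outside host matches neither list and is left untranslated.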
 
Multipath Commented:
I am not familiar with the equipment but the setup is actually pretty straightforward.  I see a few things that don't look right to me comparing the pictures to the config and it may be me missing something, but the picture shows 172.16.28.1 and .2; however, the config shows different IPs from what I can tell.

interface ppp 1
  ip address  172.16.21.1  255.255.255.0
  access-policy Private
  peer default ip address 172.16.21.2
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1

My suggestion either way would be to simply change the route on main for the 1.1/24 network to go to 172.16.28.1 (looking at the pic) and a route at the branch side for 2.1/24 to go to 28.2.

I have a similar setup at a few customer sites where the PPP links are not restricted; if you are wanting to restrict the ports between the two I would be unable to help further.
0
 
3l3mn8r Author Commented:
Yes, the diagram I used was an older version with only the PPP connection IPs changed on config.  My question was actually how to forward identical ports to two different servers, one at Main and one at branch.  I have the port forwards set up for the server at main but I can't figure out how to set the same ports to also forward to the branch site server.
0
 
3l3mn8r Author Commented:
I believe I do have both sites' routes set to go to 0.0.0.0 0.0.0.0 ppp1 for both.  Both sites are working perfectly, internet access is available at the branch site, each site can access the other; the only problem is I can't forward ports from x.x.x.x (vendor's public IP) to both servers without using a secondary IP, I think.  I hope this is making sense.  Thanks for your help.
0
 
Multipath Commented:
Ok so you are trying to forward ports from the internet router to a system at the branch correct?

If so are you trying to forward the same port from the same destination on the outside?

Is this a router or Firewall?
0
 
3l3mn8r Author Commented:
Yes, I am trying to forward the same ports to the main and branch servers from the same outside IP address.  I thought I would just add a secondary IP address on the WAN connection at the Main site and forward ports coming to it from the same outside IP to the branch server.  So any traffic received from 1.2.3.4 (outside IP) with destination x.x.x.202 would be forwarded to the main server and any traffic received from 1.2.3.4 (outside IP) with destination x.x.x.203 would be forwarded to the branch server.

This is an Adtran NetVanta 3448 router with firewall enabled.  I have found the configurations are very similar to Cisco's 2500 series with only minor command name changes.

Thanks for brainstorming with me on this one.
0
 
Multipath Commented:
If possible, can I see the config of the router/firewall, with whatever changes you need to make for anonymity?
0
 
3l3mn8r Author Commented:
Multipath, both of the config files attached are the current in-place config files.  If you look at the main.cfg you can see the port forwards to the 192.168.2.10 server.  These are the same ports I need to forward to the 192.168.1.17 server at the branch site.  Originally I only had one IP address on the WAN side, so anything coming in from the source would be forwarded to 192.168.2.10.  I created a secondary IP and wish to forward anything coming in from the source to the secondary IP to 192.168.1.17 at the branch site.  Thanks for your help so far.
0
 
API_NOC Commented:
Also, please back up your configs before making any changes.
0
 
3l3mn8r Author Commented:
Sorry API NOC, you beat me back to the question before I could update them.  The config files were not the finalized/edited versions.  I feel I have wasted your time at this point.  I have attached the final versions that are in production now.
main-final.txt
branch-final.txt
netdiagram.gif
0
 
API_NOC Commented:
The files look similar in the sections that we are dealing with.  Read over what I wrote and see how it works out.  Remember to back up your existing config first.
0
 
3l3mn8r Author Commented:
Ok, I read your question and I see what you are saying; I will give it a try.  But should I apply any changes to the branch router or just the main router?
0
 
API_NOC Commented:
Just the main router.
0
 
3l3mn8r Author Commented:
Ok, I actually forgot to disable the firewall on the Branch site router.  Once I disabled it all traffic destined for 12.34.29.203 forwarded to the branch server.  All functions are working correctly now.  Thanks for all your help!
0
 
Multipath Commented:
Glad you got a solution!!!!
0
Question has a verified solution.