Solved

How do I configure port forwarding to a server over a PPP connection with no public ip at branch site

Posted on 2009-03-31
867 Views
Last Modified: 2012-08-13
I have configured a PPP connection to a branch site.  The main site provides internet to the branch site. I have configured multiple port forwards to 192.168.2.10 (server) at main site.  How do I port forward the same ports over the PPP connection to the server at the branch site?  I assumed I could just add a secondary IP address to the WAN connection at the main site and port forward the ports to the branch site server.  I am having trouble doing this and I am not sure this is the correct route to take. Should I port forward on branch site and main, or do I just need to forward from the main secondary IP to branch and forward specific ports to 192.168.1.17 (server) at branch?  Does anyone have any experience or insight on this scenario?  I have included configs and a quick diagram.  If any more info or clarification is needed please let me know. Any help is greatly appreciated.
main.txt
branch.txt
netdiagram.gif
Question by:3l3mn8r
15 Comments
 
LVL 4

Expert Comment

by:Multipath
ID: 24035920
I am not familiar with the equipment but the setup is actually pretty straightforward.  I see a few things that don't look right to me comparing the picture to the config, and it may be me missing something, but the picture shows 172.16.28.1 and .2; however, the config shows different IPs from what I can tell.

interface ppp 1
  ip address  172.16.21.1  255.255.255.0
  access-policy Private
  peer default ip address 172.16.21.2
  ppp multilink
  no shutdown
  cross-connect 1 t1 1/1 1 ppp 1
  cross-connect 2 t1 1/2 1 ppp 1

My suggestion either way would be to simply change the route on main for the 1.1/24 network to go to 172.16.28.1 (looking at the pic) and a route at the branch side for 2.1/24 to go to 28.2.

I have a similar setup at a few customer sites where the PPP links are not restricted; if you are wanting to restrict the ports between the two I would be unable to help further.
0
 

Author Comment

by:3l3mn8r
ID: 24039259
Yes, the diagram I used was an older version with only the PPP connection IPs changed on config.  My question was actually how to forward identical ports to two different servers, one at main and one at branch.  I have the port forwards set up for the server at main but I can't figure out how to set the same ports to also forward to the branch site server.
0
 

Author Comment

by:3l3mn8r
ID: 24039310
I believe I do have both sites' routes set to go to 0.0.0.0 0.0.0.0 ppp1 for both.  Both sites are working perfectly, internet access is available at the branch site, each site can access the other; the only problem is I can't forward ports from x.x.x.x (vendor's public IP) to both servers without using a secondary IP, I think.  I hope this is making sense.  Thanks for your help.
0
 
LVL 4

Expert Comment

by:Multipath
ID: 24039398
Ok so you are trying to forward ports from the internet router to a system at the branch correct?

If so are you trying to forward the same port from the same destination on the outside?

Is this a router or Firewall?
0
 

Author Comment

by:3l3mn8r
ID: 24039582
Yes, I am trying to forward the same ports to main and branch servers from the same outside IP address.  I thought I would just add a secondary IP address on the WAN connection at the main site and forward ports coming to it from the same outside IP to the branch server.  So any traffic received from 1.2.3.4 (outside IP) with destination x.x.x.202 would be forwarded to the main server and any traffic received from 1.2.3.4 (outside IP) with destination x.x.x.203 would be forwarded to the branch server.

This is an Adtran NetVanta 3448 router with firewall enabled.  I have found the configurations are very similar to Cisco's 2500 series with only minor command name changes.

Thanks for brainstorming with me on this one.
0
 
LVL 4

Expert Comment

by:Multipath
ID: 24040210
If possible, can I see the config of the router/firewall, with whatever changes you need to make for anonymity?
0
 

Author Comment

by:3l3mn8r
ID: 24049360
Multipath, both of the config files attached are the current in-place config files.  If you look at the main.cfg you can see the port forwards to the 192.168.2.10 server.  These are the same ports I need to forward to the 192.168.1.17 server at the branch site.  Originally I only had one IP address on the WAN side, so anything coming in from source would be forwarded from source to 192.168.2.10.  I created a secondary IP and wish to forward anything coming in from source to the secondary IP to 192.168.1.17 at the branch site.  Thanks for your help so far.
0
 
LVL 8

Accepted Solution

by:
API_NOC earned 500 total points
ID: 24050541

First, a couple of things on this policy:

!
ip policy-class Private
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
  nat source list web-acl-5 address 12.34.29.203 overload
!

1. I'm not sure that this line is needed.  I believe that when you use the web GUI it places it in there.

2. "nat source list wizard-ics interface eth 0/1 overload" is basically saying to NAT all LAN networks via the eth 0/1 interface.  It is probably assuming the IP address of 12.34.29.202.

3. "nat source list web-acl-5 address 12.34.29.203 overload" is saying that only host 192.168.2.17 NATs off of 12.34.29.203, but it is processed after the global NATting of all networks.  It is possible that 192.168.2.17 is NATting off of 12.34.29.202 and not 12.34.29.203.

So let's reorganize your policy class like this:

!
ip policy-class Private
  nat source list web-acl-5 address 12.34.29.203 overload
  nat source list wizard-ics interface eth 0/1 overload
!

Now with the port forwarding, a similar reconfiguration is required.

!
ip policy-class Public
  nat destination list wizard-pfwd-1 address 192.168.2.10
  nat destination list web-acl-7 address 192.168.1.17
  allow list web-acl-6 self
!

Finally, see if this configuration works without you specifically applying the secondary address to eth 0/1.  The reason is that the router should know that 12.34.29.203 is within the /29 subnet already.  If it does not work, then just add it back in.

!
interface eth 0/1
  description CCAAWan
  speed 10
  ip address  12.34.29.202  255.255.255.248
  access-policy Public
  no awcp
  no shutdown
!
0
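The ordering argument in the accepted solution (a general source-NAT entry placed before a host-specific one swallows the host's traffic, and the per-address destination-NAT entries pick the inside server) can be checked with a small first-match simulator. This is an added example, not the NetVanta's implementation and not code from the thread. It assumes that a policy class is evaluated top to bottom with the first matching entry winning, that "interface eth 0/1" resolves to the primary address 12.34.29.202, and it invents the contents of the four access lists (wizard-ics, web-acl-5, wizard-pfwd-1, web-acl-7), which the page names but never shows:

```python
"""First-match NAT policy simulator for the policy classes discussed in the thread.

Added example, not Adtran code.  Assumed (not on the page): first-match
evaluation order, ACL bodies below, and 'interface eth 0/1' == 12.34.29.202.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ETH_0_1_PRIMARY = "12.34.29.202"  # primary address of eth 0/1 (from the page)

# Assumed ACL bodies: the page names these lists but does not show them.
ACLS = {
    "wizard-ics":    {"src": ["192.168.1.0/24", "192.168.2.0/24"]},  # assumed: both LANs
    "web-acl-5":     {"src": ["192.168.2.17/32"]},                  # assumed: one host
    "wizard-pfwd-1": {"dst": ["12.34.29.202/32"]},                  # assumed
    "web-acl-7":     {"dst": ["12.34.29.203/32"]},                  # assumed
}


@dataclass(frozen=True)
class NatRule:
    kind: str     # "source" or "destination"
    acl: str      # access list the entry references
    address: str  # translated address, or the literal "interface eth 0/1"


def acl_matches(acl_name, src, dst):
    """True if every constraint in the ACL (src and/or dst) holds for the packet."""
    acl = ACLS[acl_name]
    for key, value in (("src", src), ("dst", dst)):
        nets = acl.get(key)
        if nets is not None and not any(ip_address(value) in ip_network(n) for n in nets):
            return False
    return True


def resolve(address):
    return ETH_0_1_PRIMARY if address == "interface eth 0/1" else address


def apply_policy(rules, src, dst):
    """Walk the policy class in order; first matching entry translates the packet."""
    for index, rule in enumerate(rules):
        if acl_matches(rule.acl, src, dst):
            if rule.kind == "source":
                return index, (resolve(rule.address), dst)
            return index, (src, resolve(rule.address))
    return None, (src, dst)  # no NAT entry matched; packet passes unchanged


# The 'Private' class as the asker had it, and as the accepted answer reorders it.
ORIGINAL_PRIVATE = [
    NatRule("source", "wizard-ics", "interface eth 0/1"),
    NatRule("source", "web-acl-5", "12.34.29.203"),
]
REORDERED_PRIVATE = list(reversed(ORIGINAL_PRIVATE))

# The 'Public' class from the accepted answer: one destination NAT per public address.
PUBLIC = [
    NatRule("destination", "wizard-pfwd-1", "192.168.2.10"),
    NatRule("destination", "web-acl-7", "192.168.1.17"),
]


def outbound_source(policy, inside_host):
    """Public address an inside host is translated to (constructed outside target)."""
    return apply_policy(policy, inside_host, "198.51.100.5")[1][0]


def inbound_target(policy, public_dst):
    """Inside server a packet to the given public address is forwarded to."""
    return apply_policy(policy, "1.2.3.4", public_dst)[1][1]  # 1.2.3.4 = the thread's outside IP


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_PRIVATE), ("reordered", REORDERED_PRIVATE)):
        print(f"{name:9}: 192.168.2.17 -> {outbound_source(policy, '192.168.2.17')}")
    for public in ("12.34.29.202", "12.34.29.203"):
        print(f"inbound to {public} -> {inbound_target(PUBLIC, public)}")
```

With the original order the host-specific entry is never reached, so 192.168.2.17 leaves as 12.34.29.202; after the swap it leaves as 12.34.29.203 while every other LAN host still falls through to the general entry, and inbound traffic is steered by destination address alone, which is what lets one outside source reach two different inside servers without a second port range.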
 
LVL 8

Expert Comment

by:API_NOC
ID: 24050559
Also, please back up your configs before making any changes.
0
 

Author Comment

by:3l3mn8r
ID: 24050775
Sorry API_NOC, you beat me back to the question before I could update them.  The config files were not the finalized/edited versions.  I feel I have wasted your time at this point.  I have attached the final versions that are in production now.
main-final.txt
branch-final.txt
netdiagram.gif
0
 
LVL 8

Expert Comment

by:API_NOC
ID: 24050818
The files look similar in the sections that we are dealing with.  Read over what I wrote and see how it works out.  Remember to back up your existing config first.
0
 

Author Comment

by:3l3mn8r
ID: 24050825
Ok, I read your comment and I see what you are saying; I will give it a try.  But should I apply any changes to the branch router or just the main router?
0
 
LVL 8

Expert Comment

by:API_NOC
ID: 24050904
Just the main router.
0
 

Author Closing Comment

by:3l3mn8r
ID: 31565147
Ok, I actually forgot to disable the firewall on the branch site router.  Once I disabled it, all traffic destined for 12.34.29.203 forwarded to the branch server.  All functions are working correctly now.  Thanks for all your help!
0
 
LVL 4

Expert Comment

by:Multipath
ID: 24070406
Glad you got a solution!!!!
0