Port Forwarding Across a VPN with Cisco devices

I have an IPSEC VPN across the Internet between two Cisco IOS routers, both on Internet connections with static IPs. The private network in location A is 192.168.4.0/24 and the private network in location B is 192.168.1.0/24. Is there a way to forward port 25 on the static public IP in location A to a private address on location B's network?
 
Asked by CNTUCKER

1 Solution

luc_royCommented:
If you can ping from B to A and A to B, then you can forward it.  With the tunnel and a routing protocol properly configured you should be able to.

ip nat inside source static tcp <inside ip address> 25 interface dialer0 25
CNTUCKERAuthor Commented:
The above didn't work. I'm posting configs of both routers in question.

Location A:

Building configuration...

Current configuration : 4525 bytes
!
! Last configuration change at 19:14:38 eastern Sun Apr 4 2010 by username
! NVRAM config last updated at 17:19:16 eastern Sat Mar 20 2010 by username
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname INDYROUTER01
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8FhA$QSqrmlLw254pBq6HdnUcl.
!
no aaa new-model
clock timezone eastern -5
ip cef
!
!
!
!
ip domain name domain
ip name-server 68.87.72.130
ip name-server 68.87.77.130
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username username privilege 15 secret 5
username admin privilege 15 secret 5
!
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 15831583ff address <PUBLIC IP>
crypto isakmp key 152715271527152715271527 address <PUBLIC IP>185
crypto isakmp key 581958195358195819535819 address <PUBLIC IP>
crypto isakmp key 1112FEFFFF hostname nc.domain
!
!
crypto ipsec transform-set DENVER esp-3des esp-md5-hmac
crypto ipsec transform-set LAFAYETTE esp-3des esp-md5-hmac
crypto ipsec transform-set NC esp-3des esp-sha-hmac
crypto ipsec transform-set FISHERS esp-3des esp-sha-hmac
!
!
crypto map domain 1 ipsec-isakmp
 description Tunnel to Denver
 set peer 173.8.255.209
 set transform-set DENVER
 match address 101
crypto map domain 2 ipsec-isakmp
 description Tunnel to Lafayette
 set peer <PUBLIC IP>185
 set transform-set LAFAYETTE
 match address 102
crypto map domain 3 ipsec-isakmp
 description Tunnel to NC
 set peer nc.domain dynamic
 set transform-set NC
 match address 103
crypto map domain 4 ipsec-isakmp
 description Tunnel to Fishers
 set peer <PUBLIC IP>
 set transform-set FISHERS
 match address 104
!
!
!
!
interface FastEthernet0/0
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1
 ip address <PUBLIC IP>195 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map domain
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 <PUBLIC IP>198
ip route 192.168.1.0 255.255.255.0 FastEthernet0/1
ip route 192.168.2.0 255.255.255.0 FastEthernet0/1
ip route 192.168.5.0 255.255.255.0 FastEthernet0/1
ip route 192.168.15.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http path flash:
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.4.5 25 <PUBLIC IP>195 25 route-map nonat extendable
ip nat inside source static tcp 192.168.4.5 80 <PUBLIC IP>195 80 route-map nonat extendable
ip nat inside source static tcp 192.168.4.5 443 <PUBLIC IP>195 443 route-map nonat extendable
ip nat inside source static tcp 192.168.4.5 3389 <PUBLIC IP>195 3389 route-map nonat extendable
ip nat inside source static 192.168.4.7 <PUBLIC IP>196 route-map SLING
!
access-list 100 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 100 deny   ip host 192.168.4.7 any
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 remark Tunnel to Denver
access-list 101 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.15.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 192.168.15.0 0.0.0.255
access-list 102 remark Tunnel to Lafayette
access-list 103 remark Tunnel to NC
access-list 103 permit ip 192.168.0.0 0.0.255.255 192.168.5.0 0.0.0.255
access-list 104 remark Tunnel to Fishers
access-list 104 permit ip 192.168.0.0 0.0.255.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 110 permit ip host 192.168.4.7 any
!
route-map SLING permit 10
 match ip address 110
!
route-map nonat permit 10
 match ip address 100
!
!
!
control-plane
!
!
!
!
!
!
!
!
!        
telephony-service
 max-ephones 10
 max-dn 10
 max-conferences 4 gain -6
!
!
line con 0
 login local
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178096
ntp server 192.43.244.18
end

Location B:


Building configuration...

Current configuration : 6166 bytes
!
! Last configuration change at 18:13:17 MDT Sun Apr 4 2010 by ctucker
! NVRAM config last updated at 13:45:13 MDT Sat Apr 3 2010 by ctucker
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname denver
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login ADLIST group radius local
!
!
aaa session-id common
clock timezone mtn -7
clock summer-time MDT recurring
!
crypto pki trustpoint TP-self-signed-959797185
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-959797185
 revocation-check none
 rsakeypair TP-self-signed-959797185
!
!
crypto pki certificate chain TP-self-signed-959797185
 certificate self-signed 01
        quit
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.8 192.168.1.9
ip dhcp excluded-address 192.168.1.7
!
ip dhcp pool DENVER
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name domain.net
   dns-server 192.168.4.5
!
ip dhcp pool DENVER_STATICS
   origin file flash://dhcp.txt
   default-router 192.168.1.1
   dns-server 192.168.4.5
!
!
ip domain lookup source-interface FastEthernet4
ip domain name domain.net
ip name-server 68.87.85.98
ip name-server 68.87.69.146
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5
username user privilege 15 secret 5
username user2 privilege 15 secret 5
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 15831583ff address PUBLIC IP
crypto isakmp key Tucker2Bobby hostname PUBLIC IP
crypto isakmp keepalive 30
!
!
crypto ipsec transform-set indy esp-3des esp-md5-hmac
crypto ipsec transform-set Bobby esp-3des esp-md5-hmac
!
crypto map domain 1 ipsec-isakmp
 set peer PUBLIC IP
 set transform-set indy
 match address 101
crypto map domain 3 ipsec-isakmp
 description VPN Tunnel to Bobby
 set peer PUBLIC IP dynamic
 set transform-set Bobby
 match address 105
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address PUBLIC IP 255.255.255.252
 ip nat outside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map domain
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.1.1 255.255.255.0
 ip helper-address 192.168.1.4
 ip nat inside
 no ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
 no ip mroute-cache
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 PUBLIC IP
ip route 192.168.2.0 255.255.255.0 FastEthernet4
ip route 192.168.4.0 255.255.255.0 FastEthernet4
ip route 192.168.5.0 255.255.255.0 FastEthernet4
ip route 192.168.15.0 255.255.255.0 FastEthernet4
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.4 3389 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.1.92 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.8 5002 interface FastEthernet4 5002
ip nat inside source static tcp 192.168.1.9 5001 interface FastEthernet4 5001
!
ip radius source-interface Vlan1
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark indy tunnel
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 remark Bobby Tunnel
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
snmp-server community domain RO
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175031
ntp server 192.43.244.18
end

Also, I'm increasing the points to encourage completion! I'm a CCNA, and I can't seem to figure this one out. Thanks, all!
luc_royCommented:
Can you ping from network to network?
CNTUCKERAuthor Commented:
From router A, I can ping the host on network B by typing:

ping 192.168.1.7 source fa0/0.1
luc_royCommented:
ip nat inside source static tcp "Inside IP" 25 "Public IP" 25 extendable


This is the command string.
luc_royCommented:
Try to ping the inside IP sourced from the public IP to make sure it works.
vreinaldoCommented:
Hi there,

Your post is very interesting, but let's consider some factors:

1) Who will access the public NATted address in Site A? Everyone from the Internet, or a set of IP address ranges from branch offices?

(If your answer is FROM INTERNET, it's almost impossible. The reason is that you already have the tunnel prepared to encrypt and decrypt traffic from the locations (taken from your config):
                           FROM       -->        TO    
 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

So when a request comes from the Internet, obviously it will not fall in any of those ranges... What you need to do is an address translation of any traffic from the Internet to a private pool (ip nat outside). An example of what I mean is:

ip nat pool Net171 171.68.16.10 171.68.16.254 netmask 255.255.255.0
ip nat outside source list 130 pool Net171 add-route
ip access-list extended 130
 permit tcp any 192.168.1.0 0.0.0.255 eq 80

An example of what I mean can be found in:

http://www9.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080093f8e.shtml


Good luck!!
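To make the crypto-ACL point in the reply above concrete, here is an added Python check (not from the thread, from Cisco, or from either router) that evaluates IOS wildcard-mask ACL entries the way the crypto map does. Site A's ACL 101 is copied from the posted config; the Internet client address, the site A LAN host and the extra pool entry are constructed assumptions. It shows why a post-NAT packet from an Internet source never enters the Denver tunnel, and that a translated pool address must itself be covered by the crypto ACL (and by its mirror on the Denver router) before forwarded traffic is encrypted.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: 0 bits must match, 1 bits are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (b & ~w & 0xFFFFFFFF)

def acl_action(acl, src, dst):
    """First-match evaluation of (action, src, src_wc, dst, dst_wc) entries; implicit deny at the end."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# Site A's crypto ACL 101 ("Tunnel to Denver"), copied from the posted config.
CRYPTO_ACL_101 = [
    ("permit", "192.168.4.0",  "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.5.0",  "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.15.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.2.0",  "0.0.0.255", "192.168.1.0", "0.0.0.255"),
]

def enters_tunnel(src, dst, acl=CRYPTO_ACL_101):
    """True if a packet with these post-NAT addresses would be encrypted into the Denver tunnel."""
    return acl_action(acl, src, dst) == "permit"

# Constructed sample flows. The Internet client is a documentation-range placeholder;
# 192.168.1.7 is the site B host the asker pinged in the thread.
LAN_HOST = "192.168.4.20"          # constructed site A LAN host
INTERNET_CLIENT = "203.0.113.10"   # constructed Internet SMTP client
MAIL_HOST_B = "192.168.1.7"
POOL_ADDR = "171.68.16.10"         # first address of the Net171 pool from the reply above

def summary():
    """Walk through the cases the thread discusses; the pool entry added to ACL 101 is an assumption."""
    with_pool = CRYPTO_ACL_101 + [("permit", "171.68.16.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")]
    return {
        "lan_to_b": enters_tunnel(LAN_HOST, MAIL_HOST_B),                    # normal site-to-site traffic
        "internet_to_b": enters_tunnel(INTERNET_CLIENT, MAIL_HOST_B),        # public source matches no permit
        "pool_to_b_old_acl": enters_tunnel(POOL_ADDR, MAIL_HOST_B),          # pool not yet in the crypto ACL
        "pool_to_b_new_acl": enters_tunnel(POOL_ADDR, MAIL_HOST_B, with_pool),
    }
```

Run summary() to see the four verdicts; only the LAN-sourced flow and the pool flow with the extended ACL are encrypted.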
CNTUCKERAuthor Commented:
I ended up doing this a different way. Thank you for the responses. Sorry for the delay in resolving.