  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 805

How to do it in CISCO

I have the following setup:

Private network <-> SW <-> CISCO VPN <-> ISP MODEM

I have configured the VPN part and it is working correctly. I have a computer in the private network at static address 192.168.1.100, and an application is running on it on TCP port 8100 for clients.

Now I need to connect from the Internet to the application on 192.168.1.100 on port 8100.

How do I configure the CISCO router to forward traffic on TCP port 8100 to the machine at 192.168.1.100?

Thank You
Asked: YetAnotherCoder
1 Solution
 
xDUCKxCommented:
static (inside,outside) <public IP> 192.168.1.100 netmask 255.255.255.255
access-group outside in interface outside
access-list outside permit tcp host <public IP> mask 255.255.255.255 any eq 8100

Replace the interface names with the interface names you're using (inside might be something other than "inside"), and if you already have an access-list for outside you can use that.  The access-list might be called "Access-list 101" or something like that.

Analyse your show run to get a better idea of what names are assigned to your interfaces and access-lists.
 
YetAnotherCoderAuthor Commented:
Hey xDUCKx,

Thank you for the quick response. Should I apply the above access-list on VPN-Access-List in my config? Here is the configuration of my router:

sh run
Building configuration...

Current configuration : 5416 bytes
!
! Last configuration change at 17:58:55 CSTime Mon Aug 20 2012 by csi
! NVRAM config last updated at 17:58:24 CSTime Mon Aug 20 2012 by csi
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$KJWP$wujENW/75bJnnoUxGXYJE0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone CSTime -6
clock summer-time CSTime date Mar 11 2012 2:00 Nov 4 2012 2:00
!
crypto pki trustpoint TP-self-signed-986700165
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-986700165
 revocation-check none
 rsakeypair TP-self-signed-986700165
!
!
crypto pki certificate chain TP-self-signed-986700165
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39383637 30303136 35301E17 0D313230 38313631 38353134
  375A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3938 36373030
  31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  A4AD22DF ECCB9372 C3E88024 318D7181 C2BE73E1 DB6F0B70 4A2781FF A0AB108D
  FEDD1EE5 C9C761A6 A9738299 684F25AC FC56F107 4FD43297 4D0D248B C431D0E2
  1A53D9B3 B0BCF9CF 7DF157FD 517594D0 B05FCD98 681D5A66 B48265FE BF353F47
  84FDA0C5 1A46E55D 40429810 B0A0D3A8 153FAD0A 78538AE0 657467FD FD44E6ED
  02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
  11041B30 19821750 69636179 756E652E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 16801491 5CACBE40 0996DFCE 1B9C67C3 9316041C 40FB8130
  1D060355 1D0E0416 0414915C ACBE4009 96DFCE1B 9C67C393 16041C40 FB81300D
  06092A86 4886F70D 01010405 00038181 003F26CD 9FA486C5 F71250F6 FC7E44F8
  CC1C15AC 1364CCA1 2E23CACA D123F78B F4B933EB 73648D75 A2C0B17A 28FAAC18
  7CAAB60E 9E5A49C3 50217868 BEFA30F5 6F36A04B BE41FE65 7C684DB9 10320AA1
  77D0BBC4 7216C6F6 20564AE2 8F46A06B 85AED401 9DB59ABF 6B360531 153BA6E1
  ECBF1F55 D4AF489A 70276D39 D13AF574 C5
        quit
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.100.1 192.168.100.25
ip dhcp excluded-address 192.168.100.100
ip dhcp excluded-address 192.168.100.222
ip dhcp excluded-address 192.168.100.254
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool Internal_Network
   network 192.168.100.0 255.255.255.0
   default-router 192.168.100.254
   dns-server 192.168.1.1
!
!
ip cef
ip domain name yourdomain.com
ip name-server 192.168.1.1
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1604828M
!
!
username csi privilege 15 secret 5 $1$G4wK$PRgc9k9omH9X8s1u37lkh1
username RemoteUser secret 5 $1$EWRQ$vPW7kG3jNhqwHTiL8IsBx0
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccessSupport
 key Router_WWTP
 pool VPN-Pool
 acl VPN-Access-List
crypto isakmp profile vpn-isakmp-profile-1
   match identity group RemoteAccessSupport
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 192.168.1.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 192.168.100.254 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool VPN-Pool 192.168.100.101 192.168.100.150
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ip access-list extended VPN-Access-List
 permit ip 192.168.100.0 0.0.0.255 any
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.100.0 0.0.0.255
access-list 100 remark Used for Internet access to Internal N/W
access-list 100 permit ip 192.168.100.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
!
banner motd ^C----------  Router VPN Router ----------^C
!
line con 0
 exec-timeout 30 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 password 7 124A50424A5E5550
 transport input telnet ssh
!
scheduler max-task-time 5000
end
 
YetAnotherCoderAuthor Commented:
Small correction:

1) 192.168.1.100 is actually 192.168.100.100
2) This 8100 traffic should work without having to go through the VPN. That is, it will be accessed like http://Public IP of ISP:8100/

3) Sometimes it could be accessed after establishing VPN tunnel as
http://192.168.100.100:8100/

I need to make it work in both of the above 2) and 3) scenarios.

Any help would be appreciated.

Thank You
 
xDUCKxCommented:
ip route 0.0.0.0 0.0.0.0 192.168.1.1

This isn't your edge device.  It's not the device that's connecting to the internet.  Do you have another hop?  A firewall or a router that is beyond this device?  (With ip address 192.168.1.1?)
 
YetAnotherCoderAuthor Commented:
That is the ISP Router address for the CISCO device
 
YetAnotherCoderAuthor Commented:
Currently it is setup as below

Private Network <-> Belkin Wireless Router (192.168.1.1) <-> Cable Modem (ISP)

Belkin forwards all the packets to the 192.168.100.100 machine that is running a Web Server, FTP Server, and the Application waiting on port 8100...

Everything is working...

The plan is to add a CISCO VPN/Firewall... and replace the Belkin router so that the new setup will look like

Private Network (192.168.100.0/24) <-> CISCO VPN/Firewall <-> Cable Modem
 
xDUCKxCommented:
In the above device config you only have 1 interface plugged in.  Internal.  You don't have an external defined.  This will make NATing difficult.  If you're trying to get the config going and slipstream it in with the Belkin, that's fine.  Just post which interface you'll be using for outside.  We can give you XXX.XXX.XXX.XXX for the IPs to use for the config.
 
YetAnotherCoderAuthor Commented:
I have ip nat inside defined on VLAN 1. I am not following the technical jargon. But if you could propose working alternative, I will be glad to accept it.

I have added the following so far with no luck...

ip nat inside source static tcp 192.168.100.100 8085 My_Home_Public_IP 8085 extendable

I am testing the configuration at my home as below

PC (192.168.100.100) <-> CISCO <-> NETGEAR <-> ISP

In the field NETGEAR would be substituted with BELKIN.

I have another PC that's not in the network but is connected to the Internet using Cellular WiFi. So I am trying to go from this PC on the Verizon network into the PC behind the CISCO... with no luck.
 
YetAnotherCoderAuthor Commented:
The solution is actually this:

ip nat inside source static tcp 192.168.100.100 8085 WAN_IP 8085 extendable

Apply a static entry for each port.

That should do it.
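An added example for this thread (not from any of the posts above): a small Python audit that parses the NAT-relevant lines of an IOS running-config, lists what each `ip nat inside source static` entry exposes to the outside, and flags the two mistakes that came up in the thread: an inside address that is not on any `ip nat inside` subnet (192.168.1.100 versus 192.168.100.100) and a global address that is neither an interface name nor an IPv4 literal (the `My_Home_Public_IP` placeholder, which IOS expects as A.B.C.D). The sample config is constructed from the two interfaces posted above plus the accepted static entry rewritten for port 8100 in the `interface FastEthernet4` form, which IOS accepts and which follows the outside interface's address if it changes.

```python
"""Audit static port forwards in a Cisco IOS running-config (added example)."""
import ipaddress
import re
import sys
from dataclasses import dataclass
from typing import Optional

# Constructed sample: interfaces from the posted config plus the accepted
# 'ip nat inside source static' entry written for TCP 8100.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 192.168.1.3 255.255.255.0
 ip nat outside
!
interface Vlan1
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.100.100 8100 interface FastEthernet4 8100
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^ ip address (\S+) (\S+)$")
# inside-local ip/port, then either 'interface <name>' or a global ip, then port
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)"
)


@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    nat: Optional[str] = None  # "inside", "outside" or None


@dataclass
class Forward:
    proto: str
    inside_ip: str
    inside_port: int
    outside: str  # interface name or global IPv4 address
    outside_port: int


def parse_config(text):
    """Return ({name: Interface}, [Forward]) from 'show run' text."""
    interfaces, forwards, current = {}, [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = Interface(m.group(1))
            interfaces[current.name] = current
            continue
        if current and line.startswith(" "):  # indented = inside the interface block
            m = ADDR_RE.match(line)
            if m:
                current.network = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
            elif line.strip() == "ip nat inside":
                current.nat = "inside"
            elif line.strip() == "ip nat outside":
                current.nat = "outside"
            continue
        current = None  # any non-indented line ends the interface block
        m = STATIC_RE.match(line)
        if m:
            proto, in_ip, in_port, out_if, out_ip, out_port = m.groups()
            forwards.append(Forward(proto, in_ip, int(in_port), out_if or out_ip, int(out_port)))
    return interfaces, forwards


def audit(text):
    """Return ([Forward], [finding strings]); an empty finding list means no issues found."""
    interfaces, forwards = parse_config(text)
    inside_nets = [i.network for i in interfaces.values() if i.nat == "inside" and i.network]
    outside_ifaces = {i.name for i in interfaces.values() if i.nat == "outside"}
    findings = []
    if not outside_ifaces:
        findings.append("no interface is marked 'ip nat outside'; static forwards will never translate")
    for f in forwards:
        try:
            ip = ipaddress.IPv4Address(f.inside_ip)
        except ValueError:
            findings.append(f"{f.inside_ip}: inside local address is not an IPv4 address")
            continue
        if not any(ip in net for net in inside_nets):
            findings.append(f"{f.inside_ip}:{f.inside_port}/{f.proto}: not on any 'ip nat inside' subnet (typo?)")
        if f.outside in interfaces:
            if f.outside not in outside_ifaces:
                findings.append(f"{f.outside} is used as the global side but is not 'ip nat outside'")
        else:
            try:
                ipaddress.IPv4Address(f.outside)
            except ValueError:
                findings.append(f"'{f.outside}' is neither an interface nor an IPv4 address; IOS expects A.B.C.D here")
    return forwards, findings


def exposure_report(text):
    """One line per forward: what the outside world can reach, and the findings."""
    forwards, findings = audit(text)
    lines = [f"{f.proto}/{f.outside_port} on {f.outside} -> {f.inside_ip}:{f.inside_port}" for f in forwards]
    return lines, findings


if __name__ == "__main__":
    # Pipe a saved 'show run' in, or run with no input to audit the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_CONFIG
    report, problems = exposure_report(source)
    print("\n".join(report + ["FINDING: " + p for p in problems]))
```

Two caveats for the IOS side that the script does not check: the `static (inside,outside)` and `access-group ... in interface` lines in the first reply are PIX/ASA syntax, and the IOS equivalent is the `ip nat inside source static` line in the accepted answer; and if an inbound ACL is later applied to the outside interface, IOS evaluates it before the inbound translation, so it must permit the outside address and port (192.168.1.3 / the public IP, TCP 8100), not 192.168.100.100.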
 
YetAnotherCoderAuthor Commented:
Got it..