Solved

Cisco assistance with configuration

Posted on 2013-06-25
6
399 Views
Last Modified: 2013-06-26
Hi EE

I'm still new to cisco althought I know some basics.

I need some assistance in reconfiguring a cisco router - inherited from someone else. Although I'm not too sure, but it appears to be a mess.

What I needed done is to port forward a few ports, one of them IS rdp.

We've changed our WAN link from PPPoE to WAN (fixed IP). I've updated the port forwarding rules, but doesnt appear to be working.

And also we need update the VPN settings as well, and not sure where to update this.

Here is the config:

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group WAN-Firewall-In in
 ip access-group WAN-Firewall-Out out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username
 no cdp enable
 crypto map vpn
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp ip2 22 interface Vlan2 2222
ip route 0.0.0.0 0.0.0.0 external gateway
!
ip access-list extended ACL-NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended WAN-Firewall-In
 deny   ip host 0.0.0.0 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp any any established
 permit udp any any
 permit esp any any
 permit tcp any any eq 1723 log
 permit gre any any
 permit icmp any any
 permit tcp host  eq 15554 any log
 permit tcp host  any eq ftp-data log
 permit tcp host 204. any eq ftp log
 permit ip host 203. any log
 permit ip host 114. any log
 permit ip host 203.2 any log
 permit ip host 218. any log

 deny   ip any any log
ip access-list extended WAN-Firewall-Ip
 permit tcp host ip any eq 1723 log
 permit tcp host 544 any eq 1723 log
 deny   ip any any log
ip access-list extended WAN-Firewall-Out
 permit tcp any any eq smtp log
 permit ip any any
ip access-list extended test
!
logging internal ip
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 logging synchronous
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 transport output all
!
end
0
Comment
Question by:goraek
  • 3
  • 3
6 Comments
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
ID: 39274678
I am assuming that you are using VLAN2 as your outside interface.  first off I would suggest putting descriptions on the interfaces so that they are easier to read...not needed but just a suggestion.

The problem with NAT first off is that you need to define the VLAN 2 as the outside NATed interface.

interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
ip nat inside
 ip virtual-reassembly in

Do the following

enable
config t
int vlan 2
no ip nat inside
ip nat outside

Unless you have edited out the VPN configuration I do not see it there...except for the crypto map vpn which is configured on the dialer interface.  Is this a site to site VPN or remote access VPN?

In any case move the command crypto map vpn to the vlan 2 interface and things should start working again.  If that doesn't work try adding that command to the physical outside interface...which looks to be FastEthernet1
0
 
LVL 2

Author Comment

by:goraek
ID: 39274696
Thanks.
If I changed the ip nat on vlan 2 interface, will this affect the connection or drop the connection? At the moment it is up.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39274716
That depends, did you post the full configuration of the router?  by the way which model is it?

When you say the connection is up do you mean the VPN connection is up?  are there connections being made through the router at this time...ie. internet traffic?

Where does the VLAN 2 connect to? is this the outside world?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 2

Author Comment

by:goraek
ID: 39276484
Cool I changed the ip nat to outside, and the port forwarding started to work. Good to know.

Also I've changed the crypto map to vlan 2 interface, did a sh crypto session, the status is down-negotiating, still nothing.

I've updated the IP and crypt mapping, but no good.

Any ideas?
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39277148
Is it a site to site vpn or remote access vpn?  If it is a site to site then you would need to update the other end of the configuration at the other end to peer against the new IP.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 39277773
Thanks, changed IP nat and remapped crypto. Worked like a treat.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Join Greg Farro and Ethan Banks from Packet Pushers (http://packetpushers.net/podcast/podcasts/pq-show-93-smart-network-monitoring-paessler-sponsored/) and Greg Ross from Paessler (https://www.paessler.com/prtg) for a discussion about smart network …
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Viewers will learn how to connect to a wireless network using the network security key. They will also learn how to access the IP address and DNS server for connections that must be done manually. After setting up a router, find the network security…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question