goraek
asked on
Cisco assistance with configuration
Hi EE
I'm still new to Cisco, although I know some basics.
I need some assistance in reconfiguring a Cisco router inherited from someone else. Although I'm not too sure, it appears to be a mess.
What I need done is to port forward a few ports, one of them is RDP.
We've changed our WAN link from PPPoE to WAN (fixed IP). I've updated the port forwarding rules, but it doesn't appear to be working.
And also we need to update the VPN settings as well, and I'm not sure where to update this.
Here is the config:
interface FastEthernet0
no ip address
!
interface FastEthernet1
switchport access vlan 2
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address x.x.x.x 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address y.y.y.y 255.255.255.252
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
mtu 1492
ip address negotiated
ip access-group WAN-Firewall-In in
ip access-group WAN-Firewall-Out out
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 7
ppp pap sent-username
no cdp enable
crypto map vpn
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp ip2 22 interface Vlan2 2222
ip route 0.0.0.0 0.0.0.0 external gateway
!
ip access-list extended ACL-NAT
deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN
permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended WAN-Firewall-In
deny ip host 0.0.0.0 any log
deny ip 10.0.0.0 0.255.255.255 any log
deny ip 127.0.0.0 0.255.255.255 any log
deny ip 172.16.0.0 0.15.255.255 any log
deny ip 169.254.0.0 0.0.255.255 any log
deny ip 224.0.0.0 15.255.255.255 any log
deny ip host 255.255.255.255 any log
permit tcp any any established
permit udp any any
permit esp any any
permit tcp any any eq 1723 log
permit gre any any
permit icmp any any
permit tcp host eq 15554 any log
permit tcp host any eq ftp-data log
permit tcp host 204. any eq ftp log
permit ip host 203. any log
permit ip host 114. any log
permit ip host 203.2 any log
permit ip host 218. any log
deny ip any any log
ip access-list extended WAN-Firewall-Ip
permit tcp host ip any eq 1723 log
permit tcp host 544 any eq 1723 log
deny ip any any log
ip access-list extended WAN-Firewall-Out
permit tcp any any eq smtp log
permit ip any any
ip access-list extended test
!
logging internal ip
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
logging synchronous
transport output all
stopbits 1
line aux 0
transport output all
line vty 0 4
exec-timeout 0 0
logging synchronous
transport input all
transport output all
!
end
ASKER CERTIFIED SOLUTION
That depends. Did you post the full configuration of the router? By the way, which model is it?
When you say the connection is up, do you mean the VPN connection is up? Are there connections being made through the router at this time, i.e. internet traffic?
Where does VLAN 2 connect to? Is this the outside world?
ASKER
Cool, I changed the ip nat to outside, and the port forwarding started to work. Good to know.
Also I've changed the crypto map to the VLAN 2 interface, did a sh crypto session, and the status is down-negotiating, still nothing.
I've updated the IP and crypto mapping, but no good.
Any ideas?
Is it a site-to-site VPN or a remote-access VPN? If it is site-to-site then you would need to update the configuration at the other end to peer against the new IP.
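Worked example, added here as an illustration; it is not a post from this thread and not the poster's actual configuration. It writes out the changes the replies above point at. In the posted config Vlan2, the new fixed-IP WAN interface, still has "ip nat inside", while the only "ip nat outside", both access-groups and the crypto map are bound to the now-unused Dialer0: NAT had no outside interface (which is why the forwards did nothing until the asker changed it), and the new WAN port carried no inbound filter at all while the vty lines sit on "transport input all" with no access-class and no idle timeout. All addresses, the RDP host, the remote peer, the pre-shared key, the crypto map sequence number and the MGMT-IN ACL name below are assumptions for the example; the ACL names and the crypto map name "vpn" are the ones in the posted config.

```cisco
! Added example, not the poster's configuration. Assumed values:
!   203.0.113.2/30   fixed WAN address on Vlan2, ISP gateway 203.0.113.1
!   198.51.100.10    remote site-to-site IPsec peer
!   10.0.0.50        internal host that should receive RDP
!   192.0.2.0/24     the only outside network allowed to reach RDP
! ACL names (WAN-Firewall-In/Out, ACL-NAT, VPN) and the crypto map
! name "vpn" are taken from the posted config.
!
! 1. Vlan2 becomes the outside interface: NAT outside, both filters
!    and the crypto map move here from Dialer0.
interface Vlan2
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-Firewall-In in
 ip access-group WAN-Firewall-Out out
 no ip redirects
 no ip proxy-arp
 no ip nat inside
 ip nat outside
 ip virtual-reassembly in
 crypto map vpn
!
! 2. Dialer0 (old PPPoE link) keeps nothing that could still match
!    traffic. Vlan1's MSS clamp was only needed for the 1492-byte
!    PPPoE MTU; a 1500-byte Ethernet WAN does not need it.
interface Dialer0
 no crypto map vpn
 no ip nat outside
 no ip access-group WAN-Firewall-In in
 no ip access-group WAN-Firewall-Out out
 shutdown
!
interface Vlan1
 no ip tcp adjust-mss
!
! 3. Default route via the ISP gateway, translation via Vlan2.
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp 10.0.0.50 3389 interface Vlan2 3389
!
! 4. The inbound filter is stateless ("established" only matches
!    packets with ACK or RST set), so a new connection to a forwarded
!    port and the IPsec peer's IKE/ESP must be permitted explicitly,
!    or the closing "deny ip any any log" drops them. The inbound ACL
!    is evaluated before NAT, so the destination is the WAN address.
!    Sequence numbers 71-74 land after the seven anti-spoofing denies
!    (10-70) and before "permit tcp any any established" (80),
!    assuming default numbering; confirm with "show access-lists".
ip access-list extended WAN-Firewall-In
 71 permit tcp 192.0.2.0 0.0.0.255 host 203.0.113.2 eq 3389 log
 72 permit udp host 198.51.100.10 host 203.0.113.2 eq isakmp
 73 permit udp host 198.51.100.10 host 203.0.113.2 eq non500-isakmp
 74 permit esp host 198.51.100.10 host 203.0.113.2
!  The existing "permit udp any any" is what lets replies to NATed
!  DNS/NTP back in; it can only go once "ip inspect" (CBAC) or a
!  zone-based firewall handles return traffic statefully.
!
! 5. Site-to-site IPsec. Locally the crypto map still matches the
!    "VPN" ACL; the peer and key are re-stated here (sequence 10 and
!    the key are assumed). Because THIS router's address changed, the
!    remote router must be repointed at 203.0.113.2.
crypto isakmp key ExamplePreSharedKey address 198.51.100.10
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.10
 match address VPN
!
!    On the remote router (crypto map name assumed to be "vpn" too):
!      crypto isakmp key ExamplePreSharedKey address 203.0.113.2
!      crypto map vpn 10 ipsec-isakmp
!       set peer 203.0.113.2
!
! 6. Management plane: the vty lines accept every protocol from any
!    source with no idle timeout. Restrict them to the LAN and to SSH
!    (only after "show ip ssh" reports SSH enabled, or remote access
!    is lost).
ip access-list standard MGMT-IN
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
 exec-timeout 10 0
```

After applying, "show ip nat translations" should show the static 3389 entry against the Vlan2 address, "show crypto session" should move from DOWN-NEGOTIATING to UP-ACTIVE once the remote end peers with the new address, and "show access-lists" hit counters on sequence 71 confirm RDP is reaching the router only from the permitted network. Test RDP from the permitted outside network and from a non-permitted one; the second attempt should appear as a logged deny.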
ASKER
Thanks, changed IP nat and remapped crypto. Worked like a treat.
ASKER
If I change the ip nat on the VLAN 2 interface, will this affect the connection or drop the connection? At the moment it is up.