Solved

Cisco assistance with configuration

Posted on 2013-06-25
6
391 Views
Last Modified: 2013-06-26
Hi EE

I'm still new to cisco althought I know some basics.

I need some assistance in reconfiguring a cisco router - inherited from someone else. Although I'm not too sure, but it appears to be a mess.

What I needed done is to port forward a few ports, one of them IS rdp.

We've changed our WAN link from PPPoE to WAN (fixed IP). I've updated the port forwarding rules, but doesnt appear to be working.

And also we need update the VPN settings as well, and not sure where to update this.

Here is the config:

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group WAN-Firewall-In in
 ip access-group WAN-Firewall-Out out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username
 no cdp enable
 crypto map vpn
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp ip2 22 interface Vlan2 2222
ip route 0.0.0.0 0.0.0.0 external gateway
!
ip access-list extended ACL-NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended WAN-Firewall-In
 deny   ip host 0.0.0.0 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp any any established
 permit udp any any
 permit esp any any
 permit tcp any any eq 1723 log
 permit gre any any
 permit icmp any any
 permit tcp host  eq 15554 any log
 permit tcp host  any eq ftp-data log
 permit tcp host 204. any eq ftp log
 permit ip host 203. any log
 permit ip host 114. any log
 permit ip host 203.2 any log
 permit ip host 218. any log

 deny   ip any any log
ip access-list extended WAN-Firewall-Ip
 permit tcp host ip any eq 1723 log
 permit tcp host 544 any eq 1723 log
 deny   ip any any log
ip access-list extended WAN-Firewall-Out
 permit tcp any any eq smtp log
 permit ip any any
ip access-list extended test
!
logging internal ip
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 logging synchronous
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 transport output all
!
end
0
Comment
Question by:goraek
  • 3
  • 3
6 Comments
 
LVL 17

Accepted Solution

by:
MAG03 earned 500 total points
ID: 39274678
I am assuming that you are using VLAN2 as your outside interface.  first off I would suggest putting descriptions on the interfaces so that they are easier to read...not needed but just a suggestion.

The problem with NAT first off is that you need to define the VLAN 2 as the outside NATed interface.

interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
ip nat inside
 ip virtual-reassembly in

Do the following

enable
config t
int vlan 2
no ip nat inside
ip nat outside

Unless you have edited out the VPN configuration I do not see it there...except for the crypto map vpn which is configured on the dialer interface.  Is this a site to site VPN or remote access VPN?

In any case move the command crypto map vpn to the vlan 2 interface and things should start working again.  If that doesn't work try adding that command to the physical outside interface...which looks to be FastEthernet1
0
 
LVL 2

Author Comment

by:goraek
ID: 39274696
Thanks.
If I changed the ip nat on vlan 2 interface, will this affect the connection or drop the connection? At the moment it is up.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39274716
That depends, did you post the full configuration of the router?  by the way which model is it?

When you say the connection is up do you mean the VPN connection is up?  are there connections being made through the router at this time...ie. internet traffic?

Where does the VLAN 2 connect to? is this the outside world?
0
Maximize Your Threat Intelligence Reporting

Reporting is one of the most important and least talked about aspects of a world-class threat intelligence program. Here’s how to do it right.

 
LVL 2

Author Comment

by:goraek
ID: 39276484
Cool I changed the ip nat to outside, and the port forwarding started to work. Good to know.

Also I've changed the crypto map to vlan 2 interface, did a sh crypto session, the status is down-negotiating, still nothing.

I've updated the IP and crypt mapping, but no good.

Any ideas?
0
 
LVL 17

Expert Comment

by:MAG03
ID: 39277148
Is it a site to site vpn or remote access vpn?  If it is a site to site then you would need to update the other end of the configuration at the other end to peer against the new IP.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 39277773
Thanks, changed IP nat and remapped crypto. Worked like a treat.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Suggested Solutions

If your business is like most, chances are you still need to maintain a fax infrastructure for your staff. It’s hard to believe that a communication technology that was thriving in the mid-80s could still be an essential part of your team’s modern I…
Meet the world's only “Transparent Cloud™” from Superb Internet Corporation. Now, you can experience firsthand a cloud platform that consistently outperforms Amazon Web Services (AWS), IBM’s Softlayer, and Microsoft’s Azure when it comes to CPU and …
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now