Solved

Cisco assistance with configuration

Posted on 2013-06-25
Last Modified: 2013-06-26
Hi EE

I'm still new to Cisco, although I know some basics.

I need some assistance in reconfiguring a Cisco router inherited from someone else. I'm not too sure, but it appears to be a mess.

What I need done is to port forward a few ports; one of them is RDP.

We've changed our WAN link from PPPoE to WAN (fixed IP). I've updated the port forwarding rules, but they don't appear to be working.

We also need to update the VPN settings, and I'm not sure where to update them.

Here is the config:

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group WAN-Firewall-In in
 ip access-group WAN-Firewall-Out out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username
 no cdp enable
 crypto map vpn
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp ip2 22 interface Vlan2 2222
ip route 0.0.0.0 0.0.0.0 external gateway
!
ip access-list extended ACL-NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended WAN-Firewall-In
 deny   ip host 0.0.0.0 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp any any established
 permit udp any any
 permit esp any any
 permit tcp any any eq 1723 log
 permit gre any any
 permit icmp any any
 permit tcp host  eq 15554 any log
 permit tcp host  any eq ftp-data log
 permit tcp host 204. any eq ftp log
 permit ip host 203. any log
 permit ip host 114. any log
 permit ip host 203.2 any log
 permit ip host 218. any log

 deny   ip any any log
ip access-list extended WAN-Firewall-Ip
 permit tcp host ip any eq 1723 log
 permit tcp host 544 any eq 1723 log
 deny   ip any any log
ip access-list extended WAN-Firewall-Out
 permit tcp any any eq smtp log
 permit ip any any
ip access-list extended test
!
logging internal ip
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 logging synchronous
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 transport output all
!
end
Question by:goraek
LVL 17

Accepted Solution

by:
Marius Gunnerud earned 2000 total points
ID: 39274678
I am assuming that you are using VLAN 2 as your outside interface. First off, I would suggest putting descriptions on the interfaces so that they are easier to read... not needed, but just a suggestion.

The problem with NAT, first off, is that you need to define VLAN 2 as the outside NAT interface.

interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in

Do the following

enable
config t
int vlan 2
no ip nat inside
ip nat outside

Unless you have edited out the VPN configuration, I do not see it there... except for the crypto map vpn, which is configured on the dialer interface. Is this a site-to-site VPN or a remote access VPN?

In any case, move the command crypto map vpn to the VLAN 2 interface and things should start working again. If that doesn't work, try adding that command to the physical outside interface... which looks to be FastEthernet1.
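Worked example (added here; it is not part of the thread and not the poster's running config): the interface, NAT and firewall sections as they look once Vlan2 is the fixed-IP WAN, following the steps in this answer. It also moves the two ip access-group lines, which in the posted config are still bound to Dialer0: with the PPPoE dialer out of the path, Vlan2 has no inbound filter at all, so every static NAT on it (including the RDP forward the question asks for) is reachable from any source on the internet. All addresses are placeholders (203.0.113.2/30 WAN with next hop 203.0.113.1, 10.0.0.0/24 LAN, 10.0.0.5 SSH host, 10.0.0.10 RDP host, 198.51.100.0/24 as the only network allowed to reach the forwarded ports). The PPTP/GRE entries and the 1452 MSS clamp are left out: nothing on the page shows a PPTP server behind this router, and the clamp was sized for the 1492-byte PPPoE MTU.

```cisco
! Added example, not the poster's running config. Placeholder addresses:
! WAN 203.0.113.2/30 (next hop 203.0.113.1), LAN 10.0.0.0/24,
! SSH host 10.0.0.5, RDP host 10.0.0.10, admin network 198.51.100.0/24.
interface Vlan1
 description LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
! Vlan2 takes over every WAN-role command that sat on Dialer0:
! the two access-groups, nat outside, the anti-spoofing knobs, the crypto map.
interface Vlan2
 description WAN - fixed IP, replaces Dialer0
 ip address 203.0.113.2 255.255.255.252
 ip access-group WAN-Firewall-In in
 ip access-group WAN-Firewall-Out out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 crypto map vpn
!
! PPPoE is gone: shut the dialer so it cannot remain a second
! NAT outside interface or install a stale default route.
interface Dialer0
 shutdown
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! Overload NAT for the LAN (ACL-NAT keeps the site-to-site subnet out of NAT)
! and the two port forwards; 3389 is the RDP forward from the question.
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp 10.0.0.5 22 interface Vlan2 2222
ip nat inside source static tcp 10.0.0.10 3389 interface Vlan2 3389
!
ip access-list extended ACL-NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
ip access-list extended WAN-Firewall-In
 remark Inbound is checked before NAT: match the public address and public port
 deny   ip host 0.0.0.0 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp any any established
 remark IPsec to this router only, instead of the original permit udp any any
 permit udp any host 203.0.113.2 eq isakmp
 permit udp any host 203.0.113.2 eq non500-isakmp
 permit esp any host 203.0.113.2
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark Forwarded ports reachable from the admin network only, never from any
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.2 eq 3389 log
 permit tcp 198.51.100.0 0.0.0.255 host 203.0.113.2 eq 2222 log
 deny   ip any any log
!
ip access-list extended WAN-Firewall-Out
 permit tcp any any eq smtp log
 permit ip any any
!
! The posted vty lines allow every transport with no idle timeout;
! restrict management to SSH from the LAN.
ip access-list standard MGMT
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT in
 exec-timeout 10 0
 transport input ssh
```

To check the result, connect to 203.0.113.2 on port 3389 from the admin network and look at show ip nat translations for the 10.0.0.10:3389 entry, then at show access-lists WAN-Firewall-In to confirm the hit count lands on the permit line and not on the final deny. A connection attempt from any other source should appear as a logged deny, which is the point of binding the filter to the interface that now faces the internet.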
LVL 2

Author Comment

by:goraek
ID: 39274696
Thanks.
If I change the ip nat on the VLAN 2 interface, will this affect the connection or drop the connection? At the moment it is up.
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 39274716
That depends; did you post the full configuration of the router? By the way, which model is it?

When you say the connection is up, do you mean the VPN connection is up? Are there connections being made through the router at this time, i.e. internet traffic?

Where does VLAN 2 connect to? Is this the outside world?
LVL 2

Author Comment

by:goraek
ID: 39276484
Cool, I changed the ip nat to outside, and the port forwarding started to work. Good to know.

Also, I've changed the crypto map to the VLAN 2 interface and did a sh crypto session; the status is down-negotiating, still nothing.

I've updated the IP and crypto mapping, but no good.

Any ideas?
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 39277148
Is it a site-to-site VPN or a remote access VPN? If it is site-to-site, then you would need to update the configuration at the other end to peer against the new IP.
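Worked example (added here; not from the thread and not the poster's config): what "update the other end to peer against the new IP" looks like for a site-to-site tunnel, assuming that is what the crypto map vpn on this router serves. Everything is a placeholder: IOS 15.x on both routers, this router now at 203.0.113.2, the remote router at 198.51.100.2, and the two LANs 10.0.0.0/24 and 192.168.0.0/24 taken from the VPN access list on the page. The old PPPoE address has to disappear from every place the remote router names it: the pre-shared key binding, set peer, and any inbound access list that permits ISAKMP and ESP by source. While any of those still carries the old address, phase 1 does not complete and this side stays in down-negotiating no matter how correct its own crypto map is.

```cisco
! Added example, not the poster's config. Placeholder addresses:
! this router 203.0.113.2 (new fixed WAN IP), remote router 198.51.100.2,
! local LAN 10.0.0.0/24, remote LAN 192.168.0.0/24. Assumes IOS 15.x.
!
! ---- This router ----
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
! The key is bound to the remote peer's address; use a long random string.
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.2
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic is the VPN access list already on the page.
! ACL-NAT must keep denying this pair, otherwise NAT rewrites the
! source before encryption and the packets never match this list.
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
!
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS-AES256
 set pfs group14
 match address VPN
!
interface Vlan2
 crypto map vpn
!
! ---- Remote router: replace every reference to the old PPPoE address ----
! First remove the stale binding:
!   no crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address <old address>
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.2
!
crypto map vpn 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256
 set pfs group14
 match address VPN
!
! Mirror image of the interesting-traffic list on the remote side.
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.0.0.255
!
! If the remote inbound WAN filter names the peer, it changes as well.
ip access-list extended WAN-Firewall-In
 permit udp host 203.0.113.2 any eq isakmp
 permit udp host 203.0.113.2 any eq non500-isakmp
 permit esp host 203.0.113.2 any
```

On this router, show crypto isakmp sa should move from MM_NO_STATE to QM_IDLE once the far end answers with the matching key, and show crypto session then reports UP-ACTIVE instead of DOWN-NEGOTIATING. If it stays down, debug crypto isakmp on either side shows whether the proposal, the key or the peer address is what mismatches.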
LVL 2

Author Closing Comment

by:goraek
ID: 39277773
Thanks, changed the IP NAT and remapped the crypto. Worked like a treat.