?
Solved

Cisco assistance with configuration

Posted on 2013-06-25
6
Medium Priority
?
409 Views
Last Modified: 2013-06-26
Hi EE

I'm still new to cisco althought I know some basics.

I need some assistance in reconfiguring a cisco router - inherited from someone else. Although I'm not too sure, but it appears to be a mess.

What I needed done is to port forward a few ports, one of them IS rdp.

We've changed our WAN link from PPPoE to WAN (fixed IP). I've updated the port forwarding rules, but doesnt appear to be working.

And also we need update the VPN settings as well, and not sure where to update this.

Here is the config:

interface FastEthernet0
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 mtu 1492
 ip address negotiated
 ip access-group WAN-Firewall-In in
 ip access-group WAN-Firewall-Out out
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname
 ppp chap password 7
 ppp pap sent-username
 no cdp enable
 crypto map vpn
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list ACL-NAT interface Vlan2 overload
ip nat inside source static tcp ip2 22 interface Vlan2 2222
ip route 0.0.0.0 0.0.0.0 external gateway
!
ip access-list extended ACL-NAT
 deny   ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ip access-list extended WAN-Firewall-In
 deny   ip host 0.0.0.0 any log
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 127.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 deny   ip 224.0.0.0 15.255.255.255 any log
 deny   ip host 255.255.255.255 any log
 permit tcp any any established
 permit udp any any
 permit esp any any
 permit tcp any any eq 1723 log
 permit gre any any
 permit icmp any any
 permit tcp host  eq 15554 any log
 permit tcp host  any eq ftp-data log
 permit tcp host 204. any eq ftp log
 permit ip host 203. any log
 permit ip host 114. any log
 permit ip host 203.2 any log
 permit ip host 218. any log

 deny   ip any any log
ip access-list extended WAN-Firewall-Ip
 permit tcp host ip any eq 1723 log
 permit tcp host 544 any eq 1723 log
 deny   ip any any log
ip access-list extended WAN-Firewall-Out
 permit tcp any any eq smtp log
 permit ip any any
ip access-list extended test
!
logging internal ip
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 logging synchronous
 transport output all
 stopbits 1
line aux 0
 transport output all
line vty 0 4
 exec-timeout 0 0
 logging synchronous
 transport input all
 transport output all
!
end
0
Comment
Question by:goraek
  • 3
  • 3
6 Comments
 
LVL 17

Accepted Solution

by:
Marius Gunnerud earned 2000 total points
ID: 39274678
I am assuming that you are using VLAN2 as your outside interface.  first off I would suggest putting descriptions on the interfaces so that they are easier to read...not needed but just a suggestion.

The problem with NAT first off is that you need to define the VLAN 2 as the outside NATed interface.

interface Vlan1
 ip address x.x.x.x 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 ip address y.y.y.y 255.255.255.252
ip nat inside
 ip virtual-reassembly in

Do the following

enable
config t
int vlan 2
no ip nat inside
ip nat outside

Unless you have edited out the VPN configuration I do not see it there...except for the crypto map vpn which is configured on the dialer interface.  Is this a site to site VPN or remote access VPN?

In any case move the command crypto map vpn to the vlan 2 interface and things should start working again.  If that doesn't work try adding that command to the physical outside interface...which looks to be FastEthernet1
0
 
LVL 2

Author Comment

by:goraek
ID: 39274696
Thanks.
If I changed the ip nat on vlan 2 interface, will this affect the connection or drop the connection? At the moment it is up.
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 39274716
That depends, did you post the full configuration of the router?  by the way which model is it?

When you say the connection is up do you mean the VPN connection is up?  are there connections being made through the router at this time...ie. internet traffic?

Where does the VLAN 2 connect to? is this the outside world?
0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 2

Author Comment

by:goraek
ID: 39276484
Cool I changed the ip nat to outside, and the port forwarding started to work. Good to know.

Also I've changed the crypto map to vlan 2 interface, did a sh crypto session, the status is down-negotiating, still nothing.

I've updated the IP and crypt mapping, but no good.

Any ideas?
0
 
LVL 17

Expert Comment

by:Marius Gunnerud
ID: 39277148
Is it a site to site vpn or remote access vpn?  If it is a site to site then you would need to update the other end of the configuration at the other end to peer against the new IP.
0
 
LVL 2

Author Closing Comment

by:goraek
ID: 39277773
Thanks, changed IP nat and remapped crypto. Worked like a treat.
0

Featured Post

Restore individual SQL databases with ease

Veeam Explorer for Microsoft SQL Server delivers an easy-to-use, wizard-driven interface for restoring your databases from a backup. No expert SQL background required. Web interface provides a complete view of all available SQL databases to simplify the recovery of lost database

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you’re involved with your company’s wide area network (WAN), you’ve probably heard about SD-WANs. They’re the “boy wonder” of networking, ostensibly allowing companies to replace expensive MPLS lines with low-cost Internet access. But, are they …
Unable to change the program that handles the scan event from a network attached Canon/Brother printer/scanner. This means you'll always have to choose which program handles this action, e.g. ControlCenter4 (in the case of a Brother).
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question