Maphew
asked on
cisco 2901 static route
please can anyone advise me ...
I have a cisco 2901 router
subinterface 0/0
dot1q 1 == native vlan 192.168.11.1
dot1q 2 == voice vlan 192.168.22.1
I have an IPsec site-to-site VPN mapped to external gig 0/1 47.x.x.23
How do I redirect TCP ports 6200 & 554 to internal IP 192.168.11.170?
Thank you so much for helping
Regards
Matthew
ASKER
Hi and thank you for responding....
Sorry if I am confusing.
I would like the IPsec tunnel to only facilitate RDP and print traffic from the other site.
The inbound traffic I would like to forward is from external IP gig 0/1
to internal IP 192.168.11.170, not through the IPsec tunnel.
I hope that is clear
thank you again
Hi,
It is indeed a bit confusing since I don't understand what and where the IPSec-tunnel plays a role in this situation.
Anyhow - in order to forward traffic from the external IP on G0/1 I assume that on G0/1 you have the command "ip nat outside" and on the internal interface for VLAN1 you have "ip nat inside", otherwise they wouldn't access the internet.
Then you would only have to do this:
Global Config:
ip nat inside source static tcp 192.168.11.170 <Internal Port Number> <Public IP> 6200 extendable
ip nat inside source static tcp 192.168.11.170 <Internal Port Number> <Public IP> 554 extendable
ASKER
I have posted the current config...... it has prevented internet access now?
R1#sh run
Building configuration...
Current configuration : 4964 bytes
!
! Last configuration change at 16:29:47 London Thu Mar 20 2014 by Totel
version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 4 F9PJkkW/iDBmWh/Mk/RJaMHm.v2DrxG4eUpiVJsWdp6
enable password XXXXXXXXX
!
no aaa new-model
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
ip cef
!
!
!
!
!
!
ip domain name hotelsync
ip name-server 217.20.29.9
ip name-server 217.20.22.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2078509693
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2078509693
revocation-check none
rsakeypair TP-self-signed-2078509693
!
!
crypto pki certificate chain TP-self-signed-2078509693
certificate self-signed 01
quit
license udi pid CISCO2901/K9 sn XXXXXXXXXXX
license boot module c2900 technology-package securityk9
!
!
username XXXXX privilege 15 password 0 XXXXXXXX
username XXXXX privilege 15 secret 4 bjcoJTI/OnezUYKEZQAAMw3Ue.YzcegCo65R8X6MDA.
username XXXXXX privilege 15 secret 4 y6iuEwyEPwShaReNwpfzBc8sRYwYlqCoX8Yzv.Yp7aA
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address 109.228.62.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to xx.2x8.xxx.4
set peer xx.2x8.xxx.4
set transform-set ESP-3DES-SHA
match address 100
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
description Tunnel to xx.2x8.xxx.4
set peer xx.2x8.xxx.4
set transform-set ESP-3DES-SHA
match address 102
!
!
!
!
!
interface Loopback0
ip address 192.168.130.7 255.255.255.240
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/0.1
encapsulation dot1Q 1 native
ip address 192.168.10.254 255.255.254.0
ip nat inside
ip virtual-reassembly in
crypto map SDM_CMAP_2
!
interface GigabitEthernet0/0.2
description voice vlan
encapsulation dot1Q 30
ip address 192.168.250.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1
description external WAN
ip address xxx.xx.xx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.xx.xxx.xxx
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip sla auto discovery
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.1.255 10.98.136.0 0.0.1.255
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.1.255 10.98.136.0 0.0.1.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 60 0
privilege level 15
password **************
logging synchronous
login local
transport input all
transport output all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 194.164.127.6 source GigabitEthernet0/1
!
end
R1#
Thanks
Hi,
Did you just add the "IP nat inside" and "IP nat outside"?
If so, just remove them using "no IP nat ..."
It seems like you have no NAT on the outside interface (public), so I assume you run all Internet traffic via another router that does the NAT?
Also, I cannot find 192.168.11 in your config. Did you mean 192.168.10 in your original post?
ASKER
Hi,
sorry my typing....
internal IP
vlan native 192.168.10.1 - 192.168.11.254 (inside is the cctv server 11.170)
vlan voice 192.168.250.1 --- 192.168.250.250
the external ip
interface GigabitEthernet0/1
description external WAN
ip address xxx.xx.xx.xxx 255.255.255.248
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
Will this not pass internet traffic for the native VLAN?
the external interface does have no
You did not answer the question: did you add the NAT commands when it stopped passing traffic, or not?
You have no NAT pools, so I assume that's why it doesn't pass traffic.
Also - is this router supposed to NAT traffic from your internal interfaces to the Internet or not?
I mean all traffic from internal to Internet.
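An added check, not code from this thread or its participants, for the diagnosis above: it parses a constructed IOS show run excerpt modelled on the posted config and reports the conditions discussed here, namely interfaces marked inside/outside with no dynamic NAT rule, missing static port forwards, and the pair of default routes. The interface names are taken from the posted config; the WAN addresses are assumed placeholders.

```python
import re

# Constructed excerpt modelled on the running-config posted in this thread;
# the WAN addresses are documentation-range placeholders, not the asker's.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0.1
 ip address 192.168.10.254 255.255.254.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
"""

def parse_interfaces(config):
    """Map each interface name to the set of its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif line.startswith(" ") and current is not None:
            ifaces[current].add(line.strip())
        else:
            current = None  # '!' or any other top-level line ends the block
    return ifaces

def audit_nat(config):
    """Return findings that explain why inside hosts cannot reach the Internet."""
    ifaces = parse_interfaces(config)
    inside = [n for n, cmds in ifaces.items() if "ip nat inside" in cmds]
    outside = [n for n, cmds in ifaces.items() if "ip nat outside" in cmds]
    dynamic = re.findall(r"^ip nat inside source (?:list|route-map) .*$", config, re.M)
    statics = re.findall(r"^ip nat inside source static .*$", config, re.M)
    defaults = re.findall(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 .*$", config, re.M)
    findings = []
    if not inside or not outside:
        findings.append("missing 'ip nat inside'/'ip nat outside' pairing")
    elif not dynamic:
        # marked interfaces but no outbound translation: hosts leave the WAN port with private sources
        findings.append("no dynamic NAT (overload/pool): inside hosts reach the WAN untranslated")
    if not statics:
        findings.append("no static port forwards configured")
    if len(defaults) > 1:
        findings.append(f"{len(defaults)} default routes configured; confirm that is intended")
    return findings
```

Paste the output of show running-config in place of SAMPLE_CONFIG to run the same checks against a real box.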
ASKER
hi yes this router is to be the only gateway for my local network.
everything should go through this
the vpn and internet traffic
just need to nat incoming ports for cctv
By the way - are you sure you did not remove any extra NAT-commands?
If you want to compare the current config with the saved one you can use "show startup-config", to see if you removed any extra NAT-rules
What IP do you have on the IPSec tunnel interface?
What I would do:
Under global config:
interface GigabitEthernet0/0.1
 ! the native VLAN (dot1Q 1) sub-interface in the posted config; this router has no Vlan1 SVI
 ip nat enable
interface <ipsec tunnel interface>
 ip nat enable
! NAT virtual interface (NVI) static PAT: the "static" keyword is required; local address/port first, then global
ip nat source static tcp 192.168.11.170 6200 <ip interface ipsec> 6200 extendable
ip nat source static tcp 192.168.11.170 554 <ip interface ipsec> 554 extendable