cisco 2901 static route

Hi,

What IP do you have on the IPSec tunnel interface?

What I would do:

Under global config:

Inter vlan 1
ip nat enable

Inter <ipsec tunnel interface>
ip nat enable

ip nat source tcp 192.168.11.170 6200 <ip interface ipsec> 6200 extendable
ip nat source tcp 192.168.11.170 554 <ip interface ipsec> 554 extendable

Hi and thank you for responding....

sorry if I am comfusing

I would like the IPsec tunnel to only facilitate rdp and print traffic from the other site


the inbound  traffic I would like to forward is from external ip   gig 0/1

to   internal ip 192.168.11.170  not through IPsec tunnel.

I hope that is clear

thank you again

Hi,

It is indeed a bit confusing since I don't understand what and where the IPSec-tunnel plays a role in this situation.

Anyhow - in order to forward traffic from the external IP on G0/1 I assume that on G0/1 you have the command "ip nat outside" and on the internal interface for VLAN1 you have "ip nat inside", otherwise they wouldn't access the internet.

Then you would only have to do this:

Global Config:

ip nat inside source static tcp 192.168.11.170 <Internal Port Number> <Public IP> 6200 extendable
ip nat inside source static tcp 192.168.11.170 <Internal Port Number> <Public IP> 554 extendable

I have posted the current config......   it has prevented internet access now ?



:
R1#sh run
Building configuration...

Current configuration : 4964 bytes
!
! Last configuration change at 16:29:47 London Thu Mar 20 2014 by Totel
version 15.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname R1
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 4 F9PJkkW/iDBmWh/Mk/RJaMHm.v2DrxG4eUpiVJsWdp6
enable password XXXXXXXXX
!
no aaa new-model
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
ip cef
!
!
!
!
!
!
ip domain name hotelsync
ip name-server 217.20.29.9
ip name-server 217.20.22.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2078509693
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2078509693
 revocation-check none
 rsakeypair TP-self-signed-2078509693
!
!
crypto pki certificate chain TP-self-signed-2078509693
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303738 35303936 3933301E 170D3133 31303039 31383239
  30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30373835
  30393639 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008CBE FA3CB82F 9D8CD451 50107712 9039D617 4B0FC437 276ADD5A B1480840
  34506302 7BFF92B2 8AB0BB03 C68EE566 56B6DD22 A194B064 E2A460E0 81B382B2
  858E9D2A BCC2E729 0F7B8276 FC34C547 8522BDF8 18F359E4 AF3958E4 87307B60
  3F3B43E1 F094D72C 36168DEE E6E5EF9B 25AD6116 8559330D 27B22DE8 0FF635DA
  22950203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E984D3 2DCE72E2 F1B93138 4A9952C2 75868C8A 96301D06
  03551D0E 04160414 E984D32D CE72E2F1 B931384A 9952C275 868C8A96 300D0609
  2A864886 F70D0101 05050003 81810045 6D2F8412 804CCF1B 3518127E 1D2D6331
  26475BFF 95CFCF6C 2CE2EF3D D63E6ABF 7E72CB78 DD60A0C0 78525C3D D8B4A813
  9D7B95AD CCAD7CFD 1365B6A7 EA3FB803 5343A641 1ACBCFE6 14BCE9B7 5CA831B6
  57CCB785 3D7A1016 04FE7044 D0E5F5B0 D856238F 5ADC0344 62653CAD 7C404680
  217A3232 2CC37954 364EE5E7 771F35
        quit
license udi pid CISCO2901/K9 sn XXXXXXXXXXX
license boot module c2900 technology-package securityk9
!
!
username XXXXX privilege 15 password 0 XXXXXXXX
username XXXXX privilege 15 secret 4 bjcoJTI/OnezUYKEZQAAMw3Ue.YzcegCo65R8X6MDA.
username XXXXXX privilege 15 secret 4 y6iuEwyEPwShaReNwpfzBc8sRYwYlqCoX8Yzv.Yp7aA
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keyxxxxxxxx address 109.228.62.4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to xx.2x8.xxx.4
 set peer xx.2x8.xxx.4
 set transform-set ESP-3DES-SHA
 match address 100
!
crypto map SDM_CMAP_2 1 ipsec-isakmp
 description Tunnel  toxx.2x8.xxx.4
 set peer  xx.2x8.xxx.4
 set transform-set ESP-3DES-SHA
 match address 102
!
!
!
!
!
interface Loopback0
 ip address 192.168.130.7 255.255.255.240
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 192.168.10.254 255.255.254.0
 ip nat inside
 ip virtual-reassembly in
 crypto map SDM_CMAP_2
!
interface GigabitEthernet0/0.2
 description voice vlan
 encapsulation dot1Q 30
 ip address 192.168.250.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1
 description external WAN
 ip address xxx.xx.xx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
!
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 78.xx.xxx.xxx
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip sla auto discovery
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.10.0 0.0.1.255 10.98.136.0 0.0.1.255
access-list 101 permit ip any any
access-list 101 permit icmp any any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.10.0 0.0.1.255 10.98.136.0 0.0.1.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 60 0
 privilege level 15
 password**************
 logging synchronous
 login local
 transport input all
 transport output all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 194.164.127.6 source GigabitEthernet0/1
!
end

R1#

Thanks

Hi,

Did you just add the "IP nat inside" and "IP nat outside"?
If so, just remove them using "no IP nat ..."

It seem like you have no NAT on the outside interface (public) so I assume you run all Internet-traffic via another router that does the NAT?

Also, I cannot find 192.168.11 in your config. Did you mean 192.168.10 in you original post?

Hi,

sorry my typing....


interal ip

vlan native   192.168.10.1   -  192.168.11.254   (inside is the cctv server 11.170)

vlan  voice      192.168.250.1    ---  192.168.250.250


the external ip

interface GigabitEthernet0/1
 description external WAN
 ip address xxx.xx.xx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

will this not pass internet traffic for native vlan ?

the external interface does have no

You did not answer the question, did you add the nat commands when it stopes passing traffic or not?

You have no NAT-pools so is assume that's why it doesn't pass traffic.

Also - is this router supposed to NAT traffic from your internal interfaces to the Internet or not?

I mean all traffic from internal to Internet.

hi yes this router is to be the only gateway for my local network.

everything should go through this

the vpn and internet traffic

just need to nat incoming ports for cctv

By the way - are you sure you did not remove any extra NAT-commands?

If you want to compare the current config with the saved one you can use "show startup-config", to see if you removed any extra NAT-rules