Yes, reverse NAT is what I am referring to. I am trying to allow PPTP (port
1723) and GRE to pass through NAT from the internet to an internal VPN server.
It is my understanding that GRE can only be passed with an access-list.
Here's my router config:
As you can see, I have dynamic NAT configured so the internal network can
access the internet. Then I have static NAT to allow reverse NAT (internet
initiated access to the internal network). You can see I have one for port 1723.
How do I let GRE pass through to my internal VPN server in this
configuration? Question more simplified: How do I enable internet clients to
pass through my router and establish a PPTP VPN to an internal NT 4 server?
Thanks for the help!!
Stephen
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname DCI
!
xxxxxxxxxxxxxxxxxxxx (enable password)
!
ip subnet-zero
no ip domain-lookup
!
!
!
!
!
interface Ethernet0
ip address 172.16.2.1 255.255.254.0
no ip directed-broadcast
ip nat inside
no cdp enable
!
interface Serial0
ip address 216.143.248.186 255.255.255.252
no ip directed-broadcast
ip nat outside
no cdp enable
!
interface BRI0
no ip address
no ip directed-broadcast
shutdown
no cdp enable
!
ip nat translation tcp-timeout 240
ip nat pool NAT 216.143.254.253 216.143.254.254 netmask 255.255.255.248
ip nat inside source list 101 pool NAT overload
ip nat inside source static tcp 172.16.2.6 1723 216.143.254.250 1723 extendable
ip nat inside source static tcp 172.16.2.7 1433 216.143.254.250 1433 extendable
ip nat inside source static tcp 172.16.2.3 5637 216.143.254.250 5637 extendable
ip nat inside source static udp 172.16.2.3 5638 216.143.254.250 5638 extendable
ip nat inside source static tcp 172.16.2.7 5635 216.143.254.250 5635 extendable
ip nat inside source static udp 172.16.2.7 5636 216.143.254.250 5636 extendable
ip nat inside source static tcp 172.16.2.5 5631 216.143.254.250 5631 extendable
ip nat inside source static udp 172.16.2.5 5632 216.143.254.250 5632 extendable
ip nat inside source static tcp 172.16.2.4 8000 216.143.254.250 8000 extendable
ip nat inside source static tcp 172.16.2.4 25 216.143.254.250 25 extendable
ip nat inside source static tcp 172.16.2.4 110 216.143.254.250 110 extendable
ip nat inside source static tcp 172.16.2.5 512 216.143.254.250 512 extendable
ip nat inside source static tcp 172.16.2.2 5633 216.143.254.250 5633 extendable
ip nat inside source static udp 172.16.2.2 5634 216.143.254.250 5634 extendable
ip nat inside source static tcp 172.16.2.9 80 216.143.254.249 80 extendable
ip nat inside source static tcp 172.16.2.9 21 216.143.254.249 21 extendable
ip nat inside source static tcp 172.16.2.9 20 216.143.254.249 20 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 216.143.248.185
!
access-list 101 deny tcp any any range 137 139
access-list 101 permit ip 172.16.2.0 0.0.1.255 any
access-list 101 deny ip any any
no cdp run
!
line con 0
transport input none
!
end
----- Original Message -----
From: "Allen May"
To:
Sent: Thursday, June 21, 2001 4:09 PM
Subject: Re: Access-lists and NAT [7:9417]
> OK I'm a little confused, but I'm assuming you mean reverse NAT used as a
> static translation to provide a public IP to an internal IP? If so you only
> open the needed ports to that server. If you know all of the networks and
> subnets that users will be coming from you can limit source IPs to only
> those networks.
>
> When you say "if I create an inbound ACL on the S0 interface to allow all
> IP" do you mean allowing all external IPs to have access to it? If so, see
> above comment. If you don't know sources you'll have to do this and your
> only line of defense is the username/password scheme for users.
>
> Once they get into the VPN are they going to be assigned a virtual IP on the
> inside network?
>
> Maybe I'm misinterpreting the question. Is the public IP of the server in
> the NAT pool? If so, take it out or you'll have a problem there if NAT
> tries to use the ports needed for the VPN connection.
>
> Let me know if I got close to what you were asking ;) It's getting close to
> 5 and the coffee isn't working any more.
>
> Allen
> ----- Original Message -----
> From: "Stephen Hoover"
> To:
> Sent: Thursday, June 21, 2001 3:30 PM
> Subject: Access-lists and NAT [7:9417]
>
>
> > List,
> >
> > Two questions regarding ACLs and NAT.
> >
> > 1) Is there any way to apply an ACL to a static NAT entry?
> >
> > 2) My router (1604) has two active interfaces, E0 and S0. S0 has a public
> > IP that does not answer to any service (not part of the NAT scheme). E0 has
> > a private 172.16 network. I have 6 public IPs that I use in the NAT scheme.
> > My question is this: if I create an inbound ACL on the S0 interface to
> > allow all IP, does this present any security risk given the fact the
> > interface isn't mapped anywhere via NAT and is also NOT part of my internal
> > IP scheme?
> >
> >
> > What I am trying to do is allow PPTP VPN to an NT server, which entails
> > NAT'ing tcp 1723 and passing GRE. GRE has to pass on an ACL, so the only
> > way I can think to do it is to create an inbound ACL allowing all IP, so
> > returning NAT information from internally initiated conversations is not
> > interrupted. Am I way off base here?
> >
> > Thanks!
> > Stephen Hoover
> > Dallas, Texas
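As an added example (not Stephen's or Allen's configuration), here is one way to get PPTP and GRE to an inside server on IOS without opening all IP inbound: a one-to-one static mapping on a dedicated public address, so GRE is translated by address rather than by a port it does not have, plus an inbound ACL on Serial0 that admits only TCP 1723 and GRE to that address. It assumes 216.143.254.251 is unused in the /29 shown above and that access-list 102 is free.

```cisco
! Added example, not from the original post. Assumes 216.143.254.251 is an
! unused public address in the same block as the existing static entries.
!
! GRE is IP protocol 47 and carries no port numbers, so a port-level entry
! such as "ip nat inside source static tcp ... 1723 ..." only ever translates
! TCP/1723. A one-to-one static mapping translates every protocol addressed
! to that public IP, GRE included, to the inside host.
ip nat inside source static 172.16.2.6 216.143.254.251
!
! With the host now mapped one-to-one, the port-level 1723 entry on .250 is
! no longer needed for it:
no ip nat inside source static tcp 172.16.2.6 1723 216.143.254.250 1723 extendable
!
! Inbound filter on Serial0. Inbound ACLs on the outside interface are
! evaluated before NAT, so they match on the public (global) addresses.
! Only the PPTP control channel and GRE reach the VPN server.
access-list 102 permit tcp any host 216.143.254.251 eq 1723
access-list 102 permit gre any host 216.143.254.251
! Replies to TCP sessions opened from the inside (ACK/RST set) keep working;
! this covers the "returning NAT information" concern for TCP only.
access-list 102 permit tcp any any established
! Starting point only: the other published services on .249/.250 and any
! UDP replies (DNS, etc.) need their own permits, or reflexive ACLs,
! before this deny is safe to apply on the router shown above.
access-list 102 deny ip any any log
!
interface Serial0
 ip access-group 102 in
```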
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=9433&t=9417