cisco 1811 configuration help

  • cisco 1811 configuration help

    we're trying to implement this series router in order to utilize our static ips.

    one for our web/email server and the other for use with customer machines we do work on which are often infected with spyware/viruses.

    i feel like this configuration should work and it has; however, it blocks out one of our employees from accessing his email, etc. from his home--which isn't so good. (we are currently running a virtual router to workaround this issue)

    however, from anywhere but his house he can access it. i can't imagine that it's anything in my configuration, but i wanted to double-check with the minds here.

    Code:
    Building configuration...
    
    Current configuration : 3411 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Router
    !
    boot-start-marker
    boot-end-marker
    !
    !
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    no aaa new-model
    ip subnet-zero
    !
    !
    ip cef
    ip dhcp excluded-address 192.168.5.101 192.168.5.254
    ip dhcp excluded-address 192.168.10.101 192.168.10.254
    !
    ip dhcp pool office_dhcp
       import all
       network 192.168.5.0 255.255.255.0
       dns-server 209.55.5.10 209.55.5.11 
       default-router 192.168.5.254 
    !
    ip dhcp pool customer_dhcp
       import all
       network 192.168.10.0 255.255.255.0
       dns-server 209.55.5.10 209.55.5.11 
       default-router 192.168.10.254 
    !
    !
    ip name-server 209.55.5.10
    ip name-server 209.55.5.11
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    ! 
    !
    !
    !
    interface FastEthernet0
     ip address 207.x.x.x 255.255.255.0
     ip nat outside
     ip virtual-reassembly
     duplex auto
     speed auto
    !
    interface FastEthernet1
     ip address 10.0.0.1 255.0.0.0
     duplex auto
     speed auto
    !
    interface FastEthernet2
     switchport access vlan 2
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 3
     no ip address
    !
    interface FastEthernet4
     no ip address
     shutdown
    !
    interface FastEthernet5
     no ip address
     shutdown
    !
    interface FastEthernet6
     no ip address
     shutdown
    !
    interface FastEthernet7
     no ip address
     shutdown
    !
    interface FastEthernet8
     no ip address
     shutdown
    !
    interface FastEthernet9
     no ip address
     shutdown
    !
    interface Vlan1
     no ip address
    !
    interface Vlan2
     ip address 192.168.5.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Vlan3
     ip address 192.168.10.254 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Async1
     no ip address
    !
    router rip
     network 192.168.5.0
     network 192.168.10.0
     network 207.x.x.0
     no auto-summary
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 FastEthernet0 permanent
    !
    !
    ip http server
    ip http secure-server
    ip nat inside source list 1 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.5.115 1024 207.x.x.x 1024 extendable
    ip nat inside source static tcp 192.168.5.115 1025 207.x.x.x 1025 extendable
    ip nat inside source static tcp 192.168.5.115 1026 207.x.x.x 1026 extendable
    ip nat inside source static tcp 192.168.5.115 2774 207.x.x.x 2774 extendable
    ip nat inside source static tcp 192.168.5.115 3822 207.x.x.x 3822 extendable
    ip nat inside source static tcp 192.168.5.120 25 207.x.x.x 25 extendable
    ip nat inside source static tcp 192.168.5.120 80 207.x.x.x 80 extendable
    ip nat inside source static tcp 192.168.5.120 110 207.x.x.x 110 extendable
    ip nat inside source static tcp 192.168.5.120 443 207.x.x.x 443 extendable
    ip nat inside source static tcp 192.168.5.120 444 207.x.x.x 444 extendable
    ip nat inside source static tcp 192.168.5.120 1723 207.x.x.x 1723 extendable
    ip nat inside source static udp 192.168.5.120 2883 207.x.x.x 2883 extendable
    ip nat inside source static tcp 192.168.5.120 3389 207.x.x.x 3389 extendable
    ip nat inside source static tcp 192.168.5.120 4125 207.x.x.x 4125 extendable
    ip nat inside source static 192.168.5.120 207.x.x.x
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.5.0 0.0.0.255
    access-list 1 permit 192.168.10.0 0.0.0.255
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line 1
    line aux 0
    line vty 0 4
    !
    no scheduler allocate
    end

    as far as the fa1 interface, that is simply for sdm configuration and will be removed later.

    and as far as isolating the problem from his house: same isp (but his home is dhcp assigned). we've swapped different brand routers, custom settings, default settings, etc. and nothing has worked.

    also, i just reset factory settings and redid this configuration from memory, so it might be missing a few things. if i am, please let me know (it's been nearly 3 months since trying to get this in production).

    any help is greatly appreciated.
    Last edited by jcpoole2501; 7th May 2008, 14:42.

  • #2
    Re: cisco 1811 configuration help

    Is the user's home subnet also on the 192.168.5.0/24? If so you may have overlapping routes. Your configuration looks fine as far as I can tell. Just my initial thoughts. I guess it would help to get a little more detail on the home user's setup.

    Ryan
    Last edited by ryansmitty; 8th May 2008, 00:00.

    • #3
      Re: cisco 1811 configuration help

      I agree with Ryan. This is pretty common with remote access. The connection to the office is through a 192.168.5.x ip address but the home network is also on a 192.168.5.x subnet so the computer thinks the resources are local and traffic never gets routed through the remote access connection. The easiest thing to do is to have the user change their home subnet to anything other than 192.168.5.x.
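
The overlap hypothesis in the two replies above can be checked mechanically. The following is an added example (not from the thread or from Cisco) that takes the two office networks from the router config in the original post, reports whether a given home LAN overlaps them, and then models the home PC's route selection with a constructed routing table: a directly connected route and a remote-access tunnel route to the same /24 both match, and the connected route wins the tie on metric, so the traffic never enters the tunnel. A non-overlapping home LAN such as 192.168.0.0/24 is used as the contrast; the metrics and the "tunnel" label are assumptions of the model.

```python
import ipaddress

# Office networks taken from the Vlan2 / Vlan3 interfaces in the posted config.
OFFICE_NETWORKS = {
    "Vlan2 office LAN": ipaddress.ip_network("192.168.5.0/24"),
    "Vlan3 customer LAN": ipaddress.ip_network("192.168.10.0/24"),
}


def overlapping_office_networks(home_cidr):
    """Names of office networks that overlap the home LAN (empty list = no clash)."""
    home = ipaddress.ip_network(home_cidr, strict=False)
    return [name for name, net in OFFICE_NETWORKS.items() if net.overlaps(home)]


def remote_pc_routes(home_cidr):
    """Constructed routing table of a home PC with a remote-access tunnel up.

    Metrics are assumptions: a directly connected LAN is preferred over a tunnel,
    which is preferred over the default route, as most host stacks do it."""
    routes = [
        {"network": ipaddress.ip_network("0.0.0.0/0"),
         "via": "home ISP gateway", "metric": 25},
        {"network": ipaddress.ip_network(home_cidr, strict=False),
         "via": "home LAN (connected)", "metric": 10},
    ]
    for name, net in OFFICE_NETWORKS.items():
        routes.append({"network": net,
                       "via": f"remote-access tunnel -> {name}", "metric": 20})
    return routes


def select_route(destination, routes):
    """Longest-prefix match; equal prefix lengths are decided by the lower metric."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if dst in r["network"]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r["network"].prefixlen, -r["metric"]))
    return best["via"]


def path_to_office_host(home_cidr, office_host="192.168.5.120"):
    """Which path the home PC uses to reach an office host (the mail server here)."""
    return select_route(office_host, remote_pc_routes(home_cidr))


if __name__ == "__main__":
    for home in ("192.168.5.0/24", "192.168.0.0/24"):
        print(home, "overlaps:", overlapping_office_networks(home),
              "| path to 192.168.5.120:", path_to_office_host(home))
```

With a 192.168.5.x home LAN the model picks the connected route, which is exactly the "computer thinks the resources are local" behaviour described above; with 192.168.0.x the office prefix only exists behind the tunnel and is routed there.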

      • #4
        Re: cisco 1811 configuration help

        thanks for the replies.
        his home network is on the 192.168.0.x subnet.
        and he also clarified the problem from before as not being able to use outlook with RPC over HTTP -- if he recalls correctly, webmail on our exchange server worked.
        i've put my configuration back into production and we'll do some more testing tonight.

        i do have another question. i'd like to know how to forward a range of ports (for 1024-2048 backup services to 192.168.5.115). at one point i think i knew, but it's too long gone to remember.

        • #5
          Re: cisco 1811 configuration help

          Can anyone help me with this problem?

          I need to forward a range of ports ( 1024-2048 ) to an internal IP address from an outside static of xxx.xxx.xxx.37.

          Thanks in advance.

          • #6
            Re: cisco 1811 configuration help

            Why do you need to forward so many ports???

            Also have a review on this thread:
            http://forums.petri.com/showthread.php?t=4305&page=2
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            • #7
              Re: cisco 1811 configuration help

              Dumber,

              The massive number of ports is for some remote backup software, allowing multiple clients bandwidth room for their backups at night.
              I was able to resolve this issue with the following commands:

              ip nat pool blah 192.168.5.115 192.168.5.115 netmask 255.255.255.0 type rotary
              ip nat inside destination list 101 pool blah
              access-list 101 permit tcp any any range 1024 2048

              Another question I have, will the Cisco 1811 support a Windows VPN connection, as in, without having to load any third party software/hardware (such as EasyVPN) on the client's end?
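
The static NAT lines in the original config plus the rotary-pool commands above together decide what an outside client can reach on the inside. The following is an added example (not from the thread or from Cisco) that parses a constructed excerpt of those lines and builds an exposure inventory per inside host. It treats every address in the rotary pool as reachable on the ACL's port range, records the bare `ip nat inside source static 192.168.5.120 207.x.x.x` line as exposing every port, and flags that `access-list 101 permit tcp any any range 1024 2048` matches the range on any outside address, which matters because the first post says the router serves two static public IPs. `207.x.x.x` is the poster's own redaction and is kept as an opaque string; `is_reachable` and the finding wording are this example's own.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt: NAT lines from the running config in the original post
# plus the rotary-pool commands from post #7. "207.x.x.x" is the poster's own
# redaction of the public address and is never parsed as an IP here.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.5.115 1024 207.x.x.x 1024 extendable
ip nat inside source static tcp 192.168.5.120 25 207.x.x.x 25 extendable
ip nat inside source static tcp 192.168.5.120 443 207.x.x.x 443 extendable
ip nat inside source static udp 192.168.5.120 2883 207.x.x.x 2883 extendable
ip nat inside source static tcp 192.168.5.120 3389 207.x.x.x 3389 extendable
ip nat inside source static 192.168.5.120 207.x.x.x
ip nat pool blah 192.168.5.115 192.168.5.115 netmask 255.255.255.0 type rotary
ip nat inside destination list 101 pool blah
access-list 101 permit tcp any any range 1024 2048
"""

STATIC_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
STATIC_FULL = re.compile(r"^ip nat inside source static (\S+) (\S+)$")
ROTARY_POOL = re.compile(r"^ip nat pool (\S+) (\S+) (\S+) netmask \S+ type rotary")
DEST_LIST = re.compile(r"^ip nat inside destination list (\d+) pool (\S+)")
ACL_RANGE = re.compile(
    r"^access-list (\d+) permit (tcp|udp) (any|host \S+) (any|host \S+) range (\d+) (\d+)")


def exposed_services(config_text):
    """Map each inside host to (proto, low_port, high_port) triples reachable from
    outside, and collect the findings a config reviewer would raise."""
    exposed = defaultdict(set)
    pools, acl_to_pool, findings = {}, {}, []
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]

    for line in lines:
        if m := STATIC_PORT.match(line):
            proto, inside, _iport, _outside, oport = m.groups()
            exposed[inside].add((proto, int(oport), int(oport)))
        elif m := STATIC_FULL.match(line):
            inside, outside = m.groups()
            exposed[inside].add(("any", 0, 65535))   # one-to-one static: all ports
            findings.append(f"{inside} is fully exposed on {outside}: every port and "
                            "protocol, not just the services listed per port")
        elif m := ROTARY_POOL.match(line):
            pools[m.group(1)] = (m.group(2), m.group(3))
        elif m := DEST_LIST.match(line):
            acl_to_pool[m.group(1)] = m.group(2)

    # ACLs normally sit below the NAT statements, so resolve them in a second pass.
    for line in lines:
        if m := ACL_RANGE.match(line):
            acl, proto, _src, dst, lo, hi = m.groups()
            pool = acl_to_pool.get(acl)
            if pool is None or pool not in pools:
                continue
            first, last = (int(ipaddress.ip_address(a)) for a in pools[pool])
            for n in range(first, last + 1):
                exposed[str(ipaddress.ip_address(n))].add((proto, int(lo), int(hi)))
            if dst == "any":
                findings.append(f"access-list {acl} matches {proto} {lo}-{hi} to ANY outside "
                                "address; with two public addresses on the router, restrict "
                                "the destination with 'host <outside-ip>' so only the intended "
                                f"address forwards to pool {pool}")
    return dict(exposed), findings


def is_reachable(exposed, inside_host, proto, port):
    """True if an outside client can reach inside_host on proto/port through NAT."""
    return any(p in (proto, "any") and lo <= port <= hi
               for p, lo, hi in exposed.get(inside_host, ()))


if __name__ == "__main__":
    services, notes = exposed_services(SAMPLE_CONFIG)
    for host, entries in sorted(services.items()):
        print(host, sorted(entries))
    for note in notes:
        print("finding:", note)
```

Running it against the excerpt lists 192.168.5.115 as reachable on tcp 1024-2048 through the rotary pool and 192.168.5.120 on everything because of the bare static entry; the per-port `extendable` lines for .120 are redundant once that one-to-one mapping exists, which is worth knowing when deciding what the firewall in front of it actually has to block.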

              • #8
                Re: cisco 1811 configuration help

                But can't you configure your backup software to limit the port numbers?
                I don't know what kind of exotic software you're using but I never have seen a backup solution where you can't limit the port numbers.
                Marcel

                • #9
                  Re: cisco 1811 configuration help

                  The software does allow the limiting of port numbers, we just chose to keep that many open so our clients could finish downloads within a reasonable time frame, allow for plenty of throughput, etc.

                  Any advice on the VPN issue? I need to try and get this set up so the user in the OP can access network resources from his home.
                  Last edited by jcpoole2501; 13th June 2008, 16:24.
