Cisco 1720 Question

Discussion in 'Cisco' started by Thomas E Petersen, Aug 26, 2005.

  1. Please forgive my ignorance, but I'm a total noob at Cisco and this fell
    into my lap. We have a location that has a Cisco 1720 that connects three
    networks to a firewall. One of the clients, who has a server on one of the
    networks, wants to set up a VPN into their server on port 5000. I can get
    this forwarded through our firewall and have pointed it at the gateway
    address of the destination network (on the Cisco 1720).

    I had nothing to do with the setup of this router, and I do know that the
    guy who did set it up only did so with the help of Cisco's tech support. I
    don't believe this is an option this time, as the router was installed in
    2001 and, as far as I know, we have no service agreement on it. I do know how
    to get into the router via Telnet and how to get it into configure mode, but
    after that I'm lost. Can this router forward port 5000 (or any other port)
    to another network? If so, how would I do this?

    Thanks.



    Thomas E Petersen, Aug 26, 2005
    #1

  2. RobO (Guest)


    Hi!

    If the router is doing the NAT'ing then you should be able to set up a
    NAT/PAT translation on the box.

    "show run" will print out the configuration.
    If the config shows "ip nat inside/outside" on the relevant
    interfaces then the router is doing the NAT'ing.

    A generic example of setting up a translation for TCP port 5000:
    "ip nat inside source static tcp INT-SERVER-IP 5000 EXT-ROUTER-IP 5000
    extendable"

    The other thing to check would be if there is any access-list in place
    (inbound on the external interface):

    Check to see if there are any "access-group" commands under any of the
    interfaces in the config and make a note of the access-group name.

    This will relate to an access-list that is either blocking/permitting
    specific traffic.
    It will have to be edited to include port 5000 for the traffic that you
    want to permit.

    Post your config if you get stuck.

    Rob
    RobO, Aug 26, 2005
    #2

  3. Igor Mamuzic (Guest)

    Or you can use Cisco SDM (Security Device Manager), a web-based (GUI) tool
    for configuring Cisco routers.
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps5318/tsd_products_support_series_home.html

    It's great for beginners in the world of Cisco and I think it's supported by
    1720 routers.

    You just need to check whether you run a compatible Cisco IOS release on your
    router... You can discover the IOS version using the 'show version' command.
    This command must be used in privileged ("enable") mode....

    Tell me which IOS version you have on your router and I will
    instruct you how to change the IOS version if needed...

    B.R.
    Igor


    Igor Mamuzic, Aug 26, 2005
    #3
  4. Thanks for the quick response. I tried this earlier today and it caused
    their internet to stop responding (?). Could that have something to do with
    the access lists?

    Anyway, here is their current run configuration.

    Building configuration...

    Current configuration : 1235 bytes
    !
    version 12.2
    no parser cache
    no service single-slot-reload-enable
    service timestamps debug uptime
    service timestamps log uptime
    no service password-encryption
    !
    hostname Router
    !
    logging rate-limit console 10 except errors
    enable secret 5 $1$JAC4$JimvcKDrpFPl7vLW5k.1G.
    enable password ********
    !
    username Exec
    memory-size iomem 25
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    !
    no ip dhcp-client network-discovery
    !
    !
    !
    interface Ethernet0
    ip address 172.16.2.210 255.255.0.0
    ip nat outside
    half-duplex
    !
    interface FastEthernet0
    ip address 130.100.0.222 255.255.255.0 secondary
    ip address 100.75.0.23 255.0.0.0
    ip broadcast-address 0.0.0.0
    ip nat inside
    no ip route-cache
    speed auto
    half-duplex
    !
    ip nat inside source list 101 interface Ethernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 172.16.2.207
    no ip http server
    !
    access-list 101 deny ip 100.0.0.0 0.0.0.255 130.100.0.0 0.0.0.255
    access-list 101 deny ip 130.100.0.0 0.0.0.255 100.0.0.0 0.255.255.255
    access-list 101 permit ip 100.0.0.0 0.255.255.255 any
    access-list 101 permit ip 130.100.0.0 0.0.0.255 any
    snmp-server community public RO
    !
    line con 0
    line aux 0
    line vty 0 4
    password ********
    login
    !
    end


    The server we are trying to get to is at 130.100.0.100 and the firewall the
    traffic will be coming in through is at 172.16.2.207. It then sends anything
    coming in on port 5000 to 172.16.2.210, which is the IP of the 1720 on the
    172.16.xxx.xxx subnet.

    The command I ran was 'ip nat inside source static tcp 130.100.0.100 5000
    172.16.2.207 5000 extendable'

    Was this correct?

    Thanks again.

    Thomas E Petersen, Aug 29, 2005
    #4
  5. RobO (Guest)


    Hi Thomas,

    The static NAT command is incorrect; it should reference the
    external IP address of the router itself and not the firewall that you
    mention.
    So this would be:

    "ip nat inside source static tcp 130.100.0.100 5000 172.16.2.210 5000
    extendable"

    Because all the NAT'ing is done on the Ethernet0 interface on IP
    172.16.2.210:
    "ip nat inside source list 101 interface Ethernet0 overload"

    This is called PAT (Port Address Translation), where all NAT'ed traffic is
    assigned a dynamic port for translation using the external IP of
    172.16.2.210.

    Hope this helps and let us know.

    Rob
    RobO, Aug 30, 2005
    #5
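To make Rob's two checks (post #2: is the router doing the NAT, and is there an inbound access-group on the outside interface; post #5: the static entry's global address must be the router's own outside address, not the firewall's) mechanical, here is an added example. It is not code from the thread or from Cisco. It parses a `show run` dump, records which interfaces are `ip nat inside`/`ip nat outside`, collects the static translations, and flags a static line whose global address is not an outside-interface address, which is exactly the mistake in post #4. The config string is a constructed sample modelled on the one posted above; the function and field names are my own, and the parser assumes the one-space indentation that `show run` prints for interface sub-commands (the paste in post #4 lost that indentation).

```python
"""Audit a Cisco IOS 'show run' dump for NAT placement and static port
translations.  Added example, not code from the thread; the config below is a
constructed sample modelled on the one the poster pasted."""
from __future__ import annotations

import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: the NAT-relevant lines, with the static entry exactly as
# first tried in the thread (global address = the firewall, not the router).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 172.16.2.210 255.255.0.0
 ip nat outside
!
interface FastEthernet0
 ip address 130.100.0.222 255.255.255.0 secondary
 ip address 100.75.0.23 255.0.0.0
 ip nat inside
!
ip nat inside source static tcp 130.100.0.100 5000 172.16.2.207 5000 extendable
"""

StaticNat = namedtuple("StaticNat", "proto local_ip local_port global_ip global_port")

@dataclass
class Interface:
    name: str
    primary: ipaddress.IPv4Interface | None = None
    networks: list = field(default_factory=list)        # every IPv4Interface on it
    nat_role: str | None = None                         # "inside", "outside" or None
    access_groups: list = field(default_factory=list)   # (acl, "in"/"out")

def parse_config(text: str) -> dict:
    """Column-0 lines are global commands; indented lines belong to the most
    recent 'interface' stanza (the one-space indent 'show run' prints)."""
    interfaces: dict = {}
    statics: list = []
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            current = None
            if m := re.match(r"interface (\S+)$", raw):
                current = interfaces.setdefault(m[1], Interface(m[1]))
            elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", raw):
                statics.append(StaticNat(m[1], m[2], int(m[3]), m[4], int(m[5])))
            continue            # other global lines (overload rule, routes, ACLs) are ignored
        if current is None:
            continue
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)( secondary)?$", line):
            addr = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")   # accepts dotted masks
            current.networks.append(addr)
            if not m[3]:
                current.primary = addr
        elif m := re.match(r"ip nat (inside|outside)$", line):
            current.nat_role = m[1]
        elif m := re.match(r"ip access-group (\S+) (in|out)$", line):
            current.access_groups.append((m[1], m[2]))
    return {"interfaces": interfaces, "statics": statics}

def check_static_nat(parsed: dict) -> list:
    """Return findings; an empty list means each static entry is plausible."""
    findings = []
    ifaces = list(parsed["interfaces"].values())
    outside_addrs = {str(n.ip) for i in ifaces if i.nat_role == "outside" for n in i.networks}
    inside_nets = [n.network for i in ifaces if i.nat_role == "inside" for n in i.networks]
    if not outside_addrs or not inside_nets:
        findings.append("NAT needs both an 'ip nat inside' and an 'ip nat outside' interface")
    for s in parsed["statics"]:
        if s.global_ip not in outside_addrs:
            findings.append(f"static {s.proto}/{s.global_port}: global address {s.global_ip} "
                            "is not an address of any 'ip nat outside' interface")
        if not any(ipaddress.IPv4Address(s.local_ip) in net for net in inside_nets):
            findings.append(f"static {s.proto}/{s.local_port}: local address {s.local_ip} "
                            "is not on any 'ip nat inside' subnet")
    # Rob's second check: an inbound ACL on the outside interface must also
    # permit the forwarded port, or the translation is never reached.
    for i in ifaces:
        for acl, direction in i.access_groups:
            if i.nat_role == "outside" and direction == "in":
                findings.append(f"{i.name}: inbound access-group {acl} must permit the forwarded port")
    return findings

def suggest_static_command(parsed: dict, local_ip: str, port: int, proto: str = "tcp") -> str:
    """Build the static line against the outside interface's primary address,
    the same address the 'interface Ethernet0 overload' rule already uses."""
    outside = [i for i in parsed["interfaces"].values()
               if i.nat_role == "outside" and i.primary is not None]
    if not outside:
        raise ValueError("no 'ip nat outside' interface with a primary address")
    return (f"ip nat inside source static {proto} {local_ip} {port} "
            f"{outside[0].primary.ip} {port} extendable")
```

Run against the sample, `check_static_nat` reports only that 172.16.2.207 is not an address of the `ip nat outside` interface, and `suggest_static_command(parsed, "130.100.0.100", 5000)` returns the line Rob gives above with 172.16.2.210. Swapping the global address in the sample for 172.16.2.210 makes the findings list empty. The check is intentionally narrow: it says nothing about routing on the firewall side or about the NAT source list 101, which is a separate question from whether the static entry can ever match.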
  6. primesoft

    Configuration of Cisco 1720 Router [VPN issue]

    This is the configuration I have done in my router.

    ip subnet-zero
    ip name-server x.x.x.x
    ip name-server x.x.x.x
    !
    ip dhcp pool 192.168.0.1/24
    network 192.168.0.0 255.255.255.0
    default-router 192.168.0.1
    dns-server x.x.x.x x.x.x.x
    !
    ip dhcp pool prime
    dns-server x.x.x.x
    default-router 192.168.0.1
    !
    !
    !
    !
    interface Serial0
    ip address x.x.x.133 x.x.x.252
    no ip directed-broadcast
    ip nat outside
    encapsulation ppp
    no ip mroute-cache
    no fair-queue
    !
    interface FastEthernet0
    ip address 192.168.0.1 255.255.255.0 secondary
    ip address x.x.x.177 x.x.x.248
    no ip directed-broadcast
    ip nat inside
    half-duplex
    !
    ip nat inside source list 1 interface FastEthernet0 overload
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0
    no ip http server
    !
    access-list 1 permit 192.168.0.0 0.0.0.255
    !
    line con 0
    transport input none
    line aux 0
    line vty 0 4
    password xyxxxx
    login
    !
    no scheduler allocate
    end
    -------------------------------------------------------------------

    1) I am unable to connect VPN (it is disconnecting).
    2) I want to open only SMTP and POP3 and block the rest of the sites
    for LAN users. And I want to open some sites for specific LAN users.


    Please give the details step by step.

    Thanks

    Regards,
    Rajeshwar
    primesoft, Oct 29, 2006
    #6
