FTP and PPTP on different servers behind NAT

Discussion in 'Cisco' started by Josep M Homs, Aug 3, 2006.

  1. Josep M Homs

    Josep M Homs Guest

    Hi,

    I'm trying to set up an 827 (12.2(8)) router with the following
    scenario:
    - all the PPTP-related traffic on the inside global interface must be
    sent to the VPN server, server1, on the inside local LAN.
    - all the FTP (and other, like www, mail...) related traffic on the
    inside global interface must be sent to the DMZ server, server2, on the
    inside local LAN.

    The only way I found to map the GRE protocol to the internal server is
    to assign all the traffic to it, with an entry like (TCP 1723 is no
    problem with a static entry):

    ip nat inside source static server1ip globalip

    So does anyone know if it is possible to send ONLY the GRE traffic to a
    given host?

    I ask that because the normal behaviour would be that the "default
    server" is server2 (because it offers all the services but VPN).
    Additionally, I have not found a way to specify a port range in ip
    nat, so passive FTP connections are not working correctly (writing
    64000 rules, one per port, manually or automagically is not an option,
    nor is modifying the port range in the FTP server).

    So, if there is no way to redirect only GRE, is it possible to redirect
    non-privileged ports (>1023) to server1 without writing lots of lines
    like:

    ip nat inside source static tcp server2ip 1024 interface ATM0.1 1024

    I know that in an ACL it is possible to do a gt 1023, but how to apply
    that to ip nat ... !

    In the actual situation, if I do:

    ip nat inside source static server1ip globalip

    the VPN works correctly but passive FTP does not,

    and if I do

    ip nat inside source static server2ip globalip

    the passive FTP works correctly but obviously PPTP does not.

    So any hint?

    Thanks in advance ..
     
    Josep M Homs, Aug 3, 2006
    #1

  2. Merv

    Merv Guest

    Merv, Aug 5, 2006
    #2

  3. Josep M Homs

    Josep M Homs Guest

    So that means that from 12.1(4)T, GRE is implicitly redirected to the
    same host that TCP 1723 is ...

    I'm going to try ...

    Thank you very much !!
     
    Josep M Homs, Aug 6, 2006
    #3
  4. Merv

    Merv Guest


    I think what it means is that Cisco is creating a separate NAT
    translation entry (actually a PAT entry) for each GRE session. I assume
    they are using the GRE PPTP peer Call ID to identify the session; wild
    guess on my part.

    I am not sure which end initiates the opening of the GRE tunnel, so you
    may need to ensure that your inbound access list allows GRE.
     
    Merv, Aug 6, 2006
    #4
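The mechanism Merv describes in #4, as an added example (Python, written for this page; it is neither code from the thread nor Cisco IOS code): a toy NAT gateway with a PPTP application-layer gateway (ALG). It shows why a port-based static entry can never select the inside host for GRE (IP protocol 47 carries no ports, so the one-to-one static owner gets it, which is exactly what the OP observed), and how an ALG fixes that by reading the Call ID from the Outgoing-Call-Reply on the TCP 1723 control channel and installing a per-session GRE translation keyed on that Call ID. The addresses, host names, and message contents are constructed for the demo.

```python
"""Toy NAT gateway with a PPTP ALG (added example, not IOS code).
Addresses and messages below are constructed for the demonstration."""
import struct
from dataclasses import dataclass, field

PPTP_MAGIC = 0x1A2B3C4D      # RFC 2637 control-message magic cookie
PPTP_CTRL_MSG = 1
OUTGOING_CALL_REPLY = 8
GRE_PROTO_PPP = 0x880B       # enhanced GRE carrying PPP (RFC 2637)
GRE_FLAG_KEY = 0x2000        # K bit: Key field (payload length + Call ID) present
GRE_VERSION_1 = 0x0001

GLOBAL_IP = "203.0.113.5"    # assumed: outside address of the router
SERVER1 = "192.168.1.10"     # assumed: PPTP/VPN server on the inside LAN
SERVER2 = "192.168.1.20"     # assumed: DMZ host (FTP, www, mail)


def build_outgoing_call_reply(call_id, peer_call_id):
    """Outgoing-Call-Reply: the PPTP server announces the Call ID that the
    client must put in the GRE Key of every data packet it sends back."""
    body = struct.pack("!HHBBHIHHI", call_id, peer_call_id,
                       1, 0,           # result = connected, no error
                       0, 10000000,    # cause code, connect speed
                       64, 0, 0)       # recv window, proc. delay, channel id
    header = struct.pack("!HHIHH", 12 + len(body), PPTP_CTRL_MSG,
                         PPTP_MAGIC, OUTGOING_CALL_REPLY, 0)
    return header + body


def parse_outgoing_call_reply(payload):
    """Return (call_id, peer_call_id) for a valid Outgoing-Call-Reply, else None."""
    if len(payload) < 16:
        return None
    length, msg_type, magic, ctrl_type, _ = struct.unpack("!HHIHH", payload[:12])
    if msg_type != PPTP_CTRL_MSG or magic != PPTP_MAGIC or length > len(payload):
        return None
    if ctrl_type != OUTGOING_CALL_REPLY:
        return None
    return struct.unpack("!HH", payload[12:16])


def build_gre_pptp(call_id, ppp_payload):
    """Enhanced GRE header: flags/version, protocol, payload length, Call ID."""
    return struct.pack("!HHHH", GRE_FLAG_KEY | GRE_VERSION_1, GRE_PROTO_PPP,
                       len(ppp_payload), call_id) + ppp_payload


def parse_gre_call_id(payload):
    """Extract the Call ID (GRE Key) from a PPTP data packet, or None."""
    if len(payload) < 8:
        return None
    flags, proto, _, call_id = struct.unpack("!HHHH", payload[:8])
    if proto != GRE_PROTO_PPP or not flags & GRE_FLAG_KEY or flags & 0x7 != 1:
        return None
    return call_id


@dataclass
class NatGateway:
    default_inside: str          # target of the one-to-one static entry
    port_forwards: dict          # (proto, global port) -> inside host
    pptp_alg: bool = True
    gre_sessions: dict = field(default_factory=dict)   # Call ID -> inside host

    def outbound(self, proto, src, sport, payload):
        """Inside -> outside. The ALG only inspects the TCP 1723 control channel."""
        if self.pptp_alg and proto == "tcp" and sport == 1723:
            parsed = parse_outgoing_call_reply(payload)
            if parsed:
                server_call_id, _ = parsed
                self.gre_sessions[server_call_id] = src   # bind this call to src
        return GLOBAL_IP

    def inbound(self, proto, dport=None, payload=b""):
        """Outside -> inside: returns the inside host, or None to drop."""
        if proto in ("tcp", "udp"):
            return self.port_forwards.get((proto, dport), self.default_inside)
        if proto == "gre":
            if not self.pptp_alg:
                return self.default_inside        # no port to match: 1:1 static wins
            return self.gre_sessions.get(parse_gre_call_id(payload))  # unknown -> drop
        return self.default_inside


def demo():
    """Run the OP's scenario and return where each inbound packet lands."""
    forwards = {("tcp", 1723): SERVER1}           # 1723 forwarded, everything else 1:1
    no_alg = NatGateway(SERVER2, forwards, pptp_alg=False)
    alg = NatGateway(SERVER2, forwards)
    reply = build_outgoing_call_reply(call_id=0x1234, peer_call_id=0x0001)
    for gw in (no_alg, alg):
        gw.outbound("tcp", SERVER1, 1723, reply)  # server1 answers a call request
    gre = build_gre_pptp(0x1234, b"\xff\x03\xc0\x21")     # constructed PPP LCP bytes
    stray = build_gre_pptp(0x9999, b"\xff\x03\xc0\x21")   # Call ID never negotiated
    return {
        "tcp_1723": alg.inbound("tcp", 1723),
        "tcp_21": alg.inbound("tcp", 21),
        "gre_no_alg": no_alg.inbound("gre", payload=gre),
        "gre_with_alg": alg.inbound("gre", payload=gre),
        "gre_unknown_call": alg.inbound("gre", payload=stray),
    }
```

Two practical consequences follow from the model. First, the ALG can only bind a GRE session it has seen negotiated on TCP 1723, so an ACL or firewall that hides the control channel from the NAT device leaves every GRE packet unmatched and dropped. Second, as Merv notes, the ALG creates translations but does not open the interface: an inbound access list on the outside interface still has to permit protocol 47 (IOS extended ACLs accept the `gre` keyword, e.g. `permit gre any host <globalip>`) in addition to TCP 1723.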
