
Forcing Traffic to inside network?


baldhead (Technical User, joined Apr 27, 2004)
Here's my situation. I have a Cisco 2520 at my office and a Cisco 806 at another. I've enabled tunneling so that the 806 will send its traffic over to my Cisco 2520 and then out the Internet. What I need to do is get all the traffic to hit the 2520's external interface and then be forced inside so that our SurfControl server can sniff and filter if necessary. Then I need the traffic sent back out to the Internet (if it's not filtered by SurfControl) and serviced by whatever the host was requesting (webpage, ftp, etc). Here are the two configs, if you need to see them. I'm not sure if this is possible, but I was thinking it could be done due to knowing how Cisco routers have endless possibilities.

Mesa Cisco 806 Config

Code:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname mesa
!
enable secret 5 **************
!
ip subnet-zero
!
ip ssh time-out 20
ip ssh source-interface Ethernet1
ip ssh rsa keypair-name mesaclub
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2

!Going to Admin 2520's External IP

 crypto isakmp key xxxxxx address 208.x.x.x 255.255.255.0
!
!
crypto ipsec transform-set Admin esp-3des esp-md5-hmac 
!
crypto map Admin 100 ipsec-isakmp 
 set peer 208.x.x.x
 set transform-set Admin 
 match address 100
!
!
!
!
interface Tunnel0
 ip address 10.1.2.2 255.255.255.0
 keepalive 32767 3
 tunnel source Ethernet1
! Admin 2520's External IP
 tunnel destination 208.x.x.x
!
interface Ethernet0
 ip address 192.168.80.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 100 out
!
interface Ethernet1
 ip address 216.x.x.x 255.255.255.0
 ip nat outside
 no cdp enable
!
ip nat inside source list 1 interface Ethernet1 overload
! Port Forwarding Remote Desktop
ip nat inside source static tcp 192.168.80.2 3389 216.x.x.x 3389 extendable
ip classless
! Ethernet 0/1's Gateway
ip route 0.0.0.0 0.0.0.0 216.x.x.x
ip route 192.168.0.0 255.255.255.0 10.1.2.1
no ip http server
!
!
access-list 1 permit 192.168.80.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
no cdp run
!
line con 0
 password 7 xxxxxxxxxxxxxxx
 logging synchronous
 login
 stopbits 1
line vty 0 4
 password 7 xxxxxxxxxxxxxxx
 login
!
scheduler max-task-time 5000
end

Admin Cisco 2520's Config

Code:
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Admin2600
!
enable secret 5 ****************
!
!
!
!
!
memory-size iomem 10
ip subnet-zero
!
!
!
crypto isakmp policy 100
 encr 3des
 hash md5
 authentication pre-share
 group 2

! Going to Mesa's 806 External IP
crypto isakmp key xxxxxx address 216.x.x.x 
!
!
crypto ipsec transform-set Admin esp-3des esp-md5-hmac 
!
!
crypto map Admin 100 ipsec-isakmp   
 set peer 216.x.x.x
 set transform-set Admin 
 match address 100
!
!
!
!
!
!
interface Tunnel0
 ip address 10.1.2.1 255.255.255.0
 tunnel source Ethernet0/1
! Mesa 806's External IP
 tunnel destination 216.x.x.x
!
interface Ethernet0/0
 ip address 192.168.0.6 255.255.255.0
 ip nat inside
!
interface Ethernet0/1
 ip address 208.x.x.x 255.255.255.0
 ip nat outside
!
ip nat inside source list 1 interface Ethernet0/1 overload
ip nat inside source static tcp 192.168.0.7 3389 208.x.x.x 3389 extendable
ip classless
! Description Ethernet 0/1's Gateway
ip route 0.0.0.0 0.0.0.0 208.x.x.x
ip route 192.168.80.0 255.255.255.0 10.1.2.2
no ip http server
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.80.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.80.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
 password 7 ***************
 login
!
end

thanks
baldhead
 
Not sure I'm getting this right, and I guess I'm not, since the solution then would be pretty easy. First of all, sending the traffic out straight away will obviously not get it filtered :) What you need to do is make a few static routes, no? Making one static route on the Cisco 2520 so that all traffic except the traffic coming from the SurfControl server is sent to the SurfControl center, and the traffic coming from the SurfControl center is sent outside. On the SurfControl center you get the traffic from the router and after filtering send it back out the same port (I never worked with those servers so I'm not sure if they have routing capabilities or even what OS they run.)

Internet
|
|
firewall
|
|
2520 ------- surfcontrol center
|
|
806

on 2520
! Description Ethernet 0/1's Gateway
ip route 0.0.0.0 0.0.0.0 208.x.x.x
ip route 192.168.80.0 255.255.255.0 10.1.2.2 --> ? You send traffic coming from your 806 router back to the 806 -> not familiar with tunnels.
no ip http server

Anyhow, send traffic from 192.168.80.0 255.255.255.0 to the server, THEN send 0.0.0.0 0.0.0.0 to 208.x.x.x.
I'm not sure (but I think so) that the order matters here, and in that case you should first send all traffic coming from the 806 to the control center and all other traffic outside (all other traffic being that of the server).

lemme know if I'm anywhere near heh :)
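Added example, not taken from either post: on Cisco IOS a static route picks a path by destination only, so steering traffic by where it came from (the 806 LAN) toward the SurfControl server is done with policy-based routing on the interface where that traffic enters the 2520. It assumes the SurfControl server sits on the 2520's Ethernet0/0 at the placeholder address 192.168.0.250 and uses the 2520 as its default gateway for the traffic it lets through.

```cisco
! Added example, not from the thread. Placeholder assumption:
! SurfControl server = 192.168.0.250 on Ethernet0/0 of the 2520.
!
! Select only traffic from the Mesa LAN that is headed for the Internet;
! site-to-site traffic to the Admin LAN stays on the normal routing path.
access-list 110 deny   ip 192.168.80.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.80.0 0.0.0.255 any
!
! Send the selected traffic to the SurfControl server instead of the
! default route. Traffic the server passes comes back in on Ethernet0/0,
! where no policy is applied, so it follows the default route out Ethernet0/1.
route-map TO-SURFCONTROL permit 10
 match ip address 110
 set ip next-hop 192.168.0.250
!
! Apply the policy where the 806's traffic enters the 2520.
interface Tunnel0
 ip policy route-map TO-SURFCONTROL
```

For the returned traffic to be translated on its way out, the 2520's access-list 1 would also have to permit 192.168.80.0 0.0.0.255, and the 806 would have to send its Internet-bound traffic into the tunnel (a default route via 10.1.2.1, keeping a direct host route to the tunnel peer) rather than straight out Ethernet1 as its current default route does.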
 