I have some questions, if it is possible.
This is my scenario: I have 2 WANs connected to an OpenWrt router which runs mwan3, then a Cisco router is connected to it, and my LAN is connected to the Cisco. Internet is working, I can browse web pages etc., but VPNs and port forwardings don't work.
I searched and read a lot of topics, but found nothing. Is it possible for this scenario to work, with VPNs and port forwardings?
Any ideas what's wrong with my topology?
Please describe more clearly.
Are you having a configuration or software issue?
I have a configuration issue. My setup is OpenWrt with mwan3 and two WAN interfaces, on the 192.168.247.0 network; then I have a Cisco router whose f0/0 interface IP is 192.168.247.10 and f0/1 is on the 192.168.250.0 network, with this config:
I can ping the OpenWrt gateway 192.168.247.254 and can access the internet from the 250.0 network, but I can't ping from OpenWrt to the 250 LAN and can't do port forwarding or VPN.
Current configuration : 1444 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname doso
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TFVW$jcIdNpb8rMm9pWZN5Lnns/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key StandardDOso335577 address 220.127.116.11
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map PRIMEVPN 15 ipsec-isakmp
 set peer 18.104.22.168
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
interface FastEthernet0/0
 ip address 192.168.247.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map PRIMEVPN
!
interface FastEthernet0/1
 ip address 192.168.250.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.247.254
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 10.130.130.0 0.0.0.255
access-list 100 permit ip 10.130.130.0 0.0.0.255 192.168.250.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 password 123qweQWE
 login
!
end
- This is an OpenWrt forum, is the issue with the OpenWrt or Cisco device?
- If you can't ping, have you allowed ping on the interface?
I could find which device has the problem: I can ping the Cisco LAN interface fa0/1 250.252 from OpenWrt, but I can't ping the PC 250.12.
- Did you permit input?
- Did you make a static route?
Now I can ping every device in my network, but port forwarding is still not working.
You have your OpenWRT connected with 2 different WAN interfaces with mwan3 load balancing, correct?
And you have the Cisco router connected to the OpenWRT router, and your LAN devices to your Cisco router?
To me it sounds like you have double NAT, and hence port forwarding isn't working. Connect your LAN devices directly to the OpenWRT router or alternatively, configure your Cisco router as a switch rather than router.
Yes, the Cisco router is my LAN device and OpenWrt is connected to the two WAN interfaces. I added two routes on OpenWrt and NAT inside on the Cisco, and then it worked. I forwarded the RDP port to my LAN; now I want to do the same for VPN.
When I configure VPN on the Cisco device and forward the incoming VPN port on OpenWrt to the Cisco router, then it must work?
This appears to be a configuration issue with your Cisco router.
I am not an expert on Cisco configuration, but the lines indicating "ip nat outside" and "ip nat inside" suggest that your Cisco router is providing NAT as well. Without equivalent mapping of the ports to be forwarded, the Cisco router is likely dropping the traffic. As I don't know what "crypto map PRIMEVPN" does, I can't suggest a resolution to your specific problem. You should still be able to run the Cisco router in L3 mode. (My SG300s all run in L3 mode without any issues.)
FastEthernet suggests to me that this is an older device, which only supports 100 Mbps Ethernet. That will be a throughput limitation.
In general, I'd suggest checking that your Cisco firmware is up to date, and that you switch to only secure access to the device, such as HTTP-S and SSH.
Now that you've posted your device's passwords and IPSEC keys in the clear, I'd strongly suggest changing them.
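An added example, not from the thread, of how the OpenWrt side of the double-NAT setup discussed above can be written: the static route to the Cisco's LAN that fixed the ping problem, plus DNAT redirects for the RDP port and for IPsec (IKE on UDP 500, NAT-T on UDP 4500) aimed at the Cisco's WAN-side address 192.168.247.10, where crypto map PRIMEVPN is applied. The zone names wan and lan, the RDP host 192.168.250.12, the mwan3 policy name wan_only and the comma-separated dest_port form are assumptions.

```uci
# Added example (not from the thread), OpenWrt side only. Assumed: zones 'wan'
# (both mwan3 WANs) and 'lan' (the Cisco's f0/0 side), mwan3 policy 'wan_only'.
# /etc/config/network: route to the Cisco LAN (the fix for the ping problem).
config route
        option interface 'lan'
        option target '192.168.250.0'
        option netmask '255.255.255.0'
        option gateway '192.168.247.10'

# /etc/config/firewall: forward to the Cisco's outside address 192.168.247.10,
# not to the PC behind it: a DNAT that bypasses the Cisco's NAT gets its replies
# re-sourced by that NAT so they no longer match the client's connection.
config redirect
        option name 'rdp-to-cisco'
        option target 'DNAT'
        option src 'wan'
        option proto 'tcp'
        option src_dport '3389'
        option dest 'lan'
        option dest_ip '192.168.247.10'
        option dest_port '3389'

# IPsec terminates on the Cisco's f0/0 (crypto map PRIMEVPN). IKE on UDP 500
# and NAT-T on UDP 4500; NAT-T carries ESP inside UDP, so no ESP redirect.
config redirect
        option name 'ike'
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '500'
        option dest 'lan'
        option dest_ip '192.168.247.10'

config redirect
        option name 'ike-nat-t'
        option target 'DNAT'
        option src 'wan'
        option proto 'udp'
        option src_dport '4500'
        option dest 'lan'
        option dest_ip '192.168.247.10'

# /etc/config/mwan3: pin outbound IKE/NAT-T to one WAN so the peer always sees
# the same public address (dest_port list: multiport syntax, assumed).
config rule 'ipsec_pin'
        option src_ip '192.168.247.10'
        option proto 'udp'
        option dest_port '500,4500'
        option use_policy 'wan_only'
```

On the Cisco, the RDP forward needs the matching inside mapping (ip nat inside source static tcp 192.168.250.12 3389 interface FastEthernet0/0 3389, with the assumed host address), which is the "equivalent mapping" the reply above refers to; IPsec terminates on f0/0 itself and needs none.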