Configure LEDE with Cisco

Hello guys,
I have some questions, if it is possible to make this work.
This is my scenario: I have 2 WANs connected to an OpenWrt router which runs mwan3, then a Cisco router to which my LAN is connected. Internet is working, I can browse web pages etc., but VPNs and port forwardings don't work.
I searched and read a lot of topics but found nothing. Is it possible for this scenario to work, with VPNs and port forwardings?

Any ideas what's wrong with my topology?

Please describe more clearly.

Are you having a configuration or software issue?

I have a configuration issue. My setup is OpenWrt mwan3 with two WAN interfaces on the 192.168.247.0 network, then a Cisco router whose f0/0 interface IP is 192.168.247.10 and whose f0/1 is on the 192.168.250.0 network, with this config:
I can ping 192.168.247.254 (the OpenWrt gateway) and can access the internet from the 250.0 network, but I can't ping from OpenWrt to the 250 LAN and can't do port forwarding or VPN.


Current configuration : 1444 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname doso
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$TFVW$jcIdNpb8rMm9pWZN5Lnns/
!
no aaa new-model
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
!
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key StandardDOso335577 address 109.238.235.226
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto map PRIMEVPN 15 ipsec-isakmp
 set peer 109.238.235.226
 set transform-set 3DES-SHA
 set pfs group2
 match address 100
!
!
!
interface FastEthernet0/0
 ip address 192.168.247.10 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map PRIMEVPN
!
interface FastEthernet0/1
 ip address 192.168.250.252 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.247.254
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.250.0 0.0.0.255
access-list 100 permit ip 192.168.250.0 0.0.0.255 10.130.130.0 0.0.0.255
access-list 100 permit ip 10.130.130.0 0.0.0.255 192.168.250.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 password 123qweQWE
 login
!
end

  • This is an OpenWrt forum, is the issue with the OpenWrt or Cisco device?
  • If you can't ping, have you allowed ping on the interface?

I could find which device has the problem: I can ping the Cisco LAN interface fa0/1 250.252 from OpenWrt but can't ping the PC 250.12.

  • Did you permit input?
  • Did you make a static route?

Now I can ping every device in my network but port forwarding is still not working.

You have your OpenWRT connected with 2 different WAN interfaces with mwan3 load balancing, correct?

And you have the Cisco router connected to the OpenWRT router, and your LAN devices to your Cisco router?

To me it sounds like you have double NAT, and hence port forwarding isn't working. Connect your LAN devices directly to the OpenWRT router or alternatively, configure your Cisco router as a switch rather than router.

1 Like

Yes, the Cisco router is my LAN device and OpenWrt is connected to two WAN interfaces. I added two routes on OpenWrt and NAT inside on the Cisco and then it worked. I forwarded the RDP port to my LAN; now I want to do the same for VPN.

When I configure the VPN on the Cisco device and OpenWrt forwards the incoming VPN port to the Cisco router, then it must work?

This appears to be a configuration issue with your Cisco router.

I am not an expert on Cisco configuration, but the lines indicating ip nat outside and ip nat inside suggest that your Cisco router is providing NAT as well. Without equivalent mapping of the ports to be forwarded, the Cisco router is likely dropping the traffic. As I don't know what crypto map PRIMEVPN does, I can't suggest a resolution to your specific problem. You should still be able to run the Cisco router in L3 mode. (My SG300s all run in L3 mode without any issues.)

FastEthernet suggests to me that this is an older device, which only supports 100 Mbps Ethernet. That will be a throughput limitation.

In general, I'd suggest checking that your Cisco firmware is up to date, and that you switch to only secure access to the device, such as HTTP-S and SSH.

Now that you've posted your device's passwords and IPSEC keys in the clear, I'd strongly suggest changing them.

2 Likes
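As an added example (not from the thread or from either poster), here is what the "equivalent mapping" on the Cisco side that the reply above refers to could look like in IOS syntax. It reuses only the addresses already given in the thread (LAN host 192.168.250.12 for RDP, remote VPN subnet 10.130.130.0/24, outside interface FastEthernet0/0 at 192.168.247.10); the ACL name NAT-EXEMPT is an assumption.

```cisco
! Added example configuration, not the poster's running-config. Assumes the
! addresses from the thread: LAN host 192.168.250.12, remote VPN subnet
! 10.130.130.0/24, outside interface FastEthernet0/0 (192.168.247.10).
!
! 1. Static port mapping ("equivalent mapping" on the Cisco side).
!    OpenWrt forwards TCP 3389 from its WAN to 192.168.247.10; with only the
!    "overload" PAT rule the Cisco has no translation for unsolicited inbound
!    traffic and drops it. This line creates the inbound mapping.
ip nat inside source static tcp 192.168.250.12 3389 interface FastEthernet0/0 3389
!
! 2. NAT exemption for the site-to-site VPN traffic.
!    On IOS, inside-to-outside NAT runs before the crypto map is evaluated, so
!    with "access-list 1 permit 192.168.250.0 0.0.0.255" the packets destined
!    for 10.130.130.0/24 are translated to 192.168.247.10 first and never match
!    access-list 100. A named extended ACL (NAT-EXEMPT is an assumed name) that
!    denies the VPN traffic before permitting the rest keeps it untranslated.
ip access-list extended NAT-EXEMPT
 deny   ip 192.168.250.0 0.0.0.255 10.130.130.0 0.0.0.255
 permit ip 192.168.250.0 0.0.0.255 any
!
! Replace the list-1 overload statement with one that uses the named ACL.
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source list NAT-EXEMPT interface FastEthernet0/0 overload
```

After applying this, `show ip nat translations` should list the static TCP 3389 entry, and `show crypto isakmp sa` shows whether the IKE negotiation with the peer completes. Because the Cisco's outside address 192.168.247.10 is itself behind the OpenWrt NAT, the peer will see the OpenWrt WAN address, so the OpenWrt side needs to forward UDP 500 and UDP 4500 to 192.168.247.10 and the tunnel will run over IKE NAT traversal (enabled by default on IOS) rather than raw ESP.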