Wednesday, August 5, 2020

Remote Connectivity at Branch Site for Outside Vendor... Best Solution?

Hey all,

So I just started a role as an engineer at my new company. One thing that's weird though is I'm the only guy, so bouncing ideas off co-workers and getting config proofread really isn't a possibility. I'm hoping maybe someone else has run into this scenario and might have some thoughts.

Situation:

Outside facilities vendor sets up a monitoring system for HVAC equipment at one of my remote sites. They want network connectivity to the device to be able to log in and view HVAC stats and whatnot. The traffic has to be isolated from the rest of the network. My site has an MPLS and DSL DMVPN outbound link. My goal is to bring the traffic in over the DSL link's public IP, and then port it down into the private VRF for this traffic and have it connect.

What I've done so far:

The VRF is created and is NATing correctly. I know this because when I'm on site and log in to the HVAC PC, I obtain the correct IP addresses in the small VRF subnet and can communicate with the other HVAC device on site. I can also browse the internet and do basically whatever internet services I'd like.

Except, when the vendor tries to connect over two specific ports (let's say, 1111 and 2222) they are unable to reach through to their node. This is making me think it's some kind of L4 issue. The vendor has a "port forwarding detection tool" that they reference that shows the ports closed. However, it also shows 443 and 80 are closed too, which I know can't be the case because the device is able to access the network? (Not sure if that's relevant...)

ANYWAYS....

So far, to try to fix this, I applied two ACLs. Verified that they are placed correctly and the IPs are correct, and the customer still can't connect:

330 permit udp any host 10.1.1.1 eq 1111

340 permit udp any host 10.1.1.1 eq 2222

I'm wondering if maybe I need to perform port forwarding as well on the device? I'm thinking of adding this configuration:

ip nat inside source static udp 10.1.1.1 1911 int gigabitEthernet 0/0/2 1111

ip nat inside source static udp 10.1.1.1 1911 int gigabitEthernet 0/0/2 2222

I got this from a Kevin Wallace guide that seems to be doing something similar (but with SSH in his case):

https://www.youtube.com/watch?v=5_9DaAcZqtY

---------------

The only other thing I can think of (keep in mind I just started in this role and am still learning traffic flows and the network layout) is that the public IP address on the remote site gets routed to via DMVPN, and then I need to look at the DMVPN hub and firewalls at our internal data center... I wouldn't think this is the case though, since the router is NATing successfully and has connectivity, and it appears to not be crossing the DMVPN channels at all...

Thanks for reading! I'm sure someone out there has had to do something similar to this before. Hoping to maybe get some assistance on where to go next.
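The outside-to-inside path the post is trying to build, as an added example (not the poster's configuration and not taken from the Kevin Wallace video). It assumes a VRF named HVAC, GigabitEthernet0/0/2 as the DSL-facing interface, a constructed vendor source address 203.0.113.10 (documentation range), the post's inside host 10.1.1.1 listening on 1911, the post's external ports 1111 and 2222, and an inbound ACL that is already applied to the outside interface and is extended here rather than replaced. Two Cisco IOS details matter: for packets arriving from the outside, the inbound interface ACL is evaluated before NAT, so it has to match the router's public address (or `any` when the DSL address is dynamic), never the private 10.1.1.1; and a static NAT entry for a host that lives in a VRF needs the `vrf` keyword, otherwise it only applies to the global routing table.

```cisco
! Added example; assumed names: VRF HVAC, Gi0/0/2 = DSL public interface,
! vendor source 203.0.113.10 (constructed documentation address),
! inside host 10.1.1.1 from the post. "ip nat inside"/"ip nat outside" are
! assumed to be on the LAN and DSL interfaces already (outbound NAT works).
!
! 1. Restrict the inbound hole to the vendor's own source address.
!    These entries extend the ACL already on the outside interface; a fresh
!    ACL with its implicit deny-all would also drop the DMVPN tunnel traffic
!    (IKE/ESP/GRE) on this link. Destination is "any" because the ACL is
!    checked before NAT and the DSL address may be dynamic; a destination of
!    10.1.1.1 can never match on this interface.
ip access-list extended OUTSIDE-IN
 330 permit udp host 203.0.113.10 any eq 1111
 340 permit udp host 203.0.113.10 any eq 2222
!
! 2. VRF-aware static port forwards. "vrf HVAC" places the translation in the
!    HVAC table. INSIDE_PORT_2 is a placeholder for whatever the second service
!    on 10.1.1.1 actually listens on; the post only names 1911.
ip nat inside source static udp 10.1.1.1 1911 interface GigabitEthernet0/0/2 1111 vrf HVAC
ip nat inside source static udp 10.1.1.1 INSIDE_PORT_2 interface GigabitEthernet0/0/2 2222 vrf HVAC
!
! 3. If the vendor's application is really TCP (a browser login to the HVAC
!    host usually is), change "udp" to "tcp" in all four lines above; a NAT
!    entry for the wrong transport silently matches nothing.
!
! Checks: ACL hit counters show whether the vendor's packets reach this
! interface at all (zero hits while they test = the traffic is landing
! somewhere else, e.g. at the DMVPN hub); the translation table shows the
! static entries sitting in the right VRF.
! show access-lists OUTSIDE-IN
! show ip nat translations vrf HVAC
```

On the detection tool: an external "port open" checker can only report a UDP port as open when the service behind it answers the probe, so a "closed" result for UDP proves little, and 80/443 showing closed on the router's public address is the normal result for a router that does not itself listen on those ports; it says nothing about outbound browsing from inside the VRF.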


