Question : (Cisco 1811/IOS 12.4 Advanced Security) Port forwarding problem

Hello,
I know that I had previously posted a question similar to this on EE, but I'm still running into this issue with different service ports.
The issue that I'm running into is that once I set up a NAT forwarding rule for a port, it becomes available from the external interface, but is no longer available from the internal network. I was able to work around this previously by just having the daemon in question listen on two ports, and only port forward one of them, but now I'm running into an issue with an internal application that I cannot do this with.
What I need is a way that I can do an ip nat translation for this port and have it available both internally and from outside the corporate network. The thing that gets me is that a Linksys router does this by default, but the Cisco 1811s we are running now seem like it's an either/or situation.
What I am looking for is a way to configure the routers where, if a request comes in on a certain port on the external interface, it just forwards that request to a port on a host off of the internal interface. It seems like the router is binding to the port, and only allowing external traffic to that port on the internal host (i.e. when the port is forwarded, any attempt to connect to that resource from internally results in a timeout; when the ip nat command for this is removed, internal access works as it did before).
     Here is the router config in question:

------------------------------------------------------------------------

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router.east
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging on
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.x.x 192.168.x.x
ip dhcp excluded-address 192.168.x.x 192.168.x.x
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.x.x 255.255.255.0
   dns-server 192.168.x.x 68.87.75.194
   default-router 192.168.x.x
   domain-name xxxx.xxxxxxxxxx.xxx
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxxxxxxx.xxx
ip name-server xx.xx.xx.xxx
ip name-server xxx.xxx.x.x
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1433850974
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1433850974
 revocation-check none
 rsakeypair TP-self-signed-1433850974
!
!
crypto pki certificate chain TP-self-signed-1433850974
 certificate self-signed 01

  quit
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map SDMPolicy0
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 101
!
!
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0
 description Comcast Business Cable Modem$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address xx.xx.xx.xx xxx.xxx.xxx.xxx
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet1
 description $ETH-WAN$
 bandwidth 680
 ip address xxx.xxx.xx.xx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
 description Vlan1
!
interface FastEthernet3
 description Vlan1
!
interface FastEthernet4
 description Vlan1
!
interface FastEthernet5
 description Vlan1
!
interface FastEthernet6
 description Vlan1
!
interface FastEthernet7
 description Vlan1
!
interface FastEthernet8
 description Vlan2
 switchport access vlan 2
!
interface FastEthernet9
 description Vlan2
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.x.x 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
 ip policy route-map nonat
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.x.x 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface Vlan1
 network 192.168.x.x 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.x.x 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 deny   any
access-list 100 deny   ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 deny   ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 permit ip 192.168.x.x 0.0.0.255 any
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 102 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny   ip xx.xx.xx.xx 0.0.0.3 any
access-list 103 deny   ip 192.168.x.x 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny   ip xx.xx.xx.xx 0.0.0.3 any
access-list 104 deny   ip 192.168.x.x 0.0.0.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host xx.xx.xx.xxx eq domain host xx.xx.xx.xx
access-list 105 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 deny   ip 192.168.x.x 0.0.0.255 any
access-list 105 deny   ip 192.168.x.x 0.0.0.255 any
access-list 105 permit icmp any host xx.xx.xx.xx echo-reply
access-list 105 permit icmp any host xx.xx.xx.xx time-exceeded
access-list 105 permit icmp any host xx.xx.xx.xx unreachable
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit tcp any host xx.xx.xx.xx eq 22
access-list 105 permit tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 deny   ip any any
access-list 123 permit ip host 192.168.x.x 192.168.1.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map nonat permit 10
 match ip address 123
 set interface Loopback0
!
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

--------------------------------------------------------------------------

Any help with this issue will be GREATLY appreciated.

NightBreakA
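A point worth checking against the posted config before touching the NAT side: access-list 105 is applied inbound on FastEthernet0 (the `ip nat outside` interface) and ends in `deny ip any any log`, so a static port-forward only works from outside if that ACL also permits the port. The script below is an added example, not from the poster or from Cisco; it parses a constructed IOS-style snippet with placeholder addresses and two assumed `ip nat inside source static` forwards, then cross-checks the forwards against the permits on the outside ACL.

```python
import re

# Constructed sample with placeholder addresses, shaped like the posted config:
# ACL 105 is inbound on the "ip nat outside" interface and ends in deny-any.
# The two static forwards are assumptions for the sake of the check.
SAMPLE_CONFIG = """\
interface FastEthernet0
 ip address 203.0.113.10 255.255.255.248
 ip access-group 105 in
 ip nat outside
interface Vlan1
 ip access-group 103 in
 ip nat inside
ip nat inside source static tcp 192.168.1.20 8080 interface FastEthernet0 8080
ip nat inside source static tcp 192.168.1.21 25 203.0.113.10 25
access-list 105 permit tcp any host 203.0.113.10 eq 443
access-list 105 permit tcp any host 203.0.113.10 eq 22
access-list 105 permit tcp any host 203.0.113.10 eq 8080
access-list 105 deny   ip any any log
"""

# IOS prints some well-known ports by name; map the ones seen in the posted ACLs.
PORT_NAMES = {"cmd": 514, "domain": 53, "isakmp": 500, "www": 80, "smtp": 25}
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?(\S+) (\d+)$")
ACL_RE = re.compile(r"^access-list (\d+) permit (tcp|udp) any host \S+ eq (\S+)$")

def outside_acl(cfg):
    """Number of the ACL applied inbound on the 'ip nat outside' interface, or None."""
    acl, is_outside = None, False
    for line in cfg.splitlines():
        if not line.startswith(" "):          # a new top-level stanza starts here
            if acl and is_outside:
                return acl
            acl, is_outside = None, False
        m = re.match(r" ip access-group (\d+) in$", line)
        if m:
            acl = m.group(1)
        if line == " ip nat outside":
            is_outside = True
    return acl if is_outside else None

def static_forwards(cfg):
    """(proto, inside_ip, inside_port, global_port) for each static port-forward."""
    return [(m[1], m[2], int(m[3]), int(m[5]))
            for m in map(NAT_RE.match, cfg.splitlines()) if m]

def wan_permits(cfg):
    """Set of (proto, port) the outside ACL lets in to the WAN address from anywhere."""
    acl, ports = outside_acl(cfg), set()
    for m in filter(None, map(ACL_RE.match, cfg.splitlines())):
        if m.group(1) == acl:
            p = m.group(3)
            ports.add((m.group(2), PORT_NAMES.get(p, int(p) if p.isdigit() else p)))
    return ports

def audit(cfg):
    """A forward with no matching permit is dead from outside; a permit with no
    forward is reaching the router itself or nothing, and deserves a look."""
    fwd = {(proto, gport) for proto, _, _, gport in static_forwards(cfg)}
    permitted = wan_permits(cfg)
    return {"forward_blocked_by_acl": sorted(fwd - permitted),
            "permit_without_forward": sorted(permitted - fwd)}
```

In the sample, the tcp/25 forward has no permit on ACL 105 and so is unreachable from the WAN, while 22 and 443 are permitted with no forward behind them, which matches the router's own ssh/https management listeners in the posted config.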

Answer : (Cisco 1811/IOS 12.4 Advanced Security) Port forwarding problem

OK. I think you need to have the T train of the IOS for that option. I wasn't sure just from reading the documentation but this confirms it. You will have to upgrade your router IOS to get this to work.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html