Question : (Cisco 1811/IOS 12.4 Advanced Security) Port forwarding problem
Hello,
I know that I had previously posted a question similar to this on EE, but I'm still running into this issue with different service ports.
The issue that I'm running into is that once I set up a NAT forwarding rule for a port, it becomes available from the external interface, but is no longer available from the internal network. I was able to work around this previously by just having the daemon in question listen on two ports, and only port forward one of them, but now I'm running into an issue with an internal application that I cannot do this with.
What I need is a way that I can do an ip nat translation for this port and have it available both internally and from outside the corporate network. The thing that gets me is that a Linksys router does this by default, but the Cisco 1811s we are running now seem like it's an either/or situation.
What I am looking for is a way to configure the routers where, if a request comes in on a certain port on the external interface, the router just forwards that request to a port on a host off of the internal interface. It seems like the router is binding to the port, and only allowing external traffic to that port on the internal host (i.e. when the port is forwarded, any attempt to connect to that resource from internally results in a timeout; when the ip nat command for this is removed, internal access works as it did before).
Here is the router config in question:
------------------------------------------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router.east
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging on
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.x.x 192.168.x.x
ip dhcp excluded-address 192.168.x.x 192.168.x.x
!
ip dhcp pool sdm-pool1
import all
network 192.168.x.x 255.255.255.0
dns-server 192.168.x.x 68.87.75.194
default-router 192.168.x.x
domain-name xxxx.xxxxxxxxxx.xxx
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxxxxxxx.xxx
ip name-server xx.xx.xx.xxx
ip name-server xxx.xxx.x.x
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1433850974
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1433850974
revocation-check none
rsakeypair TP-self-signed-1433850974
!
!
crypto pki certificate chain TP-self-signed-1433850974
certificate self-signed 01
quit
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map SDMPolicy0
class sdm_p2p_gnutella
class sdm_p2p_bittorrent
class sdm_p2p_edonkey
class sdm_p2p_kazaa
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
set peer xx.xx.xx.xx
set transform-set myset
match address 101
!
!
!
!
interface Null0
no ip unreachables
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0
description Comcast Business Cable Modem$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address xx.xx.xx.xx xxx.xxx.xxx.xxx
ip access-group 105 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map mymap
!
interface FastEthernet1
description $ETH-WAN$
bandwidth 680
ip address xxx.xxx.xx.xx xxx.xxx.xxx.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet2
description Vlan1
!
interface FastEthernet3
description Vlan1
!
interface FastEthernet4
description Vlan1
!
interface FastEthernet5
description Vlan1
!
interface FastEthernet6
description Vlan1
!
interface FastEthernet7
description Vlan1
!
interface FastEthernet8
description Vlan2
switchport access vlan 2
!
interface FastEthernet9
description Vlan2
switchport access vlan 2
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 192.168.x.x 255.255.255.0
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
ip tcp adjust-mss 1452
ip policy route-map nonat
!
interface Vlan2
description $FW_INSIDE$
ip address 192.168.x.x 255.255.255.0
ip access-group 104 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
shutdown
!
router ospf 1
log-adjacency-changes
passive-interface Vlan1
network 192.168.x.x 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.x.x 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 deny any
access-list 100 deny ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 deny ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 permit ip 192.168.x.x 0.0.0.255 any
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 102 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip xx.xx.xx.xx 0.0.0.3 any
access-list 103 deny ip 192.168.x.x 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip xx.xx.xx.xx 0.0.0.3 any
access-list 104 deny ip 192.168.x.x 0.0.0.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host xx.xx.xx.xxx eq domain host xx.xx.xx.xx
access-list 105 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 deny ip 192.168.x.x 0.0.0.255 any
access-list 105 deny ip 192.168.x.x 0.0.0.255 any
access-list 105 permit icmp any host xx.xx.xx.xx echo-reply
access-list 105 permit icmp any host xx.xx.xx.xx time-exceeded
access-list 105 permit icmp any host xx.xx.xx.xx unreachable
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit tcp any host xx.xx.xx.xx eq 22
access-list 105 permit tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 deny ip any any
access-list 123 permit ip host 192.168.x.x 192.168.1.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map nonat permit 10
match ip address 123
set interface Loopback0
!
!
!
!
control-plane
!
!
line con 0
login authentication local_authen
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
------------------------------------------------------------------
Any help with this issue will be GREATLY appreciated.
NightBreakA
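The behaviour described in the question (forward works from outside, times out from inside) is the classic "hairpin NAT" or "NAT loopback" gap. The following Python model is an added example, not code from the poster or from Cisco, and it does not reproduce IOS internals; it shows why a static inside-source port forward is one-way, and why a working hairpin needs two translations, not just a destination rewrite. All addresses (198.51.100.1, 192.168.1.x, 203.0.113.5) are constructed documentation-range placeholders, and the port 8080 -> 192.168.1.10:80 forward is invented for the demo.

```python
"""Constructed model of a static port forward with and without hairpin NAT.

Added teaching example; not router code. Addresses and ports are placeholders.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatRouter:
    """Minimal model of a router with a static inside-source port forward.

    mode = "outside-only": forward applies only to packets arriving on the
                           outside interface (the behaviour in the question)
    mode = "dnat-only":    forward is also applied on the inside interface,
                           but the client's source address is left untouched
    mode = "hairpin":      inside clients get the destination rewritten AND
                           their source rewritten to the router's inside
                           address, so the server's reply comes back via NAT
    """

    def __init__(self, outside_ip, inside_ip, mode="outside-only"):
        self.outside_ip = outside_ip
        self.inside_ip = inside_ip
        self.mode = mode
        self.forwards = {}   # public port -> (inside host, inside port)
        # (server, sport, peer, pport) -> (original client, cport, public port)
        # Source-port collisions between clients are ignored in this model.
        self.sessions = {}

    def forward(self, public_port, host, port):
        self.forwards[public_port] = (host, port)

    def handle(self, pkt, ingress):
        """Process a packet addressed to the public address.

        Returns (egress, packet): "inside" when translated toward the server,
        "router" when delivered to the router's own stack, where nothing
        listens on that port and the SYN is silently lost.
        """
        target = self.forwards.get(pkt.dport)
        if pkt.dst != self.outside_ip or target is None:
            return "router", pkt
        host, port = target
        if ingress == "outside" or self.mode == "dnat-only":
            new = replace(pkt, dst=host, dport=port)          # DNAT only
        elif self.mode == "hairpin":
            new = Packet(self.inside_ip, pkt.sport, host, port)  # DNAT + SNAT
        else:
            return "router", pkt   # inside-originated, rule does not apply
        self.sessions[(host, port, new.src, new.sport)] = (pkt.src, pkt.sport, pkt.dport)
        return "inside", new

    def untranslate(self, reply):
        """Rewrite a server reply that passes back through the router."""
        entry = self.sessions.get((reply.src, reply.sport, reply.dst, reply.dport))
        if entry is None:
            return None
        client, cport, public_port = entry
        return Packet(self.outside_ip, public_port, client, cport)


def connect(router, client, sport, public_port, ingress, lan):
    """Simulate one handshake attempt; returns "ok" or "timeout".

    `lan` is the set of addresses on the inside segment: a reply addressed
    to a LAN host is switched directly to it and never passes the router.
    """
    syn = Packet(client, sport, router.outside_ip, public_port)
    egress, fwd = router.handle(syn, ingress)
    if egress != "inside":
        return "timeout"                       # SYN swallowed by the router
    reply = Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport)   # server's SYN/ACK
    if reply.dst in lan and reply.dst != router.inside_ip:
        delivered = reply                      # bypasses NAT entirely
    else:
        delivered = router.untranslate(reply)
    expected = Packet(router.outside_ip, public_port, client, sport)
    return "ok" if delivered == expected else "timeout"


if __name__ == "__main__":
    lan = {"192.168.1.1", "192.168.1.10", "192.168.1.20"}
    for mode in ("outside-only", "dnat-only", "hairpin"):
        r = NatRouter("198.51.100.1", "192.168.1.1", mode)
        r.forward(8080, "192.168.1.10", 80)
        print(mode, "outside:", connect(r, "203.0.113.5", 40000, 8080, "outside", lan),
              "inside:", connect(r, "192.168.1.20", 40001, 8080, "inside", lan))
```

The "dnat-only" case is the interesting one for a network engineer: just forwarding the request, as the question suggests, is not enough, because the internal server would answer the internal client directly from its private address and the client, which is waiting for a reply from the public address and port, discards it. A working hairpin must also rewrite the client's source so the reply returns through the NAT table.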
Answer : (Cisco 1811/IOS 12.4 Advanced Security) Port forwarding problem
OK. I think you need to have the T train of the IOS for that option. I wasn't sure just from reading the documentation but this confirms it. You will have to upgrade your router IOS to get this to work.
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087bac.html