Hello, I know that I had previously posted a question similar to this on EE, but I'm still running into this issue with different service ports. The issue I'm running into is that once I set up a NAT forwarding rule for a port, it becomes available from the external interface but is no longer available from the internal network. I was able to work around this previously by just having the daemon in question listen on two ports and only port-forwarding one of them, but now I'm running into an issue with an internal application that I cannot do this with. What I need is a way to do an ip nat translation for this port and have it available both internally and from outside the corporate network.

The thing that gets me is that a Linksys router does this by default, but the Cisco 1811s we are running now seem to make it an either/or situation. What I am looking for is a way to configure the routers so that if a request comes in on a certain port on the external interface, it is just forwarded to a port on a host off the internal interface. It seems like the router is binding to the port and only allowing external traffic to that port on the internal host (i.e. when the port is forwarded, any attempt to connect to that resource from internally results in a timeout; when the ip nat command for this is removed, internal access works as it did before).

Here is the router config in question:
------------------------------------------------------------------------
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router.east
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
no logging on
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.x.x 192.168.x.x
ip dhcp excluded-address 192.168.x.x 192.168.x.x
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.x.x 255.255.255.0
 dns-server 192.168.x.x 68.87.75.194
 default-router 192.168.x.x
 domain-name xxxx.xxxxxxxxxx.xxx
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxxxxxxxx.xxx
ip name-server xx.xx.xx.xxx
ip name-server xxx.xxx.x.x
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
    audit-trail on
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
    audit-trail on
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
    audit-trail on
!
!
crypto pki trustpoint TP-self-signed-1433850974
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1433850974
 revocation-check none
 rsakeypair TP-self-signed-1433850974
!
!
crypto pki certificate chain TP-self-signed-1433850974
 certificate self-signed 01
  quit
username xxxxxx privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
 match protocol kazaa2
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
!
policy-map SDMPolicy0
 class sdm_p2p_gnutella
 class sdm_p2p_bittorrent
 class sdm_p2p_edonkey
 class sdm_p2p_kazaa
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address xx.xx.xx.xx
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map mymap 10 ipsec-isakmp
 set peer xx.xx.xx.xx
 set transform-set myset
 match address 101
!
!
!
!
interface Null0
 no ip unreachables
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0
 description Comcast Business Cable Modem$ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address xx.xx.xx.xx xxx.xxx.xxx.xxx
 ip access-group 105 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map mymap
!
interface FastEthernet1
 description $ETH-WAN$
 bandwidth 680
 ip address xxx.xxx.xx.xx xxx.xxx.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet2
 description Vlan1
!
interface FastEthernet3
 description Vlan1
!
interface FastEthernet4
 description Vlan1
!
interface FastEthernet5
 description Vlan1
!
interface FastEthernet6
 description Vlan1
!
interface FastEthernet7
 description Vlan1
!
interface FastEthernet8
 description Vlan2
 switchport access vlan 2
!
interface FastEthernet9
 description Vlan2
 switchport access vlan 2
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 192.168.x.x 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 ip tcp adjust-mss 1452
 ip policy route-map nonat
!
interface Vlan2
 description $FW_INSIDE$
 ip address 192.168.x.x 255.255.255.0
 ip access-group 104 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 shutdown
!
router ospf 1
 log-adjacency-changes
 passive-interface Vlan1
 network 192.168.x.x 0.0.0.255 area 1
!
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.x.x 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 permit 192.168.x.x 0.0.0.255
access-list 2 deny any
access-list 100 deny ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 deny ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 100 permit ip 192.168.x.x 0.0.0.255 any
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 101 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 102 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip xx.xx.xx.xx 0.0.0.3 any
access-list 103 deny ip 192.168.x.x 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 deny ip xx.xx.xx.xx 0.0.0.3 any
access-list 104 deny ip 192.168.x.x 0.0.0.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp host xx.xx.xx.xxx eq domain host xx.xx.xx.xx
access-list 105 permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit esp host xx.xx.xx.xx host xx.xx.xx.xx
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
access-list 105 permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 permit ip 192.168.x.x 0.0.0.255 192.168.x.x 0.0.0.255
access-list 105 deny ip 192.168.x.x 0.0.0.255 any
access-list 105 deny ip 192.168.x.x 0.0.0.255 any
access-list 105 permit icmp any host xx.xx.xx.xx echo-reply
access-list 105 permit icmp any host xx.xx.xx.xx time-exceeded
access-list 105 permit icmp any host xx.xx.xx.xx unreachable
access-list 105 permit tcp any host xx.xx.xx.xx eq 443
access-list 105 permit tcp any host xx.xx.xx.xx eq 22
access-list 105 permit tcp any host xx.xx.xx.xx eq cmd
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 106 remark VTY Access-class list
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 permit ip 192.168.x.x 0.0.0.255 any
access-list 106 deny ip any any
access-list 123 permit ip host 192.168.x.x 192.168.1.0 0.0.0.255
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
route-map nonat permit 10
 match ip address 123
 set interface Loopback0
!
!
!
!
control-plane
!
!
line con 0
 login authentication local_authen
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
--------------------------------------------------------------------------
Any help with this issue will be GREATLY appreciated.
NightBreakA
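The symptom in the question (the forward works from the outside, but LAN clients that use the public address time out) follows from the order in which Cisco IOS applies NAT and routing: a packet that enters an `ip nat inside` interface is routed first and never has its destination rewritten by an `ip nat inside source static` rule, so a connection to the router's own outside address simply lands on the router. A Linksys hides this by hairpinning automatically. The Python model below is an added example, not part of the original post, that simulates that order of operations for one static port forward and the two usual remedies: split DNS (internal clients are given the private address) and hairpinning through a loopback marked `ip nat outside` with policy routing on the inside VLAN, which is what the posted `route-map nonat` / `set interface Loopback0` appears to be reaching for (note that the posted Loopback0 carries no `ip nat outside`). Every address, port and interface role here is hypothetical, and the model deliberately ignores CEF/process switching, the inspect rules and the ACLs; a real hairpin configuration should be verified on the router with `show ip nat translations` and `debug ip nat`.

```python
"""Simplified model of IOS NAT order of operations for a static port forward.

All addresses and ports are constructed for the example; none come from the post.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"            # router's outside (FastEthernet0) address (hypothetical)
LOOPBACK_IP = "10.255.255.1"          # Loopback0, marked 'ip nat outside' when hairpinning (hypothetical)
LAN = ip_network("192.168.10.0/24")   # behind Vlan1, 'ip nat inside' (hypothetical)
SERVER_IP, SERVER_PORT = "192.168.10.20", 8080
CLIENT_IP = "192.168.10.50"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class StaticForward:
    """Models: ip nat inside source static tcp <inside_ip> <inside_port> <global_ip> <global_port>"""
    inside_ip: str
    inside_port: int
    global_ip: str
    global_port: int


class NatRouter:
    def __init__(self, forwards, hairpin=False):
        self.forwards = list(forwards)
        self.hairpin = hairpin                      # PBR of LAN -> PUBLIC_IP traffic to Loopback0
        self.outside_ifs = {"FastEthernet0", "Loopback0"} if hairpin else {"FastEthernet0"}
        self.pat = {}                               # overload table: loopback port -> (client ip, port)
        self._next_port = 1024

    def _dnat(self, pkt):
        """Outside -> inside: rewrite destination according to the static forwards."""
        for fw in self.forwards:
            if (pkt.dst, pkt.dport) == (fw.global_ip, fw.global_port):
                return replace(pkt, dst=fw.inside_ip, dport=fw.inside_port)
        return None

    def forward(self, pkt, in_if):
        """Return (verdict, packet as the final receiver sees it, or None if dropped)."""
        if in_if in self.outside_ifs:
            # Outside -> inside: translate first, then route.
            xlated = self._dnat(pkt)
            if xlated is None:
                return ("dropped: no static translation for that port", None)
            return ("delivered to inside host", xlated)
        # Inside -> outside: route first, translate afterwards.
        if ip_address(pkt.dst) in LAN:
            return ("switched within the LAN, NAT not involved", pkt)
        if pkt.dst == PUBLIC_IP:
            if not self.hairpin:
                # The destination is the router's own address and no inside-source rule
                # rewrites destinations on this path, so nothing answers: the client times out.
                return ("dropped: router-owned address, nothing listening (client times out)", None)
            # PBR 'set interface Loopback0': the packet leaves via an outside interface, so its
            # source is overloaded to the loopback address, and it re-enters on Loopback0 where
            # the static forward rewrites the destination like any outside packet.
            port, self._next_port = self._next_port, self._next_port + 1
            self.pat[port] = (pkt.src, pkt.sport)
            return self.forward(replace(pkt, src=LOOPBACK_IP, sport=port), "Loopback0")
        return ("routed out the default route", pkt)

    def reply_to_client(self, reply):
        """Reverse-translate a server reply (entering on Vlan1) into what the client receives."""
        for fw in self.forwards:                    # static rule reversed: inside -> global
            if (reply.src, reply.sport) == (fw.inside_ip, fw.inside_port):
                reply = replace(reply, src=fw.global_ip, sport=fw.global_port)
        if reply.dst == LOOPBACK_IP and reply.dport in self.pat:   # overload table reversed
            cip, cport = self.pat[reply.dport]
            reply = replace(reply, dst=cip, dport=cport)
        return reply


def scenarios():
    fw = StaticForward(SERVER_IP, SERVER_PORT, PUBLIC_IP, SERVER_PORT)
    ext = Packet("198.51.100.7", 40000, PUBLIC_IP, SERVER_PORT)   # internet client (constructed)
    lan = Packet(CLIENT_IP, 50000, PUBLIC_IP, SERVER_PORT)        # LAN client using the public name
    results = {}

    plain = NatRouter([fw])
    results["external"] = plain.forward(ext, "FastEthernet0")
    results["internal_no_hairpin"] = plain.forward(lan, "Vlan1")
    results["internal_split_dns"] = plain.forward(replace(lan, dst=SERVER_IP), "Vlan1")

    hp = NatRouter([fw], hairpin=True)
    verdict, at_server = hp.forward(lan, "Vlan1")
    results["internal_hairpin"] = (verdict, at_server)
    # The server answers whatever source it saw; the router must map it back so the client
    # sees a reply from PUBLIC_IP:SERVER_PORT, the tuple it actually connected to.
    reply = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    results["hairpin_reply"] = hp.reply_to_client(reply)
    return results


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:22s} {value}")
```

The hairpin case only works because both halves of the flow are translated: the destination on re-entry through the loopback, and the source on the way out, so the server's reply comes back through the router instead of going straight to the client's private address with a source the client never connected to. Split DNS avoids the whole problem for name-based clients and is the simpler fix when the internal application can be pointed at a hostname.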