Velocity Reviews - Computer Hardware Reviews

Port forwarding Issue.

 
 
shahin
01-30-2007
Hi guys,

I need your help on port forwarding on a CISCO router.
I am new to configuring CISCO routers; anyway, I did configure my
router, now I can use the internet and send and receive mail, so this part is
good.
I did try to open these ports on the router: 25, 22, 443, 4002
and I did forward these ports to one of my servers, but when I try to
telnet any of these ports I get no answer at all, or when I try to
access my server (SBS 2003) with remote desktop (port 4002) no
connection is made.
I send you a copy of the router configuration, maybe some of you can
see some mistake in it.
Please let me know where the problem is. (I did change the IPs for
security reasons.)


myrouter#sh run
Building configuration...

Current configuration : 4694 bytes
!
version 12.4
no parser cache
service nagle
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname mydomain
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$QRTEUHN$Sb83SiFXpstr562NA/1iQZ/950
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
no ip source-route
ip cef
!
!
!
!
ip tcp mss 1400
no ip domain lookup
ip domain name mydomain.com
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
username johndo secret 5 $1$LJB.$ty/MZ6auSm3khkhAIMGeTsF/
username test secret 5 $1$ub5k$b/nmlDv4eMdRpKertyueEDL1
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group groepje1
 key 427sieb1
 pool ippool
!
!
crypto ipsec transform-set transset1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set transset1
!
!
crypto map crypmap1 client authentication list userauthen
crypto map crypmap1 isakmp authorization list groupauthor
crypto map crypmap1 client configuration address respond
crypto map crypmap1 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 10.0.0.190 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip inspect myfw in
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer1
 ip address negotiated
 ip access-group 113 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username (E-Mail Removed) password 7 66141601034200555953
 crypto map crypmap1
!
ip local pool ippool 192.168.10.100 192.168.10.110
ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
!
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.0.0.56 7 interface Dialer1 7
ip nat inside source static udp 10.0.0.56 7 interface Dialer1 7
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 10.0.0.190 22 interface Dialer1 22
ip nat inside source static tcp 10.0.0.180 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.180 443 interface Dialer1 443
ip nat inside source static tcp 10.0.0.180 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.180 4002 interface Dialer1 4002
!
access-list 23 permit 82.66.199.22
access-list 23 permit 212.222.20.0 0.0.0.255
access-list 23 permit 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit esp any any
access-list 105 deny ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip 10.0.0.0 0.0.0.255 any
access-list 112 permit tcp any any eq smtp
access-list 112 permit tcp any any eq 443
access-list 112 permit tcp any any eq pop3
access-list 112 permit tcp any any eq 4002
access-list 112 permit ip host 82.62.160.105 any
access-list 112 deny ip any any
access-list 113 permit ip 192.168.10.0 0.0.0.255 any
access-list 113 permit esp any any
access-list 113 permit udp any any eq isakmp
access-list 113 permit tcp host 82.66.199.22 any eq 22
access-list 113 permit tcp 213.222.20.224 0.0.0.7 any eq 22
access-list 113 permit tcp host 193.172.44.45 eq tftp-data any
access-list 113 permit tcp host 194.151.107.40 eq tftp-data any
access-list 113 permit tcp host 194.151.107.44 eq tftp-data any
access-list 113 permit icmp any any
access-list 113 permit tcp any any eq echo
access-list 113 permit udp any any eq echo
access-list 113 deny ip any any
access-list 115 permit ip any any
access-list 115 permit esp any any
dialer-list 1 protocol ip permit
!
!
!
route-map nonat permit 10
 match ip address 105
!
!
control-plane
!
!
line con 0
--More--

 
www.BradReese.Com
01-30-2007
You may want to investigate the Router Port Forward Wizard:

http://www.portforward.com/english/r...rt_forwarding/
routerindex.htm

Sincerely,

Brad Reese
Cisco Resumes
http://www.bradreese.com/cisco-resumes.htm

 
www.BradReese.Com
01-30-2007
"http://www.portforward.com/english/routers/port_forwarding/routerindex.htm"

 
Al
01-31-2007
On Jan 30, 8:14 pm, "shahin" <(E-Mail Removed)> wrote:
> [original post and configuration quoted in full; snipped]


Although you have set up the NAT, I'd have thought you need to still
allow the traffic through the firewall acl:

access-list 113 permit tcp any any eq 22
access-list 113 permit tcp any any eq 25
access-list 113 permit tcp any any eq 443
access-list 113 permit tcp any any eq 4002

Obviously, you might want to change the source addresses to be a bit
more limited, or you might want to consider changing the ports rather
than leave the defaults exposed to all....

Also, as you're using a numbered acl, I think you'll have to remove it
& re-apply it as you can't delete/insert entries as you can with a
named acl.

Regards,

Al

 
shahin
01-31-2007
On 31 jan, 20:08, "Al" <(E-Mail Removed)> wrote:
> [Al's reply, together with the original post and configuration, quoted in full; snipped]


hi Al,

thanks for the reply,

I did create a separate access list, access-list 112:
access-list 112 permit tcp any any eq 443
access-list 112 permit tcp any any eq pop3
access-list 112 permit tcp any any eq 4002
access-list 112 permit ip host 82.62.160.105 any
access-list 112 deny ip any any

do you think I should add these ports under access-list 113?
or do I have to add an extra line to access-list 112? e.g.

> access-list 113 permit ip 192.168.10.0 0.0.0.255 any
> access-list 113 permit esp any any
> access-list 113 permit udp any any eq isakmp


thanks again.

 
Al
02-06-2007
On 31 Jan, 22:02, "shahin" <(E-Mail Removed)> wrote:
> [the earlier posts, quoted in full; snipped]


You will have to add the exceptions to whatever list you have applied
to your outside interface, which is currently 113, e.g.:

! Existing lines
access-list 113 permit ip 192.168.10.0 0.0.0.255 any
access-list 113 permit esp any any
access-list 113 permit udp any any eq isakmp
access-list 113 permit tcp host 82.66.199.22 any eq 22
access-list 113 permit tcp 213.222.20.224 0.0.0.7 any eq 22
access-list 113 permit tcp host 193.172.44.45 eq tftp-data any
access-list 113 permit tcp host 194.151.107.40 eq tftp-data any
access-list 113 permit tcp host 194.151.107.44 eq tftp-data any
access-list 113 permit icmp any any
access-list 113 permit tcp any any eq echo
access-list 113 permit udp any any eq echo
! New lines
access-list 113 permit tcp any any eq 22
access-list 113 permit tcp any any eq 25
access-list 113 permit tcp any any eq 443
access-list 113 permit tcp any any eq 4002
! Deny any - does not do anything particularly as you're not logging matches & there's the implicit deny at the end anyway
access-list 113 deny ip any any
!
interface Dialer1
 ip access-group 113 in
!

As far as I can see, the ACL 112 is not applied & could be removed.

HTH,

Al
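
Both of Al's answers turn on one point: a static NAT entry only translates, and the ACL applied inbound on the outside interface (113 here) still has to permit the forwarded port, while ACL 112 is bound nowhere. The script below is an added example, not code from the thread: it parses a constructed excerpt of the posted NAT and ACL lines, evaluates ACL 113 with IOS first-match semantics for a constructed outside client (198.51.100.7, with 203.0.113.5 standing in for the negotiated Dialer1 address), and reports which forwarded ports get through before and after Al's four new lines, plus which ACL numbers are bound to no interface.

```python
"""Added example (not from the thread): first-match IOS ACL simulation showing
which of the posted static NAT ports the inbound ACL on Dialer1 really admits."""
import ipaddress
import re
from collections import namedtuple

# Constructed excerpt of the posted config (names and addresses as in the thread).
CONFIG = """\
interface Dialer1
 ip access-group 113 in
ip nat inside source static tcp 10.0.0.56 7 interface Dialer1 7
ip nat inside source static tcp 10.0.0.190 22 interface Dialer1 22
ip nat inside source static tcp 10.0.0.180 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.180 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.180 4002 interface Dialer1 4002
access-list 112 permit tcp any any eq smtp
access-list 113 permit ip 192.168.10.0 0.0.0.255 any
access-list 113 permit tcp host 82.66.199.22 any eq 22
access-list 113 permit tcp 213.222.20.224 0.0.0.7 any eq 22
access-list 113 permit tcp any any eq echo
access-list 113 deny ip any any
"""
# Al's four new lines; they have to sit above the closing 'deny ip any any'.
FIX = ["access-list 113 permit tcp any any eq %d" % p for p in (22, 25, 443, 4002)]
PORT_NAMES = {"smtp": 25, "pop3": 110, "isakmp": 500, "echo": 7}
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) (ip|tcp|udp|icmp|esp) (.*)$")
NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
IFACE_RE, GROUP_RE = re.compile(r"^interface (\S+)$"), re.compile(r"^ip access-group (\d+) (in|out)$")
Rule = namedtuple("Rule", "action proto src sport dst dport")

def _endpoint(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' [eq PORT] from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif tok == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:  # ipaddress accepts an IOS wildcard (host mask) after the slash
        net = ipaddress.ip_network(tok + "/" + tokens.pop(0), strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        port = int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]
        del tokens[:2]
    return net, port

def parse_config(text):
    """Return ({acl: [Rule]}, {(iface, direction): acl}, [nat tuples]) from IOS text."""
    acls, bindings, nats, iface = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := GROUP_RE.match(line)) and iface:
            bindings[(iface, m.group(2))] = m.group(1)
        elif m := NAT_RE.match(line):
            nats.append(m.groups())
        elif m := ACL_RE.match(line):
            num, action, proto, rest = m.groups()
            toks = rest.split()
            (src, sport), (dst, dport) = _endpoint(toks), _endpoint(toks)
            acls.setdefault(num, []).append(Rule(action, proto, src, sport, dst, dport))
    return acls, bindings, nats

def evaluate(rules, proto, src_ip, dst_ip, dport, sport=None):
    """IOS semantics: the first matching line decides; no match is an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("ip", proto) and src in r.src and dst in r.dst
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action == "permit"
    return False

def exposure_report(text, client_ip="198.51.100.7"):
    """Per static NAT entry: does a packet from client_ip (constructed) to the
    forwarded port pass the inbound ACL on the NAT outside interface?"""
    acls, bindings, nats = parse_config(text)
    report = {}
    for proto, inside_ip, inside_port, iface, outside_port in nats:
        acl = bindings.get((iface, "in"))  # unbound or empty ACL => IOS permits all
        # Dialer1's address is negotiated, so a placeholder stands in; ACL 113 matches any dst.
        ok = acl not in acls or evaluate(acls[acl], proto, client_ip, "203.0.113.5", int(outside_port))
        report[(proto, int(outside_port))] = (ok, inside_ip + ":" + inside_port)
    return report

def unapplied_acls(text):  # defined but bound to no interface (route-map/vty uses not checked)
    acls, bindings, _ = parse_config(text)
    return set(acls) - set(bindings.values())

def with_fix(text):  # emulate re-entering ACL 113 with Al's lines before its final deny
    return text.replace("access-list 113 deny ip any any",
                        "\n".join(FIX) + "\naccess-list 113 deny ip any any")
```

Run against the excerpt, the report also shows two things the thread leaves implicit: the echo forward to 10.0.0.56 was already reachable from anywhere via the `eq echo` line, and the 110 forward is still blocked after the fix because no pop3 line was added.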

 