Port forwarding Issue.

Discussion in 'Cisco' started by shahin, Jan 30, 2007.

  1. shahin

    shahin Guest

    Hi guys,

    I need your help with port forwarding on a Cisco router.
    I am new to configuring Cisco routers. Anyway, I did configure my
    router, and now I can access the internet and send and receive mail, so this part is
    good.
    I did try to open these ports on the router: 25, 22, 443, 4002,
    and I did forward these ports to one of my servers. But when I try to
    telnet to any of these ports I get no answer at all, and when I try to
    access my server (SBS 2003) with remote desktop (port 4002) no
    connection is made.
    I am sending you a copy of the router configuration; maybe some of you can
    see some mistake in it.
    Please let me know where the problem is. (I did change the IPs for
    security reasons.)


    myrouter#sh run
    Building configuration...

    Current configuration : 4694 bytes
    !
    version 12.4
    no parser cache
    service nagle
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname mydomain
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$QRTEUHN$Sb83SiFXpstr562NA/1iQZ/950
    !
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    !
    aaa session-id common
    !
    resource policy
    !
    no ip source-route
    ip cef
    !
    !
    !
    !
    ip tcp mss 1400
    no ip domain lookup
    ip domain name mydomain.com
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw http timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    !
    !
    !
    username johndo secret 5 $1$LJB.$ty/MZ6auSm3khkhAIMGeTsF/
    username test secret 5 $1$ub5k$b/nmlDv4eMdRpKertyueEDL1
    !
    !
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
    crypto isakmp keepalive 10
    !
    crypto isakmp client configuration group groepje1
     key 427sieb1
     pool ippool
    !
    !
    crypto ipsec transform-set transset1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set transset1
    !
    !
    crypto map crypmap1 client authentication list userauthen
    crypto map crypmap1 isakmp authorization list groupauthor
    crypto map crypmap1 client configuration address respond
    crypto map crypmap1 20 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface BRI0
     no ip address
     encapsulation hdlc
     shutdown
    !
    interface ATM0
     no ip address
     no ip route-cache cef
     no ip route-cache
     no ip mroute-cache
     no atm ilmi-keepalive
     pvc 0 8/48
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
     dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
     ip address 10.0.0.190 255.255.255.0
     ip access-group 102 in
     ip nat inside
     ip inspect myfw in
     ip virtual-reassembly
     no ip route-cache cef
     no ip route-cache
     no ip mroute-cache
     hold-queue 100 out
    !
    interface Dialer1
     ip address negotiated
     ip access-group 113 in
     ip nat outside
     ip virtual-reassembly
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication pap callin
     ppp pap sent-username password 7 66141601034200555953
     crypto map crypmap1
    !
    ip local pool ippool 192.168.10.100 192.168.10.110
    ip route 0.0.0.0 0.0.0.0 Dialer1 permanent
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source static tcp 10.0.0.56 7 interface Dialer1 7
    ip nat inside source static udp 10.0.0.56 7 interface Dialer1 7
    ip nat inside source route-map nonat interface Dialer1 overload
    ip nat inside source static tcp 10.0.0.190 22 interface Dialer1 22
    ip nat inside source static tcp 10.0.0.180 25 interface Dialer1 25
    ip nat inside source static tcp 10.0.0.180 443 interface Dialer1 443
    ip nat inside source static tcp 10.0.0.180 110 interface Dialer1 110
    ip nat inside source static tcp 10.0.0.180 4002 interface Dialer1 4002
    !
    access-list 23 permit 82.66.199.22
    access-list 23 permit 212.222.20.0 0.0.0.255
    access-list 23 permit 10.0.0.0 0.0.0.255
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 permit esp any any
    access-list 105 deny ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 105 permit ip 10.0.0.0 0.0.0.255 any
    access-list 112 permit tcp any any eq smtp
    access-list 112 permit tcp any any eq 443
    access-list 112 permit tcp any any eq pop3
    access-list 112 permit tcp any any eq 4002
    access-list 112 permit ip host 82.62.160.105 any
    access-list 112 deny ip any any
    access-list 113 permit ip 192.168.10.0 0.0.0.255 any
    access-list 113 permit esp any any
    access-list 113 permit udp any any eq isakmp
    access-list 113 permit tcp host 82.66.199.22 any eq 22
    access-list 113 permit tcp 213.222.20.224 0.0.0.7 any eq 22
    access-list 113 permit tcp host 193.172.44.45 eq tftp-data any
    access-list 113 permit tcp host 194.151.107.40 eq tftp-data any
    access-list 113 permit tcp host 194.151.107.44 eq tftp-data any
    access-list 113 permit icmp any any
    access-list 113 permit tcp any any eq echo
    access-list 113 permit udp any any eq echo
    access-list 113 deny ip any any
    access-list 115 permit ip any any
    access-list 115 permit esp any any
    dialer-list 1 protocol ip permit
    !
    !
    !
    route-map nonat permit 10
     match ip address 105
    !
    !
    control-plane
    !
    !
    line con 0
    --More--
     
    shahin, Jan 30, 2007
    #1

  3. www.BradReese.Com

    "http://www.portforward.com/english/routers/port_forwarding/routerindex.htm"

    www.BradReese.Com, Jan 30, 2007
    #3
  4. Al

    Al Guest

    On Jan 30, 8:14 pm, "shahin" <> wrote:
    > Hi guys,
    >
    > I need your help with port forwarding on a Cisco router.
    > I am new to configuring Cisco routers. Anyway, I did configure my
    > router, and now I can access the internet and send and receive mail, so this part is
    > good.
    > I did try to open these ports on the router: 25, 22, 443, 4002,
    > and I did forward these ports to one of my servers. But when I try to
    > telnet to any of these ports I get no answer at all, and when I try to
    > access my server (SBS 2003) with remote desktop (port 4002) no
    > connection is made.
    > I am sending you a copy of the router configuration; maybe some of you can
    > see some mistake in it.
    > Please let me know where the problem is. (I did change the IPs for
    > security reasons.)
    >

    Although you have set up the NAT, I'd have thought you still need to
    allow the traffic through the firewall ACL:

    access-list 113 permit tcp any any eq 22
    access-list 113 permit tcp any any eq 25
    access-list 113 permit tcp any any eq 443
    access-list 113 permit tcp any any eq 4002

    Obviously, you might want to change the source addresses to be a bit
    more limited, or you might want to consider changing the ports rather
    than leave the defaults exposed to all....

    Also, as you're using a numbered ACL, I think you'll have to remove it
    & re-apply it, as you can't delete/insert entries as you can with a
    named ACL.

    Regards,

    Al
     
    Al, Jan 31, 2007
    #4
  5. shahin

    shahin Guest

    On 31 Jan, 20:08, "Al" <> wrote:
    > Although you have setup the NAT, I'd have thought you need to still
    > allow the traffic through the firewall acl:
    >
    > access-list 113 permit tcp any any eq 22
    > access-list 113 permit tcp any any eq 25
    > access-list 113 permit tcp any any eq 443
    > access-list 113 permit tcp any any eq 4002
    >
    > Obviously, you might want to change the source addresses to be a bit
    > more limited, or you might want to consider changing the ports rather
    > than leave the defaults exposed to all....
    >
    > Also, as you're using a numbered acl, I think you'll have to remove it
    > & re-apply it as you can't delete/insert entries as you can with a
    > named acl.
    >
    > Regards,
    >
    > Al

    hi Al,

    thanks for reply,

    I did create a separate access list, access list 112:
    access-list 112 permit tcp any any eq 443
    access-list 112 permit tcp any any eq pop3
    access-list 112 permit tcp any any eq 4002
    access-list 112 permit ip host 82.62.160.105 any
    access-list 112 deny ip any any

    Do you think I should add these ports under access-list 113?
    Or do I have to add an extra line to access-list 112? e.g.

    access-list 113 permit ip 192.168.10.0 0.0.0.255 any
    access-list 113 permit esp any any
    access-list 113 permit udp any any eq isakmp


    thanks again.
     
    shahin, Jan 31, 2007
    #5
  6. Al

    Al Guest

    On 31 Jan, 22:02, "shahin" <> wrote:
    > hi Al,
    >
    > thanks for reply,
    >
    > I did create a sepreated access list, access list 112:
    > access-list 112 permit tcp any any eq 443
    > access-list 112 permit tcp any any eq pop3
    > access-list 112 permit tcp any any eq 4002
    > access-list 112 permit ip host 82.62.160.105 any
    > access-list 112 deny ip any any
    >
    > do you think I should add this ports under access-list 113?
    > or do I have to add extra line to access 112?eg
    >
    > access-list 113 permit ip 192.168.10.0 0.0.0.255 any
    > access-list 113 permit esp any any
    > access-list 113 permit udp any any eq isakmp
    >
    > thanks again.

    You will have to add the exceptions to whatever list you have applied
    to your outside interface, which is currently 113, e.g.:

    ! Existing lines
    access-list 113 permit ip 192.168.10.0 0.0.0.255 any
    access-list 113 permit esp any any
    access-list 113 permit udp any any eq isakmp
    access-list 113 permit tcp host 82.66.199.22 any eq 22
    access-list 113 permit tcp 213.222.20.224 0.0.0.7 any eq 22
    access-list 113 permit tcp host 193.172.44.45 eq tftp-data any
    access-list 113 permit tcp host 194.151.107.40 eq tftp-data any
    access-list 113 permit tcp host 194.151.107.44 eq tftp-data any
    access-list 113 permit icmp any any
    access-list 113 permit tcp any any eq echo
    access-list 113 permit udp any any eq echo
    ! New lines
    access-list 113 permit tcp any any eq 22
    access-list 113 permit tcp any any eq 25
    access-list 113 permit tcp any any eq 443
    access-list 113 permit tcp any any eq 4002
    ! Deny any - does not do anything in particular, as you're not logging
    ! matches & there's the implicit deny at the end anyway
    access-list 113 deny ip any any
    !
    interface Dialer1
     ip access-group 113 in
    !

    As far as I can see, ACL 112 is not applied & could be removed.

    HTH,

    Al
     
    Al, Feb 6, 2007
    #6
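    The check Al makes in #4 and #6 (a static NAT entry on its own does nothing for inbound connections; the ACL applied inbound on the "ip nat outside" interface must also permit them, and entries are evaluated top-down with first match winning) can be automated. What follows is an added example written for this page, not code from the thread or from Cisco. It is a small Python audit that parses the posted "ip nat inside source static" lines and ACL 113 (copied into SAMPLE_CONFIG with the wrapped lines joined; the rest of the configuration is left out), works out which outside interface carries which inbound ACL, and reports for each forward whether an arbitrary outside source is permitted and which specific sources are. It models only the ACL: CBAC inspection, the crypto map and the NAT translation itself are assumed to work as configured, the destination field is not compared because the Dialer1 address is negotiated, and the PORT_NAMES table covers only the IOS keywords that appear in this configuration.

```python
"""Audit a Cisco IOS config: does each 'ip nat inside source static' port
forward have a matching permit in the ACL applied inbound on the
'ip nat outside' interface?  Added example, not code from the thread or Cisco."""
import re

# Constructed sample: the outside-interface, static NAT and ACL 113 lines
# from the posted configuration (wrapped lines joined, the rest left out).
SAMPLE_CONFIG = """\
interface Dialer1
 ip address negotiated
 ip access-group 113 in
 ip nat outside
!
ip nat inside source static tcp 10.0.0.56 7 interface Dialer1 7
ip nat inside source static udp 10.0.0.56 7 interface Dialer1 7
ip nat inside source static tcp 10.0.0.190 22 interface Dialer1 22
ip nat inside source static tcp 10.0.0.180 25 interface Dialer1 25
ip nat inside source static tcp 10.0.0.180 443 interface Dialer1 443
ip nat inside source static tcp 10.0.0.180 110 interface Dialer1 110
ip nat inside source static tcp 10.0.0.180 4002 interface Dialer1 4002
!
access-list 113 permit ip 192.168.10.0 0.0.0.255 any
access-list 113 permit esp any any
access-list 113 permit udp any any eq isakmp
access-list 113 permit tcp host 82.66.199.22 any eq 22
access-list 113 permit tcp 213.222.20.224 0.0.0.7 any eq 22
access-list 113 permit icmp any any
access-list 113 permit tcp any any eq echo
access-list 113 permit udp any any eq echo
access-list 113 deny ip any any
"""
PORT_NAMES = {"echo": 7, "smtp": 25, "pop3": 110, "isakmp": 500}  # keywords used here

def _port(tok):
    """Numeric port, or the IOS keyword itself when it is not in PORT_NAMES."""
    return int(tok) if tok.isdigit() else PORT_NAMES.get(tok, tok)

def parse_static_nat(config):
    """(proto, inside_ip, inside_port, outside_iface, outside_port) per forward."""
    pat = r"^ip nat inside source static (tcp|udp) (\S+) (\S+) interface (\S+) (\S+)$"
    return [(p, ip, _port(a), ifc, _port(b))
            for p, ip, a, ifc, b in re.findall(pat, config, re.M)]

def outside_inbound_acls(config):
    """{outside_iface: ACL number applied 'in'} for each 'ip nat outside' interface."""
    found, name, acl, outside = {}, None, None, False
    for line in [l.strip() for l in config.splitlines()] + ["!"]:
        if line.startswith("interface "):
            name, acl, outside = line.split()[1], None, False
        elif line == "!" and name:
            if outside:
                found[name] = acl                  # None: no inbound ACL at all
            name = None
        elif line.startswith("ip access-group ") and line.endswith(" in"):
            acl = line.split()[2]
        elif line == "ip nat outside":
            outside = True
    return found

def parse_acl(config, number):
    """Entries of numbered extended ACL `number`, in evaluation order."""
    entries = []
    for m in re.finditer(r"^access-list (\d+) (permit|deny) (\S+) (.+)$", config, re.M):
        if m.group(1) != number:
            continue
        t, f = m.group(4).split(), []
        for _ in ("source", "destination"):        # 'any' | 'host A' | 'A wildcard' [eq port]
            n = 1 if t[0] == "any" else 2
            f.append(" ".join(t[:n])); t = t[n:]
            f.append(_port(t[1]) if t[:1] == ["eq"] else None)
            t = t[2:] if t[:1] == ["eq"] else t
        entries.append(dict(action=m.group(2), proto=m.group(3), src=f[0], sport=f[1], dport=f[3]))
    return entries

def audit(config):
    """Per forward: may ANY outside source reach it through the inbound ACL, and
    which specific sources are permitted?  First matching entry wins, as on the router."""
    acls, report = outside_inbound_acls(config), []
    for proto, ip, iport, iface, oport in parse_static_nat(config):
        acl = acls.get(iface)
        any_source, sources = acl is None, []      # no ACL at all: wide open
        for e in parse_acl(config, acl) if acl else []:
            if (e["proto"] not in ("ip", proto) or e["sport"] is not None
                    or e["dport"] not in (None, oport)):
                continue                           # entry cannot match this forward
            if e["src"] == "any":                  # this entry decides for everyone
                any_source = e["action"] == "permit"
                break
            if e["action"] == "permit":
                sources.append(e["src"])
        report.append(dict(proto=proto, inside=f"{ip}:{iport}", port=oport,
                           acl=acl, any_source=any_source, sources=sources))
    return report

def suggested_permits(report, source="any", skip=()):
    """ACL lines (insert before the final deny) for forwards that arbitrary outside
    sources cannot reach.  Narrow `source` to real client ranges where you can,
    and list intentionally restricted ports in `skip`."""
    return [f"access-list {r['acl']} permit {r['proto']} {source} any eq {r['port']}"
            for r in report if not r["any_source"] and r["port"] not in skip]

if __name__ == "__main__":
    rep = audit(SAMPLE_CONFIG)
    for r in rep:
        state = ("OPEN" if r["any_source"] else
                 "RESTRICTED to " + ", ".join(r["sources"]) if r["sources"] else "BLOCKED")
        print(f"{r['proto']}/{r['port']:<5} -> {r['inside']:<16} {state}")
    print("\n".join(suggested_permits(rep, skip=(22,))))
```

    Run against the posted configuration it reports the two echo forwards as open, port 22 as restricted to the two SSH sources plus the VPN pool, and 25, 443, 110 and 4002 as reachable only from the 192.168.10.0/24 VPN pool, which is exactly why a telnet from the Internet got no answer. suggested_permits() produces the four lines Al gives plus one for 110, which is also forwarded but was not in the list of ports asked about; skip=(22,) keeps SSH limited to its two configured sources, and the source argument should be narrowed to known client ranges rather than left at any, as Al also advises.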
