Question

Can't get port forwarding to work on my Cisco 857

Asked by: harry738

I've got a single static IP address on my ADSL and I want to forward port 2000 to a PC on my LAN.

I'm using SDM to configure the router. I've configured the NAT using SDM, but it's not working.

Here is my config:

!This is the running config of the router: xx.xx.xx.40
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname PAY-EDI-CISCO
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$byrbb$TGS7mwtZHjhLIUJDaEOaF/
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1082389886
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1082389886
 revocation-check none
 rsakeypair TP-self-signed-1082389886
!
!
crypto pki certificate chain TP-self-signed-1082389886
 certificate self-signed 01
 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
ip inspect name fw appfw fw
ip inspect name fw tcp
ip inspect name fw https
ip inspect name fw dns
ip inspect name fw pptp
ip inspect name fw l2tp
ip inspect name fw gtpv0
ip inspect name fw gtpv1
ip inspect name fw ddns-v3
ip inspect name fw dnsix
ip inspect name fw ldap-admin
ip inspect name fw ldap
ip inspect name fw ldaps
ip inspect name fw netbios-ns
ip inspect name fw wins
ip inspect name fw daytime
ip inspect name fw ntp
ip inspect name fw time
ip inspect name fw timed
ip inspect name fw hsrp
ip inspect name fw router
ip inspect name fw icmp
ip inspect name fw fragment maximum 256 timeout 1
ip inspect name fw snmp
ip inspect name fw snmptrap
ip inspect name fw syslog
ip inspect name fw syslog-conn
ip inspect name fw tacacs
ip inspect name fw kerberos
ip inspect name fw radius
ip inspect name fw tacacs-ds
ip inspect name fw ident
ip inspect name fw ace-svr
ip inspect name fw bootpc
ip inspect name fw bootps
ip inspect name fw dhcp-failover
ip inspect name fw discard
ip inspect name fw echo
ip inspect name fw finger
ip inspect name fw gopher
ip inspect name fw igmpv3lite
ip inspect name fw ipx
ip inspect name fw pwdgen
ip inspect name fw rsvp-encap
ip inspect name fw rsvp_tunnel
ip inspect name fw socks
ip inspect name fw vqp
ip inspect name fw udp
ip inspect name fw exec
ip inspect name fw telnet
ip inspect name fw telnets
ip inspect name fw rtelnet
ip inspect name fw login
ip inspect name fw rcmd
ip inspect name fw ssh
ip inspect name fw shell
ip inspect name fw sshell
ip inspect name fw x11
ip inspect name fw xdmcp
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip bootp server
ip domain name yourdomain.com
ip name-server 212.23.6.100
ip name-server 212.23.3.100
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
!
appfw policy-name fw
  application im aol
    service default action reset
    service text-chat action reset
    server deny name login.oscar.aol.com
    server deny name toc.oscar.aol.com
    server deny name oam-d09a.blue.aol.com
  application im msn
    service default action reset
    service text-chat action reset
    server deny name messenger.hotmail.com
    server deny name gateway.messenger.hotmail.com
    server deny name webmessenger.msn.com
  application im yahoo
    service default action reset
    service text-chat action reset
    server deny name scs.msg.yahoo.com
    server deny name scsa.msg.yahoo.com
    server deny name scsb.msg.yahoo.com
    server deny name scsc.msg.yahoo.com
    server deny name scsd.msg.yahoo.com
    server deny name messenger.yahoo.com
    server deny name cs16.msg.dcn.yahoo.com
    server deny name cs19.msg.dcn.yahoo.com
    server deny name cs42.msg.dcn.yahoo.com
    server deny name cs53.msg.dcn.yahoo.com
    server deny name cs54.msg.dcn.yahoo.com
    server deny name ads1.vip.scd.yahoo.com
    server deny name radio1.launch.vip.dal.yahoo.com
    server deny name in1.msg.vip.re2.yahoo.com
    server deny name data1.my.vip.sc5.yahoo.com
    server deny name address1.pim.vip.mud.yahoo.com
    server deny name edit.messenger.yahoo.com
    server deny name http.pager.yahoo.com
    server deny name privacy.yahoo.com
    server deny name csa.yahoo.com
    server deny name csb.yahoo.com
    server deny name csc.yahoo.com
!
appfw policy-name SDM_LOW
!
!
!
username admin privilege 15 secret 5 $1$pbb9$1Zr2qmhZsjYVUNPpKIFn8.
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.2 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.100.149 255.255.255.0
 ip access-group 105 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect fw out
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address xx.xx.xx.40 255.255.255.0
 ip access-group 106 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxxxxxxxxxxxxx
 ppp chap password 7 xxxxxxxxxxxxxxx
 ppp pap sent-username xxxxxx password 7 xxxxxxxxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.150 2000 xx.xx.xx.40 2000 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 100 remark remote Control
access-list 100 permit tcp any host 192.168.100.150 eq 2000 log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 212.23.6.100 eq domain any
access-list 101 permit udp host 212.23.3.100 eq domain any
access-list 101 permit ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 remark Remote Control
access-list 101 permit tcp any host 192.168.100.150 eq 2000 log
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any host 62.173.82.67
access-list 102 deny   ip xx.xx.xx.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 remark PORT 2000 forwarding
access-list 103 permit tcp any host xx.xx.xx.40 eq 2000 log
access-list 103 remark port 2000 UDP forwading
access-list 103 permit udp any host xx.xx.xx.40 eq 2000 log
access-list 103 permit udp host 212.23.3.100 eq domain host xx.xx.xx.40
access-list 103 permit udp host 212.23.6.100 eq domain host xx.xx.xx.40
access-list 103 deny   ip 192.168.100.0 0.0.0.255 any
access-list 103 permit icmp any host xx.xx.xx.40 echo-reply
access-list 103 permit icmp any host xx.xx.xx.40 time-exceeded
access-list 103 permit icmp any host xx.xx.xx.40 unreachable
access-list 103 permit tcp any host xx.xx.xx.40 eq 443
access-list 103 permit tcp any host xx.xx.xx.40 eq 22
access-list 103 permit tcp any host xx.xx.xx.40 eq cmd
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 remark Port 2000 UDP
access-list 104 permit udp any eq 2000 host xx.xx.xx.40 eq 2000
access-list 104 permit tcp any host xx.xx.xx.40 eq www
access-list 104 permit tcp any eq 2000 host xx.xx.xx.40 eq 2000
access-list 104 permit udp host 212.23.3.100 eq domain host xx.xx.xx.40
access-list 104 permit udp host 212.23.6.100 eq domain host xx.xx.xx.40
access-list 104 deny   ip 192.168.100.0 0.0.0.255 any
access-list 104 permit icmp any host xx.xx.xx.40 echo-reply
access-list 104 permit icmp any host xx.xx.xx.40 time-exceeded
access-list 104 permit icmp any host xx.xx.xx.40 unreachable
access-list 104 permit tcp any host xx.xx.xx.40 eq 443
access-list 104 permit tcp any host xx.xx.xx.40 eq 22
access-list 104 permit tcp any host xx.xx.xx.40 eq cmd
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 deny   ip xx.xx.xx.0 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit tcp any eq 2000 host xx.xx.xx.40 eq 2000
access-list 106 permit udp host 212.23.3.100 eq domain host xx.xx.xx.40
access-list 106 permit udp host 212.23.6.100 eq domain host xx.xx.xx.40
access-list 106 deny   ip 192.168.100.0 0.0.0.255 any
access-list 106 permit icmp any host xx.xx.xx.40 echo-reply
access-list 106 permit icmp any host xx.xx.xx.40 time-exceeded
access-list 106 permit icmp any host xx.xx.xx.40 unreachable
access-list 106 permit tcp any host xx.xx.xx.40 eq 443
access-list 106 permit tcp any host xx.xx.xx.40 eq 22
access-list 106 permit tcp any host xx.xx.xx.40 eq cmd
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end





Asked On: 2009-10-22 at 06:36:26 (ID 24834406)
Tags: Cisco, port forwarding, cisco router, router, cisco 800 series, ADSL
Topics: Network Routers, Network Operations, Network Design & Methodology
Participating Experts: 2
Points: 500
Comments: 9

Answers

 

by: Silentez, posted on 2009-10-22 at 06:54:44 (ID: 25634182)

I would start by examining "sh ip nat trans" and temporarily disabling all ACLs to find the root cause. SDM always messes them up :)

 

by: jodylemoine, posted on 2009-10-22 at 07:06:19 (ID: 25634332)

access-list 106 permit tcp any eq 2000 host xx.xx.xx.40 eq 2000

This access list is more specific than it needs to be and is denying traffic based on this.  You're filtering both the source and destination ports when only the destination needs to be filtered.  Given that you only have a single outside IP address, this is closer to what you need.

access-list 106 permit tcp any any eq 2000
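
The source-port point made in this answer, as an added example that is not part of the original thread: a small Python model of first-match IOS extended ACL evaluation, run over entries shaped like the page's access-list 106. Everything in it is constructed: 198.51.100.40 stands in for the masked xx.xx.xx.40, 203.0.113.5 is an arbitrary outside client, and the parser only understands the syntax that actually appears on this page (any / host / address-wildcard, eq, log). It is a model of how the router evaluates the list, not code from the router or from SDM.

```python
"""First-match model of IOS extended ACL evaluation (added example).

Shows why
    access-list 106 permit tcp any eq 2000 host <wan-ip> eq 2000
drops nearly every inbound connection (clients use ephemeral source ports)
while
    access-list 106 permit tcp any any eq 2000
admits the forwarded service.  All addresses and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names used on this page, as IOS prints them.
PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23, "cmd": 514, "snmp": 161}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _addr(t, i):
    """'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at t[i] -> (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    mask = "32" if t[i + 1] == "0.0.0.0" else t[i + 1]  # all-zero wildcard = one host
    # ipaddress reads a mask whose first octet is zero as a hostmask, which is
    # the IOS wildcard meaning for the contiguous wildcards used on this page.
    return ipaddress.ip_network(f"{t[i]}/{mask}", strict=False), i + 2


def _port(t, i):
    """Optional 'eq PORT' qualifier (the only port operator used on this page)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return PORT_NAMES.get(p) or int(p), i + 2
    return None, i


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one numbered extended ACL line; remarks yield None."""
    t = line.split()
    if t[:1] == ["access-list"]:
        t = t[2:]  # drop 'access-list <number>'
    if not t or t[0] == "remark":
        return None
    src, i = _addr(t, 2)
    sport, i = _port(t, i)
    dst, i = _addr(t, i)
    dport, i = _port(t, i)
    return Ace(t[0], t[1], src, sport, dst, dport)


def matches(a: Ace, p: Packet) -> bool:
    return (a.proto in ("ip", p.proto)
            and ipaddress.ip_address(p.src) in a.src
            and ipaddress.ip_address(p.dst) in a.dst
            and a.sport in (None, p.sport)
            and a.dport in (None, p.dport))


def evaluate(lines, pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in filter(None, map(parse_ace, lines)):
        if matches(ace, pkt):
            return ace.action
    return "deny"


WAN_IP = "198.51.100.40"  # assumed stand-in for the masked xx.xx.xx.40

ORIGINAL = f"access-list 106 permit tcp any eq 2000 host {WAN_IP} eq 2000"  # SDM's entry
FIXED = "access-list 106 permit tcp any any eq 2000"                         # suggested entry
ANTISPOOF = ["access-list 106 deny ip 192.168.100.0 0.0.0.255 any",
             "access-list 106 deny ip 10.0.0.0 0.255.255.255 any"]


def dialer_acl(port_rule: str, antispoof_first: bool = False):
    """Inbound ACL shaped like the page's 106: port-2000 entry, LAN/RFC1918 denies, final deny."""
    body = ANTISPOOF + [port_rule] if antispoof_first else [port_rule] + ANTISPOOF
    return body + ["access-list 106 deny ip any any log"]


# Constructed packets; a real client picks an ephemeral source port.
CLIENT = Packet("tcp", "203.0.113.5", 51234, WAN_IP, 2000)
SRCPORT_2000 = Packet("tcp", "203.0.113.5", 2000, WAN_IP, 2000)
SPOOFED = Packet("tcp", "192.168.100.7", 51234, WAN_IP, 2000)


def compare() -> dict:
    return {
        "original, normal client": evaluate(dialer_acl(ORIGINAL), CLIENT),
        "original, source port 2000": evaluate(dialer_acl(ORIGINAL), SRCPORT_2000),
        "fixed, normal client": evaluate(dialer_acl(FIXED), CLIENT),
        "fixed, spoofed LAN source": evaluate(dialer_acl(FIXED), SPOOFED),
        "fixed, denies first, spoofed": evaluate(dialer_acl(FIXED, True), SPOOFED),
    }


if __name__ == "__main__":
    for case, verdict in compare().items():
        print(f"{case:32} {verdict}")
```

Two things worth noticing in the output. The SDM entry only passes a client that happens to use source port 2000, so it is not a control at all, just an accident. And in the order shown on the page the port-2000 permit sits above the `deny ip 192.168.100.0 0.0.0.255 any` line, so a packet arriving on Dialer1 with a forged LAN source address is permitted by the ACL; putting the anti-spoofing denies above the permit (the `antispoof_first` case) closes that. On the router itself, `show access-lists 106` prints a match counter per entry and `show ip nat translations` confirms the static mapping, which together tell you whether traffic is dying at the ACL or at NAT.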

 

by: harry738, posted on 2009-10-22 at 07:10:42 (ID: 25634387)

Sorry, I'm not that good with Cisco, but I've managed to disable the ACLs and the NAT translations seem to be showing the right thing:

Pro  Inside Global       Inside Local      Outside Local   Outside Global
tcp  xx.xx.xx.40:2000    xx.xx.xx.:2000    ---             ---
udp  xx.xx.xx.40:2000    xx.xx.xx.:2000    ---             ---

 

by: jodylemoine, posted on 2009-10-22 at 07:15:15 (ID: 25634444)

The easiest way to replace the entry is to do the following:

show access-lists | inc access-list 106 permit tcp any eq 2000

This will show the entry number on the left-hand side of the access-list entry itself.  Once you have this, enter the following commands at the privileged command prompt:

config t
ip access-list extended 106
no xxx
xxx access-list 106 permit tcp any any eq 2000
end
wr

Replace all instances of xxx with the entry number reported by the "show access-lists" command above.

 

by: jodylemoine, posted on 2009-10-22 at 07:18:05 (ID: 25634481)

So you've taken the inbound access-list off of the Dialer1 interface for testing?

 

by: harry738, posted on 2009-10-22 at 07:34:23 (ID: 25634687)

Nothing happens when I try

show access-lists | inc access-list 106 permit tcp any eq 2000

 

by: harry738, posted on 2009-10-22 at 07:44:43 (ID: 25634815)

I started all over again; here is the latest configuration with the advised firewall rule:


!This is the running config of the router: 10.10.10.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Test
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1688838256
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1688838256
 revocation-check none
 rsakeypair TP-self-signed-1688838256
!
!
crypto pki certificate chain TP-self-signed-1688838256
 certificate self-signed 01
xxxxxxx xxxxxxx xxxxxxx xxxxxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxxxxxxxxx xxxxxxxxxxxxxx xxxxxxx
xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxxxx xxxxx
        quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.2
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   dns-server 195.216.16.65 195.216.16.129
   lease 0 2
!
!
ip cef
ip inspect name fw tcp
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name yourdomain.com
ip name-server 195.216.16.65
ip name-server 195.216.16.129
!
!
!
username admin privilege 15 secret 5 $1$Ld6H$PaqALXHNeTUG4eT43QOip0
!
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.248
 ip access-group 105 in
 ip inspect fw out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xx.xx.xx.30 255.255.255.0
 ip access-group 107 in
 ip mtu 1452
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx@adsl.xxxx.co.uk
 ppp chap password 0 xxxxx
 ppp pap sent-username xxxx@adsl.xxxx.co.uk password 0 xxxx
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 2000 xx.xxx.xxx.30 2000 extendable
ip nat inside source static udp 10.10.10.2 2000 xx.xxx.xxx.30 2000 extendable
!
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
no logging trap
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 2 permit 62.173.82.67
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.0 0.0.0.7
access-list 4 remark Auto generated by SDM Management Access feature
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 10.10.10.0 0.0.0.7
access-list 5 remark Auto generated by SDM Management Access feature
access-list 5 remark SDM_ACL Category=1
access-list 5 permit 10.10.10.2
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp 10.10.10.0 0.0.0.7 host 10.10.10.1 eq telnet
access-list 104 permit tcp 10.10.10.0 0.0.0.7 host 10.10.10.1 eq 22
access-list 104 permit tcp 10.10.10.0 0.0.0.7 host 10.10.10.1 eq www
access-list 104 permit tcp 10.10.10.0 0.0.0.7 host 10.10.10.1 eq 443
access-list 104 permit tcp 10.10.10.0 0.0.0.7 host 10.10.10.1 eq cmd
access-list 104 deny   tcp any host 10.10.10.1 eq telnet
access-list 104 deny   tcp any host 10.10.10.1 eq 22
access-list 104 deny   tcp any host 10.10.10.1 eq www
access-list 104 deny   tcp any host 10.10.10.1 eq 443
access-list 104 deny   tcp any host 10.10.10.1 eq cmd
access-list 104 deny   udp any host 10.10.10.1 eq snmp
access-list 104 permit tcp any eq 2000 any eq 2000
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 permit ip any any
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq 2000 any eq 2000
access-list 105 permit tcp host 10.10.10.2 host 10.10.10.1 eq telnet
access-list 105 permit tcp host 10.10.10.2 host 10.10.10.1 eq 22
access-list 105 permit tcp host 10.10.10.2 host 10.10.10.1 eq www
access-list 105 permit tcp host 10.10.10.2 host 10.10.10.1 eq 443
access-list 105 permit tcp host 10.10.10.2 host 10.10.10.1 eq cmd
access-list 105 deny   tcp any host 10.10.10.1 eq telnet
access-list 105 deny   tcp any host 10.10.10.1 eq 22
access-list 105 deny   tcp any host 10.10.10.1 eq www
access-list 105 deny   tcp any host 10.10.10.1 eq 443
access-list 105 deny   tcp any host 10.10.10.1 eq cmd
access-list 105 deny   udp any host 10.10.10.1 eq snmp
access-list 105 deny   ip xx.xxx.xxx.0 0.0.0.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 permit ip any any
access-list 106 remark auto generated by SDM firewall configuration
access-list 106 remark SDM_ACL Category=1
access-list 106 permit ip host 10.10.10.2 any
access-list 106 permit udp any any eq 2000 log
access-list 106 permit tcp any any eq 2000 log
access-list 106 permit udp host 195.216.16.129 eq domain host xx.xxx.xxx.30
access-list 106 permit udp host 195.216.16.65 eq domain host xx.xxx.xxx.30
access-list 106 deny   ip 10.10.10.0 0.0.0.7 any
access-list 106 permit icmp any host xx.xxx.xxx.30 echo-reply
access-list 106 permit icmp any host xx.xxx.xxx.30 time-exceeded
access-list 106 permit icmp any host xx.xxx.xxx.30 unreachable
access-list 106 deny   ip 10.0.0.0 0.255.255.255 any
access-list 106 deny   ip 172.16.0.0 0.15.255.255 any
access-list 106 deny   ip 192.168.0.0 0.0.255.255 any
access-list 106 deny   ip 127.0.0.0 0.255.255.255 any
access-list 106 deny   ip host 255.255.255.255 any
access-list 106 deny   ip host 0.0.0.0 any
access-list 106 deny   ip any any log
access-list 107 remark auto generated by SDM firewall configuration
access-list 107 remark SDM_ACL Category=1
access-list 107 permit tcp any any eq 2000
access-list 107 permit udp any any eq 2000
access-list 107 permit udp host 195.216.16.129 eq domain host xx.xxx.xxx.30
access-list 107 permit udp host 195.216.16.65 eq domain host xx.xxx.xxx.30
access-list 107 deny   ip 10.10.10.0 0.0.0.7 any
access-list 107 permit icmp any host xx.xxx.xxx.30 echo-reply
access-list 107 permit icmp any host xx.xxx.xxx.30 time-exceeded
access-list 107 permit icmp any host xx.xxx.xxx.30 unreachable
access-list 107 deny   ip 10.0.0.0 0.255.255.255 any
access-list 107 deny   ip 172.16.0.0 0.15.255.255 any
access-list 107 deny   ip 192.168.0.0 0.0.255.255 any
access-list 107 deny   ip 127.0.0.0 0.255.255.255 any
access-list 107 deny   ip host 255.255.255.255 any
access-list 107 deny   ip host 0.0.0.0 any
access-list 107 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------

^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 106 in
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end


 

by: jodylemoine, posted on 2009-10-22 at 07:56:04, ID: 25634970

Nothing happens because access-list 106 has already been changed according to your configuration.  :)  Now you're using access-list 107 for inbound control, but it has the entries too... so we're good as far as that's concerned.  That covers the inbound access-list.

Now we have to deal with the outbound access-list that's applied to your VLAN1 interface.  It has the same problem we originally had with the inbound access-list, so the replies are being blocked.

access-list 105 permit tcp any eq 2000 any eq 2000

show access-lists 105 | include permit tcp any eq 2000

This will show the entry number on the left-hand side of the access-list entry itself.  Once you have this, enter the following commands at the privileged command prompt:

config t
ip access-list extended 105
no xxx
xxx access-list 105 permit tcp any eq 2000 any
end
wr

 

by: jodylemoine, posted on 2009-10-22 at 07:58:02, ID: 25634996

Whoops... slight error on one line of my recommendation:

xxx access-list 105 permit tcp any eq 2000 any

should be:

xxx permit tcp any eq 2000 any

Sorry about that.  I'm mixing up my configuration modes today.
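An added example, not code from this thread or from Cisco: a small Python model of how an IOS extended ACL matches a packet, to make concrete why `permit tcp any eq 2000 any eq 2000` never matches the forwarded server's replies (their destination port is the client's ephemeral port, not 2000) while the corrected `permit tcp any eq 2000 any` does, and how the sequence-number replace from the answers above changes the outcome. The model evaluates entries in sequence order, first match wins, and an unmatched packet hits the implicit deny; each model ACL holds only the entry under discussion, so the implicit deny stands in for the rest of the real list. The client address 203.0.113.7, the LAN host 10.10.10.5 and the two packets are constructed for the example; the thread never names the PC.

```python
"""Added example (not from the original thread): a deliberately small model of
Cisco IOS extended-ACL matching. Only the syntax the thread uses is parsed:
permit/deny, protocol ip/tcp/udp, addresses as "any", "host A.B.C.D" or
"A.B.C.D WILDCARD", and an optional "eq PORT" after each address."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Consume one address spec starting at tokens[i]; return (matcher, next index)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = int(IPv4Address(tokens[i + 1]))
        return (lambda ip: int(IPv4Address(ip)) == host), i + 2
    base, wild = int(IPv4Address(tokens[i])), int(IPv4Address(tokens[i + 1]))
    care = ~wild & 0xFFFFFFFF          # wildcard bits set to 1 are "don't care"
    return (lambda ip: int(IPv4Address(ip)) & care == base & care), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


class Entry:
    def __init__(self, line: str):
        t = line.split()
        self.text = " ".join(t)
        self.action, self.proto = t[0], t[1]
        self.src_ok, i = _parse_addr(t, 2)
        self.sport, i = _parse_port(t, i)
        self.dst_ok, i = _parse_addr(t, i)
        self.dport, i = _parse_port(t, i)

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and self.src_ok(p.src) and self.dst_ok(p.dst)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))


class Acl:
    """Sequence-numbered ACL supporting the 'no SEQ' / 'SEQ permit ...' edit."""
    def __init__(self, *lines: str):
        self.entries = {n * 10: Entry(line) for n, line in enumerate(lines, start=1)}

    def show(self):
        """Lines in the shape 'show access-lists' prints them: sequence number first."""
        return [f"{seq} {e.text}" for seq, e in sorted(self.entries.items())]

    def replace(self, seq: int, line: str) -> None:
        """'no <seq>' followed by '<seq> <line>' under 'ip access-list extended'."""
        del self.entries[seq]
        self.entries[seq] = Entry(line)

    def verdict(self, p: Packet):
        """(sequence number, action) of the first matching entry; implicit deny otherwise."""
        for seq, e in sorted(self.entries.items()):
            if e.matches(p):
                return seq, e.action
        return None, "deny"


# Constructed traffic (assumed addresses): an Internet client on an ephemeral
# port connects to the forwarded service; the LAN PC answers from port 2000.
CLIENT, SERVER = "203.0.113.7", "10.10.10.5"
INBOUND_SYN = Packet("tcp", CLIENT, 51234, SERVER, 2000)   # client -> service
REPLY = Packet("tcp", SERVER, 2000, CLIENT, 51234)          # service -> client


def demo() -> dict:
    """Verdicts before and after the fix on the LAN-side entry, plus the WAN-side
    inbound entry ('permit tcp any any eq 2000') for comparison."""
    lan_side = Acl("permit tcp any eq 2000 any eq 2000")     # entry as posted
    before = {"syn": lan_side.verdict(INBOUND_SYN), "reply": lan_side.verdict(REPLY)}
    # Find the sequence number the way the answer does, then replace that entry.
    seq = int(next(l for l in lan_side.show() if "permit tcp any eq 2000" in l).split()[0])
    lan_side.replace(seq, "permit tcp any eq 2000 any")        # corrected entry
    after = {"syn": lan_side.verdict(INBOUND_SYN), "reply": lan_side.verdict(REPLY)}
    wan_side = Acl("permit tcp any any eq 2000")
    return {"before": before, "after": after, "wan_in_syn": wan_side.verdict(INBOUND_SYN)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The "before" verdicts show the posted entry matching neither direction, because it insists that both ports equal 2000; after the replace, the reply (source port 2000) matches entry 10, while the inbound SYN still belongs to the WAN-side list, where `permit tcp any any eq 2000` matches it on the destination port.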
