fz2hqs
asked on
CISCO 837 & port forwarding
I am having just the smallest issue with my new 837. I can't get the port forwarding to work for sh*t.
When I add the static in I get an IP conflict on the server that it is meant to be forwarding traffic to? As far as I can tell the rest of it works (and i am sure a faster net connection than the old router gave me !) What am I missing.. here is the config:
interface Dialer1
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname <snip>
ppp chap password <snip>
ppp pap sent-username <snip>
!
!--Adding the followign in doesn't work so good
!--ip nat inside source static tcp a.b.c.7 25 x.y.z.113 25 extendable
!--ip nat inside source static tcp a.b.c.7 80 x.y.z.113 80 extendable
!--ip nat inside source static tcp a.b.c.7 443 x.y.z.113 443 extendable
access-list 103 permit tcp any host x.y.z.113 eq www
access-list 103 permit tcp any host x.y.z.113 eq 443
access-list 103 permit tcp any host x.y.z.113 eq smtp
access-list 103 deny ip a.b.c.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
When I add the static in I get an IP conflict on the server that it is meant to be forwarding traffic to? As far as I can tell the rest of it works (and i am sure a faster net connection than the old router gave me !) What am I missing.. here is the config:
interface Dialer1
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname <snip>
ppp chap password <snip>
ppp pap sent-username <snip>
!
!--Adding the followign in doesn't work so good
!--ip nat inside source static tcp a.b.c.7 25 x.y.z.113 25 extendable
!--ip nat inside source static tcp a.b.c.7 80 x.y.z.113 80 extendable
!--ip nat inside source static tcp a.b.c.7 443 x.y.z.113 443 extendable
access-list 103 permit tcp any host x.y.z.113 eq www
access-list 103 permit tcp any host x.y.z.113 eq 443
access-list 103 permit tcp any host x.y.z.113 eq smtp
access-list 103 deny ip a.b.c.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
Can we see your whole configuration? Also, does your ISP provide you with a static IP Address of a dynamic IP Address?
ASKER
a.b.c.7 is private IP on the LAN
x.y.z.113 is one of my 5 static addresses.
At the moment the ISP dynamically assign an IP to the dialer interface - this may be an error on my part I guess I shoudl be assigming one of those that I have. I'll post up the full config in the morning
x.y.z.113 is one of my 5 static addresses.
At the moment the ISP dynamically assign an IP to the dialer interface - this may be an error on my part I guess I shoudl be assigming one of those that I have. I'll post up the full config in the morning
ASKER
Found one other bit of info the ISP gateway address is x.y.z.118 - to make reading a bit easier I have put in alternate IP numbers:
!version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ernie
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
username <snip> privilege 15 password <snip>
username <snip> secret <snip>
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name experts-exchange.co.uk
ip name-server 10.1.1.7
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group clients
key <snip>
dns 10.1.1.7
domain experts-exchange.co.uk
pool vpnclients
acl 106
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname <snip>
ppp chap password <snip>
ppp pap sent-username <snip>
crypto map SDM_CMAP_1
!
ip local pool vpnclients 192.168.168.1 192.168.168.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 10.1.1.7 25 200.200.200.113 25 extendable
ip nat inside source static tcp 10.1.1.7 80 200.200.200.113 80 extendable
ip nat inside source static tcp 10.1.1.7 443 200.200.200.113 443 extendable
ip nat inside source list 102 interface Dialer1 overload
!
!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq smtp
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 143
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq pop3
access-list 100 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 100 permit icmp 10.1.1.0 0.0.0.255 any
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 3389
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq domain
access-list 100 deny ip any any log
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq smtp
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq pop3
access-list 102 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 3389
access-list 102 deny ip any any
access-list 103 permit tcp any host 200.200.200.113 eq www
access-list 103 permit tcp any host 200.200.200.113 eq 443
access-list 103 permit tcp any host 200.200.200.113 eq smtp
access-list 103 permit tcp any host 200.200.200.113 eq 143
access-list 103 permit ahp any any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit ip host 192.168.168.5 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.4 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.3 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.2 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.1 10.1.1.0 0.0.0.255
access-list 103 deny ip 10.1.1.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 106 permit ip 10.1.1.0 0.0.0.255 192.168.168.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
privilege level 15
length 0
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
!version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ernie
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
username <snip> privilege 15 password <snip>
username <snip> secret <snip>
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
ip domain name experts-exchange.co.uk
ip name-server 10.1.1.7
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group clients
key <snip>
dns 10.1.1.7
domain experts-exchange.co.uk
pool vpnclients
acl 106
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
ip address 10.1.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname <snip>
ppp chap password <snip>
ppp pap sent-username <snip>
crypto map SDM_CMAP_1
!
ip local pool vpnclients 192.168.168.1 192.168.168.5
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 10.1.1.7 25 200.200.200.113 25 extendable
ip nat inside source static tcp 10.1.1.7 80 200.200.200.113 80 extendable
ip nat inside source static tcp 10.1.1.7 443 200.200.200.113 443 extendable
ip nat inside source list 102 interface Dialer1 overload
!
!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq smtp
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 143
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq pop3
access-list 100 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 100 permit icmp 10.1.1.0 0.0.0.255 any
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 3389
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq domain
access-list 100 deny ip any any log
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq www
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 443
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq smtp
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq pop3
access-list 102 permit udp 10.1.1.0 0.0.0.255 any eq domain
access-list 102 permit tcp 10.1.1.0 0.0.0.255 any eq 3389
access-list 102 deny ip any any
access-list 103 permit tcp any host 200.200.200.113 eq www
access-list 103 permit tcp any host 200.200.200.113 eq 443
access-list 103 permit tcp any host 200.200.200.113 eq smtp
access-list 103 permit tcp any host 200.200.200.113 eq 143
access-list 103 permit ahp any any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit ip host 192.168.168.5 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.4 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.3 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.2 10.1.1.0 0.0.0.255
access-list 103 permit ip host 192.168.168.1 10.1.1.0 0.0.0.255
access-list 103 deny ip 10.1.1.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 106 permit ip 10.1.1.0 0.0.0.255 192.168.168.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
no modem enable
transport preferred all
transport output all
line aux 0
transport preferred all
transport output all
line vty 0 4
exec-timeout 120 0
privilege level 15
length 0
transport preferred all
transport input telnet ssh
transport output all
!
scheduler max-task-time 5000
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Having a re-read of it and other literature I am finding what I think are huge flaws - the one you spot there I hadn't got to. but yes, it is daft!!
It seems that if I have pre determined addresses then there shouldn't really be a Dialer interface but an ATM0.1 instead.
I'd drop the dialer and adjust it so that...
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 200.200.200.117 255.255.255.248
ip access-group 103 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
pvc 0/38
encapsulation aal5snap
!
!
ip route 0.0.0.0 0.0.0.0 200.200.200.118 << Information that I know from ISP
!
ip nat inside source static tcp 10.1.1.7 143 200.200.200.113 143
ip nat inside source static tcp 10.1.1.7 25 200.200.200.113 25
ip nat inside source static tcp 10.1.1.7 443 200.200.200.113 443
ip nat inside source static tcp 10.1.1.7 80 200.200.200.113 80
and then the ACL's later on
It seems that if I have pre determined addresses then there shouldn't really be a Dialer interface but an ATM0.1 instead.
I'd drop the dialer and adjust it so that...
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip address 200.200.200.117 255.255.255.248
ip access-group 103 in
ip mtu 1492
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1452
pvc 0/38
encapsulation aal5snap
!
!
ip route 0.0.0.0 0.0.0.0 200.200.200.118 << Information that I know from ISP
!
ip nat inside source static tcp 10.1.1.7 143 200.200.200.113 143
ip nat inside source static tcp 10.1.1.7 25 200.200.200.113 25
ip nat inside source static tcp 10.1.1.7 443 200.200.200.113 443
ip nat inside source static tcp 10.1.1.7 80 200.200.200.113 80
and then the ACL's later on
ASKER
Also been given the following by the ISP :
Settings are as follows:
VPI = 0 (zero)
VCI = 38
Authentication = CHAP
Encapsulation = VC MUX
Modulation = G.DMT
Encapsulation Protocol = PPPoA, whether USB modem or
Ethernet router.
Settings are as follows:
VPI = 0 (zero)
VCI = 38
Authentication = CHAP
Encapsulation = VC MUX
Modulation = G.DMT
Encapsulation Protocol = PPPoA, whether USB modem or
Ethernet router.
ASKER
Got it sorted - Had to pay :( have awarded points based on whos post was the biggest ;)
>a.b.c.7 = server's real IP address (same LAN as the Ethernet interface of the router)
>x.y.z.113 = Ip address of Dialer1