Solved

problems with port forwarding and ACLs

Posted on 2006-06-22
329 Views
Last Modified: 2010-04-17
Hi, how are you? Thank you for looking at my problem. I have a Win2k3 network behind a Cisco 1841 router. My public IP address is 24.9x.xxx.66. My internal private IPs start at 10.10.10.2. I have a webserver on 10.58, which works fine. I can reach my site no problem. I'm also able to remote desktop into the network, as well as FTP into the webserver.

I'm a relative novice when it comes to Cisco IOS, but I'm getting through it.

Right now, I'm a little lost when it comes to opening up certain ports for telnet, VoIP, etc.

Here is my running config:


Building configuration...

Current configuration : 3601 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NN29$4LNrKgKxgVqNtGrOvT.r8/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip tcp synwait-time 10
no ip dhcp use vrf connected
!
!
no ip bootp server
ip name-server 24.xx.xx.xx
ip name-server 24.xx.xx.xx
ip ddns update method sdm_ddns1
 HTTP
 
!
!
username xxxxx privilege 15 secret 5 $1$4wnn$8.2XqyZae9xiXTvMylH18.
!
!
!
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
 ip address 10.10.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 24.9xx.xxxx.66 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 24.xx.xxx.65 permanent
!
ip http server
ip http authentication local
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 24.xx.xxx.66
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 5 remark SDM_ACL Category=16
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=16
access-list 100 permit tcp any host 24.xx.xx.xx.66 eq www
access-list 100 permit tcp any host 24.xx.xx.xx eq ftp
access-list 100 permit tcp any host 24.xx.xx.xx eq ftp-data
access-list 100 permit tcp any eq 6600 any
access-list 100 permit tcp any any eq 6600
access-list 100 permit udp any eq 6522 any
access-list 100 permit udp any any eq 6522
access-list 100 permit udp any any eq 5060
access-list 100 permit udp any any range 9710 20000
access-list 100 permit udp any range 9710 20000 any
access-list 100 permit udp any eq 5060 any
access-list 100 permit tcp any any eq telnet
access-list 100 permit tcp any host 24.xx.xx.xx.66 eq telnet
access-list 120 remark SDM_ACL Category=16
access-list 120 permit tcp any host 10.10.10.5 eq 3389
access-list 120 permit tcp any host 24.xx.xx.xx.66 eq 3389
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet
line vty 5 15
 privilege level 15
 login local
 transport input telnet
!
scheduler allocate 4000 1000
end

Thank you so much in advance!

mike
0
Question by: mmelody22
10 Comments
LVL 12

Accepted Solution

by:
Scotty_cisco earned 250 total points
ID: 16962470
ip nat inside source static 10.10.10.58 24.xx.xxx.66

This statement says everything that hits 24.xx.xxx.66, no matter what port, will go to 10.10.10.58. There is no ACL applied to either interface, so that is not causing any issues. Can you be more specific as to what your problem is?

Thanks
scott
0
 

Author Comment

by:mmelody22
ID: 16962537
OK, well, that makes sense, then, why FTP and WWW work on my webserver.

My problem is that I need client computers on my network to have, for example, a VoIP port (UDP 5060) open for a softphone that I'm using with my call center.
That's why I put in this: access-list 100 permit udp any eq 5060 any

Like I said, I'm a novice when it comes to ACLs, etc. within IOS. I appreciate your help.

thanks

mike
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 16965056
You have it defined within the access-list; the problem is that this ACL is not applied anywhere.
The fundamental issue is that you have 1-1 static NAT for your server that uses the same public IP as your interface, which is also the same IP that dynamic users are supposed to use:
WAN Interface:
>ip address 24.9xx.xxxx.66 255.255.255.248

>ip nat inside source list 5 interface FastEthernet0/1 overload <== all users use xx.66
>ip nat inside source static 10.10.10.58 24.xx.xxx.66 <== but wait, they can't because it is static to this server

Suggest that you use a different IP address for the 1-1 nat for the server, perhaps .67
no ip nat inside source static 10.10.10.58 24.xx.xxx.66
ip nat inside source static 10.10.10.58 24.xx.xxx.67

Now I'll bet your phones work, too.

0
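The two things lrmoore points out, an access-list that is defined but bound to nothing and a static NAT that reuses the PAT overload address, are easy to miss by eye in a long running-config. Below is an added example, written for this thread and not part of the original answer or of any Cisco tooling: a small Python audit script that parses a trimmed IOS config and flags both conditions. It also flags cleartext telnet on the vty lines, which the posted config has and which the thread does not discuss. The sample config embedded in the script is constructed from the posted one, with the masked public address replaced by the documentation-range stand-in 203.0.113.66; the parser only handles the classic syntax shown here (numbered access-lists, `ip nat inside source`, `ip access-group`, `access-class`).

```python
import re

# Constructed sample: trimmed from the running-config posted in this thread,
# with the masked public address replaced by a documentation-range stand-in
# (203.0.113.66) so the parser has something concrete to compare.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
!
interface FastEthernet0/1
 ip address 203.0.113.66 255.255.255.248
 ip nat outside
!
ip nat inside source list 5 interface FastEthernet0/1 overload
ip nat inside source static 10.10.10.58 203.0.113.66
!
access-list 5 permit 10.10.10.0 0.0.0.255
access-list 100 permit udp any eq 5060 any
access-list 100 permit tcp any any eq telnet
access-list 120 permit tcp any host 10.10.10.5 eq 3389
line vty 0 4
 transport input telnet
"""


def parse_interfaces(cfg):
    """Return {name: {"ip": address, "nat": "inside"/"outside"/None}} from interface stanzas."""
    interfaces = {}
    current = None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"ip": None, "nat": None}
        elif line.startswith(" ") and current:
            parts = line.split()
            if parts[:2] == ["ip", "address"] and len(parts) >= 4:
                interfaces[current]["ip"] = parts[2]
            elif parts[:2] == ["ip", "nat"] and len(parts) >= 3:
                interfaces[current]["nat"] = parts[2]
        else:
            current = None  # any top-level line ends the stanza
    return interfaces


def parse_nat(cfg):
    """Collect PAT overload rules as (acl, interface) and static 1-1 rules as (local, global)."""
    overload, statics = [], []
    for line in cfg.splitlines():
        m = re.match(r"ip nat inside source list (\S+) interface (\S+) overload", line)
        if m:
            overload.append((m.group(1), m.group(2)))
            continue
        m = re.match(r"ip nat inside source static (\S+) (\S+)", line)
        if m:
            statics.append((m.group(1), m.group(2)))
    return overload, statics


def parse_acls(cfg):
    """Return (defined, applied): ACL ids that exist vs. ids actually referenced somewhere."""
    defined, applied = set(), set()
    for line in cfg.splitlines():
        m = re.match(r"access-list (\S+) (?:permit|deny)", line)
        if m:
            defined.add(m.group(1))
        for pattern in (r"^ ip access-group (\S+) ",
                        r"^ access-class (\S+) ",
                        r"^ip nat inside source list (\S+) "):
            m = re.search(pattern, line)
            if m:
                applied.add(m.group(1))
    return defined, applied


def audit(cfg):
    """Run the checks and return a list of finding strings (an empty list means clean)."""
    findings = []
    interfaces = parse_interfaces(cfg)
    overload, statics = parse_nat(cfg)
    defined, applied = parse_acls(cfg)

    # Check 1: a static NAT whose global address is also a PAT overload interface address,
    # the conflict lrmoore describes in the thread.
    pat_addresses = {interfaces[i]["ip"]: i for _, i in overload if i in interfaces}
    for local, public in statics:
        if public in pat_addresses:
            findings.append(f"static NAT {local}->{public} reuses the PAT overload address of "
                            f"{pat_addresses[public]}; inbound traffic to that address is "
                            f"ambiguous between the server and the overloaded users")

    # Check 2: ACLs that exist but are never bound to an interface, a line, or a NAT rule.
    for acl in sorted(defined - applied, key=lambda a: (len(a), a)):
        findings.append(f"access-list {acl} is defined but not applied anywhere")

    # Check 3: management plane accepts cleartext telnet (not discussed in the thread).
    if re.search(r"^ transport input telnet", cfg, re.M):
        findings.append("vty lines accept telnet (cleartext); prefer transport input ssh")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against the embedded sample it reports four findings: the NAT overlap, access-lists 100 and 120 unused, and telnet on the vty lines; access-list 5 is not reported because the overload rule references it. Changing the static rule to a spare address such as .67, as suggested above, clears the first finding, while the ACL findings remain until the lists are bound with `ip access-group` on an interface.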
 

Author Comment

by:mmelody22
ID: 16968998
OK, that makes sense. I made the change; I can get back in remotely, etc.

Now, should everything that goes through .66 be able to get through? The softphone is still trying to hit port 6522 and it's not getting through. That being said, it could be a software issue on their end. I just want to make sure on my end that I don't have to do anything else to get the correct ports open, etc.

Also, is this the best way of doing things? Or would using ACLs be better?

Thanks again for your help.

mike
0

 
LVL 79

Expert Comment

by:lrmoore
ID: 16969162
>the softphone is still trying to hit port 6522 and its not getting through
This could be a result of random port xlates through PAT (using one IP for everything outbound). You have no ACLs applied or anything that would block the traffic.

>...is this the best way of doing things?
Absolutely not.

>would using acls be better?
Better than nothing, but not as good as a real firewall.
0
 

Author Comment

by:mmelody22
ID: 16969249
>the softphone is still trying to hit port 6522 and its not getting through
>This could be a result of random port xlates through PAT (using one IP for everything outbound). You have no ACLs applied or anything that would block the traffic.

OK, is there a way around this? I have 2 other IPs that I can use. Or should I apply ACLs to 0/1? Or another way?

>would using acls be better?
>Better than nothing, but not as good as a real firewall.

I know. I'm getting a PIX either next week or the week after. I'm just trying to get everything to work for now before getting a firewall. I know it's ass-backwards, but it's all I can do for now!
0
 

Author Comment

by:mmelody22
ID: 16970166
Hi, do you think if I added .68 and .69 to an address pool that would alleviate this problem for now?

Thanks again.

mike
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16970339
It might. Worth a shot!
Are the calls going out from a central IP PBX? If so, just do a 1-1 static NAT for it just like you did for the server.
0