try to permit static route for remote admin with 827 cisco router

Posted on 2006-06-26
Medium Priority
Last Modified: 2012-06-21
I have an 827 Cisco router and I need to configure a static route from outside IP to inside IP.  Let's say outside IP is and inside IP is and the server to be administrated is on port 555.
Here is the current config.  Thank you.

1 Ethernet/IEEE 802.3
 set peer                      
 set transform-set papabear                      
 match address 106tile configuration
bridge irb          

interface Ethernet0  
8192K bytes of
 ip address secondary                      
 ip address be 0x2102 at next reload)          
 ip nat inside              
 no cdp enable        

 hold-queue 32 in                

interface ATM0              

 ip access-group 102 in

Name c
 ip inspect inside-to-WWW out              
 ip nat outside8, prot=50, spi
 no ip route-cache)            
 no ip mroute-cachesion 12.1(1r)XB1, R
 crypto map armadillo9:09.839: %CRYPTO-4-R
ip classless: decaps: re
ip route, Inc.                          
no ip http server27
s invalid spi
ip nat inside source route-map nonat interface BVI1 overloadpi=0x4DB85D6(81495510)confreg 0x2142                        
logging trap ere          
access-list 102 permit tcp any any eq 56316.22.10                                  
access-list 102 permit udp any any eq 5631        
   network 255.255.2
access-list 102 permit tcp any any eq 5632 default-router 95134-17
access-list 102 permit udp any any eq 563206.13.28.12Internetwork Operating System S
access-list 106 permit ip (C8
ip inspect one-minute low 280C, EARLY DEPLOYMENT RELE    
ip insp
access-list 152 deny   ip host 30 block-time 1
TAC:Home:SW:IOS:Specials for info      
access-list 152 permit ip anyy cisco Systems, Inc.    
ip inspect name inside-t
access-list 152 permit ip anyt name inside-to-WWW ftp              
Image text-ba
no cdp runpect name
route-map nonat permit 10                        

 match ip address 152-to-WWW udp U.S. Expo
snmp-server community coavlesw RWme inside-                      
outside the United Sta
snmp-server chassis-id <<Router Serial#>>bear esp-3des esp-sha-hmac              
snmp-server enable traps snmp linkdown linkup coldstart warmstart 10 ipsec-isakmp                                    
 set peer 20
snmp-server enable traps atm pvcuts
 set transform-set papabear
snmp-server enable traps syslogh address 106        
either b
snmp-server host thlunlad  snmprnet0                  
 ip address 192.168.16
snmp-server managercondaryo Systems, I
bridge 1 protocol ieeeent.          
 ip add
 bridge 1 route ip5.255.255.0Persons
banner motd ^CS. and Canada
*****************************************************************queue 32 in          
interface ATM0              

privilege exec level 5 ping
privilege exec level 5 show crypto isakmp sa
privilege exec level 5 show crypto ipsec sa
privilege exec level 5 clear crypto isakmp
privilege exec level 5 clear crypto sa
line con 0
 exec-timeout 30 30
 password 7 082B434B0D0B091219
 login authentication userauthen
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 30 30
 privilege level 5
 password 7 105D1A1E
 login authentication userauthen
scheduler max-task-time 5000
Question by:lizardqueen007

Author Comment

ID: 16988493
Also, I would like to have more than 1 port static.
LVL 25

Expert Comment

by:Ron Malmstead
ID: 16988566
Access-group +list + static mapping.

>config t

access-group acl_out in interface outside
access-group acl_in in interface inside

                                                     from                                               outsideip         port
access-list acl_in permit tcp host eq 555
access-list acl_out permit tcp any any eq 555


                                             outsideip     port   insideip       port
static (inside,outside) tcp 555 555 netmask 0 0

Author Comment

ID: 16988627
Thank you I will try right now

Author Comment

ID: 16988640
This router does not recognize access-group.  
Router(config)#access-group acl_out in interface outside
% Invalid input detected at '^' marker.
LVL 10

Expert Comment

ID: 16989446
Can you do the following on the router?

no debug all

and then type show running and post the output again?

Author Comment

ID: 16990707
Yes, I can post again with "no debug all", but not for a day, because I am not at the location.
May I ask what we are looking for?
Also, their network is very simple.  All they have is a DSL connection with 4 computers.  I did not configure this thing and it seems like an unnecessarily complicated configuration.  I am considering resetting the config and starting from scratch.  Any opinions?
I asked the ISP how the router authenticates since it is PPPoE, but no username and password that I see.  He said that entering the external IP address works.  Has anyone used this before and is it a common way to configure PPPoE/DSL?
Thanks for the help
LVL 10

Expert Comment

ID: 16994099
You can have connection without username password, depending on the ISP.

We need to create a static NAT translation on the router itself. Since your configuration is not very clear, I don't want to give commands based on guessing.

Author Comment

ID: 16999895
Hi Naveedb,
I agree that this configuration is not very clear.  I am glad to hear someone else say it.  I am new to Cisco and looking at that IPsec stuff really threw me.  I was able to accomplish the task of permitting a static route for the remote admin with the following:
ip nat inside source static tcp 4000 4000 extendable
Where the inside IP of the host to be remotely administrated is and the is the outside IP.  The port number is hypothetically 4000.
I also had to add a permit tcp 4000 to the access list.
I was surprised that it worked, but sometimes I get lucky.
The documents that helped me were:
I believe that the person that originally set it up just used some stock configuration, because the client's needs are very simple and this configuration seems way too complicated.
Thank you for the help.  Any insight into what the mroute-cachesion is about, please let me know.  I cannot find it in the IOS book that I have nor in Cisco documents.  Someday this configuration will come back to haunt me, I am sure, and I will probably have to clear the config and start from scratch.
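
Added example, not part of the original thread: a small Python check for the approach described in the comment above (a static NAT port forward plus an access-list permit) that reports whether each forwarded port is reachable from any source or only from named hosts. The sample config is constructed with documentation-range placeholder addresses; ACL 102 is assumed to be the inbound list on the outside interface, as in the posted config, and rule order, deny entries and named ports are not evaluated.

```python
import re

# Constructed sample config; addresses are documentation-range placeholders,
# not values from the thread.
SAMPLE_CONFIG = """\
interface ATM0
 ip access-group 102 in
 ip nat outside
ip nat inside source static tcp 192.168.1.10 4000 203.0.113.5 4000 extendable
ip nat inside source static tcp 192.168.1.10 4001 203.0.113.5 4001 extendable
access-list 102 permit tcp any any eq 4000
access-list 102 permit tcp host 198.51.100.7 host 203.0.113.5 eq 4001
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ACL_RE = re.compile(
    r"^access-list (\d+) permit (tcp|udp) (any|host \S+|\S+ \S+) "
    r"(any|host \S+|\S+ \S+) eq (\d+)")


def audit_forwards(config, acl="102"):
    """Return one finding per static port forward: who the inbound ACL lets reach it."""
    lines = [line.strip() for line in config.splitlines()]
    rules = [m.groups() for m in map(ACL_RE.match, lines) if m]
    findings = []
    for m in filter(None, map(NAT_RE.match, lines)):
        proto, inside_ip, inside_port, outside_ip, outside_port = m.groups()
        # Permit entries in the chosen ACL that cover this protocol, port and address.
        sources = [src for num, p, src, dst, port in rules
                   if num == acl and p == proto and port == outside_port
                   and dst in ("any", "host " + outside_ip)]
        if not sources:
            status = "blocked"       # NAT entry exists but nothing permits it
        elif "any" in sources:
            status = "open-to-any"   # any Internet host can reach the admin port
        else:
            status = "restricted"    # only the listed source hosts/networks
        findings.append((proto, outside_port, inside_ip, status))
    return findings


if __name__ == "__main__":
    for finding in audit_forwards(SAMPLE_CONFIG):
        print(finding)
```

A forward reported as open-to-any is the case where the permit entry was written as `permit tcp any any eq <port>`; narrowing the source to the administrator's address moves it to restricted.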
LVL 10

Accepted Solution

naveedb earned 1500 total points
ID: 17000789
I believe the command you are referring to is

no ip mroute-cache

-sion is probably from console message or debug which was mixed in the output.

You can safely ignore this command. mroute-cache is used for multicast traffic switching, like if you will be feeding 25 workstations with video and have an infrastructure that supports multicasting, you may come across using mroute-cache, which is highly unlikely in your scenario so it is disabled on your router.


Author Comment

ID: 17003061
Hello, Naveedb,
May I ask?
1) What is, in your opinion, the best book for someone starting Cisco?  I am looking for a book that is not necessarily aimed at becoming certified, but a good, quick (if possible) book on real-world solutions to Cisco routers for someone new to Cisco devices.

LVL 10

Expert Comment

ID: 17004346
There are many areas in Cisco routers, like Routing, Switching, Security, Voice and Data etc. Which one would better describe your needs?

For very beginners, you normally start with understanding IOS commands, but with the newer routers supporting Web GUIs, it might be much easier to use these tools instead of the old command line. So, it is also a generation question in this respect.

Author Comment

ID: 17006092
I have to use command line due to generation issues as you said.
I have the IOS in a Nutshell book.  I am looking for a book that can translate Cisco terminology into more Network+ type terminology.  I suppose there is no one book, but I thought you might have a favorite for making the leap from Network+ to Cisco.
LVL 10

Expert Comment

ID: 17006488
I have used many books for my certification and later just to keep up with changing technologies, so would not recommend any one book, as in my experience two readers can have a different opinion about the same book. I would however suggest, as my teachers have, to use cisco.com for learning. It is an excellent source for training on all aspects of technology and Cisco products.

To try, just have a look at the following link, and browse through NAT. Spend some time going through the links and you will realize that it gives a lot of information (and an answer to your question too).




Question has a verified solution.
