CrossRoadCS

Cisco 800 Series Router Config NIGHTMARE!!!!!

I have been battling this problem for two weeks. I have consulted several articles, both on EE and off. We just installed a brand new Cisco 800 Series router in our small business. After laboring intensely, I was able to get the internet up with the help of a friend who knew just enough about configuring Cisco routers to get it going. But... for the life of me, I cannot get NAT, PAT, Port Forwarding, whatever you want to call it, to work. We have 5 IP cameras and 2 Servers we need to be able to access from outside. The 2 Servers need to be able to remote desktop, and the 5 cameras have their own software that, if (NAT, PAT, PF) works, can be accessed from outside.

The inside IPs for the devices are as follows (if it helps):
Cam 1:  192.168.1.201  Port 81
Cam 2:  192.168.1.202  Port 82
Cam 3:  192.168.1.203  Port 83
Cam 4:  192.168.1.204  Port 84
Cam 5:  192.168.1.205  Port 85
Server 1:  192.168.1.1
Server 2:  192.168.1.199

There is a firewall set up on the router, but I have (to the best of my knowledge) created rules to allow these incoming transmissions. I have also created the PAT in the NAT section (again to the best of my knowledge).

Keep in mind that everything worked on the old (piece of crap) router the ISP gave us.
adnanmig


Hi,

The commands for creating the port forwarding are as follows:
1- configure the outside interface: ip nat outside
2- configure the inside interface: ip nat inside
3- configure port forwarding as follows: ip nat inside source static tcp 192.168.1.201 81 <external interface ip> 81
Repeat all that for all cameras.

regards,

ASKER

I'm not at the office so I'll try it in the morning.

But...

For parts 1 and 2, do I just enter "ip nat inside" and "ip nat outside" in the console? Or is there something that goes after, or before? I am guessing that what I need to do would be:

telnet into the router

and enter config mode

and type in the following commands

ip nat inside
ip nat outside
ip nat inside source static tcp 192.168.1.201 81 xxx.xxx.xxx.xxx 81
ip nat inside source static tcp 192.168.1.202 82 xxx.xxx.xxx.xxx 82

so on and so forth until all are entered?

This is my first Cisco router install, so forgive me for being a n00b!

Hi,

For ip nat inside and outside, you must enter them on the proper interface.
router#config t
router(config)#inter s0/1
router(config-int)#ip nat inside
and so forth.

regards,
I did everything you said. Still nothing. I can't even remote desktop within the network!
I'm still having a hard time understanding exactly what I need to enter. Do I go into a specific interface and then enter the port forwarding?

for example

compren#config t
compren(config)#inter bvi1   (inside interface)
compren(config-if)#ip nat inside source static tcp 192.168.1.201 81 xxx.xxx.xxx.xxx 81

so on and so forth

That is exactly how I did it, still no access!
Here's the router config if it helps!


User Access Verification

Username: compren
Password:
compren#config t
Enter configuration commands, one per line.  End with CNTL/Z.
compren(config)#inter bvi1
compren(config-if)#$de source static tcp 192.168.1.201 81 67.78.160.54 81
compren(config)#^Z
compren#show config
Using 8363 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3102.cer
username compren privilege 15 secret 5 $1$x5Ly$abpH9q73EK82MAfvAmqeQ.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address 67.78.160.54 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 037A64E3F29E74516AFA864565 transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 67.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 67.78.160.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Remote Desk
access-list 102 permit udp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Remote Desk
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 102 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 67.78.160.54 echo-reply
access-list 102 permit icmp any host 67.78.160.54 time-exceeded
access-list 102 permit icmp any host 67.78.160.54 unreachable
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq cmd
access-list 102 permit udp any any eq rip
access-list 102 permit ip any host 224.0.0.9
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

compren#
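An added example, not part of this thread or the router's own output: a small Python model of the IOS order of operations for packets arriving on the `ip nat outside` interface, where the inbound access-group is evaluated on the packet as received (WAN destination address, client's ephemeral source port) and only then is the static NAT entry applied. Run against constructed excerpts of the config above, it shows why `access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81` can never match an outside client, while the `permit tcp any host 67.78.160.54 eq 81` form the asker later uses in ACL 104 does. The outside client address 203.0.113.10 and its source port are assumptions.

```python
# Added example: models Cisco IOS order of operations for packets entering the
# 'ip nat outside' interface (inbound ACL first, on pre-NAT addresses; then static NAT).
import ipaddress
import re
from collections import namedtuple

WAN_IP = "67.78.160.54"
PORT_NAMES = {"domain": 53, "rip": 520, "cmd": 514, "www": 80}  # IOS keywords seen in the configs
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface \S+|(\S+)) (\d+)")
Rule = namedtuple("Rule", "action proto src sport dst dport")

def _addr(tok):
    """Consume one IOS address spec: 'any', 'host A' or 'A wildcard' (inverted mask)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    return ipaddress.ip_network((tok[0], tok[1]), strict=False), tok[2:]  # hostmask form

def _eq_port(tok):
    """Consume an optional 'eq <port>' qualifier; port may be a number or an IOS keyword."""
    if tok and tok[0] == "eq":
        return (int(tok[1]) if tok[1].isdigit() else PORT_NAMES[tok[1]]), tok[2:]
    return None, tok

def parse_acl(lines, number):
    """Permit/deny entries of one numbered extended ACL, in order; remarks are skipped."""
    rules = []
    for line in lines:
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        src, rest = _addr(tok[4:])
        sport, rest = _eq_port(rest)
        dst, rest = _addr(rest)
        dport, _ = _eq_port(rest)  # trailing 'log' or ICMP type keywords are ignored here
        rules.append(Rule(tok[2], tok[3], src, sport, dst, dport))
    return rules

def parse_static_nat(lines, wan_ip):
    """Map (proto, global ip, global port) -> (inside ip, inside port); handles both the
    'interface FastEthernet4' form and the explicit-address form used in the thread."""
    table = {}
    for m in filter(None, map(NAT_RE.search, lines)):
        proto, iip, iport, gip, gport = m.groups()
        table[(proto, gip or wan_ip, int(gport))] = (iip, int(iport))
    return table

def acl_verdict(rules, proto, src_ip, sport, dst_ip, dport):
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("ip", proto) and s in r.src and d in r.dst
                and r.sport in (None, sport) and r.dport in (None, dport)):
            return r.action
    return "deny"

def inbound_from_outside(rules, nat, proto, src_ip, sport, dst_ip, dport):
    """Outside -> inside: the inbound ACL sees the WAN address, then NAT translates it."""
    if acl_verdict(rules, proto, src_ip, sport, dst_ip, dport) != "permit":
        return "dropped-by-acl", None
    target = nat.get((proto, dst_ip, dport))
    return ("forwarded", target) if target else ("no-translation", None)

# Constructed excerpt of the first posted config: ACL 102 (applied 'in' on Fa4) plus its NAT entry.
ORIGINAL = """
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any log
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
""".splitlines()

# Same intent written for the pre-NAT destination, as in the asker's later ACL 104 line.
CORRECTED = """
access-list 104 permit tcp any host 67.78.160.54 eq 81
access-list 104 deny   ip any any log
ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81 extendable
""".splitlines()

def check(config, acl_number):
    """Outcome for a constructed outside client (203.0.113.10, ephemeral port) hitting WAN:81."""
    rules, nat = parse_acl(config, acl_number), parse_static_nat(config, WAN_IP)
    return inbound_from_outside(rules, nat, "tcp", "203.0.113.10", 51234, WAN_IP, 81)
```

`check(ORIGINAL, 102)` reports the packet dropped by the ACL before NAT is consulted; `check(CORRECTED, 104)` reports it forwarded to 192.168.1.201:81.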
I said to HELL with it and reset the router to factory and started over. I only put in all the basic settings to get online and set up wireless. No firewall. NAT configured exactly as you showed me. So here is the new router config:


-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------


User Access Verification

Username: compren
Password:
compren#show config
Using 9051 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3102.cer
username compren privilege 15 secret 5 $1$x5Ly$abpH9q73EK82MAfvAmqeQ.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 67.78.160.54 255.255.255.0
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 037A64E3F29E74516AFA864565 transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 67.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81 extendable
ip nat inside source static tcp 192.168.1.202 82 67.78.160.54 82 extendable
ip nat inside source static tcp 192.168.1.203 83 67.78.160.54 83 extendable
ip nat inside source static tcp 192.168.1.204 84 67.78.160.54 84 extendable
ip nat inside source static tcp 192.168.1.206 86 67.78.160.54 86 extendable
ip nat inside source static tcp 192.168.1.2 3389 67.78.160.54 3389 extendable
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq 3389 any eq 3389
access-list 101 deny   ip 67.78.160.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Remote Desk
access-list 102 permit udp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Remote Desk
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 102 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 67.78.160.54 echo-reply
access-list 102 permit icmp any host 67.78.160.54 time-exceeded
access-list 102 permit icmp any host 67.78.160.54 unreachable
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq cmd
access-list 102 permit udp any any eq rip
access-list 102 permit ip any host 224.0.0.9
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any eq 81 any eq 81
access-list 103 deny   ip 67.78.160.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 67.78.160.54 eq 81
access-list 104 permit tcp any host 67.78.160.54 eq 3389
access-list 104 permit udp any host 67.78.160.54 eq 3389
access-list 104 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 104 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any host 67.78.160.54 echo-reply
access-list 104 permit icmp any host 67.78.160.54 time-exceeded
access-list 104 permit icmp any host 67.78.160.54 unreachable
access-list 104 permit udp any any eq rip
access-list 104 permit ip any host 224.0.0.9
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq 81 any eq 81
access-list 105 permit tcp any host 67.78.160.54 eq 81
access-list 105 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 105 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any host 67.78.160.54 echo-reply
access-list 105 permit icmp any host 67.78.160.54 time-exceeded
access-list 105 permit icmp any host 67.78.160.54 unreachable
access-list 105 permit udp any any eq rip
access-list 105 permit ip any host 224.0.0.9
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

compren#
OOPS! That's the old one again! Here's the new one!

Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: compren
Password:
compren#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
compren(config)#$de source static tcp 192.168.1.201 81 67.78.160.54 81
compren(config)#^Z
compren#show config
Using 3708 out of 131072 bytes
!
! Last configuration change at 15:42:55 PCTime Sat Oct 6 2007 by compren
! NVRAM config last updated at 15:42:55 PCTime Sat Oct 6 2007 by compren
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9H0H$n6eIywz7T5q2JJwsaooZ.0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
!
!
ip cef
ip tcp synwait-time 10
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3104.cer
username compren privilege 15 secret 5 $1$KJrH$vlukdskqrA4RnpU0JkE.1/
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 67.78.160.54 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 70591870E5FFAD66525B3C8A374D transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.206 86 interface FastEthernet4 86
ip nat inside source static tcp 192.168.1.204 84 interface FastEthernet4 84
ip nat inside source static tcp 192.168.1.203 83 interface FastEthernet4 83
ip nat inside source static tcp 192.168.1.202 82 interface FastEthernet4 82
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

compren#

Hi,

The last config looks OK. What are you getting now? The old one had an access list and that could have been the cause of failure. Are you able to use remote desktop within the network at least?

regards,
I still cannot connect! To either the cams or the servers. I can telnet into the router from outside. But that is about it. I am so lost it's not funny!

Hi,

Can you please confirm that you're able to NAT from inside to outside first?

regards,
How?

You need to ping from the router to www.yahoo.com or any other site using the inside interface:
Just type ping and press Enter; it will ask you questions, and one of them will be the interface that you want as your source interface.
I did what you said and it does ping successfully. But it never asked for an interface.

compren#ping
Protocol [ip]:
Target IP address: www.yahoo.com
Translating "www.yahoo.com"...domain server (65.32.1.65) [OK]

Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
compren#



Here's a thought.  I have created the PATs like this

ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81


Should I create ones that are opposite? I'm just thinking maybe it's getting in but not getting out? But that wouldn't make sense. The router guide says incoming packets after NATing will go back to the source without having to make it so.

Hi,

When doing ping, you need to say yes for the following option: Extended commands [n]:

regards,
I did what you said and specified the inside interface BVI1. Here is the terminal:

Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: compren
Password:
compren#ping
Protocol [ip]:
Target IP address: www.yahoo.com
Translating "www.yahoo.com"...domain server (65.32.1.65) [OK]

Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: bvi1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/52 ms
compren#

O.K., this means that NATting is fine from inside to outside.

As for PAT, I can't see the mistake.