CrossRoadCS
asked on
Cisco 800 Series Router Config NIGHTMARE!!!!!
I have been battling this problem for two weeks. I have consulted several articles, both on EE and off. We just installed a brand new Cisco 800 Series router in our small business. After laboring intensely, I was able to get the internet up with the help of a friend who knew just enough about configuring Cisco routers to get it going. But... for the life of me, I cannot get NAT, PAT, Port Forwarding, whatever you want to call it, to work. We have 5 IP cameras and 2 servers we need to be able to access from outside. The 2 servers need to be able to remote desktop, and the 5 cameras have their own software that, if (NAT, PAT, PF) works, can be accessed from outside.
The inside IPs for the devices are as follows (if it helps)
Cam 1: 192.168.1.201 Port 81
Cam 2: 192.168.1.202 Port 82
Cam 3: 192.168.1.203 Port 83
Cam 4: 192.168.1.204 Port 84
Cam 5: 192.168.1.205 Port 85
Server 1: 192.168.1.1
Server 2: 192.168.1.199
There is a firewall set up on the router, but I have (to the best of my knowledge) created rules to allow these incoming transmissions. I have also created the PAT in the NAT section (again to the best of my knowledge).
Keep in mind that everything worked on the old (piece of crap) router the ISP gave us.
ASKER
I'm not at the office so I'll try it in the morning.
But...
For parts 1 and 2, do I just enter "ip nat inside" and "ip nat outside" in the console? Or is there something that goes after? or before? I am guessing that what I need to do would be:
telnet into the router
and enter config mode
and type in the following commands
ip nat inside
ip nat outside
ip nat inside source static tcp 192.168.1.201 81 xxx.xxx.xxx.xxx 81
ip nat inside source static tcp 192.168.1.202 82 xxx.xxx.xxx.xxx 82
so on and so forth until all are entered?
This is my first Cisco router install, so forgive me for being a n00b!
Hi,
For ip nat inside and outside, you must enter them on the proper interface.
router#config t
router(config)#inter s0/1
router(config-if)#ip nat inside
and so forth.
regards,
ASKER
I did everything you said. Still nothing. I can't even remote desktop within the network!
ASKER
I'm still having a hard time understanding exactly what I need to enter. Do I go into a specific interface and then enter the port forwarding?
for example
compren#config t
compren(config)#inter bvi1 (inside interface)
compren(config-if)#ip nat inside source static tcp 192.168.1.201 81 xxx.xxx.xxx.xxx 81
so on and so forth
That is exactly how I did it, still no access!
ASKER
here's the router config if it helps!
User Access Verification
Username: compren
Password:
compren#config t
Enter configuration commands, one per line.  End with CNTL/Z.
compren(config)#inter bvi1
compren(config-if)#$de source static tcp 192.168.1.201 81 67.78.160.54 81
compren(config)#^Z
compren#show config
Using 8363 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
!
appfw policy-name SDM_MEDIUM
 application im aol
  service default action allow alarm
  service text-chat action allow alarm
  server permit name login.oscar.aol.com
  server permit name toc.oscar.aol.com
  server permit name oam-d09a.blue.aol.com
 application im msn
  service default action allow alarm
  service text-chat action allow alarm
  server permit name messenger.hotmail.com
  server permit name gateway.messenger.hotmail.com
  server permit name webmessenger.msn.com
 application http
  strict-http action allow alarm
  port-misuse im action reset alarm
  port-misuse p2p action reset alarm
  port-misuse tunneling action allow alarm
 application im yahoo
  service default action allow alarm
  service text-chat action allow alarm
  server permit name scs.msg.yahoo.com
  server permit name scsa.msg.yahoo.com
  server permit name scsb.msg.yahoo.com
  server permit name scsc.msg.yahoo.com
  server permit name scsd.msg.yahoo.com
  server permit name cs16.msg.dcn.yahoo.com
  server permit name cs19.msg.dcn.yahoo.com
  server permit name cs42.msg.dcn.yahoo.com
  server permit name cs53.msg.dcn.yahoo.com
  server permit name cs54.msg.dcn.yahoo.com
  server permit name ads1.vip.scd.yahoo.com
  server permit name radio1.launch.vip.dal.yahoo.com
  server permit name in1.msg.vip.re2.yahoo.com
  server permit name data1.my.vip.sc5.yahoo.com
  server permit name address1.pim.vip.mud.yahoo.com
  server permit name edit.messenger.yahoo.com
  server permit name messenger.yahoo.com
  server permit name http.pager.yahoo.com
  server permit name privacy.yahoo.com
  server permit name csa.yahoo.com
  server permit name csb.yahoo.com
  server permit name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3102.cer
username compren privilege 15 secret 5 $1$x5Ly$abpH9q73EK82MAfvAmqeQ.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address 67.78.160.54 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 037A64E3F29E74516AFA864565 transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 67.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny  ip 67.78.160.0 0.0.0.255 any
access-list 101 deny  ip host 255.255.255.255 any
access-list 101 deny  ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Remote Desk
access-list 102 permit udp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Remote Desk
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 102 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 102 deny  ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 67.78.160.54 echo-reply
access-list 102 permit icmp any host 67.78.160.54 time-exceeded
access-list 102 permit icmp any host 67.78.160.54 unreachable
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq cmd
access-list 102 permit udp any any eq rip
access-list 102 permit ip any host 224.0.0.9
access-list 102 deny  ip 10.0.0.0 0.255.255.255 any
access-list 102 deny  ip 172.16.0.0 0.15.255.255 any
access-list 102 deny  ip 192.168.0.0 0.0.255.255 any
access-list 102 deny  ip 127.0.0.0 0.255.255.255 any
access-list 102 deny  ip host 255.255.255.255 any
access-list 102 deny  ip host 0.0.0.0 any
access-list 102 deny  ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
compren#
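An added example, not part of the thread or the asker's post: a Python check that replays an inbound connection through the ACL applied on the NAT outside interface for each static forward in the config above. IOS checks an inbound ACL before it translates the destination, so the probe targets the global address and port; the embedded config is an excerpt constructed from the posted one, and the client address and source port are assumed values.

```python
import ipaddress
import re

# Constructed excerpt of the first posted config: only the lines that decide
# whether a forwarded port is reachable from outside.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 67.78.160.54 255.255.255.0
 ip access-group 102 in
 ip nat outside
ip nat inside source static tcp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip any any log
"""

ADDR = r"(any|host \S+|\d\S* \d\S*)"
ACE_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) "
                    + ADDR + r"(?: eq (\S+))? " + ADDR + r"(?: eq (\S+))?")
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
                    r"(?:interface (\S+)|(\S+)) (\d+)")
NAT_KEYS = ("proto", "lip", "lport", "gif", "gip", "gport")

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def spec(text):
    """'any' | 'host A' | 'A W' -> (base, wildcard) as integers."""
    p = text.split()
    if p[0] == "any":
        return (0, 0xFFFFFFFF)
    return (ip_int(p[1]), 0) if p[0] == "host" else (ip_int(p[0]), ip_int(p[1]))

def parse_config(text):
    """Extract interfaces, static port forwards and extended ACL entries."""
    ifaces, statics, acls, cur = {}, [], {}, None
    for raw in text.splitlines():
        tok, line = raw.split(), " ".join(raw.split())
        if raw.startswith(" "):                  # sub-command of the open section
            if cur is not None and len(tok) > 2 and tok[0] == "ip":
                if tok[1] in ("address", "nat"):
                    cur[tok[1]] = tok[2]
                elif tok[1] == "access-group" and tok[-1] == "in":
                    cur["acl_in"] = tok[2]
            continue
        is_if = len(tok) == 2 and tok[0] == "interface"
        cur = ifaces.setdefault(tok[1], {}) if is_if else None
        nat, ace = NAT_RE.match(line), ACE_RE.match(line)
        if nat:
            statics.append(dict(zip(NAT_KEYS, nat.groups())))
        elif ace:
            num, action, proto, src, sport, dst, dport = ace.groups()
            acls.setdefault(num, []).append({
                "text": line, "action": action, "proto": proto,
                "src": spec(src), "sport": sport, "dst": spec(dst), "dport": dport})
    return ifaces, statics, acls

def addr_match(entry, addr):
    base, wild = entry
    care = ~wild & 0xFFFFFFFF                    # wildcard 1-bits are "don't care"
    return (ip_int(addr) & care) == (base & care)

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation; returns (action, text of the matching entry)."""
    for ace in acl:
        if (ace["proto"] in ("ip", proto)
                and addr_match(ace["src"], src) and addr_match(ace["dst"], dst)
                and ace["sport"] in (None, str(sport))
                and ace["dport"] in (None, str(dport))):
            return ace["action"], ace["text"]
    return "deny", "(implicit deny)"

def audit_forwards(text, client="203.0.113.10", cport=50000):
    """Probe every static forward with the packet as it arrives, before
    translation: the destination is the global address and port."""
    ifaces, statics, acls = parse_config(text)
    outside = next(i for i in ifaces.values() if i.get("nat") == "outside")
    acl_id = outside.get("acl_in")
    report = []
    for s in statics:
        gip = ifaces[s["gif"]]["address"] if s["gif"] else s["gip"]
        action, hit = (evaluate(acls[acl_id], s["proto"], client, cport, gip, s["gport"])
                       if acl_id in acls else ("permit", "(no inbound ACL entries)"))
        # Permits aimed at the inside-local address never see the arriving packet.
        stale = [a["text"] for a in acls.get(acl_id, [])
                 if a["action"] == "permit" and a["dst"] == (ip_int(s["lip"]), 0)]
        fix = None if action == "permit" else (
            f"access-list {acl_id} permit {s['proto']} any host {gip} eq {s['gport']}")
        report.append({"forward": f"{s['proto']}/{s['gport']} -> {s['lip']}:{s['lport']}",
                       "action": action, "matched": hit, "stale": stale, "fix": fix})
    return report

if __name__ == "__main__":
    for r in audit_forwards(SAMPLE_CONFIG):
        print(r["forward"], r["action"], r["matched"], r["stale"], r["fix"], sep=" | ")
```

An `access-list 102 ...` line typed at the global prompt is appended after `deny ip any any log`, where it never matches, so the suggested entry has to go in above the deny entries. Replacing `any` in the suggested entry with the networks remote users connect from narrows the exposure of RDP and the cameras.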
ASKER
I said to HELL with it and reset the router to factory and started over. I only put in all the basic settings to get online and set up wireless. No firewall. NAT configured exactly as you showed me. So here is the new router config:
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
User Access Verification
Username: compren
Password:
compren#show config
Using 9051 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3102.cer
username compren privilege 15 secret 5 $1$x5Ly$abpH9q73EK82MAfvAmqeQ.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 67.78.160.54 255.255.255.0
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 037A64E3F29E74516AFA864565 transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 67.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81 extendable
ip nat inside source static tcp 192.168.1.202 82 67.78.160.54 82 extendable
ip nat inside source static tcp 192.168.1.203 83 67.78.160.54 83 extendable
ip nat inside source static tcp 192.168.1.204 84 67.78.160.54 84 extendable
ip nat inside source static tcp 192.168.1.206 86 67.78.160.54 86 extendable
ip nat inside source static tcp 192.168.1.2 3389 67.78.160.54 3389 extendable
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq 3389 any eq 3389
access-list 101 deny  ip 67.78.160.0 0.0.0.255 any
access-list 101 deny  ip host 255.255.255.255 any
access-list 101 deny  ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Remote Desk
access-list 102 permit udp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Remote Desk
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 102 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 102 deny  ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 67.78.160.54 echo-reply
access-list 102 permit icmp any host 67.78.160.54 time-exceeded
access-list 102 permit icmp any host 67.78.160.54 unreachable
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq cmd
access-list 102 permit udp any any eq rip
access-list 102 permit ip any host 224.0.0.9
access-list 102 deny  ip 10.0.0.0 0.255.255.255 any
access-list 102 deny  ip 172.16.0.0 0.15.255.255 any
access-list 102 deny  ip 192.168.0.0 0.0.255.255 any
access-list 102 deny  ip 127.0.0.0 0.255.255.255 any
access-list 102 deny  ip host 255.255.255.255 any
access-list 102 deny  ip host 0.0.0.0 any
access-list 102 deny  ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any eq 81 any eq 81
access-list 103 deny  ip 67.78.160.0 0.0.0.255 any
access-list 103 deny  ip host 255.255.255.255 any
access-list 103 deny  ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 67.78.160.54 eq 81
access-list 104 permit tcp any host 67.78.160.54 eq 3389
access-list 104 permit udp any host 67.78.160.54 eq 3389
access-list 104 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 104 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 104 deny  ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any host 67.78.160.54 echo-reply
access-list 104 permit icmp any host 67.78.160.54 time-exceeded
access-list 104 permit icmp any host 67.78.160.54 unreachable
access-list 104 permit udp any any eq rip
access-list 104 permit ip any host 224.0.0.9
access-list 104 deny  ip 10.0.0.0 0.255.255.255 any
access-list 104 deny  ip 172.16.0.0 0.15.255.255 any
access-list 104 deny  ip 192.168.0.0 0.0.255.255 any
access-list 104 deny  ip 127.0.0.0 0.255.255.255 any
access-list 104 deny  ip host 255.255.255.255 any
access-list 104 deny  ip host 0.0.0.0 any
access-list 104 deny  ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq 81 any eq 81
access-list 105 permit tcp any host 67.78.160.54 eq 81
access-list 105 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 105 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 105 deny  ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any host 67.78.160.54 echo-reply
access-list 105 permit icmp any host 67.78.160.54 time-exceeded
access-list 105 permit icmp any host 67.78.160.54 unreachable
access-list 105 permit udp any any eq rip
access-list 105 permit ip any host 224.0.0.9
access-list 105 deny  ip 10.0.0.0 0.255.255.255 any
access-list 105 deny  ip 172.16.0.0 0.15.255.255 any
access-list 105 deny  ip 192.168.0.0 0.0.255.255 any
access-list 105 deny  ip 127.0.0.0 0.255.255.255 any
access-list 105 deny  ip host 255.255.255.255 any
access-list 105 deny  ip host 0.0.0.0 any
access-list 105 deny  ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end
compren#
ASKER
OOPS! That's the old one again! Here's the new one!
Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
User Access Verification
Username: compren
Password:
compren#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
compren(config)#$de source static tcp 192.168.1.201 81 67.78.160.54 81
compren(config)#^Z
compren#show config
Using 3708 out of 131072 bytes
!
! Last configuration change at 15:42:55 PCTime Sat Oct 6 2007 by compren
! NVRAM config last updated at 15:42:55 PCTime Sat Oct 6 2007 by compren
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9H0H$n6eIywz7T5q2JJwsao oZ.0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
!
!
ip cef
ip tcp synwait-time 10
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3104.cer
username compren privilege 15 secret 5 $1$KJrH$vlukdskqrA4RnpU0Jk E.1/
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 67.78.160.54 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 70591870E5FFAD66525B3C8A37 4D transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
  authentication open
  guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.206 86 interface FastEthernet4 86
ip nat inside source static tcp 192.168.1.204 84 interface FastEthernet4 84
ip nat inside source static tcp 192.168.1.203 83 interface FastEthernet4 83
ip nat inside source static tcp 192.168.1.202 82 interface FastEthernet4 82
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
compren#
Hi,
The last config looks OK. What are you getting now? The old one had an access list, and that could have been the cause of failure. Are you able to use remote desktop within the network at least?
regards,
ASKER
I still cannot connect! To either the cams or the servers. I can telnet into the router from outside. But that is about it. I am so lost it's not funny!
Hi,
Can you please confirm that you're able to NAT from inside to outside first?
regards,
ASKER
how?
You need to ping from the router to www.yahoo.com or any other site using the inside interface.
Just write ping and press enter; it will ask you questions, and one of them will be the interface that you want as your source interface.
ASKER
I did what you said and it does ping successfully. But it never asked for an interface.
compren#ping
Protocol [ip]:
Target IP address: www.yahoo.com
Translating "www.yahoo.com"...domain server (65.32.1.65) [OK]
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
compren#
Here's a thought. I have created the PATs like this:
ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81
Should I create ones that are opposite? I'm just thinking maybe it's getting in but not getting out? But that wouldn't make sense. The router guide says incoming packets after NATing will go back to the source without having to make it so.
Hi,
When doing ping, you need to say yes for the following option: Extended commands [n]:
regards,
ASKER
I did what you said and specified the inside interface BVI1. Here is the terminal:
Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!
User Access Verification
Username: compren
Password:
compren#ping
Protocol [ip]:
Target IP address: www.yahoo.com
Translating "www.yahoo.com"...domain server (65.32.1.65) [OK]
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: bvi1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/52 ms
compren#
OK, this means that NATing is fine from inside to outside.
As for PAT, I can't see the mistake.
Hi,
The commands for creating the port forwarding are as follows:
1- configure the outside interface: ip nat outside
2- configure the inside interface: ip nat inside
3- configure port forwarding as follows: ip nat inside source static tcp 192.168.1.201 81 <external interface ip> 81
Repeat all that for all cameras.
regards,
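
The port-forwarding steps above and the earlier remark that the old access list could have caused the failure can be checked together. This is an added example, not code from any post in this thread: it replays a new inbound connection to each static PAT entry against ACL 102 and ACL 104 from the old config. Assumptions: the ACL is applied inbound on the outside interface, IOS evaluates it before translating the destination, the client 203.0.113.10:51515 is constructed, and all function names are illustrative.

```python
import re
from ipaddress import ip_address

# Constructed sample: lines copied from the configs posted in this thread.
# Assumption: the ACL under test is applied inbound on the outside interface.
CONFIG = """\
ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81 extendable
ip nat inside source static tcp 192.168.1.2 3389 67.78.160.54 3389 extendable
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 deny   ip any any log
access-list 104 permit tcp any host 67.78.160.54 eq 81
access-list 104 permit tcp any host 67.78.160.54 eq 3389
access-list 104 deny   ip any any log
"""

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' into ((base, wildcard), next_i)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ip_address(tok[i + 1])), 0), i + 2
    return (int(ip_address(tok[i])), int(ip_address(tok[i + 1]))), i + 2

def _port(tok, i):
    """Parse an optional 'eq N' (numeric ports only) into (port, next_i)."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i

def _hit(rule, ip):
    base, wild = rule  # bits set in the wildcard are "don't care"
    return (int(ip_address(ip)) | wild) == (base | wild)

def parse_acl(config, number):
    """Return the ordered entries of one numbered extended ACL."""
    aces = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, i = _port(tok, i)
        aces.append((tok[2], tok[3], src, sport, dst, dport))
    return aces

def evaluate(aces, proto, src, sport, dst, dport):
    """First-match evaluation; falls through to the implicit deny."""
    for action, p, s, sp, d, dp in aces:
        if (p in ("ip", proto) and _hit(s, src) and _hit(d, dst)
                and sp in (None, sport) and dp in (None, dport)):
            return action
    return "deny"

def static_pats(config):
    """Return (proto, global_ip, global_port); only IP-form globals are parsed."""
    pat = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ (\S+) (\d+)")
    return [(m[1], m[2], int(m[3])) for m in pat.finditer(config)]

def audit(config, acl, client="203.0.113.10", client_port=51515):
    """ACL verdict for a new outside connection to each forwarded global ip:port."""
    # The packet targets the global address from an ephemeral source port,
    # because the inbound ACL runs before NAT rewrites the destination.
    aces = parse_acl(config, acl)
    return {f"{g}:{gp}": evaluate(aces, proto, client, client_port, g, gp)
            for proto, g, gp in static_pats(config)}

if __name__ == "__main__":
    print({n: audit(CONFIG, n) for n in (102, 104)})
```

Against ACL 102 both forwards fall through to the final deny, because its permit lines match source port 81 or 3389 and the inside addresses. ACL 104 matches the global address and destination port, so both forwards are permitted.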