Link to home
Create AccountLog in
Avatar of CrossRoadCS
CrossRoadCS

asked on

Cisco 800 Series Router Config NIGHTMARE!!!!!

I have been battleling this problem for two weeks.  I have consulted sevral articles, both on EE and off.  We just installed a brand new Cisco 800 Series router in our small business.  After laboring intensly, I was able to get the internet up with the help of a friend who knew just enough about configuring Cisco routers to get it going.  But...  for the life of me, I cannot get NAT, PAT Port Forwarding, whatever you want to call it, to work.  We have 5 IP cameras and 2 Servers we need to be able to access from outside.  The 2 Servers need to be able to remote desktop, and the 5 cameras have there own software that if (NAT, PAT, PF) works, can be accessed from outside.  

The inside IP's for the devices are as follows (if it helps)
Cam 1:  192.168.1.201  Port 81
Cam 2:  192.168.1.202  Port 82
Cam 3:  192.168.1.203  Port 83
Cam 4:  192.168.1.204  Port 84
Cam 5:  192.168.1.205  Port 85
Server 1:  192.168.1.1
Server 2:  192.168.1.199

There is firewall set up on the router, but I have (to the best of my knowledge) created rules to allow these incoming transmissions.  I have also created the PAT in the NAT section (again to the best of my knowledge).

Keep in mind that everything worked on the old (piece of crap) router the ISP gave us.
Avatar of adnanmig
adnanmig


Hi,

the commands for creating the port forwarding is as follows:
1- configure the outside interface: ip nat outside
2- configure the inside interface: ip nat inside
3- configure port forwarding as follows: ip nat inside source static  tcp 192.168.1.201 81 <external interface ip> 81
repeat all that for all cameras.

regards,
Avatar of CrossRoadCS

ASKER

I'm not at the office so I'll try it in the morning.

But...

For parts 1 and 2, do I just enter "ip nat inside" and "ip nat outside" in the console?  Or is there something that goes after? or before?  I am guessing that what I need to do would be:

telnet into the router

and enter config mode

and type in the following commands

ip nat inside
ip nat outside
ip nat inside source static tcp 192.168.1.201 81 xxx.xxx.xxx.xxx 81
ip nat inside source static tcp 192.168.1.202 82 xxx.xxx.xxx.xxx 82

so on and so forth until all are entered?

This is my first Cisco router install, so forgive me for being a n00b!

hi,

for ip nat inside and outside, you must enter them on the proper interface.
router#config t
router(config)#inter s0/1
router(config-int)#ip nat inside
and so forth.

regards,
I did everything you said.  Still nothing.  I can't even remote desktop within the network!
I'm still having a hard time understanding exactly what i need to enter.  Do i go into a specific interface and then enter the port forwarding.

for example

compren#config t
compren(config)#inter bvi1   (inside interface)
conpren(config-if)#ip nat inside source static tcp 192.168.1.201 81 xxx.xxx.xxx.xxx 81

so on and so forth

that is exactly how I did it still no access!
here's the router config if it helps!


User Access Verification

Username: compren
Password:
compren#config t
Enter configuration commands, one per line.  End with CNTL/Z.
compren(config)#inter bvi1
compren(config-if)#$de source static tcp 192.168.1.201 81 67.78.160.54 81
compren(config)#^Z
compren#show config
Using 8363 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
!
appfw policy-name SDM_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3102.cer
username compren privilege 15 secret 5 $1$x5Ly$abpH9q73EK82MAfvAmqeQ.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address 67.78.160.54 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 ip inspect SDM_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 037A64E3F29E74516AFA864565 transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 67.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.1 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 67.78.160.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Remote Desk
access-list 102 permit udp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Remote Desk
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 102 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 67.78.160.54 echo-reply
access-list 102 permit icmp any host 67.78.160.54 time-exceeded
access-list 102 permit icmp any host 67.78.160.54 unreachable
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq cmd
access-list 102 permit udp any any eq rip
access-list 102 permit ip any host 224.0.0.9
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

compren#
I said to HELL with it and reset the router to factory and started over.  I only put in all the basic settings to get online and setup wireless.  no firewall.  nat configured exactly as you showed me.  so here is the new router config:


-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------


User Access Verification

Username: compren
Password:
compren#show config
Using 9051 out of 131072 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
ip subnet-zero
!
!
ip cef
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3102.cer
username compren privilege 15 secret 5 $1$x5Ly$abpH9q73EK82MAfvAmqeQ.
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 67.78.160.54 255.255.255.0
 ip verify unicast reverse-path
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 0 037A64E3F29E74516AFA864565 transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 67.0.0.0
 network 192.168.1.0
 no auto-summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81 extendable
ip nat inside source static tcp 192.168.1.202 82 67.78.160.54 82 extendable
ip nat inside source static tcp 192.168.1.203 83 67.78.160.54 83 extendable
ip nat inside source static tcp 192.168.1.204 84 67.78.160.54 84 extendable
ip nat inside source static tcp 192.168.1.206 86 67.78.160.54 86 extendable
ip nat inside source static tcp 192.168.1.2 3389 67.78.160.54 3389 extendable
!
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any eq 3389 any eq 3389
access-list 101 deny   ip 67.78.160.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 remark Remote Desk
access-list 102 permit udp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Remote Desk
access-list 102 permit tcp any eq 3389 host 192.168.1.1 eq 3389
access-list 102 remark Cam1
access-list 102 permit tcp any eq 81 host 192.168.1.201 eq 81
access-list 102 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 102 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 67.78.160.54 echo-reply
access-list 102 permit icmp any host 67.78.160.54 time-exceeded
access-list 102 permit icmp any host 67.78.160.54 unreachable
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 443
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq 22
access-list 102 permit tcp 192.168.1.0 0.0.0.255 host 67.78.160.54 eq cmd
access-list 102 permit udp any any eq rip
access-list 102 permit ip any host 224.0.0.9
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any eq 81 any eq 81
access-list 103 deny   ip 67.78.160.0 0.0.0.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit tcp any host 67.78.160.54 eq 81
access-list 104 permit tcp any host 67.78.160.54 eq 3389
access-list 104 permit udp any host 67.78.160.54 eq 3389
access-list 104 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 104 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 104 deny   ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any host 67.78.160.54 echo-reply
access-list 104 permit icmp any host 67.78.160.54 time-exceeded
access-list 104 permit icmp any host 67.78.160.54 unreachable
access-list 104 permit udp any any eq rip
access-list 104 permit ip any host 224.0.0.9
access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
access-list 104 deny   ip host 255.255.255.255 any
access-list 104 deny   ip host 0.0.0.0 any
access-list 104 deny   ip any any log
access-list 105 remark auto generated by SDM firewall configuration
access-list 105 remark SDM_ACL Category=1
access-list 105 permit tcp any eq 81 any eq 81
access-list 105 permit tcp any host 67.78.160.54 eq 81
access-list 105 permit udp host 65.32.1.70 eq domain host 67.78.160.54
access-list 105 permit udp host 65.32.1.65 eq domain host 67.78.160.54
access-list 105 deny   ip 192.168.1.0 0.0.0.255 any
access-list 105 permit icmp any host 67.78.160.54 echo-reply
access-list 105 permit icmp any host 67.78.160.54 time-exceeded
access-list 105 permit icmp any host 67.78.160.54 unreachable
access-list 105 permit udp any any eq rip
access-list 105 permit ip any host 224.0.0.9
access-list 105 deny   ip 10.0.0.0 0.255.255.255 any
access-list 105 deny   ip 172.16.0.0 0.15.255.255 any
access-list 105 deny   ip 192.168.0.0 0.0.255.255 any
access-list 105 deny   ip 127.0.0.0 0.255.255.255 any
access-list 105 deny   ip host 255.255.255.255 any
access-list 105 deny   ip host 0.0.0.0 any
access-list 105 deny   ip any any log
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege le
vel of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use
.

For more information about SDM please follow the instructions in the QUICK START

GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

compren#
OOPS!  Thats the old one again!  Here's the new one!

Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: compren
Password:
compren#config
Configuring from terminal, memory, or network [terminal]? t
Enter configuration commands, one per line.  End with CNTL/Z.
compren(config)#$de source static tcp 192.168.1.201 81 67.78.160.54 81
compren(config)#^Z
compren#show config
Using 3708 out of 131072 bytes
!
! Last configuration change at 15:42:55 PCTime Sat Oct 6 2007 by compren
! NVRAM config last updated at 15:42:55 PCTime Sat Oct 6 2007 by compren
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname compren
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$9H0H$n6eIywz7T5q2JJwsaooZ.0
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
!
!
ip cef
ip tcp synwait-time 10
ip domain name compren.local
ip name-server 65.32.1.65
ip name-server 65.32.1.70
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-636156691
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-636156691
 revocation-check none
 rsakeypair TP-self-signed-636156691
!
!
crypto pki certificate chain TP-self-signed-636156691
 certificate self-signed 01 nvram:IOS-Self-Sig#3104.cer
username compren privilege 15 secret 5 $1$KJrH$vlukdskqrA4RnpU0JkE.1/
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 67.78.160.54 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 128bit 7 70591870E5FFAD66525B3C8A374D transmit-key
 encryption mode wep mandatory
 !
 ssid Mine
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip classless
ip route 0.0.0.0 0.0.0.0 67.78.160.53
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.206 86 interface FastEthernet4 86
ip nat inside source static tcp 192.168.1.204 84 interface FastEthernet4 84
ip nat inside source static tcp 192.168.1.203 83 interface FastEthernet4 83
ip nat inside source static tcp 192.168.1.202 82 interface FastEthernet4 82
ip nat inside source static tcp 192.168.1.201 81 interface FastEthernet4 81
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

compren#

Hi,

the last config looks ok. what are you getting now? the old one had an access list and that could have been the cause of failure. are you able to use remote desktop within the network at least?

regards,
I still cannot connect!  To either the cams or the servers.  I can telnet into the router from outside.  But that is about it.  I am so lost it's not funny!  

Hi,

can you please confirm that your able to nat from inside to outside first?

regards,
how?

you need to ping from the router to www.yahoo.com or any other site using the inside interface:
just write ping and press enter, it will ask you questions and one of them will be the interface that you want as your source interface.
I did what you said and it does ping succesfully.  But it never asked for an interface.

compren#ping
Protocol [ip]:
Target IP address: www.yahoo.com
Translating "www.yahoo.com"...domain server (65.32.1.65) [OK]

Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/44/48 ms
compren#



Here's a thought.  I have created the PATs like this

ip nat inside source static tcp 192.168.1.201 81 67.78.160.54 81


should I create ones that are opposite?  Im just thinking maybe it's getting in but not getting out?  But that wouldn't make sense.  The router guide says incoming packets after NATing will go back to the source without having to make it so.

hi,

when doing ping, you need to say yes for the following option: Extended commands [n]:

regads,
I did what you said.  and specified the inside interface BVI1.  here is the terminal

Authorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!

User Access Verification

Username: compren
Password:
compren#ping
Protocol [ip]:
Target IP address: www.yahoo.com
Translating "www.yahoo.com"...domain server (65.32.1.65) [OK]

Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: bvi1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 69.147.114.210, timeout is 2 seconds:
Packet sent with a source address of 192.168.1.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/43/52 ms
compren#

O.K this means that natting is fine from inside to outside.

As for pat, i cant see the mistake.
ASKER CERTIFIED SOLUTION
Avatar of CrossRoadCS
CrossRoadCS

Link to home
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
See answer