Solved

Port Forwarding on Cisco 800 Series Router

Posted on 2008-06-23
2,952 Views
Last Modified: 2013-11-16
Below is my config - trying to get SSH or RDP to port forward from FastEthernet4 to 192.168.1.2 on Vlan1.

Please double-check my firewall and routing - I'm a bit over my head in Cisco stuff right now.

Thanks for the assistance!

Andrew
Building configuration...

Current configuration : 7981 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 4.2.2.2 4.2.2.1
   default-router 192.168.1.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3431502892
 revocation-check none
 rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
 certificate self-signed 01
  quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 207.158.24.230 255.255.255.0
 ip access-group EXT-In in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet4 23
ip nat inside source static tcp 192.168.1.2 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit ip any host 255.255.255.255
 deny   ip any host 192.168.1.255
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
 deny   ip any any log
 permit tcp any any eq telnet log
ip access-list extended sdm_fastethernet4_out
 remark SDM_ACL Category=1
 permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:Crazy_Penguins
3 Comments
 
LVL 4

Accepted Solution

by:
red_nectar earned 500 total points
ID: 21854062
My config is very similar (and works), but instead of using the "interface" option in the static NATs, I have used the actual IP addresses - so my suggestion is to replace the ip nat statements with:

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 23 207.158.24.230 23 extendable
ip nat inside source static tcp 192.168.1.2 22 207.158.24.230 22 extendable
ip nat inside source static tcp 192.168.1.2 3389 207.158.24.230 3389 extendable
ip nat inside source static udp 192.168.1.2 3389 207.158.24.230 3389 extendable
!

You also have a problem with your ACLs. The following ACL (EXT-In) has the last two statements in the wrong order if you actually DO want to allow telnet in, because the "deny   ip any any" will prevent the last line "permit tcp any any eq telnet log" from ever being matched. I would suggest that you don't want to allow telnet access from outside anyway, so maybe just delete that line.

ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log
 

The ACL INT-In has a similar problem regarding telnet, but of more concern are the first two lines of INT-In:
1. permit ip any host 192.168.1.1
2. permit ip any host 255.255.255.255
a) There should never be a packet arriving IN on this interface going to 192.168.1.1, so line 1 does nothing. Perhaps you meant to allow 192.168.1.1 out - but 192.168.1.1 would be NATted, so even that doesn't make sense.
b) Traffic to 255.255.255.255 arriving on this interface isn't going to be forwarded anyway, so this line is just junk.

If this doesn't get you out of trouble, then there are a couple of other options you could try using route maps, but you shouldn't need to get into that much detail for this config. Let me know if it doesn't work.
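As an added example (not part of red_nectar's answer or of the posted config), the first-match shadowing check that the answer does by hand, applied to the EXT-In ACL quoted above. The parser covers only the ACE forms that appear on this page (any / host / wildcard-mask addresses and an optional `eq` port); function names and the PORT_NAMES table are my own.

```python
PORT_NAMES = {"telnet": 23, "www": 80, "domain": 53, "ftp": 21, "ntp": 123}

def _ip(dotted):
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return ((addr, wildcard), rest)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]

def parse_ace(line):
    """Parse one IOS extended ACL entry: action, protocol, src, dst, optional 'eq' port."""
    t = line.split()
    src, rest = _addr(t[2:])
    dst, rest = _addr(rest)
    port = None
    if rest and rest[0] == "eq":
        port = PORT_NAMES.get(rest[1]) or int(rest[1])
    return {"action": t[0], "proto": t[1], "src": src, "dst": dst, "port": port, "text": " ".join(t)}

def _covers(a, b):
    """True if wildcard space a contains space b: every bit a fixes, b fixes to the same value."""
    (aa, aw), (ba, bw) = a, b
    if bw & ~aw & 0xFFFFFFFF:          # b leaves free a bit that a pins down
        return False
    return (aa & ~aw) == (ba & ~aw)

def shadowed_entries(acl_lines):
    """(position, entry, earlier entry) for each ACE an earlier ACE fully covers; IOS stops at the first match, so these never fire."""
    rules = [parse_ace(l) for l in acl_lines if l.split() and l.split()[0] in ("permit", "deny")]
    found = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if e["proto"] not in ("ip", r["proto"]):
                continue
            if e["port"] is not None and e["port"] != r["port"]:
                continue
            if _covers(e["src"], r["src"]) and _covers(e["dst"], r["dst"]):
                found.append((i + 1, r["text"], e["text"]))
                break
    return found

# EXT-In exactly as posted in the question (constructed here as the sample input)
EXT_IN = """ deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log""".splitlines()
```

`shadowed_entries(EXT_IN)` reports entry 8 (the telnet permit) as unreachable behind entry 7, which is the ordering problem the answer describes; the same call on INT-In flags its final telnet permit the same way.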
 
LVL 4

Expert Comment

by:red_nectar
ID: 21873059
Andrew (Crazy Penguins) - have you sorted out the problem yet?
 

Author Closing Comment

by:Crazy_Penguins
ID: 31469923
Wound up we had another person come and configure the router. I do believe what you said would have worked, though.
