Port Forwarding on Cisco 800 Series Router

Posted on 2008-06-23
Last Modified: 2013-11-16
Below is my config - trying to get SSH or RDP to port forward from FastEthernet4 to 192.168.1.2 on Vlan1.

Please double-check my firewall and routing - I'm a bit over my head in Cisco stuff right now.

Thanks for the assistance!

Andrew
Building configuration...
 
Current configuration : 7981 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SpectrumCisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$NGPp$GmViZ0RBkTrlJJLZhLkvC/
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 4.2.2.2 4.2.2.1 
   default-router 192.168.1.1 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name cisco.SpectrumMarketing.net
ip name-server 4.2.2.2
ip name-server 4.2.2.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
crypto pki trustpoint TP-self-signed-3431502892
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3431502892
 revocation-check none
 rsakeypair TP-self-signed-3431502892
!
!
crypto pki certificate chain TP-self-signed-3431502892
 certificate self-signed 01
  quit
username valuelogic privilege 15 secret 5 $1$SJpa$PaCLCHR3ab419jOZacZ3I0
!
! 
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 207.158.24.230 255.255.255.0
 ip access-group EXT-In in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group INT-In in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip classless
ip route 0.0.0.0 0.0.0.0 207.158.24.225
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 23 interface FastEthernet4 23
ip nat inside source static tcp 192.168.1.2 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.1.2 3389 interface FastEthernet4 3389
!
ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log
ip access-list extended INT-In
 permit ip any host 192.168.1.1
 permit ip any host 255.255.255.255
 deny   ip any host 192.168.1.255
 deny   ip any 10.0.0.0 0.255.255.255 log
 deny   ip any 172.16.0.0 0.15.255.255 log
 deny   ip any 192.168.0.0 0.0.255.255 log
 deny   ip any 169.254.0.0 0.0.255.255 log
 permit icmp any any
 permit udp any any eq domain
 permit tcp any any eq domain
 permit tcp any any eq 3389
 permit tcp any any eq 22
 permit tcp any any eq www
 permit tcp any any eq 443
 permit tcp any any eq ftp
 permit udp any any eq ntp
 deny   ip any any log
 permit tcp any any eq telnet log
ip access-list extended sdm_fastethernet4_out
 remark SDM_ACL Category=1
 permit icmp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 101 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 101 deny   ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 207.158.24.230 echo-reply
access-list 101 permit icmp any host 207.158.24.230 time-exceeded
access-list 101 permit icmp any host 207.158.24.230 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp host 4.2.2.1 eq domain host 207.158.24.230
access-list 102 permit udp host 4.2.2.2 eq domain host 207.158.24.230
access-list 102 deny   ip 192.168.1.0 0.0.0.255 any
access-list 102 permit icmp any host 207.158.24.230 echo-reply
access-list 102 permit icmp any host 207.158.24.230 time-exceeded
access-list 102 permit icmp any host 207.158.24.230 unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Question by:Crazy_Penguins
3 Comments
 
Accepted Solution

by:
red_nectar earned 500 total points
ID: 21854062
My config is very similar (and works), but instead of using the "interface" option in the static NATs, I have used the actual IP addresses - so my suggestion is to replace the ip nat statements with:

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.2 23 207.158.24.230 23 extendable
ip nat inside source static tcp 192.168.1.2 22 207.158.24.230 22 extendable
ip nat inside source static tcp 192.168.1.2 3389 207.158.24.230 3389 extendable
ip nat inside source static udp 192.168.1.2 3389 207.158.24.230 3389 extendable
!

You also have a problem with your ACLs. The following ACL (EXT-In) has the last two statements in the wrong order if you actually DO want to allow telnet in, because the "deny   ip any any" will prevent the last line "permit tcp any any eq telnet log" from ever being matched. I would suggest that you don't want to allow telnet access from outside anyway, so maybe you should just delete that line.

ip access-list extended EXT-In
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log
 

The ACL INT-In has a similar problem regarding telnet, but of more concern are the first two lines of INT-In:
1. permit ip any host 192.168.1.1
2. permit ip any host 255.255.255.255
a) There should never be a packet arriving IN on this interface going to 192.168.1.1, so line 1 does nothing. Perhaps you meant to allow 192.168.1.1 out - but 192.168.1.1 would be NATted so even that doesn't make sense.
b) traffic to 255.255.255.255 arriving on this interface isn't going to be forwarded anyway, so this line is just junk.

If this doesn't get you out of trouble, then there are a couple of other options you could try using route maps, but you shouldn't need to get into that much detail for this config. Let me know if it doesn't work.
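Added example, not from the original thread: a small Python checker that parses the EXT-In ACL exactly as posted and reports rules that an earlier rule makes unreachable (the telnet permit sitting behind "deny ip any any" that red_nectar points out), plus a first-match evaluator for single packets. It understands only the extended-ACL syntax used in this thread (any/host/wildcard addresses and destination "eq" ports); the function and variable names are my own.

```python
import ipaddress
from collections import namedtuple
# Constructed copy of the EXT-In ACL from the question, in the order it was posted.
EXT_IN = """
 deny   ip 10.0.0.0 0.255.255.255 any log
 deny   ip 172.16.0.0 0.15.255.255 any log
 deny   ip 192.168.0.0 0.0.255.255 any log
 deny   ip 169.254.0.0 0.0.255.255 any log
 permit tcp any any eq 22 log
 permit tcp any any eq 3389 log
 deny   ip any any log
 permit tcp any any eq telnet log
""".strip().splitlines()
NAMED_PORTS = {"telnet": 23, "www": 80, "domain": 53, "ftp": 21, "ntp": 123}
MASK32 = 0xFFFFFFFF
# src/dst are (address, wildcard) ints (wildcard bit set = don't care); dport is the port after
# "eq" or None. Source-port matches such as "host 4.2.2.1 eq domain" (access-list 101) are not parsed.
Rule = namedtuple("Rule", "action proto src dst dport")

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tokens):  # consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'
    t = tokens.pop(0)
    if t == "any":
        return (0, MASK32)
    return (_ip(tokens.pop(0)), 0) if t == "host" else (_ip(t), _ip(tokens.pop(0)))

def parse_rule(line):
    action, proto, *rest = line.split()
    src, dst = _addr(rest), _addr(rest)
    dport = (NAMED_PORTS.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return Rule(action, proto, src, dst, dport)

def _range_covers(a, b):  # does wildcard range a contain every address of range b?
    return (a[1] | b[1]) == a[1] and (a[0] & ~a[1] & MASK32) == (b[0] & ~a[1] & MASK32)

def rule_covers(e, r):  # does rule e match every packet that rule r would match?
    return (e.proto in ("ip", r.proto) and _range_covers(e.src, r.src)
            and _range_covers(e.dst, r.dst) and e.dport in (None, r.dport))

def shadowed_rules(lines):  # (index, shadowing_index) for rules an earlier rule makes unreachable
    rules = list(map(parse_rule, lines))
    first = [next((j for j in range(i) if rule_covers(rules[j], r)), None) for i, r in enumerate(rules)]
    return [(i, j) for i, j in enumerate(first) if j is not None]

def evaluate(lines, proto, src, dst, dport=None):  # first match wins, then IOS's implicit deny
    packet = Rule(None, proto, (_ip(src), 0), (_ip(dst), 0), dport)
    return next((r.action for r in map(parse_rule, lines) if rule_covers(r, packet)), "deny")
```

Running evaluate for udp/3389 also shows that the "ip nat inside source static udp 192.168.1.2 3389" entry in the posted config can never receive traffic through EXT-In, since the ACL only permits tcp 3389.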

Expert Comment

by:red_nectar
ID: 21873059
Andrew (Crazy Penguins) - have you sorted out the problem yet?

Author Closing Comment

by:Crazy_Penguins
ID: 31469923
Wound up we had another person come and configure the router.  I do believe what you said would have worked, though.
