Solved

port forwarding rule not working cisco 837

Posted on 2008-10-15
Last Modified: 2012-05-05
Hi, I am trying to port forward port 80 to my network drive that listens on this port.
Can someone take a look at my config? It doesn't seem to be working.
The internal IP of the drive is 10.11.1.3 and I would like to access it from the outside for administrative purposes. Thanks...
Building configuration...
 
Current configuration : 5814 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$z9rX$ZH3myMhQ7t/j/Gb4bqOh.0
enable password password
!
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 10.11.1.1 10.11.1.99
!
ip dhcp pool Default
   import all
   network 10.11.1.0 255.255.255.0
   dns-server 194.72.0.114 62.6.40.162 
   default-router 10.11.1.1 
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips po max-events 100
no ftp-server write-enable
!
!
username admin privilege 15 view root secret 5 $1$r3GO$v2o3/79JBJjz2TJmKC2ya0
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key password address 90.x.x.x
crypto isakmp key password address 82.x.x.x
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to90.x.x.x
 set peer 90.x.x.x
 set transform-set ESP-3DES-SHA 
 match address 102
crypto map SDM_CMAP_1 2 ipsec-isakmp 
 description Tunnel to82.x.x.x
 set peer 82.x.x.x
 set security-association lifetime seconds 86400
 set transform-set ESP-3DES-SHA1 
 match address 104
!
!
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 10.11.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 213.x.x.x 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 0 
 crypto map SDM_CMAP_1
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 10.11.1.3 80 213.x.x.x 80 extendable
!
!
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.11.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 213.120.112.136 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 10.12.1.0 0.0.0.255 10.11.1.0 0.0.0.255
access-list 101 permit udp host 82.x.x.x host 213.x.x.x eq non500-isakmp
access-list 101 permit udp host 82.x.x.x host 213.x.x.x eq isakmp
access-list 101 permit esp host 82.x.x.x host 213.120.112.140
access-list 101 permit ahp host 82.x.x.x host 213.120.112.140
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 10.11.1.0 0.0.0.255
access-list 101 permit udp host 90.x.x.x host 213.x.x.x eq non500-isakmp
access-list 101 permit udp host 90.x.x.x host 213.x.x.x eq isakmp
access-list 101 permit esp host 90.x.x.x host 213.120.112.140
access-list 101 permit ahp host 90.x.x.x host 213.120.112.140
access-list 101 deny   ip 10.11.1.0 0.0.0.255 any
access-list 101 permit icmp any host 213.x.x.x echo-reply
access-list 101 permit icmp any host 213.x.x.x time-exceeded
access-list 101 permit icmp any host 213.x.x.x unreachable
access-list 101 permit tcp any host 213.x.x.x eq www
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.11.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.11.1.0 0.0.0.255 10.12.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 deny   ip 10.11.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 103 permit ip 10.11.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.11.1.0 0.0.0.255 10.12.1.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
 match ip address 103
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 password password
 login
 length 0
!
scheduler max-task-time 5000
end

Question by:Dan560
6 Comments
 
LVL 2

Author Comment

by:Dan560
ID: 22723035
This is the spec of the drive. I think what I am trying to do should work.
http://www.lacie.com/products/product.htm?pid=10994
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22723057
Your WAN interface access-list is blocking your attempt.

Add this:

conf t
ip access-list ext 101
no deny ip any any log
permit tcp any host 213.x.x.x eq 80
deny ip any any log
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22723074
Oops, sorry, didn't see you had the entry in your ACL...
0
 
LVL 43

Expert Comment

by:JFrederick29
ID: 22723098
From internal, can you access it on port 80?

You may need to disable the HTTP server on the router as it may conflict with your drive.

conf t
no ip http server   <--this of course disables HTTP access to the router (if you are using it)
0
 
LVL 2

Author Comment

by:Dan560
ID: 22723132
Does SDM use HTTP?
Preferably I'd like to keep it.
I know the LaCie can listen on port 443.

So shall I do this..?
conf t
ip access-list ext 101
no deny ip any any log
permit tcp any host 213.x.x.x eq 443
deny ip any any log

How do I configure the NAT route?
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 22723143
Yes, SDM uses the HTTP server.  You can use 443 since the drive supports it.

Remove the 80 rule and add the 443 rule.

conf t
no ip nat inside source static tcp 10.11.1.3 80 213.x.x.x 80 extendable
ip nat inside source static tcp 10.11.1.3 443 213.x.x.x 443 extendable
0
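
The two checks worked through in this thread (is the forwarded port permitted by the inbound ACL on the `ip nat outside` interface, and does the router's own `ip http server` share port 80), as an added Python example that is not part of the original posts. The names `audit_forwards` and `first_match` are hypothetical, 203.0.113.10 is a placeholder for the redacted WAN address, and ACL matching is simplified to entries whose source is `any`.

```python
# Constructed sample; 203.0.113.10 stands in for the thread's redacted WAN address.
SAMPLE = """\
interface Dialer0
 ip access-group 101 in
 ip nat outside
ip http server
ip nat inside source static tcp 10.11.1.3 80 203.0.113.10 80 extendable
ip nat inside source static tcp 10.11.1.3 443 203.0.113.10 443 extendable
access-list 101 permit tcp any host 203.0.113.10 eq www
access-list 101 deny   ip any any log
"""
PORTS = {"www": "80"}  # IOS prints some well-known ports by name

def first_match(rules, gip, port):  # action of first entry matching any client -> gip:port
    for action, proto, *rest in rules:
        if proto not in ("tcp", "ip") or rest[:1] != ["any"]:
            continue  # source-specific entries do not cover arbitrary clients
        tail = (rest[2:] if rest[1:2] == ["any"] else
                rest[3:] if rest[1:3] == ["host", gip] else None)
        if tail is None or (tail[:1] == ["eq"] and PORTS.get(tail[1], tail[1]) != str(port)):
            continue
        return action
    return "deny"  # implicit deny ends every ACL

def audit_forwards(cfg):
    """Map each static TCP forward (global_ip, port) to a list of findings."""
    iface, outside, acl_in, forwards, rules, http = None, set(), {}, [], {}, False
    for line in cfg.splitlines():
        w = line.split() or ["!"]  # treat blank lines like "!" separators
        if not line.startswith(" "):  # a top-level line starts a new section
            iface = w[1] if w[0] == "interface" else None
        if iface and w == ["ip", "nat", "outside"]:
            outside.add(iface)
        elif iface and w[:2] == ["ip", "access-group"] and w[-1] == "in":
            acl_in[iface] = w[2]
        elif w[:6] == "ip nat inside source static tcp".split():
            forwards.append((w[8], int(w[9])))  # global address and global port
        elif w[0] == "access-list" and w[2:3] in (["permit"], ["deny"]):
            rules.setdefault(w[1], []).append(w[2:])
        elif w == ["ip", "http", "server"]:
            http = True
    out = {}
    for gip, port in forwards:
        notes = [f"ACL {acl_in[i]} on {i} blocks tcp/{port}" for i in sorted(outside)
                 if i in acl_in and first_match(rules.get(acl_in[i], []), gip, port) != "permit"]
        if http and port == 80:
            notes.append("router 'ip http server' also listens on tcp/80")
        out[(gip, port)] = notes
    return out
```

On the sample, the port 80 forward is flagged for sharing the port with the router's HTTP server, and the port 443 forward is flagged because ACL 101 has no matching permit ahead of the final deny.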
