Solved

cisco 877 config issue

Posted on 2009-04-08
3
593 Views
Last Modified: 2012-05-06
Hi all, I'm having problems with port forwarding on a Cisco 877 DSL router.
Goal:
forward ports 53, 3074, 88 to IP 192.168.60.136 (Xbox Live, issue with moderate NAT)
forward port 3389 to 192.168.60.102

Please take a look at my config and let me know why it's not working
(general internet access works fine).
lock  Display configuration lock
  |     Output modifiers
  <cr>
 
TBz_877#sh configuration
Using 5419 out of 131072 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname TBz_877
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 debugging
logging console critical
enable secret 5 $1$jlvH$5enSM9afzF3Um/MvSbXav.
enable password 7 094E5C59490E1513050717
!
no aaa new-model
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.60.1 192.168.60.99
ip dhcp excluded-address 192.168.60.22
!
ip dhcp pool dhcppool
   import all
   network 192.168.60.0 255.255.255.0
   default-router 192.168.60.22
   update arp
!
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip tcp selective-ack
ip tcp timestamp
no ip bootp server
no ip domain lookup
ip domain name local
!
!
!
file verify auto
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.60.22 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username *************.xnet.co.nz password 7 00170707164F5A545C
 ppp ipcp dns request
 ppp ipcp route default
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.60.136 53 interface Dialer0 53
ip nat inside source static tcp 192.168.60.136 53 interface Dialer0 53
ip nat inside source static udp 192.168.60.136 88 interface Dialer0 88
ip nat inside source static udp 192.168.60.136 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.60.136 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.60.102 3389 interface Dialer0 3389
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.60.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 3074
access-list 101 permit udp any any eq 88
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.60.22
access-list 102 deny   ip any host 192.168.60.255
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 password 7 0306495B5604234D40020A
 login
!
scheduler max-task-time 5000
end

Question by:CodeBlueEngineers
3 Comments
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
ID: 24095768
Please use outside NAT.

ip nat outside source static udp [DialerIP Address] 53 192.168.60.136 53

From outside to inside PAT you must define a static IP address. I think the dialer is always receiving the same IP in your configuration. I see you are using web hosting etc.
0
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
ID: 24096103
Your NAT config is fine. The problem is with the ordering in your access-list; do this:

conf t
ip access-list ext 101
no deny ip any any log
deny ip any any log
0
 
LVL 2

Expert Comment

by:e3user
ID: 24096608
To forward ports you just need this command, for example:

ip nat inside source static tcp 192.168.60.136  53 interface Dialer0 53

this is correct in your config. Check your ACLs.
0
