Solved

cisco 877 config issue

Posted on 2009-04-08
588 Views
Last Modified: 2012-05-06
Hi all, I'm having problems with port forwarding on a Cisco 877 DSL router.
Goal:
forward ports 53, 3074, 88 to IP 192.168.60.136 (Xbox Live, issue with moderate NAT)
forward port 3389 to 192.168.60.102

Please take a look at my config and let me know why it's not working
(general Internet access works fine)

TBz_877#sh configuration
Using 5419 out of 131072 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname TBz_877
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 debugging
logging console critical
enable secret 5 $1$jlvH$5enSM9afzF3Um/MvSbXav.
enable password 7 094E5C59490E1513050717
!
no aaa new-model
!
resource policy
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.60.1 192.168.60.99
ip dhcp excluded-address 192.168.60.22
!
ip dhcp pool dhcppool
   import all
   network 192.168.60.0 255.255.255.0
   default-router 192.168.60.22
   update arp
!
!
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip tcp selective-ack
ip tcp timestamp
no ip bootp server
no ip domain lookup
ip domain name local
!
!
!
file verify auto
!
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 ip address 192.168.60.22 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip inspect firewall out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username *************.xnet.co.nz password 7 00170707164F5A545C
 ppp ipcp dns request
 ppp ipcp route default
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.60.136 53 interface Dialer0 53
ip nat inside source static tcp 192.168.60.136 53 interface Dialer0 53
ip nat inside source static udp 192.168.60.136 88 interface Dialer0 88
ip nat inside source static udp 192.168.60.136 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.60.136 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.60.102 3389 interface Dialer0 3389
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.60.0 0.0.0.255
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.60.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 101 permit tcp any any eq 3074
access-list 101 permit udp any any eq 3074
access-list 101 permit udp any any eq 88
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq domain
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq www
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.60.22
access-list 102 deny   ip any host 192.168.60.255
access-list 102 deny   udp any any eq tftp log
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 192.168.60.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 password 7 0306495B5604234D40020A
 login
!
scheduler max-task-time 5000
end

Question by:CodeBlueEngineers
3 Comments
 
LVL 12

Expert Comment

by:Faruk Onder Yerli
Please use outside NAT.

ip nat outside source static udp [DialerIP Address] 53 192.168.60.136 53

From outside to inside PAT you must define static IP address. I think dialer is always receiving same IP in your configuration. I see you are using web hosting etc.
 
LVL 43

Accepted Solution

by:
JFrederick29 earned 500 total points
Your NAT config is fine.  The problem is with the ordering in your access-list, do this:

conf t
ip access-list ext 101
no deny ip any any log
deny ip any any log
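The accepted answer's point, shown as an added example that is not from the original thread: IOS evaluates an access-list top-down and stops at the first matching entry, so in the posted config the `deny ip any any log` line sits above every port-forward permit and matches the inbound Xbox Live and RDP traffic before those permits are reached, while removing and re-entering that line appends it after the permits. The script below models that first-match evaluation over the order-relevant entries of access-list 101 with constructed packets; the public addresses, the packet mix and the small parser are assumptions, and it handles only the subset of ACE syntax this config uses.

```python
import ipaddress

# Constructed input: order-relevant entries of access-list 101, in config order.
ORIGINAL_ACL_101 = [
    "deny ip 192.168.0.0 0.0.255.255 any",
    "permit tcp any any eq 1723",
    "permit gre any any",
    "deny icmp any any echo",
    "deny ip any any log",
    "permit tcp any any eq 3074",
    "permit udp any any eq 3074",
    "permit udp any any eq 88",
    "permit tcp any any eq 3389",
    "permit udp any any eq domain",
]
NAMED_PORTS = {"domain": 53, "www": 80}

def _take_addr(tokens):
    """Consume 'any' or 'A WILDCARD' (an IOS wildcard is a host mask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse '<action> <proto> <src> <dst> [eq <port>] [log|echo]'."""
    tokens = line.split()
    src, rest = _take_addr(tokens[2:])
    dst, rest = _take_addr(rest)
    port = NAMED_PORTS.get(rest[1]) or int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": tokens[0], "proto": tokens[1], "src": src, "dst": dst, "port": port}

def ace_matches(ace, proto, src_ip, dst_ip, dst_port):
    return (ace["proto"] in ("ip", proto)
            and ipaddress.ip_address(src_ip) in ace["src"]
            and ipaddress.ip_address(dst_ip) in ace["dst"]
            and (ace["port"] is None or ace["port"] == dst_port))

def evaluate(acl, proto, src_ip, dst_ip, dst_port):
    """IOS semantics: top-down, first match wins, implicit deny at the end."""
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, proto, src_ip, dst_ip, dst_port):
            return ace["action"], line
    return "deny", "implicit deny ip any any"

def move_to_end(acl, line):
    """The accepted answer: 'no <ace>' then re-entering it appends it last."""
    return [ace for ace in acl if ace != line] + [line]

FIXED_ACL_101 = move_to_end(ORIGINAL_ACL_101, "deny ip any any log")

if __name__ == "__main__":
    # Constructed packet: Xbox Live UDP 3074 from an Internet host to the Dialer0
    # address (the inbound ACL is checked before NAT forwards it to .136).
    for name, acl in (("original", ORIGINAL_ACL_101), ("fixed", FIXED_ACL_101)):
        print(name, evaluate(acl, "udp", "203.0.113.7", "198.51.100.9", 3074))
```

Running it prints a deny from `deny ip any any log` for the original order and a permit from `permit udp any any eq 3074` once the deny has been moved to the end.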
 
LVL 2

Expert Comment

by:e3user
To forward ports you just need this command, for example:

ip nat inside source static tcp 192.168.60.136 53 interface Dialer0 53

This is correct in your config. Check your ACLs.