Cisco 800 Series not forwarding ports

nwteam
Hi experts,
I have a Cisco 800 that is refusing to forward ports to a freshly installed SBS 2008 server, particularly those required for SBS: 25, 80, 443, 987.  The configuration is below.  The odd thing is that port 80 was working for about half a day and then stopped working - and a non-Microsoft FTP service was also working for a few hours, which originally led me to believe it was an issue relating to Microsoft-based applications. There is no antivirus installed yet and all firewalls - domain/public/private - are off.  The configuration seems a little messy - years of various technicians working on it.  Any ideas?


!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
no service dhcp
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
enable password xxx
!
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 10.200.131.1 10.200.131.195
!
ip dhcp pool dhcppool
   import all
   network 10.200.131.0 255.255.255.0
   default-router 10.200.131.2
   dns-server 10.200.131.3
   update arp
!
!
no ip domain lookup
ip domain name local
ip name-server 10.200.146.68
no ip bootp server
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
ip inspect name Dialer_0 icmp
ip ips po max-events 100
ip dhcp-server 10.200.131.1
vpdn enable
!
vpdn-group chap
!
vpdn-group pptp
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
username admin password 7 xxx
username datacom password 7 xxx
username auto privilege 15 password 7 xxx
username hospital password 7 xxx
username ifm privilege 15 secret 5 xxx
username stephen password 7 xxx
!
!
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key xxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp keepalive 300
no crypto isakmp ccm
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
!
!
!
crypto ipsec client ezvpn easy_vpn_remote
 connect auto
 group easy_vpn_remote key #!asroot
 mode client
 peer xxx.xxx.xxx.xxx
!
!
crypto map cm-cryptomap 110 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set tr-des-sha
 match address 110
!
!
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 tunnel source xxx.xxx.xxx.xxx
 tunnel destination xxx.xxx.xxx.xxx
 tunnel key xxx
!
interface Loopback0
 ip address 10.220.131.1 255.255.255.0
!
interface Loopback1
 ip address 10.200.214.55 255.255.255.255
!
interface Loopback2
 ip address 10.200.214.4 255.255.255.255
!
interface Loopback3
 ip address 10.200.214.3 255.255.255.255
!
interface Loopback4
 no ip address
!
interface Ethernet0
 ip address 10.200.131.2 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn easy_vpn_remote inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address dhcp
 ppp encrypt mppe auto
 ppp authentication chap ms-chap
 ppp ipcp dns 10.200.131.3
 ppp ipcp wins 10.200.131.3
!
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect Dialer_0 out
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxx@isp password xxx
 ppp ipcp dns request
 crypto ipsec client ezvpn easy_vpn_remote
!
interface Dialer1
 no ip address
!
ip local pool pptp 10.220.131.20 10.220.131.60
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.100.2
!
no ip http server
no ip http secure-server
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 10.200.131.1 25 interface Dialer0 25
ip nat inside source static tcp 10.200.131.1 443 interface Dialer0 443
ip nat inside source static tcp 10.200.131.1 80 interface Dialer0 80
ip nat inside source static tcp 10.200.131.1 987 interface Dialer0 987
!
access-list 2 permit xxx.xxx.xxx.xxx
access-list 2 permit xxx.xxx.xxx.xxx
access-list 2 permit xxx.xxx.xxx.xxx
access-list 2 remark Where management can be done from.
access-list 2 permit 10.200.131.0 0.0.0.255
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.200.131.0 0.0.0.255
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 101 permit tcp host xxx.xxx.xxx.xxx any eq 22
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 987
access-list 101 deny   ip 0.0.0.0 0.255.255.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
access-list 101 deny   icmp any any echo
access-list 101 deny   ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 10.200.131.2
access-list 102 deny   ip any host 10.200.131.255
access-list 102 deny   udp any any eq tftp log
access-list 102 permit ip 10.200.131.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.200.131.0 0.0.0.255 192.168.100.0 0.0.0.3
access-list 102 permit ip 10.200.131.0 0.0.0.255 10.220.131.0 0.0.0.255
access-list 102 permit ip 10.200.131.0 0.0.0.255 10.200.0.0 0.0.255.255
access-list 102 deny   ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny   ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny   ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny   ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny   ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny   ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny   udp any any eq 135 log
access-list 102 deny   tcp any any eq 135 log
access-list 102 deny   udp any any eq netbios-ns log
access-list 102 deny   udp any any eq netbios-dgm log
access-list 102 deny   tcp any any eq 445 log
access-list 102 permit ip 10.200.131.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny   ip any any log
access-list 105 remark Traffic to NAT
access-list 105 permit ip 10.200.131.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
access-list 110 permit gre host xxx.xxx.xxx.xxx host xxx.xxx.xxx.xxx
dialer-list 1 protocol ip permit
!
!
control-plane
!
banner motd ^C

You require authorisation to connect to this device.
If you are not authorised to connect to this device please disconnect now.  

^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 2 in
 transport input telnet ssh
 transport output none
!
scheduler max-task-time 5000
end
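As an added check (example code written for this page, not from the thread or from Cisco), the script below parses a config in the style posted above and lists every static port-forward whose outside port is not permitted by the inbound ACL on the interface the forward names. The sample config is a constructed excerpt of the one above with an extra 3389 forward added to show such a gap; the real config's four SBS forwards all have matching permits in access-list 101.

```python
import re
# Constructed excerpt modelled on the question's config; the 3389 forward is added to show a gap.
SAMPLE_CONFIG = """\
interface Dialer0
 ip address negotiated
 ip access-group 101 in
 ip nat outside
!
ip nat inside source static tcp 10.200.131.1 25 interface Dialer0 25
ip nat inside source static tcp 10.200.131.1 443 interface Dialer0 443
ip nat inside source static tcp 10.200.131.1 80 interface Dialer0 80
ip nat inside source static tcp 10.200.131.1 987 interface Dialer0 987
ip nat inside source static tcp 10.200.131.5 3389 interface Dialer0 3389
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 987
access-list 101 deny   ip any any log
"""

# IOS ACLs accept these keywords in place of port numbers (subset used here).
PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21, "telnet": 23, "domain": 53}
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", re.M)

def parse_statics(cfg):
    """(proto, inside_ip, inside_port, outside_iface, outside_port) per static NAT line."""
    return [(m[1], m[2], int(m[3]), m[4], int(m[5])) for m in STATIC_RE.finditer(cfg)]

def inbound_acl(cfg, iface):
    """Number of the ACL applied 'in' under the given interface, or None."""
    m = re.search(r"^interface %s\n(?: .*\n)*? ip access-group (\d+) in" % re.escape(iface),
                  cfg, re.M)
    return m.group(1) if m else None

def acl_open_ports(cfg, acl):
    """Set of (proto, port) the ACL permits from any source to any destination."""
    pat = re.compile(r"^access-list %s permit (tcp|udp) any any eq (\S+)" % acl, re.M)
    return {(proto, PORT_NAMES.get(name, int(name) if name.isdigit() else -1))
            for proto, name in pat.findall(cfg)}

def unreachable_forwards(cfg):
    """Static forwards whose outside port the outside interface's inbound ACL does not permit."""
    bad = []
    for proto, inside_ip, _, iface, out_port in parse_statics(cfg):
        acl = inbound_acl(cfg, iface)
        if acl and (proto, out_port) not in acl_open_ports(cfg, acl):  # no ACL = nothing blocks it
            bad.append((proto, inside_ip, out_port))
    return bad
```

Run it against a saved `show running-config` before touching NAT: a forward that the ACL never lets in looks exactly like "NAT not working" from outside.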
cisco 800 router has some problem in NAT operation. please use below command.
clear ip nat translation *

Most probably it will work after cleaning the NAT table. If your traffic is too high, an 800 series router cannot handle too many sessions. Finally the NAT operation starts to slow down and then stops.

Author

Commented:
Thanks equalizer, afraid that didn't work though - nothing responded on any of the ports except port 80 which responds to a telnet, but doesn't return IIS's default page as it was for a short while yesterday.

Commented:
what IOS is the router running?

Yesterday I had an issue with an ip route command on an 800 router that went like:

ip route 0.0.0.0 0.0.0.0 interface fa0/0

when I changed it to: ip route 0.0.0.0 0.0.0.0 172.16.1.1   it worked.. (172.16.1.1 being the IP from fa0/0)

Get the IP from dialer0, and rewrite your nat commands as for testing:

ip nat inside source static tcp 10.200.131.1 25 <ip from dialer0> 25
ip nat inside source static tcp 10.200.131.1 443 <ip from dialer0> 443
ip nat inside source static tcp 10.200.131.1 80  <ip from dialer0> 80
ip nat inside source static tcp 10.200.131.1 987  <ip from dialer0> 987

If that works, see if there are any upgrades to your IOS



Author

Commented:
I tested this with a telnet into port 25 and something responds - but not the actual Exchange server - it doesn't return "220 <server> Microsoft ESMTP MAIL Service ready" as would be expected.  However, I'm still unsure as to whether it's an SBS or router problem - I forwarded RDP port 3389 through to another server on the LAN and that works just fine.  However, like the earlier tests with HTTP and FTP - it may only work for the next few hours.  I'm open to suggestions on either side of things, thanks.

IOS Version:
Cisco IOS Software, C837 Software (C837-K9O3SY6-M), Version 12.3(11)T9, RELEASE
SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 13-Dec-05 16:22 by ccai

Author

Commented:
Seems to definitely be a router problem - RDP stopped working to the other server this morning.

Commented:
I know it is highly unlikely, but maybe there's another host with the same IP around confusing the router?

Or maybe try upgrading the IOS since the 800 series have lots of bugs around

Author

Commented:
Nope, it's nothing like that - I wish it were that simple.  I'm hearing a lot about the buggy IOS.  I don't know if there are any IOS updates, and if there are I can't do them - I've also been told by the guy who originally set it up that the IOS can't be changed due to compatibility with the tunnel endpoints.  Unless there's a way to roll back the IOS update in case it does break something??

Commented:
I told you. Cisco 800 series has such a problem. The 800 series router is for branch or small office connections. If there are more than 30 users in the network who use NAT, in a while the 800 router NAT is not working correctly. There is just one option: you can use a PIX501 with the 800 series router. You can give all NAT activity to the PIX. All your problems will be solved.

PS: In my network, we are using about 60 800 series routers. All of them have complex enough configs. We saw the same problem so many times in any IOS. I think the hardware is not enough to manage complex sessions...
