Cisco 831 port forwarding issue

askrabbit
The requirement is to enable port forwarding to an internal device. The external IP address is 83.xxx.xxx.130, the internal IP address is 192.168.100.110. The destination port is 5000. If a user external to the network browses to http://83.xxx.xxx.130:5000, the traffic should be allowed through the Cisco and forwarded to 192.168.100.110:5000.

I can access 192.168.100.110:5000 from within the network.

The config of the Cisco 831 is given below. The new NAT and ACL entries were added by way of the SDM GUI. However, the device is not able to be accessed from outside of the LAN. Help!

=============
Building configuration...

Current configuration : 19298 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname pem_01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
no ip source-route
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
ip domain name xxx.xxx
no ip bootp server
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-638752264
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-638752264
 revocation-check none
 rsakeypair TP-self-signed-638752264
!
!
crypto pki certificate chain TP-self-signed-638752264
 certificate self-signed 01
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 22222222 33333333 44444444 55555555 66666666 77777777
  00000000 11111111 222222
  quit
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxxxxxxxxxxx address 194.xxx.xxx.xxx no-xauth
!
crypto isakmp client configuration group remoteuser
 key xxxxxxxx
 dns 192.168.100.200
 wins 192.168.100.200
 domain xxx.xxx
 pool SDM_POOL_1
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 194.xxx.xxx.xxx
 set transform-set ESP-3DES-MD5
 match address 103
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 192.168.100.254 255.255.255.0
 ip access-group 100 in
 ip access-group 105 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address 83.xxx.xxx.130 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.105.1 192.168.105.100
ip route 0.0.0.0 0.0.0.0 83.xxx.xxx.129
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.100.110 5000 interface Ethernet1 5000
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip 83.xxx.xxx.128 0.0.0.7 any
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 83.238.255.76 eq domain any
access-list 101 permit udp host 83.xxx.xxx.129 eq domain any
access-list 101 permit ahp host 194.xxx.xxx.xxx host 83.xxx.xxx.130
access-list 101 permit ahp any host 83.xxx.xxx.130
access-list 101 permit esp host 194.xxx.xxx.xxx host 83.xxx.xxx.130
access-list 101 permit esp any host 83.xxx.xxx.130
access-list 101 permit udp host 194.xxx.xxx.xxx host 83.xxx.xxx.130 eq isakmp
access-list 101 permit udp any host 83.xxx.xxx.130 eq isakmp
access-list 101 permit udp host 194.xxx.xxx.xxx host 83.xxx.xxx.130 eq non500-isakmp
access-list 101 permit udp any host 83.xxx.xxx.130 eq non500-isakmp
access-list 101 remark IPSec Rule
access-list 101 permit ip host 10.100.100.44 192.168.100.0 0.0.0.255
access-list 101 permit udp host 194.xxx.xxx.xxx host 83.xxx.xxx.106 eq non500-isakmp
access-list 101 permit udp host 194.xxx.xxx.xxx host 83.xxx.xxx.106 eq isakmp
access-list 101 permit esp host 194.xxx.xxx.xxx host 83.xxx.xxx.106
access-list 101 permit ahp host 194.xxx.xxx.xxx host 83.xxx.xxx.106
access-list 101 permit tcp any host 83.xxx.xxx.130 eq 5000
access-list 101 permit ip host 192.168.105.1 any
access-list 101 permit ip host 192.168.105.2 any
access-list 101 permit ip host 192.168.105.3 any
access-list 101 permit ip host 192.168.105.4 any
access-list 101 permit ip host 192.168.105.5 any
access-list 101 permit ip host 192.168.105.6 any
access-list 101 permit ip host 192.168.105.7 any
access-list 101 permit ip host 192.168.105.8 any
access-list 101 permit ip host 192.168.105.9 any
access-list 101 permit ip host 192.168.105.10 any
access-list 101 permit ip host 192.168.105.11 any
access-list 101 permit ip host 192.168.105.12 any
access-list 101 permit ip host 192.168.105.13 any
access-list 101 permit ip host 192.168.105.14 any
access-list 101 permit ip host 192.168.105.15 any
access-list 101 permit ip host 192.168.105.16 any
access-list 101 permit ip host 192.168.105.17 any
access-list 101 permit ip host 192.168.105.18 any
access-list 101 permit ip host 192.168.105.19 any
access-list 101 permit ip host 192.168.105.20 any
access-list 101 permit ip host 192.168.105.21 any
access-list 101 permit ip host 192.168.105.22 any
access-list 101 permit ip host 192.168.105.23 any
access-list 101 permit ip host 192.168.105.24 any
access-list 101 permit ip host 192.168.105.25 any
access-list 101 permit ip host 192.168.105.26 any
access-list 101 permit ip host 192.168.105.27 any
access-list 101 permit ip host 192.168.105.28 any
access-list 101 permit ip host 192.168.105.29 any
access-list 101 permit ip host 192.168.105.30 any
access-list 101 permit ip host 192.168.105.31 any
access-list 101 permit ip host 192.168.105.32 any
access-list 101 permit ip host 192.168.105.33 any
access-list 101 permit ip host 192.168.105.34 any
access-list 101 permit ip host 192.168.105.35 any
access-list 101 permit ip host 192.168.105.36 any
access-list 101 permit ip host 192.168.105.37 any
access-list 101 permit ip host 192.168.105.38 any
access-list 101 permit ip host 192.168.105.39 any
access-list 101 permit ip host 192.168.105.40 any
access-list 101 permit ip host 192.168.105.41 any
access-list 101 permit ip host 192.168.105.42 any
access-list 101 permit ip host 192.168.105.43 any
access-list 101 permit ip host 192.168.105.44 any
access-list 101 permit ip host 192.168.105.45 any
access-list 101 permit ip host 192.168.105.46 any
access-list 101 permit ip host 192.168.105.47 any
access-list 101 permit ip host 192.168.105.48 any
access-list 101 permit ip host 192.168.105.49 any
access-list 101 permit ip host 192.168.105.50 any
access-list 101 permit ip host 192.168.105.51 any
access-list 101 permit ip host 192.168.105.52 any
access-list 101 permit ip host 192.168.105.53 any
access-list 101 permit ip host 192.168.105.54 any
access-list 101 permit ip host 192.168.105.55 any
access-list 101 permit ip host 192.168.105.56 any
access-list 101 permit ip host 192.168.105.57 any
access-list 101 permit ip host 192.168.105.58 any
access-list 101 permit ip host 192.168.105.59 any
access-list 101 permit ip host 192.168.105.60 any
access-list 101 permit ip host 192.168.105.61 any
access-list 101 permit ip host 192.168.105.62 any
access-list 101 permit ip host 192.168.105.63 any
access-list 101 permit ip host 192.168.105.64 any
access-list 101 permit ip host 192.168.105.65 any
access-list 101 permit ip host 192.168.105.66 any
access-list 101 permit ip host 192.168.105.67 any
access-list 101 permit ip host 192.168.105.68 any
access-list 101 permit ip host 192.168.105.69 any
access-list 101 permit ip host 192.168.105.70 any
access-list 101 permit ip host 192.168.105.71 any
access-list 101 permit ip host 192.168.105.72 any
access-list 101 permit ip host 192.168.105.73 any
access-list 101 permit ip host 192.168.105.74 any
access-list 101 permit ip host 192.168.105.75 any
access-list 101 permit ip host 192.168.105.76 any
access-list 101 permit ip host 192.168.105.77 any
access-list 101 permit ip host 192.168.105.78 any
access-list 101 permit ip host 192.168.105.79 any
access-list 101 permit ip host 192.168.105.80 any
access-list 101 permit ip host 192.168.105.81 any
access-list 101 permit ip host 192.168.105.82 any
access-list 101 permit ip host 192.168.105.83 any
access-list 101 permit ip host 192.168.105.84 any
access-list 101 permit ip host 192.168.105.85 any
access-list 101 permit ip host 192.168.105.86 any
access-list 101 permit ip host 192.168.105.87 any
access-list 101 permit ip host 192.168.105.88 any
access-list 101 permit ip host 192.168.105.89 any
access-list 101 permit ip host 192.168.105.90 any
access-list 101 permit ip host 192.168.105.91 any
access-list 101 permit ip host 192.168.105.92 any
access-list 101 permit ip host 192.168.105.93 any
access-list 101 permit ip host 192.168.105.94 any
access-list 101 permit ip host 192.168.105.95 any
access-list 101 permit ip host 192.168.105.96 any
access-list 101 permit ip host 192.168.105.97 any
access-list 101 permit ip host 192.168.105.98 any
access-list 101 permit ip host 192.168.105.99 any
access-list 101 permit ip host 192.168.105.100 any
access-list 101 permit udp any host 83.xxx.xxx.106 eq non500-isakmp
access-list 101 permit udp any host 83.xxx.xxx.106 eq isakmp
access-list 101 permit esp any host 83.xxx.xxx.106
access-list 101 permit ahp any host 83.xxx.xxx.106
access-list 101 deny   ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any host 83.xxx.xxx.106 echo-reply
access-list 101 permit icmp any host 83.xxx.xxx.106 time-exceeded
access-list 101 permit icmp any host 83.xxx.xxx.106 unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 remark IPSec Rule
access-list 102 deny   ip 192.168.100.0 0.0.0.255 host 10.100.100.44
access-list 102 deny   ip any host 192.168.105.1
access-list 102 deny   ip any host 192.168.105.2
access-list 102 deny   ip any host 192.168.105.3
access-list 102 deny   ip any host 192.168.105.4
access-list 102 deny   ip any host 192.168.105.5
access-list 102 deny   ip any host 192.168.105.6
access-list 102 deny   ip any host 192.168.105.7
access-list 102 deny   ip any host 192.168.105.8
access-list 102 deny   ip any host 192.168.105.9
access-list 102 deny   ip any host 192.168.105.10
access-list 102 deny   ip any host 192.168.105.11
access-list 102 deny   ip any host 192.168.105.12
access-list 102 deny   ip any host 192.168.105.13
access-list 102 deny   ip any host 192.168.105.14
access-list 102 deny   ip any host 192.168.105.15
access-list 102 deny   ip any host 192.168.105.16
access-list 102 deny   ip any host 192.168.105.17
access-list 102 deny   ip any host 192.168.105.18
access-list 102 deny   ip any host 192.168.105.19
access-list 102 deny   ip any host 192.168.105.20
access-list 102 deny   ip any host 192.168.105.21
access-list 102 deny   ip any host 192.168.105.22
access-list 102 deny   ip any host 192.168.105.23
access-list 102 deny   ip any host 192.168.105.24
access-list 102 deny   ip any host 192.168.105.25
access-list 102 deny   ip any host 192.168.105.26
access-list 102 deny   ip any host 192.168.105.27
access-list 102 deny   ip any host 192.168.105.28
access-list 102 deny   ip any host 192.168.105.29
access-list 102 deny   ip any host 192.168.105.30
access-list 102 deny   ip any host 192.168.105.31
access-list 102 deny   ip any host 192.168.105.32
access-list 102 deny   ip any host 192.168.105.33
access-list 102 deny   ip any host 192.168.105.34
access-list 102 deny   ip any host 192.168.105.35
access-list 102 deny   ip any host 192.168.105.36
access-list 102 deny   ip any host 192.168.105.37
access-list 102 deny   ip any host 192.168.105.38
access-list 102 deny   ip any host 192.168.105.39
access-list 102 deny   ip any host 192.168.105.40
access-list 102 deny   ip any host 192.168.105.41
access-list 102 deny   ip any host 192.168.105.42
access-list 102 deny   ip any host 192.168.105.43
access-list 102 deny   ip any host 192.168.105.44
access-list 102 deny   ip any host 192.168.105.45
access-list 102 deny   ip any host 192.168.105.46
access-list 102 deny   ip any host 192.168.105.47
access-list 102 deny   ip any host 192.168.105.48
access-list 102 deny   ip any host 192.168.105.49
access-list 102 deny   ip any host 192.168.105.50
access-list 102 deny   ip any host 192.168.105.51
access-list 102 deny   ip any host 192.168.105.52
access-list 102 deny   ip any host 192.168.105.53
access-list 102 deny   ip any host 192.168.105.54
access-list 102 deny   ip any host 192.168.105.55
access-list 102 deny   ip any host 192.168.105.56
access-list 102 deny   ip any host 192.168.105.57
access-list 102 deny   ip any host 192.168.105.58
access-list 102 deny   ip any host 192.168.105.59
access-list 102 deny   ip any host 192.168.105.60
access-list 102 deny   ip any host 192.168.105.61
access-list 102 deny   ip any host 192.168.105.62
access-list 102 deny   ip any host 192.168.105.63
access-list 102 deny   ip any host 192.168.105.64
access-list 102 deny   ip any host 192.168.105.65
access-list 102 deny   ip any host 192.168.105.66
access-list 102 deny   ip any host 192.168.105.67
access-list 102 deny   ip any host 192.168.105.68
access-list 102 deny   ip any host 192.168.105.69
access-list 102 deny   ip any host 192.168.105.70
access-list 102 deny   ip any host 192.168.105.71
access-list 102 deny   ip any host 192.168.105.72
access-list 102 deny   ip any host 192.168.105.73
access-list 102 deny   ip any host 192.168.105.74
access-list 102 deny   ip any host 192.168.105.75
access-list 102 deny   ip any host 192.168.105.76
access-list 102 deny   ip any host 192.168.105.77
access-list 102 deny   ip any host 192.168.105.78
access-list 102 deny   ip any host 192.168.105.79
access-list 102 deny   ip any host 192.168.105.80
access-list 102 deny   ip any host 192.168.105.81
access-list 102 deny   ip any host 192.168.105.82
access-list 102 deny   ip any host 192.168.105.83
access-list 102 deny   ip any host 192.168.105.84
access-list 102 deny   ip any host 192.168.105.85
access-list 102 deny   ip any host 192.168.105.86
access-list 102 deny   ip any host 192.168.105.87
access-list 102 deny   ip any host 192.168.105.88
access-list 102 deny   ip any host 192.168.105.89
access-list 102 deny   ip any host 192.168.105.90
access-list 102 deny   ip any host 192.168.105.91
access-list 102 deny   ip any host 192.168.105.92
access-list 102 deny   ip any host 192.168.105.93
access-list 102 deny   ip any host 192.168.105.94
access-list 102 deny   ip any host 192.168.105.95
access-list 102 deny   ip any host 192.168.105.96
access-list 102 deny   ip any host 192.168.105.97
access-list 102 deny   ip any host 192.168.105.98
access-list 102 deny   ip any host 192.168.105.99
access-list 102 deny   ip any host 192.168.105.100
access-list 102 permit ip 192.168.100.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.100.0 0.0.0.255 host 10.100.100.44
access-list 105 permit tcp any any established
access-list 105 permit udp any any
access-list 105 permit ip 192.168.105.0 0.0.0.255 any
access-list 105 deny   ip any any log
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end
Top Expert 2009
Commented:
Access-list 105 is blocking it outbound on the LAN interface.

Add this:

conf t
ip access-list ext 105
no deny ip any any log
permit tcp any host 192.168.100.110 eq 5000
deny ip any any log
Istvan Kalmar, Head of IT Security Division
Top Expert 2010
Commented:
Hi,

you need:

conf t
ip access-list extended 105
5 permit tcp any host 192.168.100.110 eq 5000
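A first-match model of ACL 105, added here as an example (it is not code from the thread, from Cisco, or from either answerer), to show why the posted ACL drops the translated inbound SYN for 192.168.100.110:5000 on its way out of Ethernet0, and that both fixes above (re-appending the deny after a new permit, or inserting the permit at sequence 5) let it through while still dropping other unsolicited connections. It parses only the ACE syntax this thread uses; the client address 198.51.100.7 and the port numbers in the packets are constructed.

```python
import ipaddress


def parse_ace(line):
    """Parse one ACE ('access-list 105 ...' or a named-ACL line with a sequence number)."""
    tok = line.split()
    if tok[0] == "access-list":  # numbered form: drop 'access-list <n>'
        tok = tok[2:]
    elif tok[0].isdigit():  # named-ACL form: drop the sequence number
        tok = tok[1:]
    ace = {"action": tok[0], "proto": tok[1]}
    i = 2
    for side in ("src", "dst"):
        if tok[i] == "any":
            ace[side], i = None, i + 1
        elif tok[i] == "host":
            ace[side], i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
        else:  # 'A.B.C.D WILDCARD': ipaddress accepts a hostmask after '/'
            ace[side], i = ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}"), i + 2
        ace[side + "_port"] = None
        if i < len(tok) and tok[i] == "eq":
            ace[side + "_port"], i = int(tok[i + 1]), i + 2
    ace["established"] = "established" in tok[i:]  # 'log' does not affect matching
    return ace


def matches(ace, pkt):
    """True when pkt hits this ACE; 'established' needs ACK/RST, so a bare SYN never matches it."""
    if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
        return False
    for side in ("src", "dst"):
        if ace[side] is not None and ipaddress.ip_address(pkt[side]) not in ace[side]:
            return False
        if ace[side + "_port"] is not None and pkt.get(side + "_port") != ace[side + "_port"]:
            return False
    return not ace["established"] or pkt.get("ack", False)


def evaluate(acl_lines, pkt):
    """IOS first-match evaluation, ending in the implicit deny every ACL carries."""
    for line in acl_lines:
        ace = parse_ace(line)
        if matches(ace, pkt):
            return ace["action"]
    return "deny"


# ACL 105 exactly as in the posted configuration (applied 'out' on Ethernet0).
ORIGINAL_105 = [
    "access-list 105 permit tcp any any established",
    "access-list 105 permit udp any any",
    "access-list 105 permit ip 192.168.105.0 0.0.0.255 any",
    "access-list 105 deny   ip any any log",
]
# First answer: drop the final deny, append the permit, re-add the deny.
FIX_APPEND_105 = ORIGINAL_105[:-1] + ["permit tcp any host 192.168.100.110 eq 5000",
                                      "deny ip any any log"]
# Second answer: insert the permit at sequence 5, ahead of every existing line.
FIX_SEQ5_105 = ["5 permit tcp any host 192.168.100.110 eq 5000"] + ORIGINAL_105

# Constructed packets (198.51.100.7 is a documentation address, not from the thread):
# the post-NAT SYN from an outside client, its later ACK, and an unrelated SYN.
INBOUND_SYN = {"proto": "tcp", "src": "198.51.100.7", "src_port": 51515,
               "dst": "192.168.100.110", "dst_port": 5000, "ack": False}
INBOUND_ACK = dict(INBOUND_SYN, ack=True)
OTHER_SYN = dict(INBOUND_SYN, dst_port=3389)
```

The original list permits the ACK (matched by `established`) but denies the SYN, which is exactly the symptom in the question: return traffic for LAN-initiated sessions passes, a new connection from outside does not.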
From the given configuration, it looks like you have the following:

route-map SDM_RMAP_1 permit 1
 match ip address 102

This route map matches the IP address in access list 102. You can either add the IP into the 102 ACL or modify the route-map config to 105.

Best,
Sankar.K

Author

Commented:
I tried the first solution, which worked perfectly! The missing info was that I needed to update the Cisco config via telnet (and not via the SDM GUI) by logging on and then typing en (or enable) and then the commands given in the solution.

Thank you to JFrederick29 who was first (just!) with the solution which worked for me. Some points also to ikalmar who gave a similar solution and Sankar1985 for a speedy response.
