Solved

Cisco 887 NAT confusion

Posted on 2010-11-25
21
2,052 Views
Last Modified: 2012-05-10
Please see the config below. My Internet is now working, but my NAT settings are not working as they should. Ports 8456, 80, 443 and 25 are available on all machines, and port 5721 is not available at all, even on the machines it is configured to be open on.
cctrouter01#show config

Using 7834 out of 262136 bytes

!
! Last configuration change at 19:17:49 PCTime Thu Nov 25 2010 by cct
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cctrouter01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$HAts$4NA/VChIXXGxat0776leF0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-241047421
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-241047421
 revocation-check none
 rsakeypair TP-self-signed-241047421
!
!
crypto pki certificate chain TP-self-signed-241047421
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name cctbendigo.com.au
ip name-server 192.168.1.4
ip port-map user-protocol--1 port tcp 8456
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FHK142879H9
!
!
username cct privilege 15 secret 5 $1$iVMt$YFYAjU0830Ww8BPHX5mf8.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 27.32.146.114 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cctbgo
 ppp chap password 7 00100301550958525A
 ppp pap sent-username cctbgo password 7 105A191E5445415F59
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.4 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.7 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.12 8456 interface Dialer0 8456
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.4
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.4
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.12
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

0
Question by:Rondog_88
21 Comments
 
LVL 3

Expert Comment

by:khuphuc
ID: 34212046
Hi, can you please confirm that, from a machine on the same network, if you do a telnet 192.168.1.7 5721, the result is open?

0
 

Author Comment

by:Rondog_88
ID: 34212175
Using PuTTY, when I attempt to telnet to 192.168.1.7 on 5721 (from 192.168.1.20), the first time it said connection closed. Now, however, nothing; the PuTTY window just hangs.
0
 

Author Comment

by:Rondog_88
ID: 34212183
Port 3389 also doesn't work and neither does 5060.
0
 
LVL 6

Expert Comment

by:djcapone
ID: 34212307
Well, port 5721 is not available because you appear to have forgotten to define it anywhere except in the static translations.

The other ports being available on all machines seems extremely odd, since there are only static NAT translations for specific machines. When you test the availability of these ports, are you doing it from inside the network or from outside the network using the public IP? All traffic from within the same subnet should be permitted from what I can tell.
0
 

Author Comment

by:Rondog_88
ID: 34212424
Testing from outside the network. 5721 works on my old Netgear modem just fine and nothing has changed on the server; the only change is the default gateway. 5060 is VoIP; I know it doesn't work because my VoIP phone is offline. 3389 is Terminal Services and that used to work on my old modem too.
0
 
LVL 6

Expert Comment

by:SkykingOH
ID: 34218512
I am not sure what you mean by port 25 "is available on all machines". You have not blocked port 25 outbound; you would need an ACL for that.

As far as NAT, you have port 25 mapped from the IP on the Dialer0 interface to 192.168.1.4

You left off one keyword on the NAT statements, extendable, i.e.:

ip nat inside source static tcp 192.168.1.249 22 207.58.213.6 8022 extendable

0
 
LVL 6

Expert Comment

by:SkykingOH
ID: 34218515
Sorry for the double post, you also can test with the following command:

show ip nat translation

0
 
LVL 6

Expert Comment

by:djcapone
ID: 34219175
Hi Skyking,

I made the assumption that he was referring to all those ports being open on all the machines from the outside. As pointed out in my previous post, I cannot imagine this being accurate as there are only static translations set up for specific machines.

It would be helpful if it can be clarified from what subnets the ports are available on all the machines.
0
 

Author Comment

by:Rondog_88
ID: 34219384
djcapone, I am not sure what you mean. The only subnet we are using is 255.255.255.0; we don't have a need for anything bigger.

Sorry SkykingOH I am using the website www.canyouseeme.org to check to see if the ports are showing as open in the outside world.

This is my list of NAT settings:
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 27.32.146.114 25 extendable
ip nat inside source static tcp 192.168.1.7 80 27.32.146.114 80 extendable
ip nat inside source static tcp 192.168.1.4 443 27.32.146.114 443 extendable
ip nat inside source static udp 192.168.1.3 5060 27.32.146.114 5060 extendable
ip nat inside source static tcp 192.168.1.7 5721 27.32.146.114 5721 extendable
ip nat inside source static tcp 192.168.1.12 8456 27.32.146.114 8456 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0

On my old Netgear router I had the same settings. So when I logged onto the server 192.168.1.4 and used canyouseeme.org to check port 25, it would come back as active. But if I tried the same thing on 192.168.1.20 it would appear blocked. However, now I do the same thing and port 25 appears active on both machines. But as you can see, it is clearly only mapped to 192.168.1.4.

Perhaps some more information would help. I use some software called Kaseya that is installed on client computers and makes a connection to my server on my incoming port 5721. Below is my IP translation table. Taking the line "tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4430 203.17.42.115:4430" from the NAT translations, I recognise the remote IP as one of my clients' IPs. But when I check my software, no clients are making the connection.

cctrouter01#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
udp 27.32.146.114:5060 192.168.1.3:5060   ---                ---
tcp 27.32.146.114:25   192.168.1.4:25     ---                ---
udp 27.32.146.114:123  192.168.1.4:123    207.46.197.32:123  207.46.197.32:123
tcp 27.32.146.114:443  192.168.1.4:443    114.75.201.83:38264 114.75.201.83:38264
tcp 27.32.146.114:443  192.168.1.4:443    114.75.201.83:49040 114.75.201.83:49040
tcp 27.32.146.114:443  192.168.1.4:443    ---                ---
tcp 27.32.146.114:5770 192.168.1.4:5770   66.102.11.100:80   66.102.11.100:80
tcp 27.32.146.114:5771 192.168.1.4:5771   74.125.109.39:80   74.125.109.39:80
udp 27.32.146.114:51400 192.168.1.4:51400 203.12.160.35:53   203.12.160.35:53
tcp 27.32.146.114:80   192.168.1.7:80     ---                ---
tcp 27.32.146.114:5721 192.168.1.7:5721   120.151.100.122:58857 120.151.100.122:58857
tcp 27.32.146.114:5721 192.168.1.7:5721   125.255.127.190:4422 125.255.127.190:4422
tcp 27.32.146.114:5721 192.168.1.7:5721   125.255.127.190:44738 125.255.127.190:44738
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1101 203.17.42.115:1101
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1141 203.17.42.115:1141
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1176 203.17.42.115:1176
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1177 203.17.42.115:1177
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1232 203.17.42.115:1232
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1535 203.17.42.115:1535
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:2073 203.17.42.115:2073
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:2187 203.17.42.115:2187
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:2188 203.17.42.115:2188
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3236 203.17.42.115:3236
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3237 203.17.42.115:3237
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3458 203.17.42.115:3458
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3459 203.17.42.115:3459
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4430 203.17.42.115:4430
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4690 203.17.42.115:4690
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4809 203.17.42.115:4809
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:24103 203.17.42.115:24103
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.46.127:1179 203.17.46.127:1179
tcp 27.32.146.114:5721 192.168.1.7:5721   203.45.78.2:59259  203.45.78.2:59259
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1397 210.23.137.90:1397
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1398 210.23.137.90:1398
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1455 210.23.137.90:1455
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1463 210.23.137.90:1463
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1684 210.23.137.90:1684
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1685 210.23.137.90:1685
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1841 210.23.137.90:1841
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:3349 210.23.137.90:3349
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:3350 210.23.137.90:3350
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:3422 210.23.137.90:3422
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:4065 210.23.137.90:4065
tcp 27.32.146.114:5721 192.168.1.7:5721   ---                ---
tcp 27.32.146.114:8456 192.168.1.12:8456  ---                ---
udp 27.32.146.114:8456 192.168.1.12:8456  61.75.67.8:45682   61.75.67.8:45682
udp 27.32.146.114:8456 192.168.1.12:8456  65.34.233.251:21498 65.34.233.251:21498
udp 27.32.146.114:8456 192.168.1.12:8456  95.215.62.5:80     95.215.62.5:80
udp 27.32.146.114:8456 192.168.1.12:8456  95.215.62.26:80    95.215.62.26:80
udp 27.32.146.114:8456 192.168.1.12:8456  189.114.79.5:59436 189.114.79.5:59436
udp 27.32.146.114:51692 192.168.1.20:51692 192.168.8.141:161 192.168.8.141:161
tcp 27.32.146.114:59524 192.168.1.20:59524 66.102.11.83:443  66.102.11.83:443
tcp 27.32.146.114:59576 192.168.1.20:59576 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59577 192.168.1.20:59577 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59578 192.168.1.20:59578 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59579 192.168.1.20:59579 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59580 192.168.1.20:59580 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59581 192.168.1.20:59581 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59582 192.168.1.20:59582 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59583 192.168.1.20:59583 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59584 192.168.1.20:59584 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59585 192.168.1.20:59585 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59586 192.168.1.20:59586 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59587 192.168.1.20:59587 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59588 192.168.1.20:59588 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59589 192.168.1.20:59589 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59590 192.168.1.20:59590 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59591 192.168.1.20:59591 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59592 192.168.1.20:59592 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59593 192.168.1.20:59593 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59594 192.168.1.20:59594 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59595 192.168.1.20:59595 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59596 192.168.1.20:59596 66.102.11.83:443  66.102.11.83:443
tcp 27.32.146.114:59597 192.168.1.20:59597 203.12.160.185:443 203.12.160.185:443
0
 
LVL 6

Expert Comment

by:djcapone
ID: 34219625
Hi Rondog,

This makes a bit more sense now.

I am unsure why that site would show blocked from a different computer when using a different PC unless the configuration regarding static NAT translation included an additional public IP address.

As your configuration is now, any computer you navigate to canyouseeme.org from on your local network is going to report those ports as being open. This is because no matter what local machine you visit canyouseeme.org from on your local network, the same public IP is going to be scanned. When scanning that public IP, the Cisco configuration you have entered is ALWAYS going to translate the public on port 25 to map to port 25 on 192.168.1.7. This does not mean that the port is open on any other systems; in fact, as I have alluded to in the past, it is impossible to reach this port on the other machines based on your configuration from an external IP address.

The only way that the Netgear could have reported one local machine as blocked and the other as open is if there were additional public IPs set up for PAT and one-to-one NAT. When looking at canyouseeme.org, take note of the "your IP" listed and see how it differs with the Netgear.

I also recommend removing much of your last post to prevent the posting of your public IP on a public internet forum.

0
 

Author Comment

by:Rondog_88
ID: 34219805
Hi djcapone,

I didn't know you could edit posts. That still doesn't explain and allow access to port 5721 :)

Do you have any thoughts on this?
0
 
LVL 6

Expert Comment

by:djcapone
ID: 34219930
Hi Rondog,

There may be a time limit on edits, but I thought there was a way to do it, but I may be wrong.

As mentioned in my initial post, I do not see where in the config you defined allowing traffic on port 5721.

You set up the static translations; however, in your class-maps/access-lists, port 5721 is not defined anywhere.
0
 

Author Comment

by:Rondog_88
ID: 34220241
Hi djcapone, sorry about that. I consider myself reasonable at basic networking, but this Cisco is an entirely new level for me, so I'm learning as quickly as I can. I understand now what you mean when you say not defined.

Please see new config below:

Building configuration...

Current configuration : 9581 bytes
!
! Last configuration change at 09:24:52 PCTime Sat Nov 27 2010 by cct
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cctrouter01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$HasfasfasGxat0776leF0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-241047421
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-241047421
 revocation-check none
 rsakeypair TP-self-signed-241047421
!
!
crypto pki certificate chain TP-self-signed-241047421
 certificate self-signed 01
        quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name cctbendigo.com.au
ip name-server 192.168.1.4
ip port-map user-protocol--1 port tcp 8456
ip port-map user-kaseya port tcp 5721
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FHK142879H9
!
!
username cct privilege 15 secret 5 $1$iVMt$asfdasb8BPHX5mf8.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-any Kaseya
 match protocol user-kaseya
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map Kaseya
 match access-group name Kaseya
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  pass
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 27.xx.xx.114 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cctbgo
 ppp chap password 7 0011235453658525A
 ppp pap sent-username c*****o password 7 105A3245D5415F59
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 27.32.146.114 25 extendable
ip nat inside source static tcp 192.168.1.7 80 27.32.146.114 80 extendable
ip nat inside source static tcp 192.168.1.4 443 27.32.146.114 443 extendable
ip nat inside source static udp 192.168.1.3 5060 27.32.146.114 5060 extendable
ip nat inside source static tcp 192.168.1.7 5721 27.32.146.114 5721 extendable
ip nat inside source static tcp 192.168.1.12 8456 27.32.146.114 8456 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Kaseya
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.7
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.4
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.4
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.12
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
0
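The diagnosis in this thread (a static NAT entry on its own forwards nothing through this router, because the outside-to-inside zone-pair policy must also contain a class that inspects or passes that inside host and port) can be checked mechanically against a config dump. The script below is an added example, not code from the thread or from Cisco: it parses IOS-style config text, flattens the class-maps referenced by the `sdm-pol-NATOutsideToInside-1` policy-map into (host, port) allowances (match-all intersects its lines, match-any unions them, nested `match class-map` is resolved recursively), and lists every `ip nat inside source static` entry that no inspect/pass class covers. The two embedded configs are constructed, trimmed copies of the author's first and second configs; the protocol-to-port table is a small constructed one; and the checker ignores zone membership, TCP versus UDP, and ACL entries other than `permit ip any host`.

```python
import re
from itertools import product

# Ports for named protocols: a small constructed table; `ip port-map` lines extend it.
WELL_KNOWN = {"http": 80, "https": 443, "smtp": 25}

# Constructed sample trimmed from the first config: 3389 and 5721 have a
# static NAT entry but no class in the outside-to-inside policy-map.
SAMPLE_CONFIG = """\
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-https-1
  inspect
 class class-default
  drop
ip nat inside source static tcp 192.168.1.4 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721
access-list 101 permit ip any host 192.168.1.4
"""

# The same config plus the Kaseya port-map, class-maps, named ACL and `pass`
# class that the author added in the second config.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " class class-default\n",
    " class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1\n  pass\n"
    " class class-default\n",
) + """\
ip port-map user-kaseya port tcp 5721
class-map type inspect match-any Kaseya
 match protocol user-kaseya
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map Kaseya
 match access-group name Kaseya
ip access-list extended Kaseya
 permit ip any host 192.168.1.7
"""

def _blocks(cfg, header_re):
    """Each block = the header's regex groups + its space-indented child lines."""
    pat = re.compile(header_re + r"\n((?: .*\n?)*)", re.M)
    return [(*m.groups()[:-1], [l.strip() for l in m.groups()[-1].splitlines()])
            for m in pat.finditer(cfg)]

def _acl_hosts(cfg, acl):
    """Hosts permitted by a numbered or named ACL via 'permit ip any host H'."""
    hosts = set(re.findall(rf"^access-list {acl} permit ip any host (\S+)", cfg, re.M))
    for (body,) in _blocks(cfg, rf"^ip access-list extended {acl}$"):
        hosts.update(l.split()[-1] for l in body if l.startswith("permit ip any host "))
    return hosts

def _and(a, b):  # intersect two (hosts, ports) constraints; None = unconstrained
    hosts = a[0] if b[0] is None else b[0] if a[0] is None else a[0] & b[0]
    ports = a[1] if b[1] is None else b[1] if a[1] is None else a[1] & b[1]
    ok = (hosts is None or hosts) and (ports is None or ports)
    return (hosts, ports) if ok else None  # None: match-all that can never match

def _class_rules(cfg, classes, name, ports):
    """Flatten a class-map into a list of (hosts|None, ports|None) alternatives."""
    mode, body = classes.get(name, ("match-any", []))
    per_line = []
    for line in body:
        if line.startswith("match protocol "):
            p = line.split()[-1]  # tcp/udp = any port; unknown app protocols = no port
            per_line.append([(None, None if p in ("tcp", "udp")
                              else {ports[p]} if p in ports else set())])
        elif line.startswith("match access-group "):
            per_line.append([(_acl_hosts(cfg, line.split()[-1]), None)])
        elif line.startswith("match class-map "):
            per_line.append(_class_rules(cfg, classes, line.split()[-1], ports))
    if mode == "match-any":  # union of the alternatives
        return [r for rules in per_line for r in rules]
    combined = [(None, None)]  # match-all: intersect them
    for rules in per_line:
        combined = [r for r in (_and(a, b) for a, b in product(combined, rules)) if r]
    return combined

def unprotected_forwards(cfg):
    """Static NAT entries whose inside host:port no out->in class inspects or passes."""
    ports = dict(WELL_KNOWN)
    for name, _, num in re.findall(r"^ip port-map (\S+) port (tcp|udp) (\d+)", cfg, re.M):
        ports[name] = int(num)
    classes = {name: (mode, body) for mode, name, body in
               _blocks(cfg, r"^class-map type inspect (match-any|match-all) (\S+)$")}
    allowed, current = [], None
    for _, body in _blocks(cfg, r"^policy-map type inspect (\S*NATOutsideToInside\S*)$"):
        for line in body:
            if line.startswith("class "):
                current = line.split()[-1]  # a class name, or 'class-default'
            elif line in ("inspect", "pass") and current:
                allowed.extend([(None, None)] if current == "class-default"
                               else _class_rules(cfg, classes, current, ports))
    nat = re.findall(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) ", cfg, re.M)
    return [(proto, host, int(port)) for proto, host, port in nat
            if not any((h is None or host in h) and (p is None or int(port) in p)
                       for h, p in allowed)]
```

Feed it the text of `show running-config` instead of the embedded samples; on the first config it reports 3389 and 5721 (and, in the full config, 5060) as forwarded but uncovered, and on the second config only the ports that still lack a class. The interesting part of the design is that the firewall matches on application protocol names and ACL host entries, not on port numbers directly, so the check has to resolve `ip port-map` and ACL references before it can compare anything with a NAT line.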
 
LVL 6

Expert Comment

by:djcapone
ID: 34220855
Hi Rondog,

Do you have a Netgear Wireless router somewhere in the mix that may actually be filtering these ports?  
0
 
LVL 6

Accepted Solution

by:
djcapone earned 125 total points
ID: 34220875
Well 5721 appears to be open now.

Add 3389 and 5060 in the same manner and you should be good to go.

Is it safe to assume that you are using CCP to configure this device?
0
 

Author Comment

by:Rondog_88
ID: 34223565
The servers in question aren't behind the Netgear. The network is laid out:

Internet->Cisco 887-switch-servers
                                    L old Netgear ADSL modem router used as access point

5060 is working already for some reason. I am able to make and receive VoIP calls.

I'll attempt with port 3389 and let you know.
0
 

Author Comment

by:Rondog_88
ID: 34223872
Excellent. Thank you so very much. You have really helped me out. 5721 is working and so is 3389.

One last issue I have discovered, I connect to a client of mine using a VPN connection to a Snapgear router on their end. I have a PPTP connection using Windows on my end.

It gets to the point of verifying username and password, then drops out after 1 minute. After a Google search I have found out it needs to be enabled; I would like to do this without opening up too much.

Also: how it's currently configured, is my router secure or is there anything that needs to be tightened up?
0
 
LVL 6

Expert Comment

by:djcapone
ID: 34224074
You're welcome.

2 things to check.

In the class map, ccp-cls-insp-traffic

add the pptp protocol to the inspection engine.

Additionally you may need to open port 1723.

If this does not work, you may want to consider opening a new question for the new problem so additional experts with more familiarity with PPTP respond.  I almost exclusively deal with IPSec and SSL VPNs.
0
 

Author Comment

by:Rondog_88
ID: 34224078
And just to be difficult, what commands would I use to achieve that :)
0
 
LVL 6

Expert Comment

by:djcapone
ID: 34225048
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
0
 

Author Comment

by:Rondog_88
ID: 34225079
Thank you very much, if that doesnt work I'll open a new question.
0
