Cisco 887 NAT confusion

Please see code below. My Internet is now working, but my NAT settings are not working as they should. Ports 8456, 80, 443 and 25 are available on all machines, and port 5721 is not available at all, even on the machines it is configured to be open on.
cctrouter01#show config
Using 7834 out of 262136 bytes
!
! Last configuration change at 19:17:49 PCTime Thu Nov 25 2010 by cct
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cctrouter01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$HAts$4NA/VChIXXGxat0776leF0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-241047421
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-241047421
 revocation-check none
 rsakeypair TP-self-signed-241047421
!
!
crypto pki certificate chain TP-self-signed-241047421
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name cctbendigo.com.au
ip name-server 192.168.1.4
ip port-map user-protocol--1 port tcp 8456
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FHK142879H9
!
!
username cct privilege 15 secret 5 $1$iVMt$YFYAjU0830Ww8BPHX5mf8.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 27.32.146.114 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cctbgo
 ppp chap password 7 00100301550958525A
 ppp pap sent-username cctbgo password 7 105A191E5445415F59
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.4 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.7 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.4 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.12 8456 interface Dialer0 8456
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721
ip route 0.0.0.0 0.0.0.0 Dialer0
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.4
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.4
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.12
dialer-list 1 protocol ip permit
no cdp run


!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------


Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.


It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.


username <myuser> privilege 15 secret 0 <mypassword>


Replace <myuser> and <mypassword> with the username and password you
want to use.


-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Asked by Rondog_88
 
khuphucCommented:
Hi, can you please confirm that, from the same network, if you do a telnet 192.168.1.7 5721, the result is open?

0
 
Rondog_88Author Commented:
Using PuTTY, when I attempt to telnet to 192.168.1.7 on 5721 (from 192.168.1.20), the first time it said connection closed. Now, however, nothing: the PuTTY window just hangs.
0
 
Rondog_88Author Commented:
Port 3389 also doesn't work, and neither does 5060.
0
 
djcaponeCommented:
Well, port 5721 is not available because you appear to have forgotten to define it anywhere except in the static translations.

The other ports being available on all machines seems extremely odd, since there are only static NAT translations for specific machines. When you are testing the availability of these ports, are you doing it from inside the network or from outside the network using the public IP? All traffic from within the same subnet should be permitted from what I can tell.
0
 
Rondog_88Author Commented:
Testing from outside the network. 5721 works on my old Netgear modem just fine and nothing has changed on the server; the only change is the default gateway. 5060 is VoIP; I know it doesn't work because my VoIP phone is offline. 3389 is Terminal Services, and that used to work on my old modem too.
0
 
SkykingOHCommented:
I am not sure what you mean by port 25 "is available on all machines". You have not blocked port 25 outbound; you would need an ACL for that.

As far as NAT, you have port 25 mapped from the IP on the Dialer0 interface to 192.168.1.4.

You left off one keyword on the NAT statements, extendable, i.e.:

ip nat inside source static tcp 192.168.1.249 22 207.58.213.6 8022 extendable

0
 
SkykingOHCommented:
Sorry for the double post, you also can test with the following command:

show ip nat translation

0
 
djcaponeCommented:
Hi Skyking,

I made the assumption that he was referring to all those ports being open on all the machines from the outside. As pointed out in my previous post, I cannot imagine this being accurate, as there are only static translations set up for specific machines.

It would be helpful if it can be clarified from what subnets the ports are available on all the machines.
0
 
Rondog_88Author Commented:
djcapone, I am not sure what you mean. The only subnet we are using is 255.255.255.0; we don't have a need for anything bigger.

Sorry SkykingOH I am using the website www.canyouseeme.org to check to see if the ports are showing as open in the outside world.

This is my list of NAT settings:
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 27.32.146.114 25 extendable
ip nat inside source static tcp 192.168.1.7 80 27.32.146.114 80 extendable
ip nat inside source static tcp 192.168.1.4 443 27.32.146.114 443 extendable
ip nat inside source static udp 192.168.1.3 5060 27.32.146.114 5060 extendable
ip nat inside source static tcp 192.168.1.7 5721 27.32.146.114 5721 extendable
ip nat inside source static tcp 192.168.1.12 8456 27.32.146.114 8456 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0

On my old Netgear router I had the same settings. So when I logged onto the server 192.168.1.4 and used canyouseeme.org to check port 25, it would come back as active. But if I tried the same thing on 192.168.1.20 it would appear blocked. However, now I do the same thing and port 25 appears active on both machines. But as you can see, it is clearly only mapped to 192.168.1.4.

Perhaps some more information would help. I use some software called Kaseya that is installed on client computers and makes a connection to my server on my incoming port 5721. Below is my IP translation table. Taking the line "tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4430 203.17.42.115:4430" from the NAT translation, I recognise the remote IP as one of my clients' IPs. But when I check my software, no clients are making the connection.

cctrouter01#show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
udp 27.32.146.114:5060 192.168.1.3:5060   ---                ---
tcp 27.32.146.114:25   192.168.1.4:25     ---                ---
udp 27.32.146.114:123  192.168.1.4:123    207.46.197.32:123  207.46.197.32:123
tcp 27.32.146.114:443  192.168.1.4:443    114.75.201.83:38264 114.75.201.83:38264
tcp 27.32.146.114:443  192.168.1.4:443    114.75.201.83:49040 114.75.201.83:49040
tcp 27.32.146.114:443  192.168.1.4:443    ---                ---
tcp 27.32.146.114:5770 192.168.1.4:5770   66.102.11.100:80   66.102.11.100:80
tcp 27.32.146.114:5771 192.168.1.4:5771   74.125.109.39:80   74.125.109.39:80
udp 27.32.146.114:51400 192.168.1.4:51400 203.12.160.35:53   203.12.160.35:53
tcp 27.32.146.114:80   192.168.1.7:80     ---                ---
tcp 27.32.146.114:5721 192.168.1.7:5721   120.151.100.122:58857 120.151.100.122:58857
tcp 27.32.146.114:5721 192.168.1.7:5721   125.255.127.190:4422 125.255.127.190:4422
tcp 27.32.146.114:5721 192.168.1.7:5721   125.255.127.190:44738 125.255.127.190:44738
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1101 203.17.42.115:1101
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1141 203.17.42.115:1141
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1176 203.17.42.115:1176
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1177 203.17.42.115:1177
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1232 203.17.42.115:1232
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:1535 203.17.42.115:1535
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:2073 203.17.42.115:2073
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:2187 203.17.42.115:2187
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:2188 203.17.42.115:2188
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3236 203.17.42.115:3236
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3237 203.17.42.115:3237
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3458 203.17.42.115:3458
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:3459 203.17.42.115:3459
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4430 203.17.42.115:4430
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4690 203.17.42.115:4690
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:4809 203.17.42.115:4809
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.42.115:24103 203.17.42.115:24103
tcp 27.32.146.114:5721 192.168.1.7:5721   203.17.46.127:1179 203.17.46.127:1179
tcp 27.32.146.114:5721 192.168.1.7:5721   203.45.78.2:59259  203.45.78.2:59259
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1397 210.23.137.90:1397
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1398 210.23.137.90:1398
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1455 210.23.137.90:1455
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1463 210.23.137.90:1463
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1684 210.23.137.90:1684
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1685 210.23.137.90:1685
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:1841 210.23.137.90:1841
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:3349 210.23.137.90:3349
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:3350 210.23.137.90:3350
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:3422 210.23.137.90:3422
tcp 27.32.146.114:5721 192.168.1.7:5721   210.23.137.90:4065 210.23.137.90:4065
tcp 27.32.146.114:5721 192.168.1.7:5721   ---                ---
tcp 27.32.146.114:8456 192.168.1.12:8456  ---                ---
udp 27.32.146.114:8456 192.168.1.12:8456  61.75.67.8:45682   61.75.67.8:45682
udp 27.32.146.114:8456 192.168.1.12:8456  65.34.233.251:21498 65.34.233.251:21498
udp 27.32.146.114:8456 192.168.1.12:8456  95.215.62.5:80     95.215.62.5:80
udp 27.32.146.114:8456 192.168.1.12:8456  95.215.62.26:80    95.215.62.26:80
udp 27.32.146.114:8456 192.168.1.12:8456  189.114.79.5:59436 189.114.79.5:59436
udp 27.32.146.114:51692 192.168.1.20:51692 192.168.8.141:161 192.168.8.141:161
tcp 27.32.146.114:59524 192.168.1.20:59524 66.102.11.83:443  66.102.11.83:443
tcp 27.32.146.114:59576 192.168.1.20:59576 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59577 192.168.1.20:59577 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59578 192.168.1.20:59578 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59579 192.168.1.20:59579 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59580 192.168.1.20:59580 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59581 192.168.1.20:59581 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59582 192.168.1.20:59582 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59583 192.168.1.20:59583 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59584 192.168.1.20:59584 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59585 192.168.1.20:59585 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59586 192.168.1.20:59586 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59587 192.168.1.20:59587 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59588 192.168.1.20:59588 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59589 192.168.1.20:59589 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59590 192.168.1.20:59590 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59591 192.168.1.20:59591 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59592 192.168.1.20:59592 216.219.117.244:443 216.219.117.244:443
tcp 27.32.146.114:59593 192.168.1.20:59593 216.219.118.244:443 216.219.118.244:443
tcp 27.32.146.114:59594 192.168.1.20:59594 216.219.115.250:443 216.219.115.250:443
tcp 27.32.146.114:59595 192.168.1.20:59595 64.74.80.187:443  64.74.80.187:443
tcp 27.32.146.114:59596 192.168.1.20:59596 66.102.11.83:443  66.102.11.83:443
tcp 27.32.146.114:59597 192.168.1.20:59597 203.12.160.185:443 203.12.160.185:443
0
 
djcaponeCommented:
Hi Rondog,

This makes a bit more sense now.

I am unsure why that site would show blocked from a different computer when using a different PC unless the configuration regarding static NAT translation included an additional public IP address.

As your configuration is now, any computer you navigate to canyouseeme.org from on your local network is going to report those ports as being open. This is because no matter what local machine you visit canyouseeme.org from on your local network, the same public IP is going to be scanned. When scanning that public IP, the Cisco configuration you have entered is ALWAYS going to translate the public on port 25 to map to port 25 on 192.168.1.7. This does not mean that the port is open on any other systems; in fact, as I have alluded to in the past, it is impossible to reach this port on the other machines based on your configuration from an external IP address.

The only way that the Netgear could have reported one local machine as blocked and the other as open is if there were additional public IPs set up for PAT and one-to-one NAT. When looking at canyouseeme.org, take note of the "your IP" listed and see how it differs with the Netgear.

I also recommend removing much of your last post to prevent the posting of your public IP on a public internet forum.

0
 
Rondog_88Author Commented:
Hi djcapone,

I didn't know you could edit posts. That still doesn't explain and allow access to port 5721 :)

Do you have any thoughts on this?
0
 
djcaponeCommented:
Hi Rondog,

There may be a time limit on edits, but I thought there was a way to do it, but I may be wrong.

As mentioned in my initial post, I do not see where in the config you defined allowing traffic on port 5721.

You set up the static translations; however, in your class-maps/access-lists, port 5721 is not defined anywhere.
0
 
Rondog_88Author Commented:
Hi djcapone, sorry about that. I consider myself reasonable at basic networking, but this Cisco is an entirely new level for me, so I'm learning as quickly as I can. I understand what you mean now when you say not defined.

Please see new config below:

Building configuration...

Current configuration : 9581 bytes
!
! Last configuration change at 09:24:52 PCTime Sat Nov 27 2010 by cct
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cctrouter01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
logging console critical
enable secret 5 $1$HasfasfasGxat0776leF0
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-241047421
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-241047421
 revocation-check none
 rsakeypair TP-self-signed-241047421
!
!
crypto pki certificate chain TP-self-signed-241047421
 certificate self-signed 01
        quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name cctbendigo.com.au
ip name-server 192.168.1.4
ip port-map user-protocol--1 port tcp 8456
ip port-map user-kaseya port tcp 5721
ip inspect log drop-pkt
no ipv6 cef
!
!
license udi pid CISCO887-K9 sn FHK142879H9
!
!
username cct privilege 15 secret 5 $1$iVMt$asfdasb8BPHX5mf8.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-any Kaseya
 match protocol user-kaseya
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map Kaseya
 match access-group name Kaseya
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  pass
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 ip flow ingress
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address 27.xx.xx.114 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname cctbgo
 ppp chap password 7 0011235453658525A
 ppp pap sent-username c*****o password 7 105A3245D5415F59
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.4 25 27.32.146.114 25 extendable
ip nat inside source static tcp 192.168.1.7 80 27.32.146.114 80 extendable
ip nat inside source static tcp 192.168.1.4 443 27.32.146.114 443 extendable
ip nat inside source static udp 192.168.1.3 5060 27.32.146.114 5060 extendable
ip nat inside source static tcp 192.168.1.7 5721 27.32.146.114 5721 extendable
ip nat inside source static tcp 192.168.1.12 8456 27.32.146.114 8456 extendable
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended Kaseya
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.7
!
logging trap debugging
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.4
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.7
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.4
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.12
access-list 105 remark CCP_ACL Category=2
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
0
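A small checker, added here and not code from the thread, that makes djcapone's point mechanical: it parses IOS config text for the static NAT lines, port-maps, ACLs, inspect class-maps and the policy applied to the out-zone to in-zone pair, and reports the ZBF action each forwarded port will receive from the outside. SAMPLE is a constructed cut-down of the corrected config above (the class name kaseya-in is made up); feeding audit() the full show running-config text gives the complete picture.

```python
"""Check a Cisco IOS zone-based firewall (ZBF) config: a static port forward
only reaches its inside host if a non-drop class in the outside->inside
zone-pair policy also matches it.  Added example, not from the thread."""
from collections import defaultdict

BUILTIN_PORTS = {"http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25)}


def parse(config):
    cfg = {"portmaps": dict(BUILTIN_PORTS), "acls": defaultdict(set), "classes": {},
           "policies": defaultdict(list), "zonepairs": {}, "statics": []}
    ctx = cur = None                       # current config block / current policy class
    for line in (ln for ln in config.splitlines() if ln.strip()):
        t = line.split()
        if not line.startswith(" "):       # an unindented command starts a new block
            ctx = None
            if t[:2] == ["ip", "port-map"]:                  # ip port-map NAME port tcp N
                cfg["portmaps"][t[2]] = (t[4], int(t[5]))
            elif t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
                cfg["statics"].append((t[5], t[6], int(t[7])))
            elif t[0] == "access-list" and "host" in t:      # access-list N permit ip any host H
                cfg["acls"][t[1]].add(t[t.index("host") + 1])
            elif t[:3] == ["ip", "access-list", "extended"]:
                ctx = ("acl", t[3])
            elif t[:3] == ["class-map", "type", "inspect"]:  # t[3] is match-all or match-any
                cfg["classes"][t[4]] = {"mode": t[3][6:], "proto": set(), "acl": set(), "cls": set()}
                ctx = ("cls", t[4])
            elif t[:3] == ["policy-map", "type", "inspect"]:
                ctx = ("pol", t[3])
            elif t[:2] == ["zone-pair", "security"]:         # ... source SRC destination DST
                ctx = ("zp", (t[4], t[6]))
            continue
        kind, name = ctx or (None, None)
        if kind == "acl" and t[0] == "permit" and "host" in t:
            cfg["acls"][name].add(t[t.index("host") + 1])
        elif kind == "cls" and t[0] == "match":
            key = {"protocol": "proto", "access-group": "acl", "class-map": "cls"}.get(t[1])
            if key:                        # t[-1] also covers "match access-group name X"
                cfg["classes"][name][key].add(t[-1])
        elif kind == "pol":
            if t[0] == "class":            # "class type inspect X" or "class class-default"
                cur = [t[-1], None]
                cfg["policies"][name].append(cur)
            elif cur is not None:          # action line: inspect / pass / drop [log]
                cur[1] = t[0]
        elif kind == "zp" and t[0] == "service-policy":
            cfg["zonepairs"][name] = t[-1]
    return cfg


def class_matches(cfg, cname, proto, host, port):
    c = cfg["classes"].get(cname)
    if c is None:
        return False
    checks = [cfg["portmaps"].get(p) == (proto, port) or p == proto for p in c["proto"]]
    checks += [host in cfg["acls"].get(a, set()) for a in c["acl"]]
    checks += [class_matches(cfg, sub, proto, host, port) for sub in c["cls"]]
    return bool(checks) and (all(checks) if c["mode"] == "all" else any(checks))


def audit(config, outside="out-zone", inside="in-zone"):
    """Return {(proto, inside_host, port): ZBF action} for every static NAT entry."""
    cfg = parse(config)
    classes = cfg["policies"].get(cfg["zonepairs"].get((outside, inside)), [])
    classes = sorted(classes, key=lambda c: c[0] == "class-default")  # IOS checks it last
    report = {}
    for proto, host, port in cfg["statics"]:
        action = "drop"                    # no policy on the zone-pair: ZBF drops the flow
        for cname, act in classes:
            if cname == "class-default" or class_matches(cfg, cname, proto, host, port):
                action = act or "drop"
                break
        report[(proto, host, port)] = action
    return report


# Constructed, cut-down version of the corrected config in the thread: 5721 has a
# port-map, ACL and pass class; 3389 has only the NAT line, so ZBF drops it.
SAMPLE = """\
ip port-map user-kaseya port tcp 5721
ip access-list extended Kaseya
 permit ip any host 192.168.1.7
class-map type inspect match-all kaseya-in
 match protocol user-kaseya
 match access-group name Kaseya
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect kaseya-in
  pass
 class class-default
  drop
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip nat inside source static tcp 192.168.1.7 5721 interface Dialer0 5721
ip nat inside source static tcp 192.168.1.4 3389 interface Dialer0 3389
"""
```

audit(SAMPLE) reports 5721 as pass and 3389 as drop, which is why 3389 still needs its own port-map, ACL, class-map and policy entry. Note that pass is stateless in ZBF; inspect, as used for the other forwards, is the usual choice.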
 
djcaponeCommented:
Hi Rondog,

Do you have a Netgear Wireless router somewhere in the mix that may actually be filtering these ports?  
0
 
djcaponeCommented:
Well 5721 appears to be open now.

Add 3389 and 5060 in the same manner and you should be good to go.

Is it safe to assume that you are using CCP to configure this device?
0
 
Rondog_88Author Commented:
The servers in question aren't behind the Netgear. The network is laid out:

Internet->Cisco 887-switch-servers
                                    L old netgear adsl modem router used as access point

5060 is working already for some reason. I am able to make and receive VoIP calls.

I'll attempt with port 3389 and let you know.
0
 
Rondog_88Author Commented:
Excellent. Thank you so very much. You have really helped me out. 5721 is working and so is 3389.

One last issue I have discovered: I connect to a client of mine using a VPN connection to a Snapgear router on their end. I have a PPTP connection using Windows on my end.

It gets to the point of verifying username and password, then drops out after 1 minute. After a Google search I have found out it needs to be enabled; I would like to do this without opening up too much.

Also: as it's currently configured, is my router secure, or is there anything that needs to be tightened up?
0
 
djcaponeCommented:
You're welcome.

2 things to check.

In the class map, ccp-cls-insp-traffic

add the pptp protocol to the inspection engine.

Additionally you may need to open port 1723.

If this does not work, you may want to consider opening a new question for the new problem so additional experts with more familiarity with PPTP respond.  I almost exclusively deal with IPSec and SSL VPNs.
0
 
Rondog_88Author Commented:
And just to be difficult, what commands would I use to achieve that :)
0
 
djcaponeCommented:
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
0
 
Rondog_88Author Commented:
Thank you very much; if that doesn't work I'll open a new question.
0
