871 Port Forwarding

gooberpea
I have a Cisco 871 and I am trying to gain access to a second RD server.  The first one is on port 3389 and I need the second one on port 3390.  I can access the server from an internal address, but not an external address.  I am fairly sure I have the NAT set up OK.  I am not sure, but I think my issue is in the firewall settings.  I am having the same trouble with getting port 8000 open to the phone box from a specific IP.  I am an extreme novice and know nothing.  So be gentle with me and do the step by step.  Anyway, I have included the config (I hope I have taken out the passwords but left the juicy parts in).  Thanks


version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ***
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ***
!
no aaa new-model
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3367467111
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3367467111
 revocation-check none
 rsakeypair TP-self-signed-3367467111
!
!
crypto pki certificate chain TP-self-signed-3367467111
 certificate self-signed 01
  ********
  quit
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool wireless
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 192.168.2.1 24.25.5.60
   lease 0 2
!
!
ip port-map user-protocol--1 port tcp 3389
ip inspect log drop-pkt
no ip bootp server
no ip domain lookup
ip domain name zsr.org
!
!
!
username Mark privilege 15 secret 5 ****.
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 106
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any PhoneTech
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map PhoneTech
 match access-group 108
class-map type inspect match-any PhoneTech1
 match class-map PhoneTech
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
 match class-map PhoneTech1
 match access-group 107
class-map type inspect match-all sdm-nat-isakmp-1
 match access-group 104
 match protocol isakmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 105
 match protocol pptp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-1
 match access-group 102
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-isakmp-1
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
  pass
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
interface FastEthernet0
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 24.199.175.222 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.7 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description wireless guest
 ip address 192.168.2.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 24.199.175.221
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 25 interface FastEthernet4 25
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.1.235 8000 24.199.175.222 8000 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.199.175.220 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.5
access-list 107 remark CCP_ACL Category=128
access-list 107 permit ip host 68.143.170.9 host 192.168.1.235
access-list 108 remark CCP_ACL Category=128
access-list 108 permit ip host 68.143.170.9 host 192.168.1.235
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you
want to use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Commented:
You redirect port 3390 to 3390; the default RDP port is 3389, so you must redirect outside 3390 to 3389 on the inside.
Or change the default RDP port on the server: http://support.microsoft.com/kb/306759

Author

Commented:
Here is some more info.  I have one RD server in place on IP 192.168.1.5.  It is being replaced by the new server on 192.168.1.10.  Until the new server is fully tested I need to have both servers up and running.  I have set the new server to listen on port 3390 and it does work internally.  The old server is listening on port 3389 and works well.  So directing traffic using port 3389 would not get me to the new server.  So the new server is listening on 3390, and when I attempt to remote in I use IP:3390.  fredvr666, I may not fully understand what you are telling me, but I should be able to request traffic on port 3390 to pass through from the outside to an inside computer.
Top Expert 2014

Commented:
Have you allowed port 3390 inbound through the firewall?

Author

Commented:
The firewall on the test server is off.  I can connect using RDC on the local network and through port 3390.  I cannot connect from outside the local network.
Top Expert 2014

Commented:
Sorry, I meant on the router.

Author

Commented:
I do not think that I have it passing through the router's firewall, and this is what I think the problem is.  How do I get it through the firewall?  I am a novice and do not know what to put where to get it through the firewall.  Do I need access-list commands?  Do I need class-map commands?  Do I need additional ip port-map lines?  Do I need more Rum and Coca-Cola?  If so, what are the commands and where do I need to insert them?  Inquiring minds need to know!  Thanks
Commented:
I'm not sure, but:
access-list 104 permit ip any host 192.168.1.5
gives you access to server 1.5.
I'm not seeing
access-list 109 permit ip any host 192.168.1.10

Author

Commented:
I have added the command and still no joy.

Commented:
RDP to 192.168.1.10, then run regedit:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber

Change the PortNumber to 3390.
Reboot your server.

You should be able to RDP externally.

Commented:
Also, for you to RDP into the server with port 3390 you will need to enter externalIP:3390.

Author

Commented:
Thanks for the reply, Goraek; it was the first thing I did, and I do use externalIP:3390 on the RDC system.  No joy.

Anyone know how I can look at a log or something when I make the attempt to remote in, to see what is going on?
Top Expert 2014

Commented:
Use Cisco Config Professional to create a security rule to allow everything from outside to get to the server's internal IP on port 3390.

Author

Commented:
In CCP, where do I create the security rule?  I have gone into Security > Firewall and attempted to create a rule for new traffic, but do not know what to use as the service name or what to select.  So please guide me.

thanks
Commented:
Post your ip nat config and we will see what you have done. And also your internal and external IP if you like.

Author

Commented:
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 25 interface FastEthernet4 25
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
ip nat inside source static tcp 192.168.1.235 8000 24.199.175.222 8000 extendable

Trying to get:
outside 24.199.175.222
inside 192.168.1.10
port 3390

I think the NAT is OK; I think it is the firewall.

Author

Commented:
I think outside should be "any", as I am trying to allow RDC on port 3390 (server already listening on 3390).

Author

Commented:
ACL
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.199.175.220 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.5

Author

Commented:
Class-map

class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 106
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-all sdm-nat-isakmp-1
 match access-group 104
 match protocol isakmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 105
 match protocol pptp
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-nat-https-1
 match access-group 102
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http

Commented:
Try this

Remove this
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390

And add this
ip nat inside source static tcp 192.168.1.10 3390 24.199.175.222 3390

You have another firewall?

Author

Commented:
I think I need to have an access-list command(s) and maybe a class-map command(s).  What I will need is the exact command syntax to enter to get the job done.  The Job is to allow RDC through port 3390 from any to 192.168.1.10.

Here is another line I found about port 3389; we currently have RDC to a TSS on port 3389, which we need to continue to maintain.
ip port-map user-protocol--1 port tcp 3389

Do I need to put in a command line like
ip port-map user-protocol--2 port tcp 3390
 
Thanks

Commented:
Did ya try the command I listed?

Commented:
Did you change the registry entry to 3390??

Author

Commented:
Hey Goraek, thanks for replying.  I have done as you asked, removing the one line and adding the other.  Still no joy.  I have made the setting changes in the server's registry to listen on port 3390 and I can RDC to it inside the network.  I still cannot connect to it from outside.

New NAT and ACL:

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.5 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.5 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 25 interface FastEthernet4 25
ip nat inside source static udp 192.168.1.5 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.5 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 24.199.175.222 3390 extendable
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 24.199.175.220 0.0.0.3 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.5
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.5
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.1.5
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.1.5
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.1.5
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.1.5
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.1.10

Commented:
Ok, now that you have made changes to the server registry entry, for it to take effect, you will need to reboot that server.
Once this is rebooted, you should be able to connect.

Try that and let us know.

Author

Commented:
I have just tested; it appears to be working.

Do you want to see if you can RDP to 24.199.175.222:3390?
I put in these commands around 2pm est today.

ip port-map user-protocol--2 port tcp 3390

ip nat inside source static tcp 192.168.1.10 3390 24.199.175.222 3390 extendable

access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.1.10

class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 107
 match protocol user-protocol--2

policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--2-1
   inspect

What I did was to try and figure out what commands were in place to make the current RDC through port 3389 work, and replicated them for port 3390.  Doing just the ip nat and the access-list commands was not enough.  So to get the job done with this router I had to add:

ip port-map command
ip nat command
access-list command
class-map command
policy-map command

I want to thank all of you that replied.  I would like to split the points up between all of you for pointing me in the correct direction, but for others that need a solution to this issue, I need to make this post the solution to this problem.
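
An added audit helper, not code from the thread or from the router, that turns the checklist above into a repeatable check: it parses the static NAT, ip port-map, access-list, class-map and policy-map lines of an IOS zone-based-firewall config and reports, for each port forward, which class in the outside-to-inside policy-map admits it (or None when the forward has NAT but no firewall path, which is the state the thread started in). The config excerpt is constructed from the posted config; the check looks only at destination hosts in ACLs (source restrictions such as the one in access-list 107 are ignored) and approximates match-all semantics.

```python
# Audit helper (added example): which static NAT forwards does the ZBF policy admit?

# Built-in inspect protocol names for the forwarded ports in the posted config.
BUILTIN = {("tcp", 80): "http", ("tcp", 443): "https", ("tcp", 25): "smtp", ("udp", 500): "isakmp", ("tcp", 1723): "pptp"}

def parse(cfg):
    nats, portmaps, acls, cmaps, policy = [], {}, {}, {}, {}
    kind = cur = cls = None
    for line in cfg.splitlines():
        w = line.split()
        if not line.startswith(" "):  # a top-level line closes the open class-/policy-map
            kind = cur = cls = None
        if w[:5] == ["ip", "nat", "inside", "source", "static"]:  # proto in-ip in-port [interface X | out-ip] out-port
            nats.append((w[5], w[6], int(w[7]), int(w[10] if w[8] == "interface" else w[9])))
        elif w[:2] == ["ip", "port-map"]:
            portmaps[(w[4], int(w[5]))] = w[2]
        elif w[:1] == ["access-list"] and w[2:4] == ["permit", "ip"] and w[-2] == "host":
            acls.setdefault(int(w[1]), set()).add(w[-1])  # record the permitted destination host
        elif w[:3] == ["class-map", "type", "inspect"]:
            kind, cur = "cmap", cmaps.setdefault(w[4], {"access-group": [], "protocol": [], "class-map": []})
        elif w[:3] == ["policy-map", "type", "inspect"]:
            kind, cur = "pmap", policy.setdefault(w[3], {})
        elif kind == "cmap" and w[:1] == ["match"]:
            cur[w[1]].append(w[2])
        elif kind == "pmap" and w[:1] == ["class"]:
            cls = w[3] if w[1] == "type" else None  # class-default has no class-map
        elif kind == "pmap" and cls and w and w[0] in ("inspect", "pass", "drop"):
            cur[cls] = w[0]
    return nats, portmaps, acls, cmaps, policy

def protos(cmaps, name, seen=()):  # protocols a class-map matches, following nested 'match class-map'
    cm = cmaps.get(name, {"protocol": [], "class-map": []})
    nested = [n for n in cm["class-map"] if n not in seen]
    return set(cm["protocol"]).union(*(protos(cmaps, n, seen + (name,)) for n in nested))

def audit(cfg, zone_policy="sdm-pol-NATOutsideToInside-1"):
    """Map each forward 'proto/out-port->in-host:in-port' to the admitting class-map, or None."""
    nats, portmaps, acls, cmaps, policy = parse(cfg)
    report = {}
    for proto, host, iport, oport in nats:
        pam = BUILTIN.get((proto, iport)) or portmaps.get((proto, iport))  # PAM name for this port
        admits = [c for c, action in policy.get(zone_policy, {}).items()
                  if action != "drop" and {pam, proto} & protos(cmaps, c)
                  and all(host in acls.get(int(a), ()) for a in cmaps.get(c, {}).get("access-group", []))]
        report[f"{proto}/{oport}->{host}:{iport}"] = admits[0] if admits else None
    return report

# Constructed excerpt of the router config posted in the thread, before the fix was applied.
CFG = """\
ip port-map user-protocol--1 port tcp 3389
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 106
 match protocol user-protocol--1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
ip nat inside source static tcp 192.168.1.5 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.10 3390 interface FastEthernet4 3390
access-list 106 permit ip any host 192.168.1.5
"""

if __name__ == "__main__":
    print(*(f"{f}: {c or 'NOT admitted by firewall'}" for f, c in audit(CFG).items()), sep="\n")
```

Appending the five lines from the solution post (port-map user-protocol--2, NAT, access-list 107, class-map and policy-map class) to CFG makes the 3390 forward report its admitting class instead of None.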

Author

Commented:
I have chosen this post as the solution so that others with this same issue can see all of the commands needed to get the job done.  I do want to thank all of the folks that replied.

Commented:
Are you able to remote to it now?

Author

Commented:
Yes, I can remote in.  Thanks for all of your replies.
