LANengineer asked:
Port Forwarding on Cisco 881

I am trying to access my phone system from the outside and am unable to. I can ping both ways internally and pull up the phone system internally, but cannot pull it up externally. I am pulling it up via a web browser and have all my port forwarding set on my TP-Link router, which is where the phone system is plugged in. I believe my problem is with the Cisco 881, which is my main router. I have four networks going off of my Cisco 881, with one of them being the TP-Link. Since I am coming from the outside and the first thing I hit is the Cisco 881, that is what I believe to be the culprit. I am no expert with Cisco routers and have limited knowledge of them. I have a couple of other networks set up almost the same way (but with different model routers) and I have no problems. On the main router I enable DMZ, which points to the router with the port forwarding, and then I can access what is behind it. In this case I don't know how to configure DMZ on a Cisco 881 (if that is what you do). What I have tried in the Cisco 881 router is the following, but neither one worked:
router(config)# ip route 192.168.101.251 255.255.255.255 192.168.101.250
and
router(config)# ip nat inside source static 192.168.101.251 24.196.71.130 extendable
I need help on this ASAP! Thanks much!!
Network-Diagram.jpg
Joseph Hornsey:

Heya, LAN.

When I saw your diagram, I had to chuckle a little because I also manage a city network and so when I saw things like "City Hall", it just struck a little too close to home.

I think you're right about where you're running into your problem.  You always have to configure port forwarding on the device that connects the public network to the private.  That's going to be your 881.

One question:  Your diagram shows the phone system with a 192.168.101.0/24 segment which, according to the diagram is LAN2, not LAN1.  Shouldn't everything on LAN1 be on the 192.168.100.0/24 segment?

Regarding the port forwarding, I think you'll want that command to look like this:

router(conf)# ip nat inside source static tcp 192.168.101.251 80 24.196.71.130 80 extendable

If you're coming in via a web browser, you'll want port 80.

You can do multiple ports, too:
router(conf)# ip nat inside source static tcp 192.168.101.251 20 24.196.71.130 20 extendable
router(conf)# ip nat inside source static tcp 192.168.101.251 21 24.196.71.130 21 extendable
router(conf)# ip nat inside source static tcp 192.168.101.251 80 24.196.71.130 80 extendable
router(conf)# ip nat inside source static tcp 192.168.101.251 443 24.196.71.130 443 extendable

That gives you FTP, HTTP and HTTPS.

What do you think?
Predrag:
- The static NAT statement looks good (if that WAN IP address is reserved for the phone system; otherwise you need to use port forwarding as Joseph Hornsey described).
- The static route is not needed, since it is a directly connected interface.

What is missing are firewall policies to permit traffic matching your criteria, so that it can be forwarded through the firewall.

There is an example with an explanation here: Zone-Based Firewall (ZBF) and Network Address Translation (NAT)
Great comment by Predrag... you do need firewall policies.

For the ports I listed, they'd look like this:

access-list 101 permit ip *.*.0.0 0.0.7.255 any
access-list 101 permit tcp any host 24.196.71.130 eq ftp
access-list 101 permit tcp any host 24.196.71.130 eq ftp-data
access-list 101 permit tcp any host 24.196.71.130 eq www
access-list 101 permit tcp any host 24.196.71.130 eq 443

Once it's created, you'll need to assign it to an interface.  If your 881, for example, has that IP on interface FastEthernet0:

interface FastEthernet0
 ip access-group 101 in

One question... that IP address (24.196.71.130).. is that assigned to the modem or to the outside interface of the 881?
LANengineer (asker):
Hi Joseph,
I did have my diagram mixed up and the TP-Link is on LAN2. I have attached a corrected network diagram. I tried to run the commands that you suggested and they all came back as invalid. Also, thanks for posting again and letting me know which firewall rules need to be done. I am nervous about doing any of this because I know so very little. I have attached my running config; if you could look at that and tell me EXACTLY what to do I would really appreciate it. What I need to be able to accomplish is: open a web browser, type in 24.196.71.130:4443 and have it go right to my phone system. When I do this via a web browser with the LAN IP (192.168.101.251:4443) internally, it does go right to my phone system webpage. Settings for the phone system are:
Phone System – 192.168.101.251 (IP) / 192.168.101.1 (GW)
Port forwarding – both TCP and UDP: 5002, 5003, 5102, 5103, 9777, 6000, 4443

Hi Predrag,
I removed the static route and it still did not work. I read the article, but I am so limited with Cisco firewalls that I would rather be told exactly what to do.

Thank you both for all your help with this! I need to get this done ASAP as they are starting to get antsy. Thanks much!!!!
RunningConfig.txt
Network-Diagram.jpg
ASKER CERTIFIED SOLUTION (Joseph Hornsey)
I cannot thank you enough for your help! Yes, that all makes sense. This is my only company that uses Cisco, and the IT company that took care of them before me installed this. I typically stay away from Cisco just because they are so difficult, for me at least.
If I already have all the port forwarding done and all ports open on the TP-Link, do I need to do it again in the Cisco? Normally all I do with all my other routers is enable DMZ and point it to the router that has the port forwarding all done. Do Cisco routers not have DMZ?
I have installed CCP Express on the router so I can access it through the GUI, and this makes it similar to my other routers, but it does not include the security tab. Without the security tab I couldn't do the NAT and had to go onsite, plug directly in and do it all via PuTTY. Do you know how I can get the security tab to show up so I can do all this remotely?
Thanks again for all your help!!
Unfortunately, I don't know enough about that model to help out with the security tab.

On your other question, yes... you have to forward it on both devices.  Each hop in the path has to be configured to send the traffic where you want it to go.

Good luck!
OK, I made some more changes and it is still not working. Ugh! I have attached the new config file for you to take a look at.
I did the NAT for the outside forwarding, did the static route for the inside forwarding, and then did the firewall rules for the port forwarding. What am I missing? Or did I put something in wrong? The one good thing about this whole project is I am starting to understand these darn things more :o) Obviously still not quite there yet though.
Cisco-Config-1-11-2017.txt
SOLUTION
OK, so now I am really confused! Sorry, I have very little knowledge of Cisco (and I hate them) and just need to know the exact commands that I need to enter. If you can just type up the commands so I can copy and paste them into my firewall, that would be awesome. I really appreciate all the info and do understand the "deny" entries, but I am also worried about opening this firewall up too much, so I don't want to delete the denys. You guys have been great and I really appreciate your help; I just want to get this done as my customer is getting less patient. Can you please just type up my commands so I can enter them and get this thing working? I do plan on getting some "dummies" books and start reading up on this so I am more knowledgeable and understand it more. I just do not have the time to do that now. Thank you so much!!
YAHOO! HOORAY! It is working!!!!!!
I removed the following: access-list 100 deny   ip any any log-input
and then it worked. Of course it removed a bunch of other stuff along with it so I re-entered everything so it was identical to last night minus the above command and it still works!!! Am I safe without this command? Is my firewall safe from hackers with this command removed?
THANK YOU! THANK YOU! I really appreciate everything you both did to help me with this! I am headed to Amazon now to purchase some Cisco for dummies books now, lol! Once I know I am safe without that command and I do not have to do any more I will close out this question and award you both points. Thanks again!
Hey... sorry I didn't pick this back up until now.  Work has been crazy (which is a good thing!).  :)

Glad to know it's working!!!!!

Pretty much anything Predrag says, you can take as the Gospel truth, so always pay attention to him.  LOL
Predrag:
access-list 100 deny ip any any log-input is not present, but access-list 100 deny ip any any is present.
Every access list ends with a deny of all traffic (the implicit deny); it is just not written. So the only difference is that you are not logging hits to that one. You can configure it again and it will still work as it does now.

Basically it is working, but I still want to remind you that this is just traffic filtering and not a firewall in the modern sense. Firewalls should keep a session table, etc.
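Joseph's forwards and ACL and Predrag's points about the implicit deny and session tracking, pulled together as one added example (not from any poster in the thread): it uses the asker's inside address and port list, and assumes the 881 holds 24.196.71.130 on FastEthernet4 and that LAN2 is Vlan2. The ip inspect lines add classic IOS inspection (CBAC), which nobody in the thread configured, to cover the session-tracking point.

```cisco
! Added example, not from the thread: forwards the asker's port list to the
! phone system through the 881, with the inbound ACL Predrag says is required.
! ASSUMED names: FastEthernet4 = WAN holding 24.196.71.130, Vlan2 = LAN2.
!
! Stateless ACLs do not track sessions (Predrag's closing point), so classic
! IOS inspection (CBAC) lets replies to inside-initiated traffic back in.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
!
interface FastEthernet4
 description WAN (assumed to carry 24.196.71.130)
 ip nat outside
 ip access-group 100 in
 ip inspect LAN-OUT out
!
interface Vlan2
 description LAN2 towards the phone system (192.168.101.0/24)
 ip nat inside
!
! Static port forwards: inside-local IP and port, then global IP and port.
! Leaving out the inside port (as in the thread) is why IOS rejected them.
ip nat inside source static tcp 192.168.101.251 4443 24.196.71.130 4443 extendable
ip nat inside source static tcp 192.168.101.251 5002 24.196.71.130 5002 extendable
ip nat inside source static udp 192.168.101.251 5002 24.196.71.130 5002 extendable
ip nat inside source static tcp 192.168.101.251 5003 24.196.71.130 5003 extendable
ip nat inside source static udp 192.168.101.251 5003 24.196.71.130 5003 extendable
ip nat inside source static tcp 192.168.101.251 5102 24.196.71.130 5102 extendable
ip nat inside source static udp 192.168.101.251 5102 24.196.71.130 5102 extendable
ip nat inside source static tcp 192.168.101.251 5103 24.196.71.130 5103 extendable
ip nat inside source static udp 192.168.101.251 5103 24.196.71.130 5103 extendable
ip nat inside source static tcp 192.168.101.251 6000 24.196.71.130 6000 extendable
ip nat inside source static udp 192.168.101.251 6000 24.196.71.130 6000 extendable
ip nat inside source static tcp 192.168.101.251 9777 24.196.71.130 9777 extendable
ip nat inside source static udp 192.168.101.251 9777 24.196.71.130 9777 extendable
!
! The inbound ACL is checked before outside-to-inside NAT, so it matches the
! public address: "host 24.196.71.130", not the bare address.
access-list 100 permit tcp any host 24.196.71.130 eq 4443
access-list 100 permit tcp any host 24.196.71.130 range 5002 5003
access-list 100 permit udp any host 24.196.71.130 range 5002 5003
access-list 100 permit tcp any host 24.196.71.130 range 5102 5103
access-list 100 permit udp any host 24.196.71.130 range 5102 5103
access-list 100 permit tcp any host 24.196.71.130 eq 6000
access-list 100 permit udp any host 24.196.71.130 eq 6000
access-list 100 permit tcp any host 24.196.71.130 eq 9777
access-list 100 permit udp any host 24.196.71.130 eq 9777
! Explicit form of the implicit deny every ACL ends with; "log-input" only
! adds logging. It is safe here because the permits above come first.
access-list 100 deny ip any any log-input
```

After pasting it in configuration mode, show access-lists 100 shows the per-line hit counters and show ip nat translations shows the static entries, which is the quickest way to see whether a test from outside is being dropped by the ACL or never translated.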
Thank you both so much for all your help!!