Solved: Re: NAT Forwarding Cisco 871W

joshbuss2007 · ‎01-01-2011

Hello everybody, I am currenlty trying to configure a 871W to forward a port 3389 to the internal address 192.168.1.240. I have been playing with this for a couple days now, and I have not been able to figure out what I am doing wrong. Any help is appreciated, and if you see anything else wrong, please don't hesitate to correct me. I am still learning everything here :::BTW Outside interface utilizes DHCP for addressing...

Current configuration : 8415 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname SuperRT

!

boot-start-marker

boot-end-marker

!

logging buffered 100000 debugging

enable secret 5 REMOVED

enable password 7 REMOVED

!

aaa new-model

!

aaa authentication login default local

aaa authorization exec default local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.100

ip dhcp excluded-address 192.168.2.1 192.168.2.100

!

ip dhcp pool VLAN10

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

dns-server 8.8.8.8 8.8.4.4

lease 4

!

ip dhcp pool VLAN20

import all

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

lease 4

!

ip inspect log drop-pkt

ip inspect name MYFW udp

ip inspect name SDM_MEDIUM appfw SDM_MEDIUM

ip inspect name SDM_MEDIUM cuseeme

ip inspect name SDM_MEDIUM dns

ip inspect name SDM_MEDIUM ftp

ip inspect name SDM_MEDIUM h323

ip inspect name SDM_MEDIUM https

ip inspect name SDM_MEDIUM icmp

ip inspect name SDM_MEDIUM imap reset

ip inspect name SDM_MEDIUM pop3 reset

ip inspect name SDM_MEDIUM netshow

ip inspect name SDM_MEDIUM rcmd

ip inspect name SDM_MEDIUM realaudio

ip inspect name SDM_MEDIUM rtsp

ip inspect name SDM_MEDIUM esmtp

ip inspect name SDM_MEDIUM sqlnet

ip inspect name SDM_MEDIUM streamworks

ip inspect name SDM_MEDIUM tftp

ip inspect name SDM_MEDIUM udp

ip inspect name SDM_MEDIUM vdolive

ip name-server 8.8.4.4

ip name-server 8.8.8.8

!

appfw policy-name SDM_MEDIUM

application im aol

service default action allow alarm

service text-chat action allow alarm

server permit name login.oscar.aol.com

server permit name toc.oscar.aol.com

server permit name oam-d09a.blue.aol.com

audit-trail on

application im msn

service default action allow alarm

service text-chat action allow alarm

server permit name messenger.hotmail.com

server permit name gateway.messenger.hotmail.com

server permit name webmessenger.msn.com

audit-trail on

application http

strict-http action allow alarm

port-misuse im action reset alarm

port-misuse p2p action reset alarm

port-misuse tunneling action allow alarm

application im yahoo

service default action allow alarm

service text-chat action allow alarm

server permit name scs.msg.yahoo.com

server permit name scsa.msg.yahoo.com

server permit name scsb.msg.yahoo.com

server permit name scsc.msg.yahoo.com

server permit name scsd.msg.yahoo.com

server permit name cs16.msg.dcn.yahoo.com

server permit name cs19.msg.dcn.yahoo.com

server permit name cs42.msg.dcn.yahoo.com

server permit name cs53.msg.dcn.yahoo.com

server permit name cs54.msg.dcn.yahoo.com

server permit name ads1.vip.scd.yahoo.com

server permit name radio1.launch.vip.dal.yahoo.com

server permit name in1.msg.vip.re2.yahoo.com

server permit name data1.my.vip.sc5.yahoo.com

server permit name address1.pim.vip.mud.yahoo.com

server permit name edit.messenger.yahoo.com

server permit name messenger.yahoo.com

server permit name http.pager.yahoo.com

server permit name privacy.yahoo.com

server permit name csa.yahoo.com

server permit name csb.yahoo.com

server permit name csc.yahoo.com

audit-trail on

!

crypto pki trustpoint TP-self-signed-3692985937

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3692985937

revocation-check none

rsakeypair TP-self-signed-3692985937

!

crypto pki certificate chain TP-self-signed-3692985937

certificate self-signed 01

30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33363932 39383539 3337301E 170D3032 30333031 30303133

31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36393239

38353933 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100AF61 3D71E7FC A5126C66 AE63222A F8A7194F C2E02069 673A8689 C0458EAC

44E1AA1A E6FD61F4 89C254A4 69B6A9E2 73FDDD40 A140F9B3 D1D2EB46 3198F509

190D84D3 B77B5314 3FC40310 DF726EFF E99A53A7 C4FE6C05 732BBAC8 9CEF8FE6

25A8F4A8 F1F81D5F 7F9644E7 50CD4ED5 2E953A02 CA2583E2 8C3FA9C8 BE411909

35450203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603

551D1104 0C300A82 08537570 65725254 2E301F06 03551D23 04183016 80140A57

B1CF7305 680DA4C3 E7C761BA CB02A278 256E301D 0603551D 0E041604 140A57B1

CF730568 0DA4C3E7 C761BACB 02A27825 6E300D06 092A8648 86F70D01 01040500

03818100 77B8E5CD 5C1EA0F6 7A8FCC98 91A3448D F4E28353 DBF76E01 1EB57A8F

C062C979 7859DBB5 1A2B1DB5 536B283B 32B9323B 78B618F6 5178DECF 95805E78

4821B674 A8B51DFA 15F2AE68 EF372884 7902A2E2 FAF483A6 D9E425DF 32B9F606

EBA4D5DB BE49AC84 30E1118D 4CEE9CC0 D10ABC2D 8744E815 6FFD19ED 448E0502 D7444FBB

quit

username root privilege 15 password 7 REMOVED

!

bridge irb

!

interface FastEthernet0

spanning-tree portfast

!

interface FastEthernet1

spanning-tree portfast

!

interface FastEthernet2

spanning-tree portfast

!

interface FastEthernet3

spanning-tree portfast

!

interface FastEthernet4

description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$

ip address dhcp client-id FastEthernet4

ip access-group 101 in

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Dot11Radio0

no ip address

!

encryption vlan 10 mode ciphers tkip

!

encryption vlan 20 mode ciphers tkip

!

ssid GuestWireless

vlan 20

authentication open

authentication key-management wpa

wpa-psk ascii 7 REMOVED

!

ssid SuperWRT

vlan 10

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii 7 REMOVED

!

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

channel 2452

station-role root

no dot11 extension aironet

no cdp enable

!

interface Dot11Radio0.10

encapsulation dot1Q 10

no snmp trap link-status

bridge-group 10

bridge-group 10 subscriber-loop-control

bridge-group 10 spanning-disabled

bridge-group 10 block-unknown-source

no bridge-group 10 source-learning

no bridge-group 10 unicast-flooding

!

interface Dot11Radio0.20

encapsulation dot1Q 20

no snmp trap link-status

!

interface Vlan1

no ip address

bridge-group 10

bridge-group 10 spanning-disabled

!

interface Dialer1

no ip address

ip access-group Internet-inbound-ACL in

ip inspect MYFW out

!

interface BVI10

description Bridge to Internal Network$FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

!

ip classless

!

ip http server

ip http secure-server

ip nat log translations syslog

ip nat inside source list 2 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389

!

ip access-list extended Internet-inbound-ACL

permit udp any eq bootps any eq bootpc

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any traceroute

permit gre any any

permit esp any any

permit tcp any any eq 4000

permit tcp any any eq 3389

!

logging trap debugging

access-list 1 remark INSIDE_IF=BVI10

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 2 remark SDM_ACL Category=2

access-list 2 permit 192.168.1.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip any any log

access-list 101 permit udp host 8.8.4.4 eq domain any

access-list 101 permit udp host 8.8.8.8 eq domain any

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

!

control-plane

!

bridge 10 route ip

!

line con 0

password 7 REMOVED

no modem enable

line aux 0

line vty 0 4

password 7 REMOVED

!

scheduler max-task-time 5000

end

Jennifer Halim · ‎01-01-2011

Base on the configuration on the router, you should be able to RDP to 192.168.1.240. The NAT and ACL has allowed accessed for RDP.

Can you please check if 192.168.1.240 has any personal firewall, etc. that might be blocking RDP access from host not in the same subnet? You might want to disable the personal firewall and check the access again. Also I assume that the user can RDP to 192.168.1.240 from within the same network 192.168.1.0/24?

View solution in original post

Jennifer Halim · ‎01-02-2011

Can you try to change the following:

FROM: ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389

TO: ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389 extendable

Also, are you able to telnet on port 3389 from the Internet towards the FastEthernet4 ip address?

View solution in original post

Jennifer Halim · ‎01-02-2011

Does the traffic actually hit the 871 fa4 interface? Does your ACL "Internet-inbound-ACL" have any hitcount on the "permit tcp any any eq 3389" line when you try to RDP to it?

View solution in original post

Jennifer Halim · ‎01-01-2011

Base on the configuration on the router, you should be able to RDP to 192.168.1.240. The NAT and ACL has allowed accessed for RDP.

Can you please check if 192.168.1.240 has any personal firewall, etc. that might be blocking RDP access from host not in the same subnet? You might want to disable the personal firewall and check the access again. Also I assume that the user can RDP to 192.168.1.240 from within the same network 192.168.1.0/24?

joshbuss2007 · ‎01-02-2011

I have verified that there are no personal firewalls on the host. I have also tried changing which host I am forwarding to and it doesnt matter which host I forward to on any port. I can remote within the LAN, but not from outside.

I also have verified that the ISP does not block any ports by connecting the host directly to the ISP (bypassing the router). Any ideas or suggestions are welcome.

Jennifer Halim · ‎01-02-2011

Can you try to change the following:

FROM: ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389

TO: ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389 extendable

Also, are you able to telnet on port 3389 from the Internet towards the FastEthernet4 ip address?

joshbuss2007 · ‎01-02-2011

I am not able to perform the command that you have given me, the only way that I can make it extendable, is if I set by IP, not inteface. I reconfigured some items in order to achieve this but still same results...

I also tried telneting into FE4 via port3389 from the outside(internet) and am still not able to connect...

Jennifer Halim · ‎01-02-2011

Does the traffic actually hit the 871 fa4 interface? Does your ACL "Internet-inbound-ACL" have any hitcount on the "permit tcp any any eq 3389" line when you try to RDP to it?

joshbuss2007 · ‎01-03-2011

Yes, I had traffic hitting the router's ACls, but it just would not translate...I upgraded to the newer 150-1.XA IOS, and with the same config, it is working 100%. I'm not sure, bu i think there is a bug in the older 12.4 4t ios...or atleast with DHCP'ed outside interaces. I appreciate your help and have given you credit for makeing sure that my configs were correct.

Thanks

Jennifer Halim · ‎01-03-2011

Cheers, and thanks for the update, and it's good to know it's working now. Thanks for the ratings too.