12-28-2011 10:08 AM - edited 03-11-2019 03:07 PM
All,
I need to update my Cisco 881W config to allow port forwarding FROM the Internet TO the following inside device as follows:
IP Address: 192.168.1.254
Protocol: TCP/UDP
Port: 5001
This device is a Slingbox Pro-HD and I want to be able to view it from the Internet.
Attached is a copy of my 881W config. I am horrible at properly configuring my zone based firewall (ZBFW) config, which is why I desperately need help. I appreciate the help from this forum!
Thanks very much!
James E
12-28-2011 11:05 AM
Hello Jaesposito,
-First thing to say here is that you want to allow inbound access to one ip address on the inside, so you will need to do a static port forwarding for each port:
ip nat inside source static tcp 192.168.1.254 5001 interface Dialer0 5001
ip nat inside source static tcp 192.168.1.254 5001 interface Dialer0 5001
-Second thing: As you know we are going to try to access from the outside to the inside so we need to create a new zone-pair and their respective policies
ip access-list extended Slingbox_access
permit tcp any host x.x.x.x (dialer0 ip) eq 5001
permit udp any host x.x.x.x (dialer0 ip) eq 5001
class-map type inspect ccp-Slingbox
match access-group Slingbox_access
policy-map type inspect ccp-Slingbox-access-in
class type inspect ccp-Slingbox
inspect
zone-pair security ccp-zp-out-in source outside destination inside
service-policy type inspect ccp-Slingbox-access-in
Please let me know the result of this.
Do please rate helpful posts!
Julio
12-28-2011 09:36 PM
Julio,
Thanks for the response. I have two questions about your recommended config changes:
1.) Did you mean to indicate "udp" in the second "ip nat" statement? You listed TCP twice and I just want to confirm that this was a simple typo.
2.) With regards to the extended access-list, the public ip address on my Dialer0 interface is NOT static. It changes anytime my modem restarts. So this approach will be problematic if my modem restarts and thereby makes my ip forwarding config useless. Any ideas on how to work around this?
Thanks for the help!
James
12-28-2011 10:31 PM
Hello Jae,
1- Just a typo, I am sorry, it has to be UDP.
2- Do not pay attention to the ACL, I do not know what I was thinking ( today was a really long day)
This is the ACL you need to have there:
ip access-list extended Slingbox_access
permit tcp any host 192.168.1.254 eq 5001
permit udp any host 192.168.1.254 eq 5001
This is because NAT goes before ZBFW.
Do please rate helpful posts.
Let me know the result of the changes,
Julio
12-29-2011 10:23 AM
I got an error message after inputting the "class access-group" line. Here was the input leading up to the error message:
Pinecrest-rtr(config)#ip access-list extended Slingbox_access
Pinecrest-rtr(config-ext-nacl)#permit tcp any host 192.168.1.254 eq 5001
Pinecrest-rtr(config-ext-nacl)#permit udp any host 192.168.1.254 eq 5001
Pinecrest-rtr(config-ext-nacl)#exit
Pinecrest-rtr(config)#class-map type inspect ccp-Slingbox
Pinecrest-rtr(config-cmap)#match access-group Slingbox_access
^
% Invalid input detected at '^' marker.
Pinecrest-rtr(config-cmap)#
Any idea what is wrong with the config leading up to this error message?
Thanks,
James
12-29-2011 10:32 AM
Hello Jae,
Pinecrest-rtr(config)#class-map type inspect ccp-Slingbox
Pinecrest-rtr(config-cmap)#match access-group name Slingbox_access
Regards,
12-29-2011 10:37 AM
OK. It looks like we are down to one error message now. Here is the last one:
Pinecrest-rtr#config t
Enter configuration commands, one per line. End with CNTL/Z.
Pinecrest-rtr(config)#$static tcp 192.168.1.254 5001 interface Dialer0 5001
Pinecrest-rtr(config)#$static tcp 192.168.1.254 5001 interface Dialer0 5001
Pinecrest-rtr(config)#
Pinecrest-rtr(config)#ip access-list extended Slingbox_access
Pinecrest-rtr(config-ext-nacl)#permit tcp any host 192.168.1.254 eq 5001
Pinecrest-rtr(config-ext-nacl)#permit udp any host 192.168.1.254 eq 5001
Pinecrest-rtr(config-ext-nacl)#
Pinecrest-rtr(config-ext-nacl)#class-map type inspect ccp-Slingbox
Pinecrest-rtr(config-cmap)#match access-group name Slingbox_access
Pinecrest-rtr(config-cmap)#
Pinecrest-rtr(config-cmap)#
Pinecrest-rtr(config-cmap)#policy-map type inspect ccp-Slingbox-access-in
Pinecrest-rtr(config-pmap)#class type inspect ccp-Slingbox
Pinecrest-rtr(config-pmap-c)#inspect
Pinecrest-rtr(config-pmap-c)#
Pinecrest-rtr(config-pmap-c)#
Pinecrest-rtr(config-pmap-c)#$ice-policy type inspect ccp-Slingbox-access-in
zone-pair security ccp-zp-out-in source outside destination inside service-polic ^y type inspect ccp-Slingbox-access-in
% Invalid input detected at '^' marker.
Pinecrest-rtr(config-pmap-c)#
Any ideas?
James
12-29-2011 10:45 AM
Hello Jae,
On configuration mode please add the following two commands:
zone-pair security ccp-zp-out-in source outside destination inside
service-policy type inspect ccp-Slingbox-access-in
It should work
Julio
12-29-2011 10:48 AM
Do I use these two new lines in replacement of OR in addition to the last "zone-pair" config line?
zone-pair security ccp-zp-out-in source outside destination inside service-policy type inspect ccp-slingbox-access-in
Please clarify. Thanks.
James
12-29-2011 10:50 AM
They are two different lines, not one; that is why it was not accepted.
zone-pair security ccp-zp-out-in source outside destination inside
service-policy type inspect ccp-Slingbox-access-in
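Putting the corrected pieces from the thread together, the following is a consolidated version of the configuration as an added example; it is not a post from the thread and not the poster's attached config. It assumes the security zones are named "outside" and "inside" and the WAN interface is Dialer0, as the thread's commands imply, and that no other zone-pair named ccp-zp-out-in already exists. The key points it shows are: one static NAT entry per protocol (TCP and UDP), the ZBFW ACL matching the inside (post-NAT) address so the changing public Dialer0 address is never referenced, the "name" keyword for a named ACL in the class-map, and "service-policy" as its own line inside zone-pair configuration mode.

```cisco
! Added consolidated example (not from the thread). Assumes zones "outside"
! and "inside" and WAN interface Dialer0, as used in the thread.
!
! 1. Static port forwarding: one entry per protocol (the thread's second
!    line was meant to be UDP, not a second TCP entry).
ip nat inside source static tcp 192.168.1.254 5001 interface Dialer0 5001
ip nat inside source static udp 192.168.1.254 5001 interface Dialer0 5001
!
! 2. ZBFW ACL matches the post-NAT inside address: for outside-to-inside
!    traffic the static NAT rewrites the destination before ZBFW sees it,
!    so the dynamic public address on Dialer0 never needs to appear here.
!    "any" admits every Internet source; narrow it to a known source
!    range if the viewing location has a fixed address.
ip access-list extended Slingbox_access
 permit tcp any host 192.168.1.254 eq 5001
 permit udp any host 192.168.1.254 eq 5001
!
! 3. Class map: a named ACL needs "match access-group name <acl>".
class-map type inspect match-all ccp-Slingbox
 match access-group name Slingbox_access
!
! 4. Policy map: inspect only the Slingbox class. class-default drops
!    unmatched outside-to-inside traffic (this is also the implicit
!    default; stating it makes the intent visible in "show run").
policy-map type inspect ccp-Slingbox-access-in
 class type inspect ccp-Slingbox
  inspect
 class class-default
  drop
!
! 5. Zone pair: "service-policy" is entered inside zone-pair
!    configuration mode, not appended to the "zone-pair security" line.
zone-pair security ccp-zp-out-in source outside destination inside
 service-policy type inspect ccp-Slingbox-access-in
!
! Verification from exec mode after a remote connection attempt:
! show ip nat translations
! show zone-pair security
! show policy-map type inspect zone-pair ccp-zp-out-in
```

A zone-pair takes exactly one service-policy, so if the existing CCP-generated config already has an outside-to-inside zone-pair, add the ccp-Slingbox class to that zone-pair's existing policy-map instead of attaching a new one, otherwise the original policy is replaced. The "show policy-map type inspect zone-pair" output is the quickest way to confirm that sessions are being matched by the Slingbox class rather than dropped in class-default.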