
port forwarding cisco 1811

jasonbrown23
Level 1

I'm trying to create a port for an app on a desktop computer. The computer is the only computer plugged in to vlan1, IP address 192.168.5.2.

I'm trying to open port 32669. I thought the NAT to the inside would do it, but when I try and open the app it still says that's blocked. Thanks

    Current configuration : 1919 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname BrownTown
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    no logging console
    !
    no aaa new-model
    clock timezone EST -5
    !
    !
    dot11 syslog
    ip source-route
    !
    ip dhcp pool 0
       import all
       network 192.168.5.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4
       default-router 192.168.5.1
       lease 31
    !
    ip dhcp pool 1
       import all
       network 192.168.1.0 255.255.255.0
       dns-server 8.8.8.8 8.8.4.4
       default-router 192.168.1.1
       lease 31
    !
    ip cef
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    archive
     log config
      hidekeys
    !
    !
    interface FastEthernet0
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     ip address 192.168.5.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 FastEthernet0
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 101 interface FastEthernet0 overload
    ip nat inside source static udp 192.168.5.2 32669 interface FastEthernet0 32669
    ip nat inside source static tcp 192.168.5.2 32669 interface FastEthernet0 32669
    !
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    line con 0
    line 1
     modem InOut
     stopbits 1
     speed 115200
     flowcontrol hardware
    line aux 0
    line vty 0 4
     login
    !
    end


Julio Carvajal
VIP Alumni

Hello Jason,

That actually should do it, you do not have any filtering configured on this router.

My recommendation:

Make sure the firewall is disabled on the PC, and if you are running any antivirus, disable it and test, because traffic should be reaching your box right now.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni

Hello Jason,

Are you still having the issue?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio,

I ended up changing it around a little bit too: changed the port it used and put it on the switch instead of the VLAN.

    ip nat inside source static tcp 192.168.1.6 13531 68.204.31.25 13531 extendable
    ip nat inside source static udp 192.168.1.6 13531 68.204.31.25 13531 extendable

My app is still telling me the port is blocked, but everything else is saying it's good.

Hello Jason,

Just for test purposes do:

    ip access-list extended out_in
     permit tcp any host 68.204.31.25 eq 13531
     permit ip any any
    int FastEthernet0
     ip access-group out_in in

Then try to connect and share the output of

    show access-list out_in

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio,

Does this look good?

    BrownTown# show access-list out_in
    Extended IP access list out_in
        10 permit tcp any host 68.204.31.25 eq 13531 (1895 matches)
        20 permit ip any any (2595177 matches)

thanks

Hello,

It does look good, which means traffic is getting to the router.

Now let's do the following:

    ip access-list extended in_out
     permit tcp any host 192.168.5.2 eq 13531
     permit ip any any
    int vlan 1
     ip access-group in_out out

Then connect and provide us

    show ip access-list in_out

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio, I changed it around a little bit: moved the computer over to the gi switch on the fast 1 port so I'd have gig on the interlan. I modified your commands to match; let me know what you think. Looks good to me, but I'm not home right now so I can't test the app on the computer. I'll let you know once I do.

*******************

    !
    interface FastEthernet0
     bandwidth 60000
     ip address dhcp
     ip access-group out_in in
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet1
     ip address 192.168.1.1 255.255.255.0
     ip access-group in_out out
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    !
    ip nat inside source list 101 interface FastEthernet0 overload
    !
    ip nat inside source static tcp 192.168.1.6 13531 68.204.31.25 13531 extendable
    ip nat inside source static udp 192.168.1.6 13531 68.204.31.25 13531 extendable
    !
    ip access-list extended in_out
     permit tcp any host 192.168.1.6 eq 13531
     permit ip any any
    !
    ip access-list extended out_in
     permit tcp any host 68.204.31.25 eq 13531
     permit ip any any

***********************

    BrownTown#sho ip access-lists in_out
    Extended IP access list in_out
        10 permit tcp any host 192.168.1.6 eq 13531 (175 matches)
        20 permit ip any any (5354 matches)

    BrownTown#sho ip access-lists out_in
    Extended IP access list out_in
        10 permit tcp any host 68.204.31.25 eq 13531 (162906 matches)
        20 permit ip any any (6543236 matches)

Thanks 
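The two counting ACLs in this thread bracket the NAT step: out_in counts packets arriving for the public address, and in_out counts them after translation on the way to the inside host. As an added example (not part of the original thread; the function names are hypothetical), this Python script parses the `show ip access-lists` output posted above and reports how far a forwarded flow got.

```python
import re

# Output copied from the "show ip access-lists" commands posted in this thread.
SAMPLE = """\
Extended IP access list in_out
    10 permit tcp any host 192.168.1.6 eq 13531 (175 matches)
    20 permit ip any any (5354 matches)
Extended IP access list out_in
    10 permit tcp any host 68.204.31.25 eq 13531 (162906 matches)
    20 permit ip any any (6543236 matches)
"""

HEADER = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# IOS prints no "(N matches)" suffix for an entry that has never been hit.
ENTRY = re.compile(r"^\s+(\d+) (permit|deny) (.+?)(?: \((\d+) match(?:es)?\))?\s*$")

def parse_acl_counters(text):
    """Return {acl_name: {rule_text: match_count}}; a missing counter is 0."""
    acls, current = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            current = acls.setdefault(m.group(1), {})
        elif current is not None and (m := ENTRY.match(line)):
            _seq, action, rule, hits = m.groups()
            current[f"{action} {rule}"] = int(hits or 0)
    return acls

def locate_drop(acls, outside_acl, inside_acl, proto, public_ip, private_ip, port):
    """Say how far the forwarded flow got, based on the two counting entries."""
    arrived = acls.get(outside_acl, {}).get(
        f"permit {proto} any host {public_ip} eq {port}", 0)
    forwarded = acls.get(inside_acl, {}).get(
        f"permit {proto} any host {private_ip} eq {port}", 0)
    if arrived == 0:
        return "not reaching the router: check upstream filtering or the public address"
    if forwarded == 0:
        return "reaches the router but is not forwarded: check the static NAT entry"
    return "forwarded to the inside host: check the host firewall and the application"

if __name__ == "__main__":
    print(locate_drop(parse_acl_counters(SAMPLE), "out_in", "in_out",
                      "tcp", "68.204.31.25", "192.168.1.6", 13531))
```

Because both ACLs end in `permit ip any any`, they only count traffic and filter nothing; remove them from the interfaces once the test is done.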

Hello Jason,

This lets us know that traffic is going to the server.

Can you run Wireshark on the PC and make sure it is replying to the outside user?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hey Julio,

Looks like it is working; the app is running fine, but it's still saying that the port might be blocked.

Capture.PNG

But I've also tried after removing the access list and get the same results in Wireshark.

Heck, I mean I just removed the ip nat statement and it still looks like it's passing.

#############

    interface FastEthernet0
     bandwidth 60000
     ip address dhcp
     ip nat outside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet1
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
    !
    interface FastEthernet5
    !
    interface FastEthernet6
    !
    interface FastEthernet7
    !
    interface FastEthernet8
    !
    interface FastEthernet9
    !
    interface Vlan1
     ip address 192.168.5.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    interface Async1
     no ip address
     encapsulation slip
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 dhcp
    no ip http server
    no ip http secure-server
    !
    !
    ip nat inside source list 101 interface FastEthernet0 overload
    ip nat inside source static tcp 192.168.1.129 1788 68.204.31.25 1788 extendable
    ip nat inside source static udp 192.168.1.129 1788 68.204.31.25 1788 extendable
    !
    ip access-list extended in_out
     permit tcp any host 192.168.1.6 eq 13531
     permit udp any host 192.168.1.6 eq 13531
     permit ip any any
    ip access-list extended out_in
     permit tcp any host 68.204.31.25 eq 13531
     permit udp any host 68.204.31.25 eq 13531
     permit ip any any
    !
    access-list 101 permit ip 192.168.5.0 0.0.0.255 any
    access-list 101 permit ip 192.168.1.0 0.0.0.255 any
    !
    !

##########################
