03-27-2010 01:44 PM - edited 03-11-2019 10:26 AM
Hi All,
I'm hosting a Flash Media Server on tcp port 1935, but my Cisco 857 seems to be refusing to forward packets from the external interface to the internal server. I swapped out the 857 for a Speedtouch ST510 and it forwarded the packets fine.
The rule I have on the 857 is:
ip nat inside source static tcp 192.168.0.2 1935 interface Dialer0 1935
which I assume is sufficient? Any handy debug statements to help me figure out why packets are being dropped?
Cheers,
Rich.
03-27-2010 06:33 PM
I assume you already have "ip nat inside" on your internal interface, and "ip nat outside" on Dialer0 interface?
What about ACL, do you have any configured on the Dialer0 interface?
03-28-2010 10:26 AM
Thanks for taking the time to reply.
I have the following configured:
interface Vlan1
ip nat inside
interface Dialer0
ip nat outside
ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 110 interface Dialer0 110
ip nat inside source static tcp 192.168.0.2 993 interface Dialer0 993
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 1935 interface Dialer0 1935
ip nat inside source static tcp 192.168.0.2 6881 interface Dialer0 6881
ip nat inside source static udp 192.168.0.2 4444 interface Dialer0 4444
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by Cisco SDM Express firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by Cisco SDM Express firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq 993
access-list 103 permit tcp any any eq pop3
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq smtp
access-list 103 deny ip 192.168.0.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any
access-list 103 permit tcp any any eq 1935
dialer-list 1 protocol ip permit
no cdp run
The 'first' lot of fw rules (ports 80,25,??) were configured via SDM Express (I'm learning, alright!) and I hoped by merely adding
ip nat inside source static tcp 192.168.0.2 1935 interface Dialer0 1935
access-list 103 permit tcp any any eq 1935
I would allow 1935 through - maybe there is more to it than that... Also, I did this:
cisco#debug ip packet detail
IP packet debugging is on (detailed)
cisco#
000170: *Mar 19 01:17:45.918: IP: s=82.132.248.155 (Dialer0), d=62.49.68.200, len 52, access denied
000171: *Mar 19 01:17:45.918: TCP src=44766, dst=1935, seq=568284441, ack=0, win=49640 SYN
000172: *Mar 19 01:17:46.370: IP: s=194.159.169.245 (Dialer0), d=224.0.0.5, len 76, access denied, proto=89
000173: *Mar 19 01:17:49.299: IP: s=82.132.248.155 (Dialer0), d=62.49.68.200, len 52, access denied
000174: *Mar 19 01:17:49.299: TCP src=44766, dst=1935, seq=568284441, ack=0, win=49640 SYN
82.132.248.155 is my client and 62.49.68.200 is my server - you can see an access denied message in the above log - is there any way of getting *what* rule caused that?
TIA
Rich.
03-28-2010 11:47 AM
Richard,
Can you post the router config as it is unclear which ACLs are applied to which interfaces?
Jon
03-28-2010 03:44 PM
Richard,
Seems like
access-list 1 is tied to the nat overload
access-list 103 looks like it is applied IN on the outside
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any
access-list 103 permit tcp any any eq 1935 -----------> (the "deny ip any any" above this line will not permit this line)
The permit that you added is below the deny, so this flow is getting denied.
You need to remove the deny, add this line and then add the explicit deny, or insert the permit for port 1935 above the deny.
You can do the following
config t
ip access-list ext 103
1 permit tcp any any eq 1935
Issue a sh access-list 103 and note down the sequence number for the last line after the "deny ip any any", and you can remove that:
conf t
ip access-list ext 103
no
-KS
03-29-2010 02:20 AM
Thanks all - working now.
I should've realised fw rules were applied sequentially, like in good 'ole ipchains / iptables.
I had to remove the offending 1935 rule before I was able to add it again with a lower sequence number, but that's to be expected.
I just need to remember to do a copy running-config startup-config...
Cheers,
Rich.
03-28-2010 04:47 PM
The permit statement for port 1935 should be above the deny any any statement, as the access-list is processed from top to bottom.
Here is what you can add:
ip access-list extended 103
1 permit tcp any any eq 1935
Hope that helps.
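The point made by KS and in the reply above (the ACL is walked top-down and stops at the first match, so the appended 1935 permit never fires) as an added example, not code from the thread or from Cisco: a small Python model of IOS extended-ACL evaluation run over access-list 103 exactly as Rich posted it, then with the "1 permit tcp any any eq 1935" fix in place. The 10, 20, 30 ... sequence numbers are assumed (IOS assigns them on entry order), ICMP type keywords are not modelled, and Python's ipaddress module accepts the IOS wildcard mask as a hostmask.

```python
import ipaddress
PORT_NAMES = {"www": 80, "smtp": 25, "pop3": 110}
# access-list 103 as pasted in the thread (remarks dropped); the 1935 permit was appended last.
ACL_103_TEXT = """\
permit tcp any any eq 443
permit tcp any any eq 993
permit tcp any any eq pop3
permit tcp any any eq www
permit tcp any any eq smtp
deny ip 192.168.0.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any
permit tcp any any eq 1935"""
# Assumed IOS sequence numbers for a numbered ACL: 10, 20, ... in entry order.
ACL_103 = [(10 * i, l) for i, l in enumerate(ACL_103_TEXT.splitlines(), start=1)]
# KS's fix: "1 permit tcp any any eq 1935" gets sequence 1, ahead of "deny ip any any".
ACL_103_FIXED = sorted(ACL_103 + [(1, "permit tcp any any eq 1935")])

def _addr(toks):
    """any | host A.B.C.D | A.B.C.D WILDCARD -> (network, remaining tokens)."""
    if toks[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), toks[1:]
    if toks[0] == "host":
        return ipaddress.ip_network(toks[1]), toks[2:]
    return ipaddress.ip_network(tuple(toks[:2]), strict=False), toks[2:]  # wildcard == hostmask

def parse_ace(line):
    """(action, proto, src, dst, dport); only 'eq <port>' is modelled, not ICMP types."""
    toks = line.split()
    src, rest = _addr(toks[2:])
    dst, rest = _addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return toks[0], toks[1], src, dst, dport

def first_match(acl, proto, src_ip, dst_ip, dport):
    """IOS acts on the FIRST matching entry, so anything below 'deny ip any any' is dead."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for seq, line in acl:
        action, p, src, dst, port = parse_ace(line)
        if p in ("ip", proto) and s in src and d in dst and port in (None, dport):
            return seq, action, line
    return None, "deny", "<implicit deny>"
```

Feeding it the SYN from the debug output (82.132.248.155 to 62.49.68.200, dst 1935; the inbound ACL on Dialer0 is checked before NAT, which is why the log shows the public address) returns the "deny ip any any" entry for the posted ACL and the sequence-1 permit for the fixed one. The model does not enforce that IOS rejects a duplicate ACE, so the dead line at the bottom still has to be removed before it can be re-added at sequence 1, as Rich found.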