
Simple Port Forwarding Question

keving9898
Level 1

Sorry if this has been asked and answered many times before, but I've been at this for hours and I'm getting nowhere.

We have a Cisco 861 router.  I've taken over the IT responsibilities from someone else and I'm just trying to forward TCP/UDP ports 5899 and 9010 to our server.  I can access the server using Remote Desktop so I can see the previous IT person has gotten that far.  Below is the output of our "Running Configuration".

I can see the line "ip port-map user-protocol--4 port tcp 3389"  but I can't figure out how to add my own 5899 and 9010 lines.

I'm using the Cisco Configuration Professional UI but I don't have a problem using the command line interface if I'm sure I have the right commands to input.  I started adding an extended rule using the ACL Editor in CCP but I'm afraid to deliver the changes to the router because it doesn't look anything like the "ip port-map user-protocol--4 port tcp 3389" line.

Here is the information generated from the ACL editor (again, I haven't delivered it to the router):

ip access-list extended user-protocol--05
remark Radmin5899
remark CCP_ACL Category=1
remark Radmin5899
permit tcp any host 10.10.10.10 eq 5899
exit

I don't think the ACL output is correct because I don't see the public IP.

How do I create a custom ip port-map like the ones listed in the "Running Configuration"?

Any help would be greatly appreciated.

Kevin G

Running Configuration:


Building configuration...

Current configuration : 10177 bytes
!
! Last configuration change at 09:45:33 PCTime Fri Feb 21 2014 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Summit
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$q6Ct$Wo7VDTQAbAL7BjYEvSXvJ/
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1582036946
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1582036946
revocation-check none
rsakeypair TP-self-signed-1582036946
!
!
crypto pki certificate chain TP-self-signed-1582036946
certificate self-signed 01
  30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31353832 30333639 3436301E 170D3933 30333031 30303030
  34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35383230
  33363934 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A98F 75C0DEE6 FA35B0D2 3F42C711 3E622144 312E5DEC 8A721820 1E25EDCB
  A8F10958 4DE48A8D AF5C0297 92526567 DCCCECC8 165C7A66 9CFF76C1 E8083FE2
  807FD489 4A8EEF92 5528F079 F069690E 3F3A269B 4D948A32 E9F556B0 5AE8DC1A
  9F753D60 58E0A298 1D1045C2 641D5976 E857FAE8 C853CF31 24356154 828F98E2
  913D0203 010001A3 71306F30 0F060355 1D130101 FF040530 030101FF 301C0603
  551D1104 15301382 1153756D 6D69742E 73706D63 2E6C6F63 616C301F 0603551D
  23041830 16801436 F9B786F7 EB0AE78E DE16D0D8 EED4E8D5 E4679830 1D060355
  1D0E0416 041436F9 B786F7EB 0AE78EDE 16D0D8EE D4E8D5E4 6798300D 06092A86
  4886F70D 01010405 00038181 007B2A5E E5180062 70FD14E5 A1B9C29D C20C99D4
  5897D077 B4F4250E 6788CF79 4640E214 C112724B 7EB04A9D 0754956E 2D5AF34A
  0C1D1A6E 86AC0E07 FFFBEC66 B8DA4E35 E05B2AA9 F8FD084C A23A2E21 A92C409E
  9AA9C45A F2B406BC E123869A 2989FBDD 65E96A95 8D6CB6C9 BAF33F75 19999CB3
  4F8613BB 40251384 2D30F8A1 82
   quit
no ip source-route
!
!
ip port-map user-protocol--2 port tcp 100
ip port-map user-protocol--1 port tcp 101
ip port-map user-protocol--4 port tcp 3389
ip dhcp excluded-address 10.10.10.1 10.10.10.100
!
ip dhcp pool spmcpool
   network 10.10.10.0 255.255.255.0
   domain-name spmc.local
   dns-server 10.10.10.10 8.8.8.8
   default-router 10.10.10.1
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name spmc.local
!
!
license udi pid CISCO861-K9 sn FTX1446810J
!
!
username admin privilege 15 secret 5 $1$W2UZ$IvcuhFV2mkG0u/RI.XwUN0
username spmc privilege 15 secret 5 $1$P88u$ZEG5RuEVxxAaTXW3BQ1q3/
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 102
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 104
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all sdm-nat-smtp-1
match access-group 102
match protocol smtp
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
  pass
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-user-protocol--4-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-user-protocol--1-2
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_DHCP_CLIENT_PT
  pass
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Internet$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 66.x.x.x 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description LAN$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip default-gateway 66.x.x.x
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat inside source list 3 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.100 100 66.x.x.x 100 extendable
ip nat inside source static tcp 10.10.10.101 101 66.x.x.x 101 extendable
ip nat inside source static tcp 10.10.10.10 25 66.x.x.x 25 extendable
ip nat inside source static tcp 10.10.10.10 80 66.x.x.x 80 extendable
ip nat inside source static tcp 10.10.10.10 443 66.x.x.x 443 extendable
ip nat inside source static tcp 10.10.10.10 3389 66.x.x.x 3389 extendable
ip nat inside source static tcp 10.10.10.10 5899 66.x.x.x 5899 extendable
ip nat inside source static tcp 10.10.10.10 9010 66.x.x.x 9010 extendable
ip nat inside source static udp 10.10.10.10 9010 66.x.x.x 9010 extendable
ip nat inside source static 10.10.10.10 66.x.x.x
ip route 0.0.0.0 0.0.0.0 FastEthernet4 66.x.x.x
!
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.10.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=16
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.10.10
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.10.10.101
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.10.10.100
no cdp run

snmp-server community agsl RO
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

3 Replies

keving9898
Level 1

Any takers?

Under

policy-map type inspect sdm-pol-NATOutsideToInside-1

You have to add those ports in the class-map for the out-to-in zone pair. Port 3389 is already present, which is why it is working.

The output generated in the CCP is correct. The port map is already set up.

ZBF is set up on this router.
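The reply above makes a point that is easy to verify mechanically: a static NAT entry alone is not enough on a zone-based firewall, because the out-zone to in-zone policy-map ends in "class class-default / drop", so any forwarded port that no inspected class-map names is dropped. The following audit script is an added example written for this thread, not Cisco tooling or anything the poster ran. It parses only the constructs that appear in the running configuration above (ip port-map, class-map type inspect, policy-map type inspect, zone-pair, static NAT), ignores the access-group part of each class-map, and uses a constructed config excerpt modelled on the one in the question. The name user-protocol--5 in the constructed fix is an assumption chosen to follow the existing user-protocol--4 pattern.

```python
"""Audit a Cisco IOS zone-based-firewall config for static NAT port forwards
that the out-zone -> in-zone inspect policy never admits.
Added example for this thread (not Cisco tooling): it parses only the constructs
seen in the running config above and ignores ACL matching (access-group 102)."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the running configuration in the question.
SAMPLE_CONFIG = """\
ip port-map user-protocol--4 port tcp 3389
class-map type inspect match-all sdm-nat-user-protocol--4-1
 match access-group 102
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--4-1
  inspect
 class class-default
  drop
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip nat inside source static tcp 10.10.10.10 80 66.x.x.x 80 extendable
ip nat inside source static tcp 10.10.10.10 3389 66.x.x.x 3389 extendable
ip nat inside source static tcp 10.10.10.10 5899 66.x.x.x 5899 extendable
ip nat inside source static tcp 10.10.10.10 9010 66.x.x.x 9010 extendable
ip nat inside source static udp 10.10.10.10 9010 66.x.x.x 9010 extendable
"""

# Constructed fix for one port, following the pattern of the existing
# user-protocol--4 entries; the name user-protocol--5 is an assumption.
FIX_5899 = """\
ip port-map user-protocol--5 port tcp 5899
class-map type inspect match-all sdm-nat-user-protocol--5-1
 match access-group 102
 match protocol user-protocol--5
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--5-1
  inspect
"""

# Protocol names IOS already provides for the well-known ports used in this config.
BUILTIN = {("tcp", 25): "smtp", ("tcp", 80): "http", ("tcp", 443): "https"}


def parse_config(text):
    cfg = {"port_maps": {}, "class_protocols": defaultdict(set),
           "policy_classes": defaultdict(list), "policy_default": {},
           "zone_policies": {}, "nat_forwards": []}
    ctx = None  # block that the indented sub-commands currently belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"ip port-map (\S+) port (tcp|udp) (\d+)$", line):
            cfg["port_maps"][(m[2], int(m[3]))] = m[1]; ctx = None
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) ", line):
            cfg["nat_forwards"].append((m[1], m[2], int(m[3]))); ctx = None  # inside port
        elif m := re.match(r"class-map type inspect match-(?:all|any) (\S+)$", line):
            ctx = ("class", m[1])
        elif m := re.match(r"policy-map type inspect (\S+)$", line):
            ctx = ("policy", m[1])
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", line):
            ctx = ("zonepair", (m[1], m[2]))
        elif ctx and ctx[0] == "class" and (m := re.match(r"match protocol (\S+)$", line)):
            cfg["class_protocols"][ctx[1]].add(m[1])
        elif ctx and ctx[0] == "policy" and (m := re.match(r"class type inspect (\S+)$", line)):
            cfg["policy_classes"][ctx[1]].append(m[1])
        elif ctx and ctx[0] == "policy" and line == "class class-default":
            ctx = ("default", ctx[1])
        elif ctx and ctx[0] == "default" and line.split()[0] in ("pass", "inspect", "drop"):
            cfg["policy_default"][ctx[1]] = line.split()[0]; ctx = ("policy", ctx[1])
        elif ctx and ctx[0] == "zonepair" and (m := re.match(r"service-policy type inspect (\S+)$", line)):
            cfg["zone_policies"][ctx[1]] = m[1]
    return cfg


def audit(cfg, src="out-zone", dst="in-zone"):
    """Return (proto, port, reason) for every static forward the src->dst policy drops."""
    policy = cfg["zone_policies"].get((src, dst))
    if policy is None:  # zones without a zone-pair policy drop everything between them
        return [(p, port, f"no service-policy on {src}->{dst}") for p, _, port in cfg["nat_forwards"]]
    if cfg["policy_default"].get(policy, "drop") != "drop":
        return []  # class-default passes or inspects everything, nothing is dropped
    admitted = set()
    for cls in cfg["policy_classes"][policy]:
        admitted |= cfg["class_protocols"][cls]
    findings = []
    for proto, _ip, port in cfg["nat_forwards"]:
        name = cfg["port_maps"].get((proto, port)) or BUILTIN.get((proto, port))
        if name is None:
            findings.append((proto, port, "no ip port-map names this port"))
        elif name not in admitted:
            findings.append((proto, port, f"{name} is not inspected by {policy}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE_CONFIG)):
        print("DROPPED:", *finding)
    print("after fix:", audit(parse_config(SAMPLE_CONFIG + FIX_5899)))
```

Run against the excerpt, the audit flags tcp 5899, tcp 9010 and udp 9010: each has a static NAT line but no ip port-map, so no class-map can name it and class-default drops it. Appending the port-map alone is not enough either; the script then reports that user-protocol--5 is not inspected by the policy until the class-map is created and added to sdm-pol-NATOutsideToInside-1, which is the three-part pattern the existing 3389 entries follow.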

keving9898
Level 1

Turns out, through some quirk of either Java, IE or CCP, the "Port to Application Mappings" page was blank.  I added the necessary application protocol and it worked for opening a port I needed open on the server.  Even with the screen blank I could click on the blank area in different spots and the "Edit..." button would become available.  For whatever reason, whenever I go into CCP now, the page is no longer blank.

I'm having a different problem now with opening ports for our camera DVR.  I'll start a new thread for that.

Thanks for the help.
