05-11-2017 08:51 AM
Hello,
Thanks very much for taking the time to look at this. About three years ago I set up a simple router configuration for a small museum as some volunteer work. Recently they installed a new building security system and needed some ports opened up so the owners could check the cameras from home. I’ve changed careers and my network skills have atrophied some, so I’m having issues getting port forwarding to work. I’m pretty sure my port forwarding commands are correct but I’m doing something wrong with the ACL. When I use one of those open port checking websites it keeps saying they are closed.
The basic network setup is this.
The router is a Cisco 881. It connects to the Time Warner line through port FastEthernet4 with the assigned external IP address of 50.84.145.146 and set up as the NAT outside port. From there I have a VLAN set up on port FastEthernet3 that connects to a forty-port switch, which then connects to all the end devices.
I used the following commands when setting up port forwarding. I have a server at 192.168.0.55 that needs ports 9010 and 21 open, and the security system at 192.168.0.8 that needs ports 9010, 9011, 8245 (TCP) and 80 open. Note, the default route at the end goes to 145.145 instead of 145.146. If my memory is right, 50.84.145.145 is the IP of the port on the Time Warner demarc equipment that connects to our router. I guess that would be the outside global?
ip nat pool PATextra 10.10.10.8 10.10.10.254 netmask 255.255.255.0
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.55 9010 interface FastEthernet4 9010
ip nat inside source static udp 192.168.0.55 9010 interface FastEthernet4 9010
ip nat inside source static tcp 192.168.0.55 21 interface FastEthernet4 21
ip nat inside source static udp 192.168.0.55 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.0.8 9010 interface FastEthernet4 9010
ip nat inside source static udp 192.168.0.8 9010 interface FastEthernet4 9010
ip nat inside source static tcp 192.168.0.8 9011 interface FastEthernet4 9011
ip nat inside source static udp 192.168.0.8 9011 interface FastEthernet4 9011
ip nat inside source static tcp 192.168.0.8 8245 interface FastEthernet4 8245
ip nat inside source static udp 192.168.0.8 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.0.8 80 interface FastEthernet4 80
ip route 0.0.0.0 0.0.0.0 50.84.145.145 permanent
When researching, it looks like I needed to apply an ACL to port FastEthernet4 to allow these through. I never had a lot of practice with ACLs, but this is what I came up with. Lists 1 and 2 were created when I first set up the router for the two VLANs; 100 is brand new.
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.7
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.7
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark NAT port opening
access-list 100 remark CCP_ACL Category=2
access-list 100 permit tcp any eq 9010 any eq 9010
access-list 100 permit udp any eq 9010 any eq 9010
access-list 100 permit tcp any eq 8245 any eq 8245
access-list 100 permit udp any eq 8245 any eq 8245
access-list 100 permit tcp any eq 80 any eq 80
access-list 100 permit udp any eq 80 any eq 80
access-list 100 permit tcp any eq 9011 any eq 9011
access-list 100 permit udp any eq 9011 any eq 9011
access-list 100 permit tcp any eq 8000 any eq 8000
access-list 100 permit udp any eq 8000 any eq 8000
access-list 100 permit tcp any eq 21 any eq 21
access-list 100 permit udp any eq 21 any eq 21
no cdp run
I then tried to apply it with these commands, if I remember right.
conf t
interface FastEthernet4
ip access-group 100 in
end
After applying the ACL, the entire network went down and I had to reboot the router to the startup config to get everything back online. Port forwarding doesn't normally need you to reload the router, correct? I've attached the current startup config for the router. If someone could take a look and see where I went wrong I would greatly appreciate it. Thanks very much.
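Two things in the posted configuration can be checked without touching the router, and the example below does that. It is an added example, not part of the original post or of Cisco's own tooling: a small Python model of how an IOS extended ACL entry is matched (every term of an entry has to match, and a packet that matches no entry hits the implicit deny at the end of the list) and of what a static PAT line claims. Applied inbound on FastEthernet4 the ACL sees packets before NAT translates them, so the destination is the public address, which `any` covers. The outside addresses, port numbers and packet samples are constructed; the hypothetical `Packet`, `parse_acl`, `evaluate` and `static_pat_conflicts` names are this example's own.

```python
"""Model of inbound IOS extended ACL matching and of static PAT entries, used
to check the posted config offline. Added example, not from the original post;
it parses only the syntax on this page (any / host A / A WILDCARD, `eq PORT`,
`established`). Packets and outside IPs below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK/RST set: a reply inside an existing session

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr(t, i):
    """Consume one address term -> ((address, wildcard mask), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _port(t, i):
    """Consume an optional `eq PORT` term."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def parse_acl(text: str) -> List[dict]:
    """Parse `access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]`."""
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        aces.append({"action": t[2], "proto": t[3], "src": src, "sport": sport,
                     "dst": dst, "dport": dport, "est": "established" in t[i:]})
    return aces

def _in(net, ip: str) -> bool:
    return (_ip(ip) | net[1]) == (net[0] | net[1])  # wildcard 1-bits: don't care

def evaluate(aces: List[dict], p: Packet) -> str:
    """First matching entry wins; no match means the implicit deny at the end."""
    for a in aces:
        if a["proto"] not in ("ip", p.proto):
            continue
        if not (_in(a["src"], p.src) and _in(a["dst"], p.dst)):
            continue
        if a["sport"] not in (None, p.sport) or a["dport"] not in (None, p.dport):
            continue
        if a["est"] and not (p.proto == "tcp" and p.ack):
            continue
        return a["action"]
    return "deny"

def static_pat_conflicts(text: str) -> List[Tuple[str, int]]:
    """(proto, global port) pairs that the config maps to more than one inside host."""
    owner: Dict[Tuple[str, int], str] = {}
    clashes = []
    for line in text.strip().splitlines():
        t = line.split()  # ip nat inside source static PROTO IN_IP IN_PORT interface IF G_PORT
        if t[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        key, host = (t[5], int(t[10])), t[6]
        if owner.setdefault(key, host) != host and key not in clashes:
            clashes.append(key)
    return clashes

POSTED_NAT = """
ip nat inside source static tcp 192.168.0.55 9010 interface FastEthernet4 9010
ip nat inside source static tcp 192.168.0.8 9010 interface FastEthernet4 9010
ip nat inside source static tcp 192.168.0.8 9011 interface FastEthernet4 9011
"""
# As posted: both `eq` terms must match, but a client's source port is ephemeral.
POSTED_ACL = """
access-list 100 permit tcp any eq 9010 any eq 9010
access-list 100 permit tcp any eq 80 any eq 80
"""
# Corrected: destination port only, plus replies to the LAN's own TCP sessions.
FIXED_ACL = """
access-list 100 permit tcp any any established
access-list 100 permit tcp any any eq 9010
access-list 100 permit tcp any any eq 80
"""
CLIENT = Packet("tcp", "203.0.113.10", 51234, "50.84.145.146", 9010)  # owner at home
CRAFTED = Packet("tcp", "203.0.113.10", 9010, "50.84.145.146", 9010)  # forced source port
WEB_REPLY = Packet("tcp", "198.51.100.7", 443, "50.84.145.146", 40001, ack=True)
DNS_REPLY = Packet("udp", "198.51.100.53", 53, "50.84.145.146", 40002)
```

Run against `POSTED_ACL`, the owner's connection from home is denied (its source port is never 9010) while only a packet with a forced source port of 9010 is permitted, and the web reply to a PC on the LAN is denied by the implicit deny, which is consistent with the whole network dropping off once the list went on FastEthernet4 inbound. With `FIXED_ACL` the client connection and the TCP reply pass. Note the remaining caveat: `established` is a stateless check on TCP flags, so a UDP reply such as DNS still hits the implicit deny and needs its own permit or stateful inspection (`ip inspect` / zone-based firewall) in front of it. `static_pat_conflicts` flags that the posted NAT lines map TCP global port 9010 to both 192.168.0.55 and 192.168.0.8; one global port on the interface can translate to only one inside host, so the second of those entries cannot coexist with the first.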