Help with Port Forwarding not Working

jasonhammer30 · ‎02-03-2014

Hi,

I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:

TAMSATR1#show run

Building configuration...

Current configuration : 11082 bytes

version 15.2

no service pad

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname TAMSATR1

!

boot-start-marker

boot system flash:/c880data-universalk9-mz.152-1.T.bin

boot-end-marker

!

logging count

logging buffered 16384

enable secret

!

aaa new-model

!

aaa authentication login default local

aaa authentication login ipsec-vpn local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization console

aaa authorization exec default local

aaa authorization network groupauthor local

!

aaa session-id common

memory-size iomem 10

clock timezone CST -6 0

clock summer-time CDT recurring

crypto pki token default removal timeout 0

!

crypto pki trustpoint TP-self-signed-1879941380

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1879941380

revocation-check none

rsakeypair TP-self-signed-1879941380

!

crypto pki certificate chain TP-self-signed-1879941380

certificate self-signed 01

3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035

32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939

34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C

ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31

88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4

E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03

542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603

!

ip dhcp excluded-address 10.20.30.1 10.20.30.99

ip dhcp excluded-address 10.20.30.201 10.20.30.254

ip dhcp excluded-address 10.20.30.250

!

ip dhcp pool tamDHCPpool

import all

network 10.20.30.0 255.255.255.0

default-router 10.20.30.1

domain-name domain.com

dns-server 10.20.30.20 8.8.8.8

!

ip domain name tamgmt.com

ip name-server 10.20.30.20

ip cef

no ipv6 cef

!

license udi pid CISCO881W-GN-A-K9 sn

!

crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1

!

ip tftp source-interface Vlan1

!

class-map type inspect match-all CCP_SSLVPN

match access-group name CCP_IP

!

policy-map type inspect ccp-sslvpn-pol

class type inspect CCP_SSLVPN

pass

!

zone security sslvpn-zone

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

crypto isakmp policy 20

encr aes 192

authentication pre-share

group 2

crypto isakmp key password

!

crypto isakmp client configuration group ipsec-ra

key password

dns 10.20.30.20

domain tamgmt.com

pool sat-ipsec-vpn-pool

netmask 255.255.255.0

!

crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac

crypto ipsec transform-set TSET esp-aes esp-sha-hmac

!

crypto ipsec profile VTI

set security-association replay window-size 512

set transform-set TSET

!

crypto dynamic-map dynmap 10

set transform-set ipsec-ra

reverse-route

!

crypto map clientmap client authentication list ipsec-vpn

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface Loopback0

ip address 10.20.250.1 255.255.255.252

ip nat inside

ip virtual-reassembly in

!

interface Tunnel0

description To AUS

ip address 192.168.10.1 255.255.255.252

load-interval 30

tunnel source

tunnel mode ipsec ipv4

tunnel destination

tunnel protection ipsec profile VTI

!

interface FastEthernet0

no ip address

!

interface FastEthernet1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

ip address 1.2.3.4

ip access-group INTERNET_IN in

ip access-group INTERNET_OUT out

ip nat outside

ip virtual-reassembly in

no ip route-cache cef

ip route-cache policy

ip policy route-map IPSEC-RA-ROUTE-MAP

duplex auto

speed auto

crypto map clientmap

!

interface Virtual-Template1

ip unnumbered Vlan1

zone-member security sslvpn-zone

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

no ip address

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$

ip address 10.20.30.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

ip tcp adjust-mss 1452

!

ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239

ip default-gateway 71.41.20.129

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip dns server

ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload

ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389

ip nat inside source static 10.20.30.20 (public ip)

ip route 0.0.0.0 0.0.0.0 public ip

ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN

!

ip access-list extended ACL-POLICY-NAT

deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15

deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15

deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15

permit ip 10.20.30.0 0.0.0.255 any

permit ip 10.20.31.208 0.0.0.15 any

ip access-list extended CCP_IP

remark CCP_ACL Category=128

permit ip any any

ip access-list extended INTERNET_IN

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any unreachable

permit icmp any any time-exceeded

permit esp host 24.153. host 66.196

permit udp host 24.153 host 71.41.eq isakmp

permit tcp host 70.123. host 71.41 eq 22

permit tcp host 72.177. host 71.41 eq 22

permit tcp host 70.123. host 71.41. eq 22

permit tcp any host 71..134 eq 443

permit tcp host 70.123. host 71.41 eq 443

permit tcp host 72.177. host 71.41. eq 443

permit udp host 198.82. host 71.41 eq ntp

permit udp any host 71.41. eq isakmp

permit udp any host 71.41eq non500-isakmp

permit tcp host 192.223. host 71.41. eq 4022

permit tcp host 155.199. host 71.41 eq 4022

permit tcp host 155.199. host 71.41. eq 4022

permit udp host 192.223. host 71.41. eq 4022

permit udp host 155.199. host 71.41. eq 4022

permit tcp any host 10.20.30.20 eq 3389

evaluate INTERNET_REFLECTED

deny ip any any

ip access-list extended INTERNET_OUT

permit ip any any reflect INTERNET_REFLECTED timeout 300

ip access-list extended IPSEC-RA-ROUTE-MAP

deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255

deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255

deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255

deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255

deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255

deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255

permit ip 10.20.30.208 0.0.0.15 any

deny ip any any

!

access-list 23 permit 70.123.

access-list 23 permit 10.20.30.0 0.0.0.255

access-list 24 permit 72.177.

no cdp run

!

route-map IPSEC-RA-ROUTE-MAP permit 10

match ip address IPSEC-RA-ROUTE-MAP

set ip next-hop 10.20.250.2

!

banner motd ^C

UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.

You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.

^C

!

line con 0

logging synchronous

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0

access-class 23 in

privilege level 15

logging synchronous

transport input telnet ssh

line vty 1 4

access-class 23 in

exec-timeout 5 0

privilege level 15

logging synchronous

transport input telnet ssh

!

scheduler max-task-time 5000

ntp server 198.82.1.201

!

webvpn gateway gateway_1

ip address 71.41. port 443

http-redirect port 80

ssl encryption rc4-md5

ssl trustpoint TP-self-signed-1879941380

inservice

!

webvpn context TAM-SSL-VPN

title "Titleist Asset Management"

logo file titleist_logo.jpg

secondary-color white

title-color #CCCC66

text-color black

login-message "RESTRICTED ACCESS"

!

policy group policy_1

functions svc-enabled

svc address-pool "sat-ipsec-vpn-pool"

svc default-domain "tamgmt.com"

svc keep-client-installed

svc split dns "tamgmt.com"

svc split include 10.0.0.0 255.0.0.0

svc split include 192.168.0.0 255.255.0.0

svc split include 172.16.0.0 255.240.0.0

svc dns-server primary 10.20.30.20

svc dns-server secondary 66.196.216.10

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_1

gateway gateway_1

!

ssl authenticate verify all

inservice

!

end

Thanks,

Jason

Daniele Giordano · ‎02-04-2014

NAT config sounds ok.

Try to remove temporary your ACL.

If you reach the server you must check access-list statements.

Regards.

jasonhammer30 · ‎02-04-2014

I'll give it a try and let you know,

Thanks

jasonhammer30 · ‎02-05-2014

Daniele,

You are correct. I removed the ACL and it is now working.

Thank You