877 Port Forwarding issue with Site to Site VPN and use of route-map
I have an issue on a Cisco 877 using IOS 12.4(20)T3 where I already have one port forward that works, which uses a route-map to avoid dramas with the remote subnet being subjected to the static port forward locally.
I need to create an additional port forward which uses a different external port than 3389, as I only have a single external static IP and 3389 is already in use for the first server on the local LAN.
This is the specific section for the port forwarding rules.
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
This one does not work -----> ip nat inside source static tcp 192.168.100.3 3389 210.xxxx 8000 route-map SecureRDP extendable
I have tried using other external ports other than 8000 but they do not work either.
And the route-maps are listed below:
route-map No-Eden-NAT permit 10
 match ip address 120
!
route-map SDM_RMAP_1 permit 1
 match ip address 107
!
route-map SecureRDP permit 10
 description Map for direct RDP to both Servers from certain IP's
 match ip address 130
!
access-list 120 remark Deny Eden subnet being routed in via port forward
access-list 120 deny ip host 192.168.100.2 192.168.101.0 0.0.0.255
access-list 120 permit ip host 192.168.100.2 any
access-list 130 remark Deny Eden subnet and restrict RDP access
access-list 130 deny ip host 192.168.100.3 192.168.101.0 0.0.0.255
access-list 130 permit ip host 192.168.100.3 any
Surely a Cisco router should be able to port forward from an alternate external port to a second server using 3389?
There is also a ZBFW but I have checked over those rules a million times and am convinced that they are correct as the rules match the port forwards that are working.
I believe that there is some bug in the IOS that will not port forward when the external port and the internal port do not match!
Any help is greatly appreciated as I can't change the internal port for the second server as it's a Terminal Server.
Re: 877 Port Forwarding issue with Site to Site VPN and use of route-map
I know this post is real old now, but I would like to know why you are denying IP addresses. Below is what I don't get specifically.
access-list 120 remark Deny Eden subnet being routed in via port forward
access-list 120 deny ip host 192.168.100.2 192.168.101.0 0.0.0.255 <-- why are you denying source of the server and what is "192.168.101.0 0.0.0.255"??
access-list 120 permit ip host 192.168.100.2 any <-- again why are you permitting the same ip here
I am asking this question because I am doing the same kind of thing without a route-map and it is not working for me.