877 Port Forwarding issue with Site to Site VPN and use of route-map

brettm
Level 1

I have an issue on a Cisco 877 using IOS 12.4(20)T3 where I already have one port forward that works which uses a route-map to avoid dramas with the remote subnet being subjected to the static port forward locally.

I need to create an additional port forward which uses a different external port than 3389 as I only have a single external static IP and 3389 is already in use for the first server on the local LAN.

This is the specific section for the port forwarding rules.

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.100.2 80 210.xxxx 80 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.2 443 210.xxxx 443 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.2 3389 210.xxxx 3389 route-map No-Eden-NAT extendable

This one does not work  ----->  ip nat inside source static tcp 192.168.100.3 3389 210.xxxx 8000 route-map SecureRDP extendable

I have tried using other external ports other than 8000 but they do not work either.

And below are listed the route-maps:

route-map No-Eden-NAT permit 10
match ip address 120
!
route-map SDM_RMAP_1 permit 1
match ip address 107
!
route-map SecureRDP permit 10
description Map for direct RDP to both Servers from certain IP's
match ip address 130

access-list 120 remark Deny Eden subnet being routed in via port forward
access-list 120 deny   ip host 192.168.100.2 192.168.101.0 0.0.0.255
access-list 120 permit ip host 192.168.100.2 any
access-list 130 remark Deny Eden subnet and restrict RDP access
access-list 130 deny   ip host 192.168.100.3 192.168.101.0 0.0.0.255
access-list 130 permit ip host 192.168.100.3 any

Surely a Cisco router should be able to port forward from an alternate external port to a second server using 3389 ??

There is also a ZBFW but I have checked over those rules a million times and am convinced that they are correct as the rules match the port forwards that are working.

I believe that there is some bug in the IOS that will not port forward when the external port and the internal port do not match !!

Any help is greatly appreciated as I can't change the internal port for the second server as it's a Terminal Server.

1 Reply

nemat.exe
Level 1

Hello brother,

I know this post is real old now, but I would like to know why you are denying IP addresses. Below is what I don't get specifically.

access-list 120 remark Deny Eden subnet being routed in via port forward
access-list 120 deny   ip host 192.168.100.2 192.168.101.0 0.0.0.255   <-- why are you denying the source of the server, and what is "192.168.101.0 0.0.0.255"?
access-list 120 permit ip host 192.168.100.2 any   <-- again, why are you permitting the same IP here?

I am asking this question because I am doing the same kind of thing without a route-map and it is not working for me.

Many thanks
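The original post says the route-maps exist "to avoid dramas with the remote subnet being subjected to the static port forward locally": each ACL first denies the server talking to the VPN subnet 192.168.101.0/24 (so that traffic stays untranslated and can take the site-to-site tunnel) and then permits the server talking to anything else (so that traffic is translated to the public address). The reply asks what those two lines are for. The Python model below is an added example, not code from the thread or from Cisco IOS, that simulates that intent: a static NAT entry whose translation is gated by a route-map ACL. It is a simplified policy model, not the router's real NAT algorithm (it ignores the separate `SDM_RMAP_1` overload rule and the ZBFW), the elided public address 210.xxxx is replaced with the placeholder 198.51.100.1, and the hosts and ports used in the scenarios are constructed.

```python
"""Simplified model of IOS-style static NAT entries gated by a route-map ACL.

Added example code; it models the intent of the thread's configuration,
not IOS internals.  Addresses other than the post's private ones are
constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Sequence


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class AclEntry:
    """One extended-ACL line of the shape used in the post:
    <permit|deny> ip host <src> (<network> <wildcard> | any)."""
    action: str
    src_host: str
    dst: str  # "any" or "<network> <wildcard>", e.g. "192.168.101.0 0.0.0.255"


def acl_permits(acl: Sequence[AclEntry], src: str, dst: str) -> bool:
    """First-match evaluation; the implicit deny at the end returns False."""
    for entry in acl:
        if entry.dst == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            network, wildcard = entry.dst.split()
            # ipaddress accepts an IOS-style wildcard (hostmask) after the slash
            net = ipaddress.ip_network(f"{network}/{wildcard}")
        if src == entry.src_host and ipaddress.ip_address(dst) in net:
            return entry.action == "permit"
    return False


@dataclass(frozen=True)
class StaticNat:
    """ip nat inside source static tcp <in_ip> <in_port> <out_ip> <out_port> route-map <acl>"""
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    route_map_acl: Sequence[AclEntry]
    proto: str = "tcp"


def translate_outbound(pkt: Packet, table: Sequence[StaticNat]) -> Packet:
    """Inside -> outside: rewrite the source only when a static entry matches
    the inside socket AND its route-map ACL permits this destination.
    A denied destination (the VPN subnet) leaves the packet untranslated."""
    for e in table:
        if (pkt.proto, pkt.src, pkt.sport) == (e.proto, e.inside_ip, e.inside_port):
            if acl_permits(e.route_map_acl, pkt.src, pkt.dst):
                return replace(pkt, src=e.outside_ip, sport=e.outside_port)
            return pkt  # matched entry but route-map denied: no translation
    return pkt


def translate_inbound(pkt: Packet, table: Sequence[StaticNat]) -> Optional[Packet]:
    """Outside -> inside: map public ip:port to the inside server, or None
    when no static entry claims that public port (nothing to forward to)."""
    for e in table:
        if (pkt.proto, pkt.dst, pkt.dport) == (e.proto, e.outside_ip, e.outside_port):
            return replace(pkt, dst=e.inside_ip, dport=e.inside_port)
    return None


# --- constructed configuration mirroring the post -------------------------
PUBLIC_IP = "198.51.100.1"            # placeholder for the post's 210.xxxx
EDEN = "192.168.101.0 0.0.0.255"      # remote subnet reached over the VPN

ACL_120 = (AclEntry("deny", "192.168.100.2", EDEN),
           AclEntry("permit", "192.168.100.2", "any"))
ACL_130 = (AclEntry("deny", "192.168.100.3", EDEN),
           AclEntry("permit", "192.168.100.3", "any"))

NAT_TABLE = (
    StaticNat("192.168.100.2", 80, PUBLIC_IP, 80, ACL_120),
    StaticNat("192.168.100.2", 443, PUBLIC_IP, 443, ACL_120),
    StaticNat("192.168.100.2", 3389, PUBLIC_IP, 3389, ACL_120),
    StaticNat("192.168.100.3", 3389, PUBLIC_IP, 8000, ACL_130),  # intended 8000->3389 mapping
)


def demo():
    """Three constructed scenarios: server->VPN peer, server->internet, internet->public:8000."""
    to_vpn = translate_outbound(Packet("192.168.100.2", 3389, "192.168.101.50", 50000), NAT_TABLE)
    to_inet = translate_outbound(Packet("192.168.100.2", 3389, "203.0.113.7", 50000), NAT_TABLE)
    rdp_in = translate_inbound(Packet("203.0.113.7", 50001, PUBLIC_IP, 8000), NAT_TABLE)
    return to_vpn, to_inet, rdp_in


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Running `demo()` shows the two halves of each ACL doing different jobs: the reply to the VPN peer keeps its private source (the deny line), the reply to an internet client gets the public address (the permit line), and an inbound connection to public port 8000 is mapped to 192.168.100.3:3389 as the fourth rule intends. The model only states what the configuration is meant to do; it does not explain why the router in the post refuses to honour the mismatched-port entry.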
