04-11-2022 04:40 AM - last edited on 04-15-2022 01:01 AM by Translator
Hi!
Cisco ISR 1100 Series, C1111-4PLTE
I was pushed to create a config for a small company.
Outside ip: 10.100.100.182
Inside ip: 10.10.10.2
There is command:
ip nat inside source static tcp 10.10.10.2 587 10.100.100.182 587 vrf OVERISP extendable
The response is:
%Port 587 is being used by system
I can't find which process on the Cisco holds it.
"version 17.3
boot system bootflash:c1100-universalk9.17.03.04a.SPA.bin"
What is the command that can show which service blocks the redirect of port 587 TCP from the outside interface to the inside IP?
I can redirect UDP 587, but that is not what 'smtp submission' requires.
#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 10.100.100.182 67 0 0 2002211 0
17 255.255.255.255 53 --any-- 53203 0 0 211 0
#show ip ports all
Proto Local Address Foreign Address State PID/Program Name
TCB Local Address Foreign Address (state)
tcp :::21111 :::* LISTEN 296/[IOS]HTTP CORE
tcp *:21111 *:* LISTEN 296/[IOS]HTTP CORE
udp 10.100.100.182:67 0.0.0.0:0 599/[IOS]DHCPD Receive
The main deal with the Cisco device is:
- redirect some ports from the outside interface to the inside server,
- redirect other ports to machines in separate VLANs created on the internal 4-port switch.
I need to disable the 'process' which occupies port 587 over TCP, because I want to redirect it.
Michal
04-11-2022 08:37 AM - last edited on 04-15-2022 12:58 AM by Translator
Hi!
Solution to my problem is:
- remove lines:
ip nat inside source list from_vlan10 interface GigabitEthernet0/0/0 vrf OVERISP overload
ip nat inside source list from_vlan20 interface Cellular0/2/0 vrf OVERLTE overload
- add 22 and 587
- add back again lines:
ip nat inside source list from_vlan10 interface GigabitEthernet0/0/0 vrf OVERISP overload
ip nat inside source list from_vlan20 interface Cellular0/2/0 vrf OVERLTE overload
I wonder why 'overload' blocked the 'redirect' setup ... Quite interesting.
Anyway, I was not able to find that link with someone's problem, but it was what I read, and then I was able to 'fix' my problem.
Regards,
Michal
PS: My config is (I was not able to post it ... maybe this time):
CISCO-ROUTER01#sh run
Building configuration...
Current configuration : 11461 bytes
!
! Last configuration change at 10:57:21 UTC Mon Apr 11 2022
!
version 17.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname CISCO-ROUTER01
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.03.04a.SPA.bin
boot system bootflash:c1100-universalk9_ias.16.10.01b.SPA.bin
boot-end-marker
!
!
!
no aaa new-model
!
ip vrf OVERISP
!
ip vrf OVERLTE
!
!
!
!
!
!
!
ip domain name add.local
ip dhcp excluded-address 172.16.100.2 172.16.100.20
ip dhcp excluded-address 172.16.101.2 172.16.101.20
ip dhcp excluded-address 172.16.102.2 172.16.102.20
ip dhcp excluded-address 172.16.103.2 172.16.103.20
!
ip dhcp pool 100
network 172.16.100.0 255.255.255.0
default-router 172.16.100.1
dns-server 8.8.8.8 194.204.152.34
!
ip dhcp pool 101
network 172.16.101.0 255.255.255.0
default-router 172.16.101.1
dns-server 8.8.8.8 194.204.152.34
!
ip dhcp pool 102
network 172.16.102.0 255.255.255.0
default-router 172.16.102.1
dns-server 8.8.8.8 194.204.152.34
!
ip dhcp pool 103
network 172.16.103.0 255.255.255.0
default-router 172.16.103.1
dns-server 8.8.8.8 194.204.152.34
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
no device-tracking logging theft
!
!
!
crypto pki trustpoint TP-self-signed-550789721
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-550789721
revocation-check none
rsakeypair TP-self-signed-550789721
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-550789721
certificate self-signed 01
3082032E 30820216 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
3
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
30820321 30820209 A0030201 02020101 300D0609 2A864886 F70D0101 0B050030
3
D697DF7F 28
quit
!
!
license udi pid C1111-4PLTEEA sn FCZ2528R1R7
memory free low-watermark processor 71810
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 secret 9 $9$qXXXXXXXXXXXXXXXX
username SIM0 privilege 0 password 7 115F4D5343
username admin01 privilege 15 secret 9 $9$qXXXXXXXXXXXXXXXX
!
redundancy
mode none
!
controller Cellular 0/2/0
lte sim authenticate 7 115F4D5343 slot 0
lte sim data-profile 2 attach-profile 2 slot 0
lte modem crash-action boot-and-hold
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description TO_INTERNET
ip vrf forwarding OVERISP
ip address 10.100.100.182 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/1
description LINK_TO_SERVER
no ip address
negotiation auto
!
interface GigabitEthernet0/0/1.10
description VLAN_10
encapsulation dot1Q 10
ip vrf forwarding OVERISP
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface GigabitEthernet0/0/1.20
description VLAN_20
encapsulation dot1Q 20
ip vrf forwarding OVERLTE
ip address 10.10.20.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no cdp enable
!
interface GigabitEthernet0/1/0
description SWITCH_PORT_FOR_VLAN_100_SIP
switchport access vlan 100
no cdp enable
!
interface GigabitEthernet0/1/1
description SWITCH_PORT_FOR_VLAN_101_SERVIS_ROOM
switchport access vlan 101
no cdp enable
!
interface GigabitEthernet0/1/2
description SWITCH_PORT_FOR_VLAN_102_DEMO_ROOM
switchport access vlan 102
no cdp enable
!
interface GigabitEthernet0/1/3
description SWITCH_PORT_FOR_VLAN_103_FULL_ACCESS_ROOM
switchport access vlan 103
no cdp enable
!
interface Cellular0/2/0
description LTE modem IP X.Y.Z.A
ip vrf forwarding OVERLTE
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip tcp adjust-mss 1460
shutdown
dialer in-band
dialer idle-timeout 0
dialer watch-group 1
dialer-group 1
pulse-time 10
ip virtual-reassembly
!
interface Cellular0/2/1
no ip address
shutdown
!
interface Vlan1
description Default_Vlan1_notremovable
no ip address
shutdown
!
interface Vlan100
description VLAN_100_SIP
ip address 172.16.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan101
description VLAN_101_SERVIS_ROOM
ip address 172.16.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan102
description VLAN_102_DEMO_ROOM
ip address 172.16.102.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan103
description VLAN_103_FULL_ACCESS_ROOM
ip address 172.16.103.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
!
no ip http server
ip http authentication local
no ip http secure-server
ip forward-protocol nd
ip nat inside source static tcp 10.10.10.2 20 10.100.100.182 20 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 21 10.100.100.182 21 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 25 10.100.100.182 25 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 53 10.100.100.182 53 vrf OVERISP extendable
ip nat inside source static udp 10.10.10.2 53 10.100.100.182 53 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 80 10.100.100.182 80 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 110 10.100.100.182 110 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 143 10.100.100.182 143 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 221 10.100.100.182 221 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 222 10.100.100.182 222 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 223 10.100.100.182 223 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 224 10.100.100.182 224 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 443 10.100.100.182 443 vrf OVERISP extendable
ip nat inside source static udp 10.10.10.2 587 10.100.100.182 587 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 993 10.100.100.182 993 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 995 10.100.100.182 995 vrf OVERISP extendable
! before adding 22 and 587 -> remove these lines with 'overload'
ip nat inside source list from_vlan10 interface GigabitEthernet0/0/0 vrf OVERISP overload
ip nat inside source list from_vlan20 interface Cellular0/2/0 vrf OVERLTE overload
ip route vrf OVERISP 0.0.0.0 0.0.0.0 10.100.100.181
ip route vrf OVERLTE 0.0.0.0 0.0.0.0 Cellular0/2/0
ip ssh time-out 60
ip ssh source-interface GigabitEthernet0/0/1.10
ip ssh version 2
!
!
ip access-list standard TerminalAccess
10 permit 10.10.10.2 log
ip access-list standard from_vlan10
10 permit 10.10.10.0 0.0.0.255
ip access-list standard from_vlan20
10 permit 10.10.20.0 0.0.0.255
!
!
dialer watch-list 1 ip 8.8.8.8 255.255.255.255
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 60
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
access-class TerminalAccess in vrfname OVERISP
login local
transport input ssh
line vty 5 15
access-class TerminalAccess in vrfname OVERISP
login local
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH not.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end
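An added config-audit script (my example, not the poster's or Cisco's code) that parses the NAT lines of a running-config like the one above and flags three things visible in it: static forwards of cleartext services, the udp-only 587 entry that cannot serve SMTP submission (a TCP service), and an overload rule whose interface address is shared with the static entries, which is the ordering conflict the poster worked around. The sample config is a constructed subset of the posted one; the cleartext and TCP-only port tables are my assumptions.

```python
import re

# Constructed sample: a few of the NAT lines from the posted running-config
# (static port forwards to the mail/web server, plus the PAT 'overload' rule).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 10.100.100.182 255.255.255.252
 ip nat outside
ip nat inside source static tcp 10.10.10.2 25 10.100.100.182 25 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 110 10.100.100.182 110 vrf OVERISP extendable
ip nat inside source static tcp 10.10.10.2 443 10.100.100.182 443 vrf OVERISP extendable
ip nat inside source static udp 10.10.10.2 587 10.100.100.182 587 vrf OVERISP extendable
ip nat inside source list from_vlan10 interface GigabitEthernet0/0/0 vrf OVERISP overload
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list \S+ interface (\S+) .*overload$")
# Assumed table: well-known ports whose service carries credentials in cleartext.
CLEARTEXT = {21: "ftp", 25: "smtp", 80: "http", 110: "pop3", 143: "imap"}
# Assumed table: TCP-only services; a udp-only static entry for them forwards nothing useful.
TCP_ONLY = {22: "ssh", 587: "submission", 993: "imaps", 995: "pop3s"}


def parse(config):
    """One pass over an IOS config: static entries, overload interfaces, interface addresses."""
    statics, overload_ifs, addrs, cur = [], [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = line.split()[1]
        elif cur and line.startswith("ip address ") and len(line.split()) == 4:
            addrs[cur] = line.split()[2]          # primary IPv4 address of the interface
        elif m := STATIC_RE.match(line):
            proto, iip, iport, oip, oport = m.groups()
            statics.append((proto, iip, int(iport), oip, int(oport)))
        elif m := OVERLOAD_RE.match(line):
            overload_ifs.append(m.group(1))
    return statics, overload_ifs, addrs


def audit(config):
    """Return (severity, message) findings about the NAT exposure described by config."""
    statics, overload_ifs, addrs = parse(config)
    exposed = {(proto, oport) for proto, _, _, _, oport in statics}
    findings = []
    for proto, iip, _, oip, oport in statics:
        if proto == "tcp" and oport in CLEARTEXT:
            findings.append(("warn", f"{oip}:{oport}/tcp exposes cleartext {CLEARTEXT[oport]} on {iip}"))
        if proto == "udp" and oport in TCP_ONLY and ("tcp", oport) not in exposed:
            findings.append(("error", f"{oip}:{oport} is udp only, but {TCP_ONLY[oport]} is a TCP service"))
    for intf in overload_ifs:
        addr = addrs.get(intf)
        hits = [s for s in statics if s[3] == addr]   # static entries on the PAT interface address
        if hits:
            findings.append(("info", f"PAT overload on {intf} ({addr}) shares the address of {len(hits)} static entries; add static ports before re-adding the overload rule"))
    return findings
```

Running audit on the full posted config reports the same categories; the error line disappears once the 587 entry is changed to tcp.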
04-11-2022 05:42 AM
check this thread. HTH