11-30-2014 03:16 PM - edited 03-05-2019 12:15 AM
Hi to all,
It's the same old help question.
I have a small network: a Cisco 1841 router configured with PPPoE and connected (no extra public IP). I have a server which I would like to reach from outside through port 23424, and I'm not able to do it. I tried the usual way known to me: a NAT rule mapping the dialer to the inside IP address of the server, and an access list permitting the port on the Dialer, but my internet disconnects whenever I create the access rule. So the router version is:
================================================================================
#sh ver
Cisco IOS Software, 1841 Software (C1841-SPSERVICESK9-M), Version 12.4(12a), RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Thu 22-Feb-07 15:56 by prod_rel_team
ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)
jerdi uptime is 12 hours, 46 minutes
System returned to ROM by reload at 11:04:04 UTC Sun Nov 30 2014
System image file is "flash:c1841-spservicesk9-mz.124-12a.bin"
================================================================================
and my config is
================================================================================
Using 1972 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname jerdi
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.115
!
ip dhcp pool home
import all
network 192.168.1.0 255.255.255.0
dns-server xxx.xxx.xxx.xxx
default-router 192.168.1.254
domain-name xxxxx.xxx
!
!
vpdn enable
!
!
!
!
!
controller E1 0/0/0
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description ADSL WAN Interface
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface Dialer1
description ADSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx
ppp chap password 0 xxxxxxx
ppp pap sent-username xxxxxxx password 0 xxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.115 23424 interface Dialer1 23424
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 101 permit tcp any host 192.168.1.115 eq 23424
dialer-list 1 protocol ip permit
disable-eadi
no cdp run
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
============================================================
The configuration is still at the very basic stage; so far I have only inserted the NAT for the internal server
"ip nat inside source static tcp 192.168.1.115 23424 interface Dialer1 23424"
If I insert the access list
"ip access-list extended 100"
"permit any any eq 23424"
and then bind this access list to interface Dialer1
"interface Dialer1"
"ip access-group 100 in"
my internet disconnects... If I remove the "ip access-group 100 in", my internet connection resumes at once.
I made a test and was able to port-forward SSH (22) by only implementing the IP NAT rule to the same server; it worked normally, and I want to port-forward 23424 the same way.
Please, any idea what I'm doing wrong?
Many thanks
Jordi
11-30-2014 07:39 PM
With the configuration posted, is your port-forward working? My cursory glance says that it should be, as you have the line, "ip nat inside source static tcp 192.168.1.115 23424 interface Dialer1 23424" in there.
Your access list is breaking everything, because ACL 100 denies all traffic other than the port forward. You could solve this easily by adding a second line to access-list 100:
permit ip any any
12-01-2014 01:45 AM
Hi
No, it's not working in this config, and that's why I tried to put in access list 100, but you are correct, it's breaking everything; I missed the permit ip any any.
I will give it a try, hope it will work, and will be back.
Thanks a lot
12-01-2014 11:39 AM
Sorry, still not working, and it still breaks my internet connection when I bind the access list to the Dialer1 interface. Anyway, this is my config now (which is breaking the internet):
---------------------------------------------------------------------------------------------------------------------------
Using 2206 out of 196600 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname jerdi
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
enable secret 5 xxxxxxxxxxxx
!
no aaa new-model
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.1.254
!
ip dhcp pool home
import all
network 192.168.1.0 255.255.255.0
dns-server xxx.xxx.xxx.xxx
default-router 192.168.1.254
domain-name xxx.xxx
!
!
no ip domain lookup
vpdn enable
!
!
!
username xxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxx
!
!
controller E1 0/0/0
!
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no ip mroute-cache
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description ADSL WAN Interface
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface BRI0/1/0
no ip address
encapsulation hdlc
shutdown
!
interface Dialer1
description ADSL WAN Dialer
ip address negotiated
no ip unreachables
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx
ppp chap password 7 xxxxxxxxxxxxx
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.115 23424 interface Dialer1 23424
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 100 permit tcp any any eq 23424
access-list 100 permit tcp any any
dialer-list 1 protocol ip permit
disable-eadi
no cdp run
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
!
scheduler allocate 20000 1000
end
-------------------------------------------------------------------------------------------------------------
What I don't see is the line
ip access-group 100 in
because whenever I put this line under the Dialer1 interface to bind the access list, it breaks everything. Is this incompatible?
Please let me know your opinion.
Thanks a lot
Jordi
12-01-2014 12:04 PM
Try "permit ip any any" instead of "permit tcp any any".
12-01-2014 02:26 PM
Hi
With the permit ip any any, my connection now does not break down, but still my port-forward rule is not active, sorry.
I bound it to the Dialer1 interface, hope that's correct: 'ip access-group 100 in', and made a reboot,
but still not working.
12-01-2014 03:30 PM
Dear Damastrs
Sorry, but I didn't notice,
but your solution works perfectly.
So my solution was to add the second permit line correctly.
Thank you very much
12-02-2014 05:54 AM
That's great. However, this is the new access list:
access-list 100 permit tcp any any eq 23424
access-list 100 permit ip any any
This access list effectively does nothing (technically, it blocks non-IP protocols, but there probably aren't any of those coming across your PPPoE connection). So you may as well have left the ACL out.
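As an added illustration of the two points made in the replies above (the implicit deny at the end of every IOS ACL, which is why the first ACL "broke everything", and an ACL ending in permit ip any any that filters nothing), here is a small Python model of IOS extended-ACL matching run against constructed inbound traffic. It is not code from the thread or from Cisco: the public address 203.0.113.5 (a stand-in for the address IPCP negotiates on Dialer1), the remote hosts and the packets are made up, and ACL_TIGHT is a suggested alternative of mine, not something anyone in the thread posted.

```python
"""Model of Cisco IOS extended-ACL matching applied inbound on an outside interface.

Added example, not code from the thread or from Cisco. Addresses, ports and
packets are constructed. Semantics modelled: first matching entry wins, and an
implicit "deny ip any any" follows the last configured entry.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False     # TCP ACK bit set: reply traffic of an existing session


def _addr_match(tokens, addr):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD') from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return True
    if tok == "host":
        return tokens.pop(0) == addr
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    care = 0xFFFFFFFF ^ wildcard          # wildcard bits set to 1 are "don't care"
    return (base & care) == (int(ipaddress.IPv4Address(addr)) & care)


def _port_match(tokens, port):
    """Consume an optional 'eq N' that follows an address spec; absent means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        return int(tokens.pop(0)) == port
    return True


def _ace_result(ace, pkt):
    """Return 'permit'/'deny' if this access-list entry matches pkt, else None."""
    tokens = ace.split()
    if tokens[0] == "access-list":        # "access-list 100 permit ..." -> drop prefix
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if proto != "ip" and proto != pkt.proto:
        return None
    # Consume the fields in order, then combine (no short-circuit, or the
    # token positions would drift).
    src_ok = _addr_match(rest, pkt.src)
    sport_ok = _port_match(rest, pkt.sport)
    dst_ok = _addr_match(rest, pkt.dst)
    dport_ok = _port_match(rest, pkt.dport)
    est_ok = (pkt.proto == "tcp" and pkt.ack) if "established" in rest else True
    return action if (src_ok and sport_ok and dst_ok and dport_ok and est_ok) else None


def evaluate(acl, pkt):
    """First match wins; implicit deny at the end of every IOS ACL."""
    for ace in acl:
        result = _ace_result(ace, pkt)
        if result is not None:
            return result
    return "deny"


# Constructed stand-in for the negotiated Dialer1 address. An inbound ACL on the
# outside interface runs before the global-to-local NAT step, so it sees this
# public address as the destination, never 192.168.1.115.
PUBLIC = "203.0.113.5"

# Constructed packets as they arrive inbound on Dialer1.
INBOUND = {
    "dns_reply":  Packet("udp", "198.51.100.53", PUBLIC, 53, 51515),
    "web_reply":  Packet("tcp", "198.51.100.80", PUBLIC, 443, 40001, ack=True),
    "ping_reply": Packet("icmp", "198.51.100.1", PUBLIC),
    "to_23424":   Packet("tcp", "198.51.100.77", PUBLIC, 55555, 23424),
    "probe_22":   Packet("tcp", "198.51.100.77", PUBLIC, 55556, 22),
}

# The three access lists from the thread, in the order they were tried.
ACL_V1 = ["access-list 100 permit tcp any any eq 23424"]
ACL_V2 = ACL_V1 + ["access-list 100 permit tcp any any"]
ACL_V3 = ACL_V1 + ["access-list 100 permit ip any any"]

# ACL 101 from the first post names the inside address, which this ACL never sees.
ACL_101 = ["access-list 101 permit tcp any host 192.168.1.115 eq 23424"]

# Assumed tighter alternative (mine, not from the thread): the forwarded port plus
# reply traffic only. "established" checks just the ACK/RST bits, so it is a weak
# stand-in for a stateful mechanism.
ACL_TIGHT = [
    "access-list 100 permit tcp any any eq 23424",
    "access-list 100 permit tcp any any established",
    "access-list 100 permit udp any eq 53 any",
    "access-list 100 permit icmp any any",
]


def verdicts(acl):
    """Map each constructed packet name to the ACL's permit/deny verdict."""
    return {name: evaluate(acl, pkt) for name, pkt in INBOUND.items()}


if __name__ == "__main__":
    for label, acl in [("v1", ACL_V1), ("v2", ACL_V2), ("v3", ACL_V3),
                       ("acl101", ACL_101), ("tight", ACL_TIGHT)]:
        print(label, verdicts(acl))
```

Running it reproduces the thread: ACL_V1 drops every reply (DNS, web, ping) and the link looks dead; ACL_V2 still drops the UDP DNS replies, so browsing still fails even though TCP replies now pass; ACL_V3 permits everything, including the probe to port 22. It also shows why the very first post's ACL 101 could never match: inbound on Dialer1 the destination is the public address, not 192.168.1.115. ACL_TIGHT admits the forwarded port and reply traffic and still denies the probe, but "established" is only a flag check; where the feature set supports it, CBAC (ip inspect) or a reflexive ACL is the stateful equivalent. One more caveat from the posted config: with no ACL on Dialer1 and ip http server enabled, the router's own HTTP interface is reachable from the WAN at the public address, so either "no ip http server" or an "ip http access-class" limited to 192.168.1.0/24 is worth adding whichever ACL is chosen.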