Cisco 877 Problem opening ports

ciberfuert
Level 1

Hi All,

I have a Cisco 877 connected to a VSAT modem, and I can't open ports to the outside, and I don't know why.

The Cisco 877 Fa0 port is connected to the VSAT modem on VLAN 9, and the rest of the ports are connected to the local LAN network on VLAN 2. I can reach the Internet, but I can't open a port to the outside. ADSL over POTS is not used here.

I need to open port 81 for IP address 192.168.1.130 and I don't know why this isn't working. Could you please look at my config and let me know what I'm doing wrong?

Also, if I do "sh ip nat translations" I see this:

cisco877#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.30.xx.122:81   192.168.1.130:81   ---                ---
udp 172.30.xx.122:81   192.168.1.130:81   ---                ---

cisco877#sh ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
ATM0                       unassigned      YES NVRAM  administratively down down
BVI1                       192.168.1.1     YES NVRAM  up                    up
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  down                  down
FastEthernet3              unassigned      YES unset  up                    up
NVI0                       unassigned      YES unset  administratively down down
Vlan1                      unassigned      YES NVRAM  up                    down
Vlan2                      unassigned      YES manual up                    up
Vlan9                      172.30.xx.122   YES DHCP   up                    up

Here is my current configuration:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
crypto pki trustpoint TP-self-signed-2198319652
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2198319652
 revocation-check none
 rsakeypair TP-self-signed-2198319652
!
!
crypto pki certificate chain TP-self-signed-2198319652
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313938 33313936 3532301E 170D3131 31313039 30393537
  33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31393833
  31393635 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E2CA 9B0BDBCF 3F5F70A3 2BA8D47A A173FB67 CAE56F58 515348C0 C9C4469E
  66449590 074A3C68 F8063B96 4E6CC587 0C567501 9A345D86 08B54F4C FE1F3400
  86BB09F9 CC0F4DE9 04951942 9B66307C 0665B62E CA0438B5 233EC823 1606F3B7
  1E420EFB 586AD3EC 6DC1E251 5BCB3053 2E204128 951C4B92 9AD5EE59 57CA1C25
  EEF30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17636973 636F3837 372E6369 73636F38 37372E6C 6F63616C
  301F0603 551D2304 18301680 147BFCA7 383BF174 FF88C536 78E27687 936BC9B1
  37301D06 03551D0E 04160414 7BFCA738 3BF174FF 88C53678 E2768793 6BC9B137
  300D0609 2A864886 F70D0101 04050003 8181004C BD6404DA 87FAAFD9 CF166E75
  919254EA DAA0364F 0C153897 1C7B3680 DABBC5FC 0CB60F92 DCBFE1DA 266C227A
  FE8EB273 CFD7EAD9 DBEDB7AF 400C18C8 DBC8B77A 7257EED2 851A762E 2C77FD3B
  E0619B04 75B6A789 76769D37 45B42A64 0A985BC4 F2F39713 0459961E BCBDA7FA
  ADC54486 965A6428 BD2E30E7 9C9CFBB0 C7D8B1
        quit
dot11 syslog
!
dot11 ssid 1
!
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150 192.168.1.130
!
ip dhcp pool dhcppool
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 85.62.229.133
   default-router 192.168.1.1
!
!
ip cef
no ip bootp server
ip domain name cisco877.local
ip name-server 85.62.229.133
ip name-server 85.62.229.134
ip ddns update method dyndns
 HTTP
  add http://user:pass@members.dyndns.org/nic/update?system=dyndns&hostname=pass@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://user:pass@members.dyndns.org/nic/update?system=dyndns&hostname=pass@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 0 0 5 0
 interval minimum 0 0 5 0
!
login block-for 180 attempts 10 within 120
login on-failure log
login on-success log
no ipv6 cef
ntp server 163.117.202.33
!
multilink bundle-name authenticated
!
!
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
!
interface FastEthernet0
 switchport access vlan 9
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
interface Vlan1
 no ip address
!
interface Vlan2
 description **** LAN ****
 no ip address
 no ip redirects
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan9
 description **** WAN ****
 ip ddns update hostname myhost.dyndns.org
 ip ddns update dyndns
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan9 dhcp
ip http server
ip http secure-server
!
!
ip nat inside source list 11 interface Vlan9 overload
ip nat inside source list 102 interface Vlan9 overload
ip nat inside source static tcp 192.168.1.130 81 interface Vlan9 81
ip nat inside source static udp 192.168.1.130 81 interface Vlan9 81
!
!
access-list 11 remark *** LAN NAT***
access-list 11 permit 192.0.0.0 0.0.0.255
access-list 11 remark *** LAN NAT***
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login authentication local_auth
!
scheduler max-task-time 5000
end

Best Regards.

5 Replies

tomas.ussher
Level 1

Configure it to have one single statement:

ip nat inside source list ... overload

It does not make sense to have two.

ebarticel
Level 4

Can you ping any outside ip from router?

ciberfuert
Level 1

I have 2 "ip nat inside" statements because I was testing UDP and TCP to see if it made sense, but it doesn't work.

With this config I can ping outside from the router; for example, I go to the console and ping google or cisco and I get a response. Also the computers connected to this router can access the Internet correctly, but if I open ports it doesn't work.

For example, I have an Axis 2100 network camera on IP 192.168.1.130 and I want it to be visible from outside on port 81.

From inside the LAN I can see the network camera on 192.168.1.130:81 correctly, but not from the Internet, so I opened port 81 TCP and UDP but it doesn't work.

Do you see any mistake in the configuration? Could it be improved?

When I do "sh ip nat translations", why don't I see Outside local and Outside global with an IP?

cisco877#sh ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.30.xx.122:81   192.168.1.130:81   ---                ---
udp 172.30.xx.122:81   192.168.1.130:81   ---                ---

I have tried to ping 172.30.xx.122 from the Internet and the response was "destination network not accessible". Why? Am I behind a firewall of my VSAT operator?

Best Regards.

172.30.x.x is a PRIVATE IP ADDRESS; you cannot reach this IP address from the Internet. You CANNOT host a service using this private IP address which your VSAT modem is providing you.

http://en.wikipedia.org/wiki/Private_network

Possible options for you:

You'd either have to configure static NAT on that modem itself (if it supports it) or get a pool of public addresses (2 or 3) from the ISP so that you can use them on the modem's inside and the router's outside (VLAN 9) interface. Only then can you configure this static NAT statement on the router.

Another point I would like to make is: why are you using a BVI when there is only one inside VLAN, i.e. VLAN 2? Configure the IP address as well as the "ip nat inside" command on that VLAN interface itself instead of making the config more complex by creating bridging.

Hope it helps

Neeraj
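The router-side configuration that follows is an added example written for this thread; it is not Neeraj's reply, not the original poster's config and not Cisco documentation. It applies the two points made above (drop the BVI and put the LAN address and "ip nat inside" on Vlan2; keep one PAT statement with an ACL that matches only 192.168.1.0/24) and keeps the TCP/81 forward for the camera. It assumes the Axis 2100 only needs HTTP, so the UDP/81 entry is dropped, and it assumes the VSAT modem has been changed so that the router's Vlan9 address is either a public address or the target of a static NAT on the modem for TCP/81; until that is true nothing on the router will make the port reachable from the Internet, because 172.30.x.x is private. Sections not shown (DHCP pool, DDNS, AAA, lines) stay as they were.

```ios
! Layer 2: Fa0 to the VSAT modem (VLAN 9), Fa1-Fa3 to the LAN (VLAN 2)
interface FastEthernet0
 switchport access vlan 9
!
interface FastEthernet1
 switchport access vlan 2
!
interface FastEthernet2
 switchport access vlan 2
!
interface FastEthernet3
 switchport access vlan 2
!
! The LAN SVI carries the address itself; "bridge irb", BVI1 and the
! bridge-group commands are removed
interface Vlan2
 description **** LAN ****
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 ip nat inside
 ip virtual-reassembly
!
interface Vlan9
 description **** WAN ****
 ip ddns update hostname myhost.dyndns.org
 ip ddns update dyndns
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 Vlan9 dhcp
!
! One PAT statement. The ACL matches only the LAN subnet; the original
! "permit 192.0.0.0 0.0.0.255" entry and the whole list-102 statement
! (which ended in "permit tcp any any") are gone.
access-list 11 remark *** LAN NAT ***
access-list 11 permit 192.168.1.0 0.0.0.255
ip nat inside source list 11 interface Vlan9 overload
!
! Port forward for the camera. HTTP is TCP only (assumption: the Axis 2100
! web interface is the only service that must be reached), so no UDP entry.
ip nat inside source static tcp 192.168.1.130 81 interface Vlan9 81
!
! Keep the router's own web UI off the WAN side: HTTPS only, and only
! from LAN source addresses (standard ACL 1 is new in this example)
access-list 1 remark *** management sources ***
access-list 1 permit 192.168.1.0 0.0.0.255
no ip http server
ip http secure-server
ip http access-class 1
!
! Stop storing passwords in clear text in the running-config
service password-encryption
```

After a connection from the Internet actually reaches the forward, "show ip nat translations" shows a second entry for that flow with the Outside local and Outside global columns filled in; the "---" entries in the thread are only the static mapping itself, which is normal. Note that the camera's web interface on TCP/81 is plain HTTP, so its credentials cross the VSAT link and the Internet unencrypted; if the set of viewers is known, an inbound access list on Vlan9 restricting TCP/81 to those source addresses is the cheapest mitigation.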

Also, to ping devices behind a static NAT translation, you need to configure for that.

Since you didn't, you can't ping.
