02-09-2012 07:48 AM - edited 03-04-2019 03:12 PM
Hi All,
I have a Cisco 877 connected to a VSAT modem, and I can't open ports to the outside; I don't know why.
The Cisco 877 Fa0 port is connected to the VSAT modem on VLAN 9, and the rest of the ports are connected to the local LAN on VLAN 2. I can access the Internet, but I can't open a port to the outside. ADSL over POTS is not used here.
I need to open port 81 for IP address 192.168.1.130 and I don't know why this isn't working. Could you please look at my config and let me know what I'm doing wrong?
Also if I do: sh ip nat translations I see this:
cisco877#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.30.xx.122:81 192.168.1.130:81 --- ---
udp 172.30.xx.122:81 192.168.1.130:81 --- ---
cisco877#sh ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM administratively down down
BVI1 192.168.1.1 YES NVRAM up up
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset down down
FastEthernet3 unassigned YES unset up up
NVI0 unassigned YES unset administratively down down
Vlan1 unassigned YES NVRAM up down
Vlan2 unassigned YES manual up up
Vlan9 172.30.xx.122 YES DHCP up up
Here is my current configuration:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco877
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
aaa session-id common
clock timezone GMT 0
clock summer-time GMT recurring
!
crypto pki trustpoint TP-self-signed-2198319652
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2198319652
revocation-check none
rsakeypair TP-self-signed-2198319652
!
!
crypto pki certificate chain TP-self-signed-2198319652
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32313938 33313936 3532301E 170D3131 31313039 30393537
33365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31393833
31393635 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100E2CA 9B0BDBCF 3F5F70A3 2BA8D47A A173FB67 CAE56F58 515348C0 C9C4469E
66449590 074A3C68 F8063B96 4E6CC587 0C567501 9A345D86 08B54F4C FE1F3400
86BB09F9 CC0F4DE9 04951942 9B66307C 0665B62E CA0438B5 233EC823 1606F3B7
1E420EFB 586AD3EC 6DC1E251 5BCB3053 2E204128 951C4B92 9AD5EE59 57CA1C25
EEF30203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17636973 636F3837 372E6369 73636F38 37372E6C 6F63616C
301F0603 551D2304 18301680 147BFCA7 383BF174 FF88C536 78E27687 936BC9B1
37301D06 03551D0E 04160414 7BFCA738 3BF174FF 88C53678 E2768793 6BC9B137
300D0609 2A864886 F70D0101 04050003 8181004C BD6404DA 87FAAFD9 CF166E75
919254EA DAA0364F 0C153897 1C7B3680 DABBC5FC 0CB60F92 DCBFE1DA 266C227A
FE8EB273 CFD7EAD9 DBEDB7AF 400C18C8 DBC8B77A 7257EED2 851A762E 2C77FD3B
E0619B04 75B6A789 76769D37 45B42A64 0A985BC4 F2F39713 0459961E BCBDA7FA
ADC54486 965A6428 BD2E30E7 9C9CFBB0 C7D8B1
quit
dot11 syslog
!
dot11 ssid 1
!
ip source-route
no ip gratuitous-arps
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.130
!
ip dhcp pool dhcppool
import all
network 192.168.1.0 255.255.255.0
dns-server 85.62.229.133
default-router 192.168.1.1
!
!
ip cef
no ip bootp server
ip domain name cisco877.local
ip name-server 85.62.229.133
ip name-server 85.62.229.134
ip ddns update method dyndns
HTTP
add http://user:pass@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
remove http://user:pass@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 0 0 5 0
interval minimum 0 0 5 0
!
login block-for 180 attempts 10 within 120
login on-failure log
login on-success log
no ipv6 cef
ntp server 163.117.202.33
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 9
!
interface FastEthernet1
switchport access vlan 2
!
interface FastEthernet2
switchport access vlan 2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
no ip address
!
interface Vlan2
description **** LAN ****
no ip address
no ip redirects
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan9
description **** WAN ****
ip ddns update hostname myhost.dyndns.org
ip ddns update dyndns
ip address dhcp
ip nat outside
ip virtual-reassembly
!
interface BVI1
description $ES_LAN$
ip address 192.168.1.1 255.255.255.0
no ip redirects
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Vlan9 dhcp
ip http server
ip http secure-server
!
!
ip nat inside source list 11 interface Vlan9 overload
ip nat inside source list 102 interface Vlan9 overload
ip nat inside source static tcp 192.168.1.130 81 interface Vlan9 81
ip nat inside source static udp 192.168.1.130 81 interface Vlan9 81
!
!
access-list 11 remark *** LAN NAT***
access-list 11 permit 192.0.0.0 0.0.0.255
access-list 11 remark *** LAN NAT***
access-list 11 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
login authentication local_auth
!
scheduler max-task-time 5000
end
Best Regards.
02-10-2012 09:16 PM
Configure a single statement:
ip nat inside source list ... overload
It does not make sense to have two.
02-11-2012 01:10 AM
Can you ping any outside ip from router?
02-11-2012 03:16 AM
I have two "ip nat inside" statements because I was testing UDP and TCP to see if it made sense, but it doesn't work.
With this config I can ping outside from the router; for example, I access the console and ping Google or Cisco and I get a response. The computers connected to this router can also access the Internet correctly, but if I open ports it doesn't work.
For example, I have an Axis 2100 network camera on IP 192.168.1.130 and I want it to be visible from outside on port 81.
From inside the LAN I can see the network camera on 192.168.1.130:81 correctly, but not from the Internet, so I opened port 81 TCP and UDP, but it doesn't work.
Do you see any mistake in the configuration? Could it be improved?
When I do "sh ip nat translations", why don't I see Outside local and Outside global with an IP?
cisco877#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 172.30.xx.122:81 192.168.1.130:81 --- ---
udp 172.30.xx.122:81 192.168.1.130:81 --- ---
I have tried to ping 172.30.xx.122 from the Internet and the response was: destination network not accessible. Why? Am I behind a firewall run by my VSAT operator?
Best Regards.
02-11-2012 11:55 AM
172.30.x.x is a PRIVATE IP ADDRESS; you cannot reach this IP address from the Internet. You CANNOT host a service using this private IP address, which your VSAT modem is providing you.
http://en.wikipedia.org/wiki/Private_network
Possible options for you:
You'd either have to configure static NAT on the modem itself (if it supports it) or get a pool of public addresses (2 or 3) from the ISP so that you can use them on the modem's inside and the router's outside (VLAN 9) interface. Only then can you configure this static NAT statement on the router.
Another point I would like to make: why are you using a BVI when there is only one inside VLAN, i.e. VLAN 2? Configure the IP address as well as the "ip nat inside" command on that VLAN interface itself instead of making the config more complex by creating bridging.
Hope it helps
Neeraj
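Added example (not code from the thread or from any of its posters): a small Python check that applies the two points raised above to pasted router output. It parses a "show ip nat translations" table and the "ip nat inside source" lines of a config, flags static entries whose Inside global address sits in RFC 1918 private space or RFC 6598 shared (carrier-grade NAT) space, where a port forward can never be reached from the public Internet, and flags more than one dynamic overload statement on the same interface. The sample input is constructed; 172.30.10.122 stands in for the masked 172.30.xx.122 shown in the thread.

```python
import ipaddress
import re

# Address ranges that are not routable on the public Internet. A static NAT whose
# "Inside global" address falls in one of these is behind another NAT (the modem or
# the operator), so the router's port forward is only reachable from that inner domain.
NON_PUBLIC_RANGES = {
    "RFC 1918 private": [
        ipaddress.ip_network("10.0.0.0/8"),
        ipaddress.ip_network("172.16.0.0/12"),
        ipaddress.ip_network("192.168.0.0/16"),
    ],
    "RFC 6598 shared address space (carrier-grade NAT)": [
        ipaddress.ip_network("100.64.0.0/10"),
    ],
}

# Constructed sample: the two static entries from the thread, with the masked octet
# replaced by 10 (placeholder value, not the poster's real address).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 172.30.10.122:81   192.168.1.130:81   ---                ---
udp 172.30.10.122:81   192.168.1.130:81   ---                ---
"""

# Constructed sample: the NAT lines of the posted config (same text as the thread).
SAMPLE_CONFIG = """\
ip nat inside source list 11 interface Vlan9 overload
ip nat inside source list 102 interface Vlan9 overload
ip nat inside source static tcp 192.168.1.130 81 interface Vlan9 81
ip nat inside source static udp 192.168.1.130 81 interface Vlan9 81
"""


def classify_address(addr):
    """Return the label of the non-public range the address is in, or None if public."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC_RANGES.items():
        if any(ip in net for net in nets):
            return label
    return None


def split_host_port(field):
    """Split an 'addr:port' column; '---' (empty column) yields (None, None)."""
    if field == "---":
        return None, None
    host, _, port = field.rpartition(":")
    return host, int(port) if port else None


def parse_translations(text):
    """Parse 'show ip nat translations' rows into dicts, skipping the header line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        proto, ig, il, ol, og = parts
        entries.append({"proto": proto, "inside_global": ig, "inside_local": il,
                        "outside_local": ol, "outside_global": og})
    return entries


def find_unreachable_entries(translations_text):
    """List (proto, inside_global_host, port, range_label) for non-public Inside global addresses."""
    findings = []
    for entry in parse_translations(translations_text):
        host, port = split_host_port(entry["inside_global"])
        label = classify_address(host)
        if label:
            findings.append((entry["proto"], host, port, label))
    return findings


def find_duplicate_overload(config_text):
    """Map interface -> list of ACL ids when more than one overload statement targets it."""
    pattern = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload$")
    per_interface = {}
    for line in config_text.splitlines():
        match = pattern.match(line.strip())
        if match:
            per_interface.setdefault(match.group(2), []).append(match.group(1))
    return {intf: acls for intf, acls in per_interface.items() if len(acls) > 1}


def report(config_text, translations_text):
    """Build human-readable findings from both checks."""
    lines = []
    for intf, acls in find_duplicate_overload(config_text).items():
        lines.append(f"{intf}: {len(acls)} overload statements (ACLs {', '.join(acls)}); keep one")
    for proto, host, port, label in find_unreachable_entries(translations_text):
        lines.append(f"{proto}/{port}: Inside global {host} is {label}; not reachable from the "
                     f"Internet, so the upstream device must forward it or the WAN needs a public address")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG, SAMPLE_TRANSLATIONS):
        print(line)
```

Run it against your own pasted output by replacing the two sample strings; an entry whose Inside global address is public but still unreachable points at a filter upstream rather than at the router's NAT.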
02-12-2012 01:14 AM
Also, to ping devices behind a static NAT translation, you need to configure the router for that.
Since you didn't, you can't ping.