02-22-2012 10:50 AM - edited 03-04-2019 03:23 PM
Hello,
I'm new to the Cisco world and have so far got internet and VPN working (without SDM) using the IOS commands.
I have hit a stumbling block with port forwarding ports 80 (http) and 443 (https) to my small business server for Outlook Web Access.
Could someone kindly look over my running config below and point me in the right direction?
I need to forward port 80 and 442 to internal LAN server 192.168.10.1
The Cisco 877 has a local IP address of 192.168.10.254
Many thanks in advance.
<Running Config>
Building configuration...
Current configuration : 8435 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service internal
service sequence-numbers
no service dhcp
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 10240 debugging
logging console critical
enable secret 5 $1$VdLO$6X5lAbsC8AlnUdormjzsm1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization network grouplist local
!
aaa session-id common
!
resource policy
!
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
no ip source-route
ip cef
!
!
!
!
ip tcp selective-ack
ip tcp timestamp
no ip bootp server
no ip domain lookup
ip domain name local
ip inspect name firewall tcp
ip inspect name firewall udp
ip inspect name firewall cuseeme
ip inspect name firewall h323
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall sqlnet
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall icmp
ip inspect name firewall sip
ip inspect name firewall esmtp max-data 52428800
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall netshow
ip inspect name firewall rtsp
ip inspect name firewall pptp
ip inspect name firewall skinny
ip ips name intrusion list 3
!
!
!
file verify auto
username xxxxx password xxxxx
username xxxxx password xxxxx
username xxxxx password xxxxx
username xxxxx privilege 15 secret xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxx address xxxxx no-xauth
crypto isakmp key xxxxx address xxxxx no-xauth
!
crypto isakmp client configuration group kenilworth
key xxxxx
domain local
pool vpnclients
acl 106
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-md5 esp-3des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto ipsec transform-set tr-aes-sha esp-aes esp-sha-hmac
!
crypto dynamic-map vpnusers 1
description Client to Site VPN Users
set transform-set tr-aes-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 110 ipsec-isakmp
set peer xxxxx
set peer xxxxx
set transform-set tr-aes-sha
match address 110
crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
dsl noise-margin 3
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
ip address 192.168.10.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
ip nat outside
ip inspect firewall out
ip ips intrusion in
ip virtual-reassembly
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password xxxxx
ppp pap sent-username xxxxx password xxxxx
ppp ipcp dns request
ppp ipcp route default
crypto map cm-cryptomap
!
ip local pool vpnclients 192.168.240.1 192.168.240.254
!
!
no ip http server
no ip http secure-server
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 permit xxxxxx
access-list 2 permit 203.97.50.97
access-list 2 remark Where management can be done from.
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark Traffic not to check for intrustion detection.
access-list 3 deny 192.168.1.0 0.0.0.255
access-list 3 deny 192.168.240.0 0.0.0.255
access-list 3 permit any
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 1723
access-list 101 permit gre any any
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 remark Traffic allowed to enter the router from the Internet
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 permit ip any host 192.168.10.254
access-list 102 deny ip any host 192.168.10.255
access-list 102 deny udp any any eq tftp log
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.240.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 remark Traffic to NAT
access-list 106 remark User to Site VPN Clients
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 remark User to Site VPN Clients
access-list 110 remark Site to Site VPN
access-list 110 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.10.0 0.0.0.255 any
access-list 110 remark Site to Site VPN
dialer-list 1 protocol ip permit
!
!
<End Running Config>
02-22-2012 01:05 PM
The ACL applied inbound on the Dialer interface to permit those two ports, is placed after deny ip any any.
----
access-list 101 deny ip any any log
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
---
Please shift deny ip any any to the end.
Also, if you want access to these servers over NAT, and even regular end users in your LAN to be able to access resources over the VPN hosted on remote sites, you need to call a route-map in your NAT statements. The route-map calls an ACL which denies local-to-remote traffic so it doesn't get NATted, and permits the rest (remember not to use permit ip any any in the NAT ACL).
For example:
ip access-list extended NATACL
deny ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.31.255.255
deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
permit ip 192.168.10.0 0.0.0.255 any
route-map NATMAP
match ip address NATACL
Remove these first:
---
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443
---
Then:
----
ip nat inside source route-map NATMAP interface Dialer0 overload
ip nat inside source static tcp 192.168.10.1 80 interface Dialer0 80 route-map NATMAP
ip nat inside source static tcp 192.168.10.1 443 interface Dialer0 443 route-map NATMAP
------
If the static NAT statements don't allow you to use route-map after Dialer0 80/443, then you can change that to the public IP you have, which should be static and known to you. I see you have PPP autoneg, and hope that it gives you the same IP every time.
02-22-2012 02:12 PM
Hi Gautam, many thanks for your reply!
If I telnet onto the Cisco router and enter config terminal mode, how can I shift the entries for www and https up?
I entered the entry by just typing it in conf terminal mode which is why I guess it ended up in the wrong place!
Many thanks in advance
Lee
02-23-2012 10:47 PM
Lee,
To modify ACLs, get a listing of the ACL to check the line numbers. Then go into ACL config mode and make changes.
In your case, line 200 is not needed as 210 denies all IP packets anyways (icmp goes over IP). So I removed 200 and 210, then added 210 back as 240, so that it appears after the last permit statement. Then I resequenced this ACL to start numbering the first statement from 10 and increment each sequence number by 10.
I'll show how it's done in your case:
-----
R1#show ip access-list 101
Extended IP access list 101
10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
30 deny ip 0.0.0.0 0.255.255.255 any
40 deny ip 10.0.0.0 0.255.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip 169.254.0.0 0.0.255.255 any
70 deny ip 172.16.0.0 0.15.255.255 any
80 deny ip 192.0.2.0 0.0.0.255 any
90 deny ip 192.168.0.0 0.0.255.255 any
100 deny ip 198.18.0.0 0.1.255.255 any
110 deny ip 224.0.0.0 0.15.255.255 any
120 deny ip any host 255.255.255.255
130 permit udp any any eq non500-isakmp
140 permit udp any any eq isakmp
150 permit esp any any
160 permit tcp any any eq 1723
170 permit gre any any
180 permit tcp any any eq 22
190 permit tcp any any eq telnet
200 deny icmp any any echo
210 deny ip any any log
220 permit tcp any any eq www
230 permit tcp any any eq 443
R1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#ip access-list extended 101
R1(config-ext-nacl)#no 200
R1(config-ext-nacl)#no 210
R1(config-ext-nacl)#240 deny ip any any log
R1(config-ext-nacl)#exit
R1(config)#ip access-list resequence 101 10 10
R1(config)#end
R1#show access-list 101
Extended IP access list 101
10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
30 deny ip 0.0.0.0 0.255.255.255 any
40 deny ip 10.0.0.0 0.255.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip 169.254.0.0 0.0.255.255 any
70 deny ip 172.16.0.0 0.15.255.255 any
80 deny ip 192.0.2.0 0.0.0.255 any
90 deny ip 192.168.0.0 0.0.255.255 any
100 deny ip 198.18.0.0 0.1.255.255 any
110 deny ip 224.0.0.0 0.15.255.255 any
120 deny ip any host 255.255.255.255
130 permit udp any any eq non500-isakmp
140 permit udp any any eq isakmp
150 permit esp any any
160 permit tcp any any eq 1723
170 permit gre any any
180 permit tcp any any eq 22
190 permit tcp any any eq telnet
200 permit tcp any any eq www
210 permit tcp any any eq 443
220 deny ip any any log
R1#
---------
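The first-match rule behind the fix above, as an added example that is not part of the thread: a minimal evaluator for IOS numbered extended ACLs, run over the relevant lines of ACL 101 before and after the resequencing. The public addresses 203.0.113.5 and 198.51.100.7 are constructed placeholders.

```python
import ipaddress

# Added example, not from the thread: first-match evaluation of IOS extended ACEs.
# Addresses 203.0.113.5 (client) and 198.51.100.7 (Dialer0) are constructed.
PORT_NAMES = {"www": 80, "telnet": 23, "isakmp": 500, "non500-isakmp": 4500}

def _addr(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(toks[i + 1] + "/32"), i + 2
    wild = int(ipaddress.IPv4Address(toks[i + 1]))   # IOS wildcard = inverted netmask
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ wild)
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2

def _port(toks, i):
    """Optional 'eq PORT' qualifier; return (port or None, next index)."""
    if i < len(toks) and toks[i] == "eq":
        name = toks[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i

def parse_ace(line):
    toks = line.split()                      # e.g. "permit tcp any any eq www"
    src, i = _addr(toks, 2)
    sport, i = _port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _port(toks, i)
    return toks[0], toks[1], src, sport, dst, dport

def evaluate(acl, proto, src, dst, sport=None, dport=None):
    """Return (action, 1-based ACE index): first match wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, line in enumerate(acl, 1):
        action, p, snet, sp, dnet, dp = parse_ace(line)
        if p not in ("ip", proto) or s not in snet or d not in dnet:
            continue
        if (sp is not None and sp != sport) or (dp is not None and dp != dport):
            continue
        return action, n
    return "deny", None

# ACL 101 from the thread, trimmed to the lines that matter, before and after the fix.
ACL_BEFORE = ["deny ip 192.168.0.0 0.0.255.255 any", "permit tcp any any eq 22",
              "deny ip any any log", "permit tcp any any eq www", "permit tcp any any eq 443"]
ACL_AFTER = ["deny ip 192.168.0.0 0.0.255.255 any", "permit tcp any any eq 22",
             "permit tcp any any eq www", "permit tcp any any eq 443", "deny ip any any log"]

def owa_from_internet(acl, dport):
    """An Internet client connecting to the router's public address on the OWA port."""
    return evaluate(acl, "tcp", "203.0.113.5", "198.51.100.7", sport=51000, dport=dport)

if __name__ == "__main__":
    for name, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        print(name, owa_from_internet(acl, 80), owa_from_internet(acl, 443))
```

Before the fix both connections hit the deny-all at the third line and never reach the port permits; after it they match the www and 443 entries, while the anti-spoofing deny for 192.168.0.0/16 sources still fires first.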
02-24-2012 02:23 AM
Hello Gautam,
Thank you for this valuable information.
I have carried out your instructions above; however, when I entered 240 deny ip any any log I received an error saying it cannot create a duplicate entry, so I entered it back as 250 and then re-sequenced.
The show access-list 101 now shows the following:
R1W#show access-list 101
Extended IP access list 101
10 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
20 permit ip 192.168.240.0 0.0.0.255 192.168.10.0 0.0.0.255
30 deny ip 0.0.0.0 0.255.255.255 any
40 deny ip 10.0.0.0 0.255.255.255 any
50 deny ip 127.0.0.0 0.255.255.255 any
60 deny ip 169.254.0.0 0.0.255.255 any
70 deny ip 172.16.0.0 0.15.255.255 any
80 deny ip 192.0.2.0 0.0.0.255 any
90 deny ip 192.168.0.0 0.0.255.255 any
100 deny ip 198.18.0.0 0.1.255.255 any
110 deny ip 224.0.0.0 0.15.255.255 any
120 deny ip any host 255.255.255.255
130 permit udp any any eq non500-isakmp (862 matches)
140 permit udp any any eq isakmp (88 matches)
150 permit esp any any (17460 matches)
160 permit tcp any any eq 1723
170 permit gre any any
180 permit tcp any any eq 22 (830 matches)
190 permit tcp any any eq telnet (682 matches)
200 permit tcp any any eq www (9 matches)
210 permit tcp any any eq 443 (20 matches)
220 permit tcp any any eq chargen
230 deny ip any any log
R1#
The problem is that ports 80 and 443 are still not getting through to the internal server (192.168.10.1), so Exchange web access for the iPhone using ports 80 and 443 still doesn't work.
I didn't implement the NATACL route map suggestions, just shifted the deny IP as directed above, could this be why?
Am I doing something wrong?
Many thanks in advance
Lee
02-24-2012 05:00 AM
1. Allow the two ports explicitly in the inbound ACL applied on the inside interface. This is to see if we see matches, which will prove that the return packets are seen entering the router.
---
conf t
ip access-list ext 102
1 permit tcp host 192.168.10.1 eq 80 any
2 permit tcp host 192.168.10.1 eq 443 any
exit
---
2. You can also add another ACL, as below, to see if packets leave the router towards the servers.
----
conf t
ip access-list ext vlan1.out
permit tcp any host 192.168.10.1 eq 80
permit tcp any host 192.168.10.1 eq 443
permit ip any any
int vlan 1
ip access-group vlan1.out out
exit
----
3. You can use this ACL to see if packets for these translations leave the router towards the internet:
---
conf t
ip access-list ext dialer.out
permit tcp any eq 80 any
permit tcp any eq 443 any
permit ip any any
int Dialer0
ip access-group dialer.out out
exit
---
4. Now try to access the servers from the outside (internet), and send the output as follows:
show access-list 101
show access-list vlan1.out
show access-list 102
show access-list dialer.out
show ip nat trans | i 192.168.10.1|Pro
---
Please tell me the public IP of the machine (client) from which you were trying to access these servers, and the public ip assigned to your router's Dialer0.
02-24-2012 06:20 AM
Hi Gautam, I have just sent you a DM with those outputs for security reasons.
Many thanks
Lee