Cisco 887VA port mapping issue

delprofundo (Level 1)

Hi,

I'm pretty new to IOS configuration and am having some difficulties mapping some external ports to hosts on the inside of the network.

I have gone through the steps that I expected would work, and the hosts on the inside of the network can connect to the outside world; the results of internal-to-external mappings are present as expected when viewing the debug information.

What is also interesting, as depicted here, is that the static mappings are showing in the transactions table:

tcp 1XX.1XX.1XX.1XX:19770  2YY.2YY.2YY:3389    ---                   --- These are as configured.

When I attempt to connect to the address using the external port I am not seeing any evidence in the logs that point to the attempted translation being made.

Here is my complete config:

version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname broute1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 65535
logging console informational
!
no aaa new-model
!
memory-size iomem 10
clock timezone ESTime 10 0
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name ninterface.com
ip name-server IPADDRESS DNS
ip name-server IPADDRESS DNS
ip inspect name CBAC appleqtc
ip inspect name CBAC dns
ip inspect name CBAC esmtp
ip inspect name CBAC http
ip inspect name CBAC https
ip inspect name CBAC ftp
ip inspect name CBAC h323
ip inspect name CBAC isakmp
ip inspect name CBAC l2tp
ip inspect name CBAC icmp
ip inspect name CBAC imap
ip inspect name CBAC imaps
ip inspect name CBAC ftps
ip inspect name CBAC ntp
ip inspect name CBAC sip
ip inspect name CBAC sip-tls
ip inspect name CBAC ssh
ip inspect name CBAC tcp
ip inspect name CBAC udp
login block-for 300 attempts 4 within 60
login delay 7
login quiet-mode access-class aclQuietMode
login on-failure log
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn XXXXXXXXXX
!
!
archive
 log config
  hidekeys
username PERSON privilege 15 secret 4 BLAHBLAH
!
!
!
!
controller VDSL 0
 operating mode adsl2 annex A
!
ip ssh version 2
!
!
!
!
!
!
!
interface Loopback0
 no ip address
!
interface Ethernet0
 no ip address
 shutdown
 no fair-queue
!
interface ATM0
 description --- Internode ADSL ----
 no ip address
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 no ip route-cache
 pvc 8/35
  tx-ring-limit 3
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 description Management Interface
 ip address INTERNALADDRESS 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 ip tcp adjust-mss 1420
!
interface Dialer0
 no ip address
 ip virtual-reassembly in
 shutdown
 no cdp enable
!
interface Dialer1
 description -----INTERNODE ADSL------
 mtu 1492
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1460
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp chap hostname INTERNETUSERNAME
 ppp chap password 7 INTERNETPASSWORD
 ppp ipcp dns request accept
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip dns server
ip nat inside source static tcp 2YY.2YY.2YY 3389 interface Dialer1 19770
ip nat inside source static tcp 2YY.2YY.2YY 22 interface Dialer1 19771
ip nat inside source static tcp 2YY.2YY.2YY 5000 interface Dialer1 5000
ip nat inside source static tcp 2YY.2YY.2YY 873 interface Dialer1 873
ip nat inside source static tcp 2YY.2YY.2YY 3389 interface Dialer1 31313
ip nat inside source static tcp 2YY.2YY.2YY 3389 interface Dialer1 19450
ip nat inside source list NAT-ACL interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list standard acINAT
ip access-list standard aclQuietMode
 permit INTERNALRANGE 0.0.0.255
!
ip access-list extended NAT-ACL
 permit ip INTERNALRANGE 0.0.0.255 any
ip access-list extended aclNat
 permit ip INTERNALRANGE 0.0.0.255 any
!
logging trap debugging
access-list 43 permit INTERNALRANGE 0.0.0.255
access-list 103 permit tcp host 0.0.0.0 host STATICGLOBAL eq EX-PORT
access-list 103 permit icmp any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map rmNatIn2Out permit 10
 match ip address aclNat
!
!
control-plane
!
alias exec t10 term len 0
alias exec ps show process cpu
alias exec top show process cpu sort 5m | exclude (0.00% 0.00% 0.00%)
alias exec version show version | include image
alias exec uptime show version | include uptime|ROM[^:]|restarted
alias exec hist show process cpu history
!
line con 0
 login local
 transport output ssh
line aux 0
 transport output all
line vty 0 2
 access-class aclNat in
 exec-timeout 20 0
 privilege level 15
 login local
 transport input ssh
line vty 3 4
 access-class aclQuietMode in
 exec-timeout 20 0
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
sntp server 192.231.203.132
end

Yep, it's a terrible hack job and I am sure there are a few commands that don't belong any more, but I'm perplexed as to what I have missed.

Can anyone help point me in the right direction?

Thanks!

Bruno

Accepted Solution

paolo bevilacqua (Hall of Fame)

Under dialer 1 remove ip access-group, ip inspect, ip mtu, and ip tcp mss adjust.

The latter has to be 1452 under vlan 1 only.

That should be enough.

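The accepted answer removes the inbound access-group, and the reason it helps is worth seeing concretely. For outside-to-inside traffic, IOS checks the inbound ACL on the outside interface before the static NAT entry rewrites the destination, so the ACL has to match the Dialer1 public address and the external port (19770), not the LAN host and 3389. As posted, `access-list 103` only permits TCP from a source of `0.0.0.0`, which no real client has, so every inbound SYN to a forwarded port falls through to the implicit deny; `ip inspect CBAC out` does not help, because CBAC only opens return traffic for sessions started from the inside. The following Python model is an added illustration, not code from the thread or from Cisco: it reproduces first-match ACL evaluation with wildcard masks and evaluates both the posted ACL and an assumed least-privilege alternative that keeps an inbound ACL but permits only the forwarded external ports. All addresses are constructed placeholders, and `EX-PORT` is taken as 19770 for the illustration.

```python
"""Model of how the inbound ACL on Dialer1 treats a port-forwarded connection.

Added illustration (not from the thread). Entries are tried in order, the first
match wins, and an implicit deny sits at the end, as in an IOS extended ACL.
All addresses below are constructed placeholders.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

STATIC_GLOBAL = "203.0.113.10"   # constructed: stands in for the Dialer1 address
REMOTE_CLIENT = "198.51.100.7"   # constructed: a client somewhere on the Internet
FORWARDED_PORTS = (19770, 19771, 5000, 873, 31313, 19450)  # external ports from the NAT lines


@dataclass
class Ace:
    """One access-control entry, e.g. 'permit tcp any host X eq 19770'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" | "tcp" | "udp" | "icmp"
    src: str                     # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: Optional[int] = None  # 'eq <port>' on the destination; None matches any port


def addr_matches(spec: str, addr: str) -> bool:
    """Evaluate an IOS address specifier against a concrete IPv4 address."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    base, wildcard = parts
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    a = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF        # wildcard bit 1 = don't care, 0 = must match
    return (a & care) == (b & care)


def evaluate(acl: List[Ace], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for ace in acl:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if not addr_matches(ace.src, src) or not addr_matches(ace.dst, dst):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action
    return "deny"                 # implicit deny at the end of every IOS ACL


# access-list 103 as posted: the tcp entry matches only a SOURCE of 0.0.0.0,
# so a real client's SYN never matches it and hits the implicit deny.
ACL_103_AS_POSTED = [
    Ace("permit", "tcp", "host 0.0.0.0", f"host {STATIC_GLOBAL}", 19770),
    Ace("permit", "icmp", "any", "any"),
]

# Assumed alternative (not the accepted answer, which drops the access-group):
# keep inbound filtering but permit exactly the forwarded external ports from
# any source. With a negotiated Dialer1 address a real ACL would use 'any' as
# the destination; 'host' is kept here to mirror the posted entry.
ACL_103_LEAST_PRIVILEGE = [
    Ace("permit", "tcp", "any", f"host {STATIC_GLOBAL}", p) for p in FORWARDED_PORTS
] + [Ace("permit", "icmp", "any", "any")]


def inbound_verdicts() -> dict:
    """Verdict for a client SYN arriving on Dialer1 under each ACL."""
    return {
        "as_posted": evaluate(ACL_103_AS_POSTED, "tcp", REMOTE_CLIENT, STATIC_GLOBAL, 19770),
        "least_privilege": evaluate(ACL_103_LEAST_PRIVILEGE, "tcp", REMOTE_CLIENT, STATIC_GLOBAL, 19770),
        "unforwarded_port": evaluate(ACL_103_LEAST_PRIVILEGE, "tcp", REMOTE_CLIENT, STATIC_GLOBAL, 23),
    }


if __name__ == "__main__":
    for name, verdict in inbound_verdicts().items():
        print(f"{name:17s} -> {verdict}")
```

Running it shows `as_posted -> deny`, which matches the symptom in the question (the translation never appears because the packet is dropped before NAT sees it), while the least-privilege ACL permits 19770 and still denies a port that is not forwarded. Removing the access-group, as the accepted answer suggests, gets the forwards working immediately; keeping a tightened ACL is the option to consider if you want the router, rather than NAT alone, to decide which inbound ports are reachable.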

Wow, Paolo, thank you so much! That got it going right away; now just to work out why I thought all that should stay!

Thanks again!

B

The longer you work with Cisco, the less commands you will use.

Thank you for the nice rating and good luck!
