01-09-2023 09:51 AM
Hello all.
I'm hoping for some beginner guidance to set up port forwarding on a Cisco ISR 1100. Easy if you know how I'm sure but I've tried several tutorials and I'm struggling to open the ports. I need to forward 993 to host an IMAP server on 192.168.10.32 and 31194 for a VPN on 192.168.10.31 using a single static IP from my ISP. I've attached my config below. WAN IP has been changed for security to 999.999.999.999.
I expect the NAT rules are ok but I'm misunderstanding how the ACLs work. If I remove the allow any statement there is no internet access. Regardless of how I've tried to apply the rules, the ports 993 and 31194 aren't opened (validated with several online port scanners so it's testing from the WAN side). Any pointers greatly appreciated as to how to make this work. Thank you.
---
Current configuration : 11120 bytes
!
! Last configuration change at 17:27:45 GMT Mon Jan 9 2023 by admin
!
version 16.9
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto unthrottled
!
hostname router-lowcroft
!
boot-start-marker
boot system bootflash:c1100-universalk9_ias.16.09.03.SPA.bin
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
ip nbar http-services
!
!
!
no ip bootp server
ip name-server 9.9.9.9 1.1.1.1
ip domain name removed.com
!
ip dhcp pool HMGLC-IoT
network 192.168.30.0 255.255.255.0
dns-server 9.9.9.9
default-router 192.168.30.254
!
!
!
login block-for 300 attempts 5 within 30
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid C1111-8P sn FCZ2330C1KC
license accept end user agreement
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
et-analytics
!
!
username admin privilege 15 secret
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-DSCP
match dscp af41
class-map match-all WEBUI-BROADCAST_VIDEO-NBAR
match protocol attribute traffic-class broadcast-video
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-NBAR
match protocol attribute traffic-class voip-telephony
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-BULK_DATA-NBAR
match protocol attribute traffic-class bulk-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-NBAR
match protocol attribute traffic-class signaling
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_CONTROL-DSCP
match dscp cs6
class-map match-all WEBUI-SCAVENGER-NBAR
match protocol attribute business-relevance business-irrelevant
class-map match-all WEBUI-SCAVENGER-DSCP
match dscp cs1
class-map match-all WEBUI-NETWORK_CONTROL-NBAR
match protocol attribute traffic-class network-control
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-DSCP
match dscp cs3
class-map match-all WEBUI-BULK_DATA-DSCP
match dscp af11
class-map match-all WEBUI-BROADCAST_VIDEO-DSCP
match dscp cs5
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-NBAR
match protocol attribute traffic-class multimedia-conferencing
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-DSCP
match dscp ef
class-map match-all WEBUI-NETWORK_MANAGEMENT-NBAR
match protocol attribute traffic-class ops-admin-mgmt
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-MULTIMEDIA_STREAMING-DSCP
match dscp af31
class-map match-all WEBUI-REALTIME_INTERACTIVE-NBAR
match protocol attribute traffic-class real-time-interactive
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-TRANSACTIONAL_DATA-DSCP
match dscp af21
class-map match-all WEBUI-REALTIME_INTERACTIVE-DSCP
match dscp cs4
class-map match-all WEBUI-TRANSACTIONAL_DATA-NBAR
match protocol attribute traffic-class transactional-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_MANAGEMENT-DSCP
match dscp cs2
class-map match-all WEBUI-MULTIMEDIA_STREAMING-NBAR
match protocol attribute traffic-class multimedia-streaming
match protocol attribute business-relevance business-relevant
!
policy-map WEBUI-MARKING-IN
class WEBUI-VOICE-NBAR
set dscp ef
class WEBUI-BROADCAST_VIDEO-NBAR
set dscp cs5
class WEBUI-REALTIME_INTERACTIVE-NBAR
set dscp cs4
class WEBUI-MULTIMEDIA_CONFERENCING-NBAR
set dscp af41
class WEBUI-MULTIMEDIA_STREAMING-NBAR
set dscp af31
class WEBUI-SIGNALING-NBAR
set dscp cs3
class WEBUI-NETWORK_CONTROL-NBAR
set dscp cs6
class WEBUI-NETWORK_MANAGEMENT-NBAR
set dscp cs2
class WEBUI-TRANSACTIONAL_DATA-NBAR
set dscp af21
class WEBUI-BULK_DATA-NBAR
set dscp af11
class WEBUI-SCAVENGER-NBAR
set dscp cs1
class class-default
set dscp default
policy-map WEBUI-QUEUING-OUT
class WEBUI-VOICE-DSCP
priority percent 10
class WEBUI-BROADCAST_VIDEO-DSCP
priority percent 10
class WEBUI-REALTIME_INTERACTIVE-DSCP
priority percent 13
class WEBUI-NETWORK_CONTROL-DSCP
bandwidth percent 2
class WEBUI-SIGNALING-DSCP
bandwidth percent 2
class WEBUI-NETWORK_MANAGEMENT-DSCP
bandwidth percent 3
class WEBUI-MULTIMEDIA_CONFERENCING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-MULTIMEDIA_STREAMING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-TRANSACTIONAL_DATA-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-BULK_DATA-DSCP
bandwidth percent 4
fair-queue
random-detect dscp-based
class WEBUI-SCAVENGER-DSCP
bandwidth percent 1
class class-default
bandwidth percent 25
fair-queue
random-detect dscp-based
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip nbar protocol-discovery
ip verify unicast source reachable-via rx 100
ip access-group autosec_firewall_acl in
negotiation auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
no mop enabled
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nbar protocol-discovery
negotiation auto
no mop enabled
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
description HMGL
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
description HMGLC-IoT
switchport access vlan 3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
ip address 192.168.10.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no mop enabled
!
interface Vlan3
description HMGL-IoT
ip address 192.168.30.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no mop enabled
!
interface Dialer0
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1448
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp mtu adaptive
ppp authentication pap callin
ppp pap sent-username password 7
ppp ipcp dns request
ppp ipcp route default
!
ip nat inside source static tcp 192.168.10.32 993 999.999.999.999 993 extendable
ip nat inside source static udp 192.168.10.31 31194 999.999.999.999 31194 extendable
ip nat inside source list 101 interface Dialer1 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list standard Internet-Permitted
remark == Permit NAT for Internet Access ==
permit any
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 101 permit udp any eq 31194 host 999.999.999.999 eq 31194
access-list 101 permit tcp any eq 993 host 999.999.999.999 eq 993
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
!
!
!
!
control-plane
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport input none
transport output telnet
stopbits 1
line vty 0 4
login authentication local_auth
length 0
transport input telnet ssh
!
ntp server 0.uk.pool.ntp.org prefer
ntp server 1.uk.pool.ntp.org
!
!
!
!
!
end
---
#sh ip nat translations
Pro  Inside global              Inside local              Outside local             Outside global
udp  999.999.999.999:31194      192.168.10.31:31194       ---                       ---
tcp  999.999.999.999:993        192.168.10.32:993         ---                       ---
tcp  999.999.999.999:551        999.999.999.999:884       51.89.92.241:25565        51.89.92.241:25565
icmp 999.999.999.999:2          999.999.999.999:16        13.49.41.242:16           13.49.41.242:2
tcp  999.999.999.999:5063       999.999.999.999:60358     9.9.9.9:53                9.9.9.9:53
tcp  999.999.999.999:549        999.999.999.999:23        131.213.41.128:23091      131.213.41.128:23091
tcp  999.999.999.999:5062       999.999.999.999:11110     89.248.163.205:49719      89.248.163.205:49719
tcp  999.999.999.999:5064       999.999.999.999:60550     8.8.8.8:53                8.8.8.8:53
tcp  999.999.999.999:5066       999.999.999.999:27027     1.1.1.1:53                1.1.1.1:53
tcp  999.999.999.999:5069       999.999.999.999:21108     1.1.1.1:53                1.1.1.1:53
tcp  999.999.999.999:5065       999.999.999.999:23609     92.63.197.154:43210       92.63.197.154:43210
tcp  999.999.999.999:546        999.999.999.999:81        141.255.160.234:47504     141.255.160.234:47504
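Added example, not part of the post above or of any reply: a zone-based firewall (ZBF) policy for this box, with the static NAT entries bound to the negotiated Dialer1 address instead of a literal WAN IP. It reuses the interfaces and hosts from the posted config (Vlan1, Vlan3, Dialer1, 192.168.10.32 for IMAP on TCP 993, 192.168.10.31 for the VPN on UDP 31194); the zone, class-map, policy-map and ACL names are mine. It is written around two things visible in the posted config: list 101 is only the selector for `ip nat inside source list 101 interface Dialer1 overload`, so it decides which inside-originated traffic gets translated and its `eq 993`, `eq 31194` and `permit ip any any` lines play no part in what is admitted from the WAN (which is why removing `permit ip any any` kills internet access); and the only inbound filter present, `autosec_firewall_acl` on GigabitEthernet0/0/0, permits UDP to bootpc and denies everything else, while Dialer1, the interface that actually holds the PPPoE session's IP address, has no inbound filter at all.

```ios
! --- Zones: the LAN VLANs on one side, the PPPoE session on the other ---
zone security INSIDE
zone security OUTSIDE
!
interface Vlan1
 zone-member security INSIDE
interface Vlan3
 zone-member security INSIDE
interface Dialer1
 zone-member security OUTSIDE
!
! --- Inside -> outside: inspect everything, so replies come back statefully ---
class-map type inspect match-any INSIDE-TO-OUTSIDE-CM
 match protocol tcp
 match protocol udp
 match protocol icmp
policy-map type inspect INSIDE-TO-OUTSIDE-PM
 class type inspect INSIDE-TO-OUTSIDE-CM
  inspect
 class class-default
  drop
!
! --- Outside -> inside: only the two forwarded services.  The ACL names the
! --- inside (post-NAT) hosts because static NAT rewrites the destination
! --- before the zone-pair policy is evaluated.
ip access-list extended FORWARDED-SERVICES
 permit tcp any host 192.168.10.32 eq 993
 permit udp any host 192.168.10.31 eq 31194
class-map type inspect match-all OUTSIDE-TO-INSIDE-CM
 match access-group name FORWARDED-SERVICES
policy-map type inspect OUTSIDE-TO-INSIDE-PM
 class type inspect OUTSIDE-TO-INSIDE-CM
  inspect
 class class-default
  drop log
!
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE-PM
zone-pair security OUTSIDE-INSIDE source OUTSIDE destination INSIDE
 service-policy type inspect OUTSIDE-TO-INSIDE-PM
!
! --- Static NAT bound to the negotiated Dialer1 address instead of a literal ---
no ip nat inside source static tcp 192.168.10.32 993 999.999.999.999 993 extendable
no ip nat inside source static udp 192.168.10.31 31194 999.999.999.999 31194 extendable
ip nat inside source static tcp 192.168.10.32 993 interface Dialer1 993
ip nat inside source static udp 192.168.10.31 31194 interface Dialer1 31194
!
! --- The overload list only selects inside-originated traffic to translate;
! --- the per-port lines in the posted list 101 do nothing for inbound
! --- connections, so keep it to the LAN subnets.
no access-list 101
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.30.0 0.0.0.255 any
!
! --- The AutoSecure filter on the physical interface is redundant once the
! --- zone-pair decides what is admitted.
interface GigabitEthernet0/0/0
 no ip access-group autosec_firewall_acl in
```

Apply it in one sitting with console access: the moment an interface joins a zone, traffic between it and any interface outside a zone-pair with a policy is dropped, so the zones, both zone-pairs and their policies need to be in place before the interfaces are moved. Verify with `show zone-pair security`, `show policy-map type inspect zone-pair sessions` and `show ip nat translations` while a client connects from outside; a hit on `drop log` in the outside-to-inside class-default shows up in the log with the offending port. Traffic addressed to the router itself (the self zone) is still allowed by default, so the SSH and telnet listeners on the vty lines remain reachable from the PPPoE side unless an `access-class` under `line vty 0 4` restricts them.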
01-10-2023 12:51 AM
- For starters, I can see that the autosec_firewall_acl is not defined anywhere in the configuration,
M.
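Added example, mine rather than anything posted in the thread: a small Python script that reads a running-config excerpt and answers the questions raised above mechanically, which ACL is applied inbound on each `ip nat outside` interface, whether a name of that ACL is actually defined anywhere, and whether its entries admit each statically forwarded port. CONFIG is a constructed excerpt of the posted configuration (it keeps the 999.999.999.999 placeholder, compared as a plain string), FIXED_CONFIG is the same excerpt with two permit lines added so the contrast is visible, and 198.51.100.7 is an arbitrary outside client address. The parser handles only the IOS ACL subset the posted config uses (ip/tcp/udp, any, host, address plus wildcard, `eq port`) and treats an ACL applied inbound on a NAT-outside interface as filtering that interface's traffic, the way a reviewer reading the config would; whether the ACL on the physical PPPoE interface actually sees the session's IP packets is something to confirm on the router itself from the match counters in `show ip access-lists`.

```python
"""IOS port-forwarding check (added example, not from the post): does the ACL applied inbound on
each 'ip nat outside' interface admit every 'ip nat inside source static' forward?  CONFIG is a
constructed excerpt of the posted config; its WAN placeholder is kept and compared as a string."""
import ipaddress
import re

CONFIG = """\
interface GigabitEthernet0/0/0
 ip nat outside
 ip access-group autosec_firewall_acl in
interface Dialer1
 ip nat outside
ip nat inside source static tcp 192.168.10.32 993 999.999.999.999 993 extendable
ip nat inside source static udp 192.168.10.31 31194 999.999.999.999 31194 extendable
ip access-list extended autosec_firewall_acl
 permit udp any any eq bootpc
 deny ip any any
access-list 101 permit ip any any
"""
# Same excerpt with the inbound filter opened for exactly the two forwarded services.
FIXED_CONFIG = CONFIG.replace(" permit udp any any eq bootpc\n",
    " permit tcp any host 999.999.999.999 eq 993\n permit udp any host 999.999.999.999 eq 31194\n"
    " permit udp any any eq bootpc\n")

def _endpoint(toks, i):
    """'any' | 'host A' | 'A WILDCARD', then an optional 'eq PORT' -> (addr, port, next index)."""
    if toks[i] == "any":
        addr, i = ("any", None), i + 1
    else:
        addr, i = (toks[i], toks[i + 1]), i + 2            # ("host", A) or (A, WILDCARD)
    port = None
    if i < len(toks) and toks[i] == "eq":                   # named ports the posted config could use
        port, i = {"bootpc": 68, "bootps": 67, "domain": 53}.get(toks[i + 1]) or int(toks[i + 1]), i + 2
    return addr, port, i

def parse_ace(line, standard=False):
    """One permit/deny entry, named form or numbered 'access-list N ...' form."""
    toks = line.split()
    if toks[0] == "access-list":                            # numbered form: access-list 101 permit ...
        toks = toks[2:]
    proto, i = ("ip", 1) if standard else (toks[1], 2)      # standard ACLs carry only a source
    src, sport, i = _endpoint(toks, i)
    dst, dport, _ = (("any", None), None, i) if standard else _endpoint(toks, i)
    return {"action": toks[0], "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def parse_config(text):
    """Collect ACLs, interfaces (nat_outside, inbound ACL name) and static NAT forwards."""
    acls, ifs, fwds, block = {}, {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line in ("", "!"):
            block = None                                    # '!' closes a section
        elif m := re.match(r"interface (\S+)$", line):
            block = ifs.setdefault(m.group(1), {"nat_outside": False, "acl_in": None})
        elif m := re.match(r"ip access-list (standard|extended) (\S+)", line):
            block = (acls.setdefault(m.group(2), []), m.group(1) == "standard")
        elif m := re.match(r"access-list (\d+) (?:permit|deny) ", line):   # numbered 1-99 are standard
            acls.setdefault(m.group(1), []).append(parse_ace(line, int(m.group(1)) < 100))
        elif m := re.match(r"ip nat inside source static (tcp|udp) \S+ \d+ (?:interface )?(\S+) (\d+)", line):
            fwds.append({"proto": m.group(1), "global": m.group(2), "gport": int(m.group(3))})
        elif isinstance(block, dict) and line == "ip nat outside":
            block["nat_outside"] = True
        elif isinstance(block, dict) and (m := re.match(r"ip access-group (\S+) in$", line)):
            block["acl_in"] = m.group(1)
        elif isinstance(block, tuple) and line.split()[0] in ("permit", "deny"):
            block[0].append(parse_ace(line, block[1]))
    return {"acls": acls, "interfaces": ifs, "forwards": fwds}

def _addr_match(spec, ip):
    if spec[0] == "any":
        return True
    if spec[0] == "host":
        return spec[1] == ip                                # string compare, so placeholders work
    try:                                                    # (A, WILDCARD): IPv4Network takes a hostmask
        return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network(spec, strict=False)
    except ValueError:                                      # unparsable address or non-contiguous mask
        return False

def acl_permits(aces, proto, src, dst, dport):
    """First match wins, implicit deny at the end; the client's source port is ephemeral,
    so an entry that pins a source port never matches."""
    for ace in aces:
        if (ace["proto"] in ("ip", proto) and ace["sport"] is None and ace["dport"] in (None, dport)
                and _addr_match(ace["src"], src) and _addr_match(ace["dst"], dst)):
            return ace["action"] == "permit"
    return False

def _verdict(cfg, acl, fw, src):
    if acl is None:
        return "no inbound ACL"
    if acl not in cfg["acls"]:
        return f"ACL {acl} applied but never defined"
    ok = acl_permits(cfg["acls"][acl], fw["proto"], src, fw["global"], fw["gport"])
    return f"{'permitted' if ok else 'blocked'} by {acl}"

def check_forwards(text, outside_src="198.51.100.7"):
    """(interface, proto, global port, verdict) per static forward per NAT-outside interface."""
    cfg = parse_config(text)
    return [(name, fw["proto"], fw["gport"], _verdict(cfg, intf["acl_in"], fw, outside_src))
            for fw in cfg["forwards"] for name, intf in cfg["interfaces"].items() if intf["nat_outside"]]
```

`check_forwards(CONFIG)` reports both forwards as blocked by autosec_firewall_acl on GigabitEthernet0/0/0 and as having no inbound ACL on Dialer1; `check_forwards(FIXED_CONFIG)` reports them as permitted. Feed it the full `show running-config` output to get the same table for every static forward and every NAT-outside interface, and read the verdict "applied but never defined" as the case where an `ip access-group` name has no matching `ip access-list` or `access-list` statement.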