ISR 1100 Port Forwarding Advice

Ben Stephenson
Level 1

Hello all.

I'm hoping for some beginner guidance to set up port forwarding on a Cisco ISR 1100. Easy if you know how, I'm sure, but I've tried several tutorials and I'm struggling to open the ports. I need to forward 993 to host an IMAP server on 192.168.10.32 and 31194 for a VPN on 192.168.10.31, using a single static IP from my ISP. I've attached my config below. The WAN IP has been changed for security to 999.999.999.999.

I expect the NAT rules are OK but I'm misunderstanding how the ACLs work. If I remove the allow-any statement there is no internet access. Regardless of how I've tried to apply the rules, ports 993 and 31194 aren't opened (validated with several online port scanners, so it's testing from the WAN side). Any pointers would be greatly appreciated as to how to make this work. Thank you.

---


Current configuration : 11120 bytes
!
! Last configuration change at 17:27:45 GMT Mon Jan 9 2023 by admin
!
version 16.9
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
platform hardware throughput crypto unthrottled
!
hostname router-lowcroft
!
boot-start-marker
boot system bootflash:c1100-universalk9_ias.16.09.03.SPA.bin
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5
enable password 7
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
!
aaa session-id common
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
ip nbar http-services
!
!
!
no ip bootp server
ip name-server 9.9.9.9 1.1.1.1
ip domain name removed.com
!
ip dhcp pool HMGLC-IoT
network 192.168.30.0 255.255.255.0
dns-server 9.9.9.9
default-router 192.168.30.254
!
!
!
login block-for 300 attempts 5 within 30
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
license udi pid C1111-8P sn FCZ2330C1KC
license accept end user agreement
no license smart enable
!
diagnostic bootup level minimal
!
spanning-tree extend system-id

et-analytics
!
!
username admin privilege 15 secret
!
redundancy
mode none
!
!
!
!
!
vlan internal allocation policy ascending
!
!
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-DSCP
match dscp af41
class-map match-all WEBUI-BROADCAST_VIDEO-NBAR
match protocol attribute traffic-class broadcast-video
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-NBAR
match protocol attribute traffic-class voip-telephony
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-BULK_DATA-NBAR
match protocol attribute traffic-class bulk-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-NBAR
match protocol attribute traffic-class signaling
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_CONTROL-DSCP
match dscp cs6
class-map match-all WEBUI-SCAVENGER-NBAR
match protocol attribute business-relevance business-irrelevant
class-map match-all WEBUI-SCAVENGER-DSCP
match dscp cs1
class-map match-all WEBUI-NETWORK_CONTROL-NBAR
match protocol attribute traffic-class network-control
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-SIGNALING-DSCP
match dscp cs3
class-map match-all WEBUI-BULK_DATA-DSCP
match dscp af11
class-map match-all WEBUI-BROADCAST_VIDEO-DSCP
match dscp cs5
class-map match-all WEBUI-MULTIMEDIA_CONFERENCING-NBAR
match protocol attribute traffic-class multimedia-conferencing
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-VOICE-DSCP
match dscp ef
class-map match-all WEBUI-NETWORK_MANAGEMENT-NBAR
match protocol attribute traffic-class ops-admin-mgmt
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-MULTIMEDIA_STREAMING-DSCP
match dscp af31
class-map match-all WEBUI-REALTIME_INTERACTIVE-NBAR
match protocol attribute traffic-class real-time-interactive
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-TRANSACTIONAL_DATA-DSCP
match dscp af21
class-map match-all WEBUI-REALTIME_INTERACTIVE-DSCP
match dscp cs4
class-map match-all WEBUI-TRANSACTIONAL_DATA-NBAR
match protocol attribute traffic-class transactional-data
match protocol attribute business-relevance business-relevant
class-map match-all WEBUI-NETWORK_MANAGEMENT-DSCP
match dscp cs2
class-map match-all WEBUI-MULTIMEDIA_STREAMING-NBAR
match protocol attribute traffic-class multimedia-streaming
match protocol attribute business-relevance business-relevant
!
policy-map WEBUI-MARKING-IN
class WEBUI-VOICE-NBAR
set dscp ef
class WEBUI-BROADCAST_VIDEO-NBAR
set dscp cs5
class WEBUI-REALTIME_INTERACTIVE-NBAR
set dscp cs4
class WEBUI-MULTIMEDIA_CONFERENCING-NBAR
set dscp af41
class WEBUI-MULTIMEDIA_STREAMING-NBAR
set dscp af31
class WEBUI-SIGNALING-NBAR
set dscp cs3
class WEBUI-NETWORK_CONTROL-NBAR
set dscp cs6
class WEBUI-NETWORK_MANAGEMENT-NBAR
set dscp cs2
class WEBUI-TRANSACTIONAL_DATA-NBAR
set dscp af21
class WEBUI-BULK_DATA-NBAR
set dscp af11
class WEBUI-SCAVENGER-NBAR
set dscp cs1
class class-default
set dscp default
policy-map WEBUI-QUEUING-OUT
class WEBUI-VOICE-DSCP
priority percent 10
class WEBUI-BROADCAST_VIDEO-DSCP
priority percent 10
class WEBUI-REALTIME_INTERACTIVE-DSCP
priority percent 13
class WEBUI-NETWORK_CONTROL-DSCP
bandwidth percent 2
class WEBUI-SIGNALING-DSCP
bandwidth percent 2
class WEBUI-NETWORK_MANAGEMENT-DSCP
bandwidth percent 3
class WEBUI-MULTIMEDIA_CONFERENCING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-MULTIMEDIA_STREAMING-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-TRANSACTIONAL_DATA-DSCP
bandwidth percent 10
fair-queue
random-detect dscp-based
class WEBUI-BULK_DATA-DSCP
bandwidth percent 4
fair-queue
random-detect dscp-based
class WEBUI-SCAVENGER-DSCP
bandwidth percent 1
class class-default
bandwidth percent 25
fair-queue
random-detect dscp-based
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip nbar protocol-discovery
ip verify unicast source reachable-via rx 100
ip access-group autosec_firewall_acl in
negotiation auto
no cdp enable
pppoe enable group global
pppoe-client dial-pool-number 1
no mop enabled
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/0/1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nbar protocol-discovery
negotiation auto
no mop enabled
service-policy input WEBUI-MARKING-IN
service-policy output WEBUI-QUEUING-OUT
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
description HMGL
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
description HMGLC-IoT
switchport access vlan 3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface Vlan1
ip address 192.168.10.253 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no mop enabled
!
interface Vlan3
description HMGL-IoT
ip address 192.168.30.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
no mop enabled
!
interface Dialer0
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1448
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp mtu adaptive
ppp authentication pap callin
ppp pap sent-username password 7
ppp ipcp dns request
ppp ipcp route default
!
ip nat inside source static tcp 192.168.10.32 993 999.999.999.999 993 extendable
ip nat inside source static udp 192.168.10.31 31194 999.999.999.999 31194 extendable
ip nat inside source list 101 interface Dialer1 overload
ip forward-protocol nd
no ip http server
ip http secure-server
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list standard Internet-Permitted
remark == Permit NAT for Internet Access ==
permit any
!
ip access-list extended autosec_firewall_acl
permit udp any any eq bootpc
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 101 permit udp any eq 31194 host 999.999.999.999 eq 31194
access-list 101 permit tcp any eq 993 host 999.999.999.999 eq 993
access-list 101 permit ip any any
dialer-list 1 protocol ip permit
!
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
!
!
!
!
control-plane
!

line con 0
exec-timeout 5 0
login authentication local_auth
transport input none
transport output telnet
stopbits 1
line vty 0 4
login authentication local_auth
length 0
transport input telnet ssh
!
ntp server 0.uk.pool.ntp.org prefer
ntp server 1.uk.pool.ntp.org
!
!
!
!
!
end

---

#sh ip nat translations
Pro  Inside global            Inside local            Outside local          Outside global
udp  999.999.999.999:31194    192.168.10.31:31194     ---                    ---
tcp  999.999.999.999:993      192.168.10.32:993       ---                    ---
tcp  999.999.999.999:551      999.999.999.999:884     51.89.92.241:25565     51.89.92.241:25565
icmp 999.999.999.999:2        999.999.999.999:16      13.49.41.242:16        13.49.41.242:2
tcp  999.999.999.999:5063     999.999.999.999:60358   9.9.9.9:53             9.9.9.9:53
tcp  999.999.999.999:549      999.999.999.999:23      131.213.41.128:23091   131.213.41.128:23091
tcp  999.999.999.999:5062     999.999.999.999:11110   89.248.163.205:49719   89.248.163.205:49719
tcp  999.999.999.999:5064     999.999.999.999:60550   8.8.8.8:53             8.8.8.8:53
tcp  999.999.999.999:5066     999.999.999.999:27027   1.1.1.1:53             1.1.1.1:53
tcp  999.999.999.999:5069     999.999.999.999:21108   1.1.1.1:53             1.1.1.1:53
tcp  999.999.999.999:5065     999.999.999.999:23609   92.63.197.154:43210    92.63.197.154:43210
tcp  999.999.999.999:546      999.999.999.999:81      141.255.160.234:47504  141.255.160.234:47504
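
Added worked example (editor's addition, not part of the original post or the reply): how the two forwards and a WAN filter are normally written on a PPPoE client like this one. Hosts, ports, the two LAN subnets and the resolver addresses are taken from the posted config; the ACL names WAN-IN and NAT-INSIDE are chosen here, and because the public address is redacted in the post the translations are bound to the Dialer1 interface instead of a literal address. Three points the example turns on. First, the NAT `list` only selects which inside sources get translated; it is not a filter, which is why ACL 101 stops working without its `permit ip any any`, and why its two port-specific lines (source port 993/31194 to the public address) never match ordinary inside-to-outside traffic. Second, an IP access-group belongs on Dialer1, where the IP packets carried in the PPPoE session are de-encapsulated; GigabitEthernet0/0/0 only carries PPPoE frames, which is why a `deny ip any any` applied there does not cut off internet access and also would not be what blocks the forwarded ports. Third, an inbound ACL on the outside interface is evaluated before the static translation is undone, so its destination is the public (negotiated) address, written as `any` below, not the 192.168.10.x host.

```cisco
! Added example (editor's, not the poster's config). WAN-IN and NAT-INSIDE
! are names chosen here; hosts, ports, subnets and DNS servers are from the post.
!
! 1. Static PAT bound to the Dialer1 address. The inside-global address is
!    whatever IPCP negotiates, so a reconnect with a new address still works.
ip nat inside source static tcp 192.168.10.32 993   interface Dialer1 993
ip nat inside source static udp 192.168.10.31 31194 interface Dialer1 31194
!
! 2. Dynamic PAT for everything else. The list selects which inside sources
!    are translated; it is not a firewall, so name the two LAN subnets
!    instead of "permit ip any any".
ip access-list standard NAT-INSIDE
 remark -- inside sources eligible for overload NAT on Dialer1
 permit 192.168.10.0 0.0.0.255
 permit 192.168.30.0 0.0.0.255
ip nat inside source list NAT-INSIDE interface Dialer1 overload
!
! 3. Inbound WAN filter. First match wins, top to bottom, with an implicit
!    deny at the end. It is checked before NAT rewrites the destination, so
!    the destination here is the public address ("any", since negotiated).
ip access-list extended WAN-IN
 remark -- published services
 permit tcp any any eq 993
 permit udp any any eq 31194
 remark -- replies to TCP sessions opened from inside (stateless check)
 permit tcp any any established
 remark -- replies from the configured resolvers and the NTP pool
 permit udp host 9.9.9.9 eq 53 any
 permit udp host 1.1.1.1 eq 53 any
 permit udp any eq 123 any eq 123
 remark -- ICMP needed for path-MTU discovery (MTU 1492 on PPPoE) and pings
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 deny   ip any any log
!
! 4. Apply on the interface that terminates the PPPoE session, not on the
!    physical port, which only sees PPPoE frames.
interface Dialer1
 ip access-group WAN-IN in
!
interface GigabitEthernet0/0/0
 no ip access-group autosec_firewall_acl in
```

To check the result, `show ip nat translations` should still list the two static entries with empty outside columns until a session arrives, and `show ip access-lists WAN-IN` should show the match counters on the 993 and 31194 lines climbing when a probe hits the public address; if they do not climb, the packet is being stopped before the router (ISP, modem) or never sent. Two caveats: a stateless ACL like this one matches UDP replies only by source port, so a stateful zone-based firewall is the more robust option for an Internet edge; and an online port scanner cannot distinguish an open UDP 31194 from a filtered one unless the VPN service answers its probe, so test UDP with the real VPN client from outside rather than trusting a scanner's verdict.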

1 Reply

marce1000
VIP

- For starters, I can see that the autosec_firewall_acl is not defined anywhere in the configuration.

M.

-- Each morning when I wake up and look into the mirror I always say, 'Why am I so brilliant?'
   When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'