Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1944
Views
0
Helpful
2
Replies

NAT Port Forwarding on 800 Series

timitworks
Level 1
Level 1

‎11-04-2013 08:58 AM - edited ‎03-04-2019 09:29 PM

Hi all,

I have what is probably a dumb problem with a simple solution. Any help you all might offer would be hugely appreciated.

The issue is with an 800-Series firewall: the customer has a single static WAN IP and it's being NATTED -- successfully at this point -- to a simple LAN; it's all quite basic.

Unfortunately, I need to make ports 80 and 8080 on a local IP available to the WAN, and have run into a lot of trouble.

I've defined an ip nat policy for each port -- I think that's fine.
But since the firewall is configured for zone security, I have a hunch something therein is broken.

I followed the steps here to set up a zone, but still can't access the web server.

Pls halp? The config is below.

Thanks.
t

Building configuration...
Current configuration : 7741 bytes
!
! Last configuration change at 16:36:07 UTC Mon Nov 4 2013 by innerpc
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname carouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1087172924
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1087172924
 revocation-check none
 rsakeypair TP-self-signed-1087172924
!
!
crypto pki certificate chain TP-self-signed-1087172924
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31303837 31373239 3234301E 170D3133 31303137 31343431 
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30383731 
  37323932 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100DA61 8F34B4F4 77AD7EAA AD109608 77172069 DB9FB4CB 521978A6 201149CC 
  F6E08C5B CEF7F38E 70120B5D B56E9DF5 02C74B67 227D1F9E A108FE7C 05A7C0E4 
  4FE13E0A FED0237B D0A4A56E AF241B23 0091BCA4 C48528F0 2AD11EF0 4F0AC329 
  37EF85AD 30D108AB 8B16DAF2 88F2362C 5D793652 F5C46967 61B70CDE E7F7AB93 
  81870203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603 
  551D2304 18301680 1405404E B1282FF8 F4E53982 0BA770DC 00F6B34F 93301D06 
  03551D0E 04160414 05404EB1 282FF8F4 E539820B A770DC00 F6B34F93 300D0609 
  2A864886 F70D0101 05050003 818100C3 D2A68A1B 8DEDB513 789C752A E5C8DC6A 
  F785DE7B D45BC11B FFEAF2F4 3805D241 96AF24AF 27EA4F90 9ACC9E45 FDBB6B83 
  D6CB6ECE 562668D1 C58BBE5D B0895365 A7CDA988 2FA39DD6 1F45A276 E40EB33B 
  9E8C15C7 5AEB160F 00997B71 C4F4D598 6D217AA3 FFA9E87D 1F8DDB7C F985FAC3 
  D3603752 4EFFF39A 4126F933 F96373
            quit
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.55 192.168.1.255
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.37
!
ip dhcp pool ccp-pool
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
 dns-server 24.29.99.35 8.8.8.8 
 lease 0 2
!
!
!
ip name-server 24.29.99.35
ip name-server 24.29.99.36
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX173383WK
!
!
username innerpc privilege 15 password 0 CAr0ut3r
!
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any Incoming-Traffic
 match access-group name QNAP_Incoming
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
!
policy-map type inspect incoming-policy
 class type inspect Incoming-Traffic
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect sdm-access
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security Outside-to-Inside source out-zone destination in-zone
 service-policy type inspect incoming-policy
! 
!
!
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $FW_OUTSIDE$$ETH-WAN$
 ip address 184.75.91.178 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.37 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.1.37 80 interface FastEthernet4 80
ip route 0.0.0.0 0.0.0.0 184.75.91.177
!
ip access-list extended QNAP_Incoming
 permit tcp any host 192.168.1.37 eq www
 permit tcp any host 192.168.1.37 eq 8080
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 184.75.91.176 0.0.0.3 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
!
!
control-plane
!
!
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet ssh
!
!
end

Labels:
0 Helpful
2 Replies 2

paolo bevilacqua
Hall of Fame
Hall of Fame

‎11-04-2013 08:36 PM

Remove ip inspect and zone firewall. They are useless and break normal working and performances.

0 Helpful

cadet alain
VIP Alumni
VIP Alumni

‎11-04-2013 11:26 PM

Hi,

policy-map type inspect incoming-policy
class type inspect Incoming-Traffic
  pass    ---------> inspect

Change your pass action to inspect on the policy for out to in and it should be working.

Regards

Alain

Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card