NAT Port Forwarding on 800 Series

timitworks
Level 1

Hi all,

I have what is probably a dumb problem with a simple solution. Any help you all might offer would be hugely appreciated.

The issue is with an 800-Series firewall: the customer has a single static WAN IP and it's being NATted -- successfully at this point -- to a simple LAN; it's all quite basic.

Unfortunately, I need to make ports 80 and 8080 on a local IP available to the WAN, and have run into a lot of trouble.

I've defined an ip nat policy for each port -- I think that's fine.
But since the firewall is configured for zone security, I have a hunch something therein is broken.

I followed the steps here to set up a zone, but still can't access the web server.

Please help? The config is below.

Thanks.
t

Building configuration...

Current configuration : 7741 bytes
!
! Last configuration change at 16:36:07 UTC Mon Nov 4 2013 by innerpc
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname carouter
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1087172924
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1087172924
revocation-check none
rsakeypair TP-self-signed-1087172924
!
!
crypto pki certificate chain TP-self-signed-1087172924
certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31303837 31373239 3234301E 170D3133 31303137 31343431
  35395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30383731
  37323932 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100DA61 8F34B4F4 77AD7EAA AD109608 77172069 DB9FB4CB 521978A6 201149CC
  F6E08C5B CEF7F38E 70120B5D B56E9DF5 02C74B67 227D1F9E A108FE7C 05A7C0E4
  4FE13E0A FED0237B D0A4A56E AF241B23 0091BCA4 C48528F0 2AD11EF0 4F0AC329
  37EF85AD 30D108AB 8B16DAF2 88F2362C 5D793652 F5C46967 61B70CDE E7F7AB93
  81870203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 1405404E B1282FF8 F4E53982 0BA770DC 00F6B34F 93301D06
  03551D0E 04160414 05404EB1 282FF8F4 E539820B A770DC00 F6B34F93 300D0609
  2A864886 F70D0101 05050003 818100C3 D2A68A1B 8DEDB513 789C752A E5C8DC6A
  F785DE7B D45BC11B FFEAF2F4 3805D241 96AF24AF 27EA4F90 9ACC9E45 FDBB6B83
  D6CB6ECE 562668D1 C58BBE5D B0895365 A7CDA988 2FA39DD6 1F45A276 E40EB33B
  9E8C15C7 5AEB160F 00997B71 C4F4D598 6D217AA3 FFA9E87D 1F8DDB7C F985FAC3
  D3603752 4EFFF39A 4126F933 F96373
            quit
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.55 192.168.1.255
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.37
!
ip dhcp pool ccp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 24.29.99.35 8.8.8.8
lease 0 2
!
!
!
ip name-server 24.29.99.35
ip name-server 24.29.99.36
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FTX173383WK
!
!
! editor's note: the privilege-15 login below is stored in plaintext ("password 0" with
! "no service password-encryption"); "username ... secret" would store a hash instead.
username innerpc privilege 15 password 0 CAr0ut3r
!
!
!
!
!
!
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any Incoming-Traffic
match access-group name QNAP_Incoming
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
!
! editor's note: the out-to-in policy uses "pass", which forwards the packet without
! creating a firewall session, so the web server's replies are not matched on the
! in-to-out zone-pair; see the replies below.
policy-map type inspect incoming-policy
class type inspect Incoming-Traffic
  pass
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect sdm-access
  inspect
class class-default
  drop
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security Outside-to-Inside source out-zone destination in-zone
service-policy type inspect incoming-policy
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address 184.75.91.178 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $ETH_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
! editor's note: access-list 23 is referenced here and on the vty lines but is not
! defined anywhere in this config.
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.37 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.1.37 80 interface FastEthernet4 80
ip route 0.0.0.0 0.0.0.0 184.75.91.177
!
ip access-list extended QNAP_Incoming
permit tcp any host 192.168.1.37 eq www
permit tcp any host 192.168.1.37 eq 8080
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 184.75.91.176 0.0.0.3 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
!
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
!
end


2 Replies

paolo bevilacqua
Hall of Fame

Remove ip inspect and the zone firewall. They are useless and break normal operation and performance.

cadet alain
VIP Alumni

Hi,

policy-map type inspect incoming-policy
 class type inspect Incoming-Traffic
  pass    ---------> inspect

Change your pass action to inspect on the policy for out-to-in and it should be working.

Regards

Alain

Don't forget to rate helpful posts.
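The corrected out-to-in policy, written out in full as an added example that is not part of the original post or of either reply. It reuses the names from the posted config (QNAP_Incoming, Incoming-Traffic, incoming-policy, Outside-to-Inside, in-zone, out-zone, 192.168.1.37, FastEthernet4); the `drop log` on class-default and the `show` commands at the end are additions for logging and verification. The reason `pass` fails is that it forwards the inbound SYN without creating a firewall session, so the server's SYN/ACK travelling in-zone to out-zone is evaluated by the ccp-inspect policy on its own, where it matches no session and is dropped; `pass` would only work if the reverse zone-pair also had a matching `pass`. `inspect` creates the session on the inbound SYN and lets the reply through statefully. Note that the ACL matches the inside-local address 192.168.1.37 rather than the public IP, because the out-to-in zone-pair sees the packet after the static NAT translation has been applied.

```cisco
! Class: same ACL as in the posted config. It matches the inside-local
! (post-NAT) address, which is what the out-to-in zone-pair sees.
ip access-list extended QNAP_Incoming
 permit tcp any host 192.168.1.37 eq www
 permit tcp any host 192.168.1.37 eq 8080
!
class-map type inspect match-any Incoming-Traffic
 match access-group name QNAP_Incoming
!
! Policy: "inspect" instead of "pass". The inbound SYN creates a session,
! and the server's replies on the in-zone -> out-zone pair are matched
! against that session instead of being judged by ccp-inspect alone.
! "drop log" on class-default is an addition so that unexpected inbound
! traffic to the LAN shows up in the log buffer.
policy-map type inspect incoming-policy
 class type inspect Incoming-Traffic
  inspect
 class class-default
  drop log
!
zone-pair security Outside-to-Inside source out-zone destination in-zone
 service-policy type inspect incoming-policy
!
! Static port forwards, unchanged from the posted config.
ip nat inside source static tcp 192.168.1.37 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.37 8080 interface FastEthernet4 8080
!
! Verification, after opening http://<WAN IP>/ and :8080 from outside:
! the first command should list an established TCP session for
! 192.168.1.37:80 (or :8080), the second the static translations.
! show policy-map type inspect zone-pair Outside-to-Inside sessions
! show ip nat translations | include 192.168.1.37
```

If the forwarded service is only ever HTTP, the class can be tightened to a `match-all` class that combines `match access-group name QNAP_Incoming` with `match protocol http`, so the firewall applies application-layer HTTP inspection rather than generic TCP tracking; keep the `match-any` class with the ACL alone if port 8080 carries something other than HTTP.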
