Port Forwarding & Access List Problems

evanschulte13 · ‎05-16-2014

Good morning all,

I am trying to set up port forwarding for a Webserver we have hosted here on ip: 192.168.0.250 - I have set up access lists, and port forwarding configurations and I can not seem to access the server from outside the network. . I've included my config file below, any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external ip address with 1.1.1.1.

I've added the bold lines in the config file below in hopes to forward port 80 to 192.168.0.250 to no avail. You may notice I dont have access-list 102 that i created on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname pantera-office

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/

!

aaa new-model

!

aaa authentication login default local

!

aaa session-id common

dot11 syslog

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.0.1 192.168.0.150

ip dhcp excluded-address 192.168.0.251 192.168.0.254

!

ip dhcp pool private

import all

network 192.168.0.0 255.255.255.0

dns-server 8.8.8.8 8.8.4.4

default-router 192.168.0.1

!

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip domain name network.local

!

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-4211276024

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4211276024

revocation-check none

rsakeypair TP-self-signed-4211276024

!

crypto pki certificate chain TP-self-signed-4211276024

certificate self-signed 01

3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535

31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132

37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626

31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881

1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4

93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96

D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06

03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261

746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF

41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41

FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D

14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944

82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703

E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79

D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8

quit

!

username pantera privilege 15 password 0 XXXX

username aneuron privilege 15 password 0 XXXX

archive

log config

hidekeys

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxx address 2.2.2.2

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to 2.2.2.2

set peer 2.2.2.2

set transform-set ESP-3DES-SHA

match address 100

!

interface FastEthernet0/0

description $ETH-WAN$

ip address 2.2.2.2 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

description $ETH-LAN$

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface Serial0/0/0

no ip address

shutdown

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 1.1.1.1

!

no ip http server

ip http authentication local

no ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable

ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable

ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable

ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable

ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable

ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable

ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable

ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable

ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable

ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable

ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable

!

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.0.0 0.0.0.255

access-list 100 remark CCP_ACL Category=4

access-list 100 remark IPSec Rule

access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255

access-list 101 remark CCP_ACL Category=2

access-list 101 remark IPSec Rule

access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 102 remark Web Server ACL

access-list 102 permit tcp any any

snmp-server community public RO

snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart

snmp-server enable traps vrrp

snmp-server enable traps ds1

snmp-server enable traps tty

snmp-server enable traps eigrp

snmp-server enable traps envmon

snmp-server enable traps flash insertion removal

snmp-server enable traps icsudsu

snmp-server enable traps isdn call-information

snmp-server enable traps isdn layer2

snmp-server enable traps isdn chan-not-avail

snmp-server enable traps isdn ietf

snmp-server enable traps ds0-busyout

snmp-server enable traps ds1-loopback

snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config

snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up

snmp-server enable traps disassociate

snmp-server enable traps deauthenticate

snmp-server enable traps authenticate-fail

snmp-server enable traps dot11-qos

snmp-server enable traps switch-over

snmp-server enable traps rogue-ap

snmp-server enable traps wlan-wep

snmp-server enable traps bgp

snmp-server enable traps cnpd

snmp-server enable traps config-copy

snmp-server enable traps config

snmp-server enable traps entity

snmp-server enable traps resource-policy

snmp-server enable traps event-manager

snmp-server enable traps frame-relay multilink bundle-mismatch

snmp-server enable traps frame-relay

snmp-server enable traps frame-relay subif

snmp-server enable traps hsrp

snmp-server enable traps ipmulticast

snmp-server enable traps msdp

snmp-server enable traps mvpn

snmp-server enable traps ospf state-change

snmp-server enable traps ospf errors

snmp-server enable traps ospf retransmit

snmp-server enable traps ospf lsa

snmp-server enable traps ospf cisco-specific state-change nssa-trans-change

snmp-server enable traps ospf cisco-specific state-change shamlink interface-old

snmp-server enable traps ospf cisco-specific state-change shamlink neighbor

snmp-server enable traps ospf cisco-specific errors

snmp-server enable traps ospf cisco-specific retransmit

snmp-server enable traps ospf cisco-specific lsa

snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message

snmp-server enable traps pppoe

snmp-server enable traps cpu threshold

snmp-server enable traps rsvp

snmp-server enable traps syslog

snmp-server enable traps l2tun session

snmp-server enable traps l2tun pseudowire status

snmp-server enable traps vtp

snmp-server enable traps aaa_server

snmp-server enable traps atm subif

snmp-server enable traps firewall serverstatus

snmp-server enable traps isakmp policy add

snmp-server enable traps isakmp policy delete

snmp-server enable traps isakmp tunnel start

snmp-server enable traps isakmp tunnel stop

snmp-server enable traps ipsec cryptomap add

snmp-server enable traps ipsec cryptomap delete

snmp-server enable traps ipsec cryptomap attach

snmp-server enable traps ipsec cryptomap detach

snmp-server enable traps ipsec tunnel start

snmp-server enable traps ipsec tunnel stop

snmp-server enable traps ipsec too-many-sas

snmp-server enable traps ipsla

snmp-server enable traps rf

!

route-map SDM_RMAP_1 permit 1

match ip address 101

!

control-plane

!

line con 0

logging synchronous

line aux 0

line vty 0 4

!

scheduler allocate 20000 1000

end

Any/All help is greatly appreciated! I'm sorry if I sound like a newby!

-Evan

LukaszTJB · ‎05-17-2014

Hello,

According to the config you posted 2.2.2.2 is your wan ip address and 1.1.1.1 is the next hop address for your wan connection. The ip nat configuration for port forwarding should look like

Ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80

If your provider assigns you a dynamic ipv4 address to the wan interface you can use

Ip nat inside source static tcp 192.168.0.250 80 interface fastethernet0/0 80

Verify the settings with show ip nat translation.

Your access list 102 permits only tcp traffic. If you apply the acl to an interface dns won't work anymore (and all other udp traffic). You might want to use a statefull firewall solution like cbac or zbf combined with an inbound acl on the wan interface.

Best Regards

Lukasz