10-18-2012 09:21 PM - edited 03-04-2019 05:54 PM
Hi,
I have issues with port forwarding. I configured it, but it didn't work. Then I tried different IP addresses. Now I don't know how to delete those configurations, because when I try to overwrite them it says they already exist. And port forwarding is still not working. I did: ip nat inside source static tcp (ip and port numbers)
Our device is an 1841, and we also have a firewall within this router. DHCP is on our 3750.
Please help.
Thank you.
10-18-2012 10:34 PM
Can you post the configs, removing sensitive areas?
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
10-21-2012 07:26 PM
Here it is:
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname PASCS_ROUTER
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$Znyz$M8Me9FKTO0yB/w2xUStt6.
!
no aaa new-model
clock timezone EAST -5
clock summer-time EAST recurring
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name mydomain.com
ip name-server 167.206.112.138
ip name-server 167.206.7.4
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4141110999
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4141110999
revocation-check none
rsakeypair TP-self-signed-4141110999
!
!
crypto pki certificate chain TP-self-signed-4141110999
certificate self-signed 01
30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313431 31313039 3939301E 170D3132 30393139 30373436
34365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31343131
31303939 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB76 5A57E8F2 F85E26C5 B850C38E 4F7E9148 1729FD72 36DB3FD0 1E42918D
BB44E448 739A88A0 145741A8 05335F58 307185D6 86FA5181 0C491D31 5C29E036
FF3336ED DBCB4C67 323E6841 63E7D27B B908562C 4E21DE16 508771F8 A5BB0ADE
0C0491E8 0536757D 525A39FA 25CF87EA 4942A86C 12006C5B 1BCCB491 C91602BE
C21D0203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
551D1104 1D301B82 19504153 43535F52 4F555445 522E6D79 646F6D61 696E2E63
6F6D301F 0603551D 23041830 16801469 2BFE28CC A4414F73 41E6DE91 AB0F5DEF
DF111B30 1D060355 1D0E0416 0414692B FE28CCA4 414F7341 E6DE91AB 0F5DEFDF
111B300D 06092A86 4886F70D 01010405 00038181 00162F4B 41EAF909 B62CD44E
CD58B75E 7F03D5D6 AD672FF4 84186DC6 0566007C 57D1560A 9FB66560 2A785A1F
11BFE322 20C4744E 8A946A5E A1607E9F 0798E750 4C6CE41B 2C19E059 52821ADB
C2958FC6 D93F0070 88A73CE6 A24798F5 5AE6BF8C 93870227 7E5884E2 D0532BD6
5D6EF0D0 726C3F41 74015555 EDCC019D 81148CFD 76
quit
!
!
username xxxxxxxx privilege 15 password 0 xxxxxxx
username xxxxxxxx privilege 15 password 0 xxxxxxx
archive
log config
hidekeys
!
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
policy-map type inspect sdm-permit
class type inspect sdm-access
inspect
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0/0
description CONNECTION_TO_LAN_3750$FW_INSIDE$
ip address 172.16.16.1 255.255.240.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION_TO_INTERNET$FW_OUTSIDE$
ip address (external ip) 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 108.58.161.17
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 extendable
ip nat inside source static tcp 172.16.16.16 8080 (external ip) 8080 extendable
ip nat inside source static tcp 172.16.16.17 8081 (external ip) 8081 extendable
ip nat inside source static tcp 172.16.16.18 8082 (external ip) 8082 extendable
ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 108.58.161.16 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 20 0
logging synchronous
login local
transport input ssh
line vty 5 807
exec-timeout 20 0
logging synchronous
login local
transport input ssh
!
scheduler allocate 20000 1000
ntp server 64.90.182.55
end
Thank you.
10-22-2012 12:52 AM
Hi,
By these commands
ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 extendable
ip nat inside source static tcp 172.16.16.16 8080 (external ip) 8080 extendable
ip nat inside source static tcp 172.16.16.17 8081 (external ip) 8081 extendable
ip nat inside source static tcp 172.16.16.18 8082 (external ip) 8082 extendable
ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable
You were trying to NAT your internal IP to an external IP with the ports given.
For removing them you can write these:
no ip nat inside source list 1 interface FastEthernet0/1 overload (if any NAT rules were present and already functioning earlier, they will also stop working after this.)
no ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 extendable
no ip nat inside source static tcp 172.16.16.16 8080 (external ip) 8080 extendable
no ip nat inside source static tcp 172.16.16.17 8081 (external ip) 8081 extendable
no ip nat inside source static tcp 172.16.16.18 8082 (external ip) 8082 extendable
no ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable
Try only this command:
ip nat inside source static tcp 172.16.16.11 4370 (external ip) 4370 (this is for testing purposes; if you are able to do so, then you can try all you want.)
interface FastEthernet0/0
description CONNECTION_TO_LAN_3750$FW_INSIDE$
ip address 172.16.16.1 255.255.240.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION_TO_INTERNET$FW_OUTSIDE$
ip address (external ip) 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
Make sure that the 172.16.16.1 subnet has internet access.
Regards
Thanveer
10-22-2012 12:33 PM
It didn't work for me.
When I tried this:
no ip nat inside source list 1 interface FastEthernet0/1 overload
it warned me that the dynamic map could be deleted. So I didn't.
I could remove the unnecessary port forwarding configurations.
And then I did this:
interface FastEthernet0/0
description CONNECTION_TO_LAN_3750$FW_INSIDE$
ip address 172.16.16.1 255.255.240.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone (After this code it said that Interface is already member of zone in-zone)
duplex auto
speed auto
!
interface FastEthernet0/1
description CONNECTION_TO_INTERNET$FW_OUTSIDE$
ip address (external ip) 255.255.255.248
ip nat outside
ip virtual-reassembly
zone-member security out-zone (After this, message came: Interface is already member of zone out-zone)
duplex auto
speed auto
Why is it not forwarding? What is the issue with the configuration?
Thank you for trying.
10-22-2012 10:05 PM
Hi,
Was the command below written by you, or was it there earlier? If it wasn't there earlier, you can remove it.
ip nat inside source list 1 interface FastEthernet0/1 overload
and
zone-member security out-zone (After this, message came: Interface is already member of zone out-zone)
This message was given because the zone was already mentioned in the previous config.
Regards
Thanveer
10-23-2012 06:43 AM
Hi,
Probably somebody else wrote that code before. The device's configuration was done by someone else whom I can't reach. That's why I tried to get help from this forum.
And you told me to write this code. When I did, I got that message.
Why do you think port forwarding is not working? I don't have any information about the configuration, but I searched other topics related to port forwarding and couldn't find any solution for my case. Usually they want to know how to configure it. Others who had issues had this:
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 108.58.161.16 0.0.0.7 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
where they had DENY instead of permit. But in my case they all permit. I have no clue :(
I'll be glad if you can help me, even if not I am glad you are trying.
Thanks a lot.
10-24-2012 10:15 PM
Can you provide the output for:
show ip nat translation
term mon
debug ip nat detailed
Regards
Thanveer
10-25-2012 12:30 AM
Hi,
This is indeed a ZBF issue: you don't have any zone-pair security configured for traffic coming from out-zone and going to in-zone.
Add this to your config:
access-list 150 permit tcp any host 172.16.16.16 eq 8080
access-list 150 permit tcp any host 172.16.16.17 eq 8081
access-list 150 permit tcp any host 172.16.16.11 eq 4370
access-list 150 permit tcp any host 172.16.16.18 eq 8082
access-list 150 permit tcp any host 172.16.16.16 eq 80
class-map type inspect OUT_TO_IN_PERM_TRAFFIC
match access-group 150
policy-map type inspect OUT_TO_IN_POLICY
class type inspect OUT_TO_IN_PERM_TRAFFIC
inspect
class class-default
drop
zone-pair security out-to-in source out-zone destination in-zone
service-policy type inspect OUT_TO_IN_POLICY
Regards.
Alain
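The root cause Alain describes (static NAT entries present, but no zone-pair from out-zone to in-zone, so the zone-based firewall drops the forwarded sessions) is something you can check mechanically before touching a production router. The script below is an added example for this thread, not code from any poster or from Cisco: it parses an IOS running-config, pairs each `ip nat outside` interface's zone with each `ip nat inside` interface's zone, and reports when no zone-pair exists in that inbound direction. It also flags two static entries that share the same inside address:port, which the config posted above contains for 172.16.16.16 8080. The sample config is constructed from the thread's configuration with 203.0.113.2 (a documentation address) standing in for "(external ip)", the policy name OUT_TO_IN_POLICY is taken from Alain's post, and the parser assumes the normal indented `show running-config` layout (the copy pasted above lost its indentation).

```python
"""Audit a Cisco IOS config for the ZBF / static-NAT mismatch from this thread:
inbound static NAT needs a zone-pair whose source is the outside interface's
zone and whose destination is the inside interface's zone."""
import re
from collections import Counter

# Constructed sample modelled on the thread's config; 203.0.113.2 is a
# documentation (TEST-NET-3) address standing in for "(external ip)".
SAMPLE_CONFIG = """\
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
interface FastEthernet0/0
 ip address 172.16.16.1 255.255.240.0
 ip nat inside
 zone-member security in-zone
!
interface FastEthernet0/1
 ip address 203.0.113.2 255.255.255.248
 ip nat outside
 zone-member security out-zone
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.16.11 4370 203.0.113.2 4370 extendable
ip nat inside source static tcp 172.16.16.16 8080 203.0.113.2 8080 extendable
ip nat inside source static tcp 172.16.16.16 8080 172.16.16.16 80 extendable
"""

ZONE_PAIR_RE = re.compile(r"^zone-pair security \S+ source (\S+) destination (\S+)")
STATIC_NAT_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")


def parse_config(text):
    """Return (zone_pairs, interfaces, static_nat_entries) from an IOS config."""
    zone_pairs = set()   # {(source_zone, destination_zone)}
    interfaces = {}      # name -> {"zone": str | None, "nat": str | None}
    statics = []         # [(proto, inside_ip, inside_port, global_ip, global_port)]
    current = None       # interface whose sub-mode we are in, if any
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"zone": None, "nat": None}
            continue
        if not line.startswith(" "):
            current = None   # an unindented line ends the interface sub-mode
        stripped = line.strip()
        if current is not None:
            if stripped.startswith("zone-member security "):
                interfaces[current]["zone"] = stripped.split()[-1]
            elif stripped in ("ip nat inside", "ip nat outside"):
                interfaces[current]["nat"] = stripped.split()[-1]
            continue
        m = ZONE_PAIR_RE.match(stripped)
        if m:
            zone_pairs.add((m.group(1), m.group(2)))
            continue
        m = STATIC_NAT_RE.match(stripped)
        if m:
            proto, iip, iport, gip, gport = m.groups()
            statics.append((proto, iip, int(iport), gip, int(gport)))
    return zone_pairs, interfaces, statics


def audit(text):
    """Return a list of findings; an empty list means nothing to fix."""
    zone_pairs, interfaces, statics = parse_config(text)
    findings = []
    inside = [i for i in interfaces.values() if i["nat"] == "inside"]
    outside = [i for i in interfaces.values() if i["nat"] == "outside"]
    if statics and not outside:
        findings.append("static NAT configured but no 'ip nat outside' interface")
    # A forwarded session arrives on the outside zone and is routed into the
    # inside zone, so ZBF must have a zone-pair in exactly that direction.
    for o in outside:
        for i in inside:
            if o["zone"] and i["zone"] and (o["zone"], i["zone"]) not in zone_pairs:
                findings.append(f"no zone-pair from {o['zone']} to {i['zone']}: "
                                "inbound static NAT traffic will be dropped by ZBF")
    # Two static entries for one inside address:port are ambiguous and worth
    # a look; the thread's config has such a pair for 172.16.16.16 8080.
    for (proto, ip, port), n in Counter((s[0], s[1], s[2]) for s in statics).items():
        if n > 1:
            findings.append(f"{n} static entries share inside {proto} {ip}:{port}")
    return findings


# Alain's zone-pair from the thread; the policy body is assumed to exist.
ZBF_FIX = """\
zone-pair security out-to-in source out-zone destination in-zone
 service-policy type inspect OUT_TO_IN_POLICY
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("finding:", finding)
    print("after fix:", audit(SAMPLE_CONFIG + ZBF_FIX))
```

Run it against the saved output of `show running-config`; the missing zone-pair finding disappears once Alain's out-to-in zone-pair is appended, while the duplicate 172.16.16.16:8080 mapping stays listed until one of the two static entries is removed.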
10-24-2012 11:27 PM
Copy-paste this into the config (make sure to copy-paste and not type it if you do not have console access):
interface FastEthernet0/0
no zone-member security in-zone
!
interface FastEthernet0/1
no zone-member security out-zone
After this, check your NAT; if it works, then the issue is with the ZBF policies.