
Port-forwarding in Cisco 800 series

Dimitrios1434
Level 1

Hello, 

 

I am trying to open a port in my Cisco router using the command, ip nat inside source static tcp 192.168.102.2 25 interface Dialer1 25, but no luck. Could someone please help?

 

The router is a Cisco 886VA

 

Below is my configuration:


Current configuration : 3121 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname hostname_Fr
!
boot-start-marker
boot-end-marker
!
!
enable secret 4
enable password secret
!
no aaa new-model
memory-size iomem 10
!
!
!
!
!
!
!
!
ip cef
no ipv6 cef
!
!
license udi pid CISCO886VA-K9 sn FCZ18019140
!
!
username password
!
!
!
!
!
controller VDSL 0
operating mode vdsl2
sra
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
!
interface Ethernet0.835
encapsulation dot1Q 835
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface ATM0
description Adsl_Port
no ip address
no ip route-cache
load-interval 30
shutdown
no atm ilmi-keepalive
no snmp trap link-status
bridge-group 1
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.102.1 255.255.255.0
ip access-group 151 out
ip nat inside
ip virtual-reassembly in
!
interface Dialer1
ip address negotiated
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
no ip route-cache cef
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp pap sent-username password
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat pool INTERNET public_ip public_ip netmask 255.255.255.252
ip nat inside source list 1 pool INTERNET overload
ip nat inside source static tcp 192.168.102.20 33953 interface Dialer1 33953
ip nat inside source static udp 192.168.102.20 33953 interface Dialer1 33953
ip nat inside source static tcp 192.168.102.150 400 interface Dialer1 400
ip nat inside source static udp 192.168.102.150 400 interface Dialer1 400
ip nat inside source static tcp 192.168.102.2 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.102.2 1723 interface Dialer1 1723
ip nat inside source static tcp 192.168.102.2 443 interface Dialer1 443
ip nat inside source static tcp 192.168.102.2 4105 interface Dialer1 4105
ip nat inside source static tcp 192.168.102.2 4117 interface Dialer1 4117
ip nat inside source static tcp 192.168.102.2 4118 interface Dialer1 4118
ip nat inside source static udp 192.168.102.2 500 interface Dialer1 500
ip nat inside source static udp 192.168.102.2 4500 interface Dialer1 4500
ip nat inside source static esp 192.168.102.2 interface Dialer1
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.0.1.0 255.255.255.0 192.168.102.2
ip route 192.168.1.0 255.255.255.0 192.168.102.2
ip route 192.168.110.0 255.255.255.0 192.168.102.2
!
access-list 1 permit 192.168.102.0 0.0.0.255
dialer-list 1 protocol ip permit
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password
login local
transport input all
!
!
end


Hello,

 

The syntax you use looks good. You have many static NAT entries; do all these ports work, and is it just port 25 that doesn't?

Hello, please, I have configured forwarding of port 7777 on the Cisco 800 router but it does not work. Can you help?

 

!
!


!
!
!
!
no ip domain lookup
ip domain name orange-guinee.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 7
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 7
!
!
!
!
!
!
!
!
license udi pid C881-K9 sn FCZ22014025
!
!
username barry privilege 15 secret 5 $1$dJD0$wPpAgr2ttOV46JGSGHeSJ.
username fode privilege 15 secret 5 $1$NHGH$AUcCX8O7Ey4ktp/XB1NlG/
username sory privilege 15 secret 5 $1$PRiM$TLcKRq/hojfQR34E7Ek8d.
username loua privilege 15 secret 5 $1$vhnC$.fGMQHoVyg10lTFaIpDzk0
username demba privilege 15 secret 5 $1$POGF$R2cj29XPXubX1zuS3Tnyb/
username Cis0 password 0 Cis000
username diawara110528 privilege 5 secret 5 $1$6Z0w$MYA5dtsXQ6bEjbZGxFrog0
username aob343311 privilege 5 secret 5 $1$pHpk$fks6FSIiuU34J8VBx53y81
username absimans94 privilege 5 secret 5 $1$XD6m$sC7JhExDmxvtG09rbRMnZ.
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface FastEthernet4.357

encapsulation dot1Q 357
ip address 197.149.205.10 255.255.255.252
ip nat outside
ip virtual-reassembly in
!
interface Virtual-Template7
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
peer default ip address pool cico_IP
keepalive 5
compress mppc
ppp encrypt mppe auto required
ppp authentication ms-chap-v2 ms-chap
!
interface Vlan1
description
ip address 192.168.10.10 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool cico_IP 192.168.10.230 192.168.10.240
ip local pool cico_IP 192.168.10.2
ip local pool cico_IP 192.168.10.27
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet4.357 overload
ip nat inside source static tcp 192.168.10.100 2017 197.149.205.10 2017 extendable
ip nat inside source static tcp 192.168.10.201 3339 197.149.205.10 3339 extendable
ip nat inside source static udp 192.168.10.201 3339 197.149.205.10 3339 extendable
ip nat inside source static tcp 192.168.10.201 4449 197.149.205.10 4449 extendable
ip nat inside source static udp 192.168.10.201 4449 197.149.205.10 4449 extendable
ip nat inside source static tcp 192.168.10.100 6669 197.149.205.10 6669 extendable
ip nat inside source static tcp 192.168.10.61 6696 197.149.205.10 6696 extendable
ip nat inside source static tcp 192.168.10.101 6699 197.149.205.10 6699 extendable
ip nat inside source static tcp 192.168.10.31 7575 197.149.205.10 7575 extendable
ip nat inside source static tcp 192.168.10.32 7576 197.149.205.10 7576 extendable
ip nat inside source static tcp 192.168.10.33 7577 197.149.205.10 7577 extendable
ip nat inside source static tcp 192.168.10.24 7578 197.149.205.10 7578 extendable
ip nat inside source static tcp 192.168.10.101 7777 197.149.205.10 7777 extendable
ip nat inside source static udp 192.168.10.24 7777 197.149.205.10 7777 extendable
ip nat inside source static tcp 192.168.10.110 7779 197.149.205.10 7779 extendable
ip nat inside source static udp 192.168.10.110 7779 197.149.205.10 7779 extendable
ip nat inside source static tcp 192.168.10.101 7799 197.149.205.10 7799 extendable
ip nat inside source static udp 192.168.10.101 7799 197.149.205.10 7799 extendable
ip nat inside source static tcp 192.168.10.100 8888 197.149.205.10 8888 extendable
ip nat inside source static udp 192.168.10.24 8888 197.149.205.10 8888 extendable
ip nat inside source static tcp 192.168.10.100 8889 197.149.205.10 8889 extendable
ip nat inside source static tcp 192.168.10.101 8899 197.149.205.10 8899 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet4.357 197.149.205.9
ip ssh version 2
!
!
snmp-server community ogc_@2017 RO
access-list 46 permit 185.189.149.184
access-list 46 permit 185.189.151.235
access-list 46 permit 89.248.173.131
access-list 46 permit 185.158.251.126
access-list 46 permit 185.212.47.166
access-list 101 permit tcp any host 192.168.10.100 eq 888
access-list 101 permit tcp any host 192.168.10.100 eq 666
access-list 101 permit tcp any host 192.168.10.100 eq 201
access-list 101 permit tcp any host 192.168.10.101 eq 777
access-list 101 permit tcp any host 192.168.10.101 eq 889
access-list 101 permit tcp any host 192.168.10.101 eq 669
access-list 101 permit tcp any host 192.168.10.110 eq 777
access-list 101 permit udp any host 192.168.10.110 eq 777
access-list 101 permit tcp any host 192.168.10.101 eq 779
access-list 101 permit udp any host 192.168.10.101 eq 779
access-list 101 permit tcp any host 192.168.10.61 eq 6696
access-list 101 permit tcp any host 192.168.10.100 eq 8888
access-list 101 permit tcp any host 192.168.10.100 eq 8889
access-list 101 permit tcp any host 192.168.10.100 eq 6669
access-list 101 permit tcp any host 192.168.10.100 eq 2017
access-list 101 permit tcp any host 192.168.10.101 eq 8899
access-list 101 permit tcp any host 192.168.10.101 eq 6699
access-list 101 permit tcp any host 192.168.10.110 eq 7779
access-list 101 permit udp any host 192.168.10.110 eq 7779
access-list 101 permit tcp any host 192.168.10.101 eq 7799
access-list 101 permit udp any host 192.168.10.101 eq 7799
access-list 101 permit tcp any host 192.168.10.201 eq 3339
access-list 101 permit udp any host 192.168.10.201 eq 3339
access-list 101 permit tcp any host 192.168.10.201 eq 4449
access-list 101 permit udp any host 192.168.10.201 eq 4449
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list 101 permit tcp any host 192.168.10.31 eq 7575
access-list 101 permit tcp any host 192.168.10.32 eq 7576
access-list 101 permit tcp any host 192.168.10.33 eq 7577
access-list 101 permit tcp any host 192.168.10.24 eq 7578
access-list 101 permit tcp any host 192.168.10.24 eq 8888
access-list 101 permit udp any host 192.168.10.24 eq 8888
access-list 101 permit tcp any host 192.168.10.101 eq 7777
access-list 101 permit udp any host 192.168.10.24 eq 7777
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 46 in
password aob123
login local
transport input telnet ssh
line vty 5 14
access-class 46 in
login
transport input none
!
scheduler allocate 20000 1000
!
end

Giuseppe Larosa
Hall of Fame

Hello Dimitrios,

You have other static NAT entries for the same internal host that make me think you have an IPSec VPN on it:

ip nat inside source static udp 192.168.102.2 500 interface Dialer1 500
ip nat inside source static udp 192.168.102.2 4500 interface Dialer1 4500
ip nat inside source static esp 192.168.102.2 interface Dialer1

 

If this is the case you need to be sure that the TCP port 25 traffic is not encapsulated within the IPSec tunnel in ESP.

 

Hope to help

Giuseppe

 

Hi Giuseppe, 

 

All these static NATs are pointing to my firewall, which is at the 192.168.102.2 IP address. I have already made the configurations in my firewall (WatchGuard).

 

However, not all of these ports are currently open, which is also weird. The current open ports are 1723, 23, 33953, 443.

 

Thank you in advance for your help

Hi all, 

 

The issue has been solved. 

 

I should have logged in to the configure terminal and inserted the command. 

 

I did that and the port now is open. 

 

Thank you all for your help. 
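
Added example, not part of the original thread: a Python check for the failure mode resolved above, where a port forward that was never entered in configuration mode is absent from the running configuration. It parses the "ip nat inside source static" lines from saved "show running-config" output and reports intended forwards that are missing; the excerpt is constructed from the configuration posted in the question, and the names Forward, parse_forwards and missing_forwards are illustrative.

```python
import re
from typing import NamedTuple

# Constructed excerpt of the running-config posted in the question.
# Note that no entry for TCP port 25 is present.
RUNNING_CONFIG = """\
interface Dialer1
 ip nat outside
ip nat inside source list 1 pool INTERNET overload
ip nat inside source static tcp 192.168.102.20 33953 interface Dialer1 33953
ip nat inside source static tcp 192.168.102.2 443 interface Dialer1 443
ip nat inside source static udp 192.168.102.2 500 interface Dialer1 500
ip nat inside source static esp 192.168.102.2 interface Dialer1
"""

class Forward(NamedTuple):
    proto: str          # "tcp" or "udp"
    inside_ip: str      # internal host receiving the traffic
    inside_port: int
    outside: str        # outside interface name or global IP address
    outside_port: int

# Matches both forms seen in the thread:
#   ... static tcp <ip> <port> interface <name> <port>
#   ... static tcp <ip> <port> <global-ip> <port> extendable
_STATIC = re.compile(
    r"^[ \t]*ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface )?(\S+) (\d+)(?: extendable)?[ \t]*$",
    re.MULTILINE,
)

def parse_forwards(config: str) -> list[Forward]:
    """Return every TCP/UDP static port forward; portless entries (esp) are skipped."""
    return [Forward(proto, ip, int(in_port), outside, int(out_port))
            for proto, ip, in_port, outside, out_port in _STATIC.findall(config)]

def missing_forwards(config: str, wanted: list[Forward]) -> list[Forward]:
    """Return the intended forwards that do not appear in the configuration."""
    present = set(parse_forwards(config))
    return [w for w in wanted if w not in present]

if __name__ == "__main__":
    wanted = [Forward("tcp", "192.168.102.2", 25, "Dialer1", 25)]
    for fwd in missing_forwards(RUNNING_CONFIG, wanted):
        print(f"not configured: {fwd.proto}/{fwd.outside_port} -> "
              f"{fwd.inside_ip}:{fwd.inside_port} via {fwd.outside}")
    # The same parse doubles as an inventory of services exposed to the outside.
    for fwd in parse_forwards(RUNNING_CONFIG):
        print(f"exposed: {fwd.proto}/{fwd.outside_port} -> {fwd.inside_ip}")
```
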

Hello Dimitrios,

Nice to know you have solved it.

You have been kind in providing feedback on the solution; this can help other people having a similar issue in the future.

Even if sometimes the solution can appear trivial, feedback is important.

 

Best Regards

Giuseppe