12-08-2020 07:24 AM
Good morning all,
I am trying to port forward ports 3389, 80 and 443 to my internal server on my network. I get a public IP from my cable modem via DHCP. I got PAT working and everything else besides the port forwarding. What am I missing? I have my static NAT statements but it's not working. Is it something to do with my ACL for my WAN interface?
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname JLNS-Core-RT1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius RAD_SERVERS
server-private 172.63.20.10 auth-port 1812 acct-port 1813 key Cisco1
!
aaa authentication login default group RAD_SERVERS local
aaa authorization exec default group RAD_SERVERS local if-authenticated
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 172.20.0.254
ip dhcp excluded-address 172.20.0.200
ip dhcp excluded-address 172.20.64.254
ip dhcp excluded-address 172.20.32.254
ip dhcp excluded-address 172.20.15.254
ip dhcp excluded-address 172.20.16.254
ip dhcp excluded-address 172.20.56.254
ip dhcp excluded-address 172.20.0.201
ip dhcp excluded-address 172.20.32.147
ip dhcp excluded-address 172.20.32.104
!
ip dhcp pool Network_Devices
network 172.20.0.0 255.255.255.0
dns-server 8.8.8.8
domain-name jlns.local
default-router 172.20.0.254
!
ip dhcp pool JLNS_Wired
network 172.20.64.0 255.255.255.0
default-router 172.20.64.254
dns-server 8.8.8.8
!
ip dhcp pool MTL_Wired
network 172.20.32.0 255.255.255.0
default-router 172.20.32.254
dns-server 8.8.8.8
domain-name jlns.local
!
ip dhcp pool JLNS_Wifi
network 172.20.15.0 255.255.255.0
default-router 172.20.15.254
domain-name jlns.local
dns-server 172.20.0.201
!
ip dhcp pool MTL_Wifi
network 172.20.16.0 255.255.255.0
default-router 172.20.16.254
domain-name jlns.local
dns-server 8.8.8.8
!
ip dhcp pool Guest-Wifi
network 172.20.14.0 255.255.255.0
domain-name jlns.local
default-router 172.20.14.254
dns-server 8.8.8.8
!
ip dhcp pool KCopier
host 172.20.32.147 255.255.255.0
hardware-address 00c0.ee16.b714
!
ip dhcp pool KScanner
host 172.20.32.104 255.255.255.0
hardware-address 00c0.ee71.2675
!
!
ip domain name JLNS.local
ip ddns update method myupdate
DDNS
interval maximum 2 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FTX1346A16X
username admin privilege 15 password 0 Willys52!
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Loopback0
description SSH Int
no ip address
!
interface FastEthernet0/0
description Link to Spectrum
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.2
description vlan2 int
encapsulation dot1Q 2
ip address 172.20.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3
description JLNS-Wired VLAN Int
encapsulation dot1Q 3
ip address 172.20.64.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.4
description vlan4 int
encapsulation dot1Q 4
ip address 172.20.32.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.5
description vlan5 int
encapsulation dot1Q 5
ip address 172.20.15.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.6
description vlan6 int
encapsulation dot1Q 6
ip address 172.20.16.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.7
description vlan7 int
encapsulation dot1Q 7
ip address 172.20.14.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.8
description vlan8 int
encapsulation dot1Q 8
ip address 172.20.56.254 255.255.255.0
ip helper-address 172.20.56.201
ip nat inside
ip virtual-reassembly in
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list My_LAN interface FastEthernet0/0 overload
ip nat inside source static tcp 172.20.0.200 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.20.0.200 443 interface FastEthernet0/0 443
ip nat inside source static tcp 172.20.0.200 80 interface FastEthernet0/0 80
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard My_LAN
permit any
!
ip access-list extended My_WAN
permit tcp any any established
deny tcp any any
deny ip any any
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
line con 0
exec-timeout 5 30
logging synchronous
line aux 0
line vty 0 4
exec-timeout 5 30
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 5 30
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end
12-08-2020 07:35 AM
If all your outgoing traffic is working,
you can remove NAT for the host as below (port matches need an extended ACL, so the My_LAN list must be extended, not standard):
ip access-list extended My_LAN
deny tcp host 172.20.0.200 eq 443 any
deny tcp host 172.20.0.200 eq 3389 any
deny tcp host 172.20.0.200 eq 80 any
I will also change this for good:
ip route 0.0.0.0 0.0.0.0 dhcp
to
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
12-08-2020 08:21 AM
Thanks for the reply. I tried the ip route 0.0.0.0 0.0.0.0 fa 0/0 and it wasn't working; that's why I added the dhcp.
Can you provide me an example config of how to configure my ACLs to allow RDP in from the internet connection?
12-08-2020 09:44 AM
Try below and let us know how it goes; make sure you do this config from the LAN or console (not from outside).
no ip access-list standard My_LAN
!
! a standard ACL matches source addresses only; the port-based denies need an extended ACL
ip access-list extended My_LAN
deny tcp host 172.20.0.200 eq 443 any
deny tcp host 172.20.0.200 eq 3389 any
deny tcp host 172.20.0.200 eq 80 any
permit ip any any
12-08-2020 10:18 AM
You already know how to configure the ACL for dynamic PAT,
but if it does not work, please show me the NAT translation table.
12-08-2020 11:09 AM
I will get it for you when I get home. I can get out from the internal network, but I can't get in from the outside; that's what I will need help with.
12-08-2020 01:03 PM
Just to let you know, the IP is coming from the ISP DHCP, so you need to know that IP address and connect to that IP for it to work.
Make sure the host is running those services internally; check internally before you try from outside.
Once you try from outside, if it does not work, post the logs and the NAT translations to look at (make sure the end device does not have any built-in firewall).
12-08-2020 01:07 PM
OK thanks,
would this rule work in my My_WAN ACL?
permit tcp any any established
permit tcp any host <internal ip of server> eq 3389
deny tcp any any
deny ip any any
Please let me know if this rule would allow traffic in for RDP sessions.
12-08-2020 01:41 PM
At a high level that ACL is not used anywhere; it is redundant. Try the advised config on the router, test and advise, rather than making things complicated.
12-08-2020 01:27 PM
TCP established ACL:
We will deny any TCP traffic from passing our router firewall except TCP with the ACK and RST flags,
where the TCP is initiated from inside, "your local LAN".
So as you mention you have three servers inside, but
the server does not initiate traffic; it responds to the client in the WAN which initiates the traffic.
That's why you need to remove this ACL and replace it with
permit tcp any host <server-ip> eq <port>
where host is your server IP and port is its port.
12-08-2020 02:35 PM
Can you give me a sample ACL for this so I can see how it should be set up, please?
12-09-2020 06:43 AM
Which one worked?
12-08-2020 03:31 PM
ip nat inside source list My_LAN interface FastEthernet0/0 overload
ip nat inside source static tcp 172.20.0.200 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.20.0.200 443 interface FastEthernet0/0 443
ip nat inside source static tcp 172.20.0.200 80 interface FastEthernet0/0 80
!
ip access-list standard My_LAN
permit any
!
ip access-list extended My_WAN
permit tcp any any eq 3389
permit tcp any any eq 443
permit tcp any any eq 80
permit tcp any any established
deny tcp any any
deny ip any any
!
interface FastEthernet0/0
ip access-group My_WAN in
ip nat outside
Try the above config.
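As an added example (not code from this thread or from Cisco), here is a small Python evaluator for the extended ACLs discussed in the posts above: it shows why the original My_WAN, with only permit tcp any any established, rejects an inbound RDP SYN, why the explicit port permits in the config above fix that, and why the deny lines in the My_LAN overload ACL keep the server's 3389/443/80 replies out of PAT so the static entries handle them. It assumes the inbound ACL on FastEthernet0/0 is evaluated before NAT (so it sees the public address as destination), and the public addresses and ports are constructed placeholders.

```python
# Added example, not from the thread; public IPs and ports are constructed.
def parse_acl(text):
    """Parse 'permit|deny tcp|udp|ip SRC DST [eq PORT] [established]' lines,
    SRC/DST being 'any' or 'host A.B.C.D'; 'eq PORT' right after SRC (as in
    'host 172.20.0.200 eq 443 any') is a source-port match."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        action, proto, i, ends = tok[0], tok[1], 2, []
        while len(ends) < 2:                          # source, then destination
            addr, i = ("any", i + 1) if tok[i] == "any" else (tok[i + 1], i + 2)
            port = None
            if i < len(tok) and tok[i] == "eq":
                port, i = int(tok[i + 1]), i + 2
            ends.append((addr, port))
        rules.append((action, proto, ends[0], ends[1], "established" in tok[i:]))
    return rules

def evaluate(rules, pkt):
    """First match wins; no match is the implicit 'deny ip any any'. Plain ACLs
    are stateless: 'established' only checks for ACK or RST on TCP, so a fresh
    inbound SYN never matches it, and a UDP reply gets no help from it at all."""
    for action, proto, (sa, sp), (da, dp), est in rules:
        if proto != "ip" and proto != pkt["proto"]:
            continue
        if (sa != "any" and sa != pkt["src"]) or (da != "any" and da != pkt["dst"]):
            continue
        if (sp is not None and sp != pkt["sport"]) or (dp is not None and dp != pkt["dport"]):
            continue
        if est and not (pkt["flags"] & {"ACK", "RST"}):
            continue
        return action
    return "deny"

# The thread's original My_WAN, the corrected one, and the overload ACL that
# keeps the server's service ports out of PAT so the static entries apply.
WAN_ORIGINAL = "permit tcp any any established\ndeny tcp any any\ndeny ip any any"
WAN_FIXED = ("permit tcp any any eq 3389\npermit tcp any any eq 443\npermit tcp any any eq 80\n"
             "permit tcp any any established\ndeny ip any any")
NAT_OVERLOAD = ("deny tcp host 172.20.0.200 eq 443 any\ndeny tcp host 172.20.0.200 eq 3389 any\n"
                "deny tcp host 172.20.0.200 eq 80 any\npermit ip any any")

# Constructed packets: 203.0.113.7 is a remote client, 198.51.100.2 stands in
# for the DHCP-assigned public address on FastEthernet0/0.
RDP_SYN = dict(proto="tcp", src="203.0.113.7", dst="198.51.100.2", sport=51000, dport=3389, flags={"SYN"})
WEB_RETURN = dict(proto="tcp", src="203.0.113.9", dst="198.51.100.2", sport=443, dport=52000, flags={"ACK"})
SERVER_REPLY = dict(proto="tcp", src="172.20.0.200", dst="203.0.113.7", sport=3389, dport=51000, flags={"ACK"})
DNS_REPLY = dict(proto="udp", src="8.8.8.8", dst="198.51.100.2", sport=53, dport=40000, flags=set())
```

Running the same evaluator over DNS_REPLY with WAN_FIXED returns "deny": because the ACL is stateless, applying My_WAN inbound also drops UDP replies such as DNS answers from 8.8.8.8, which is the trade-off to weigh before adding the access-group.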
12-08-2020 04:27 PM
Thanks, that worked without the access-group in on the outside interface. Should I still add it?
12-08-2020 05:00 PM
You mentioned the My_WAN ACL in your post and I only modified it;
it is up to you whether to configure it or not.