Port forwarding on 2811 multiple sub interfaces

jacobwl01 (Level 1)

Good Morning all,

I am trying to port forward ports 3389, 80, 443 to my internal server on my network. I get a public IP from my cable modem via DHCP. I got PAT working and everything else besides the port forwarding. What am I missing? I have my static NAT statements, but it's not working. Is it something to do with my ACL for my WAN interface?

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname JLNS-Core-RT1
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa group server radius RAD_SERVERS
 server-private 172.63.20.10 auth-port 1812 acct-port 1813 key Cisco1
!
aaa authentication login default group RAD_SERVERS local
aaa authorization exec default group RAD_SERVERS local if-authenticated
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 172.20.0.254
ip dhcp excluded-address 172.20.0.200
ip dhcp excluded-address 172.20.64.254
ip dhcp excluded-address 172.20.32.254
ip dhcp excluded-address 172.20.15.254
ip dhcp excluded-address 172.20.16.254
ip dhcp excluded-address 172.20.56.254
ip dhcp excluded-address 172.20.0.201
ip dhcp excluded-address 172.20.32.147
ip dhcp excluded-address 172.20.32.104
!
ip dhcp pool Network_Devices
   network 172.20.0.0 255.255.255.0
   dns-server 8.8.8.8
   domain-name jlns.local
   default-router 172.20.0.254
!
ip dhcp pool JLNS_Wired
   network 172.20.64.0 255.255.255.0
   default-router 172.20.64.254
   dns-server 8.8.8.8
!
ip dhcp pool MTL_Wired
   network 172.20.32.0 255.255.255.0
   default-router 172.20.32.254
   dns-server 8.8.8.8
   domain-name jlns.local
!
ip dhcp pool JLNS_Wifi
   network 172.20.15.0 255.255.255.0
   default-router 172.20.15.254
   domain-name jlns.local
   dns-server 172.20.0.201
!
ip dhcp pool MTL_Wifi
   network 172.20.16.0 255.255.255.0
   default-router 172.20.16.254
   domain-name jlns.local
   dns-server 8.8.8.8
!
ip dhcp pool Guest-Wifi
   network 172.20.14.0 255.255.255.0
   domain-name jlns.local
   default-router 172.20.14.254
   dns-server 8.8.8.8
!
ip dhcp pool KCopier
   host 172.20.32.147 255.255.255.0
   hardware-address 00c0.ee16.b714
!
ip dhcp pool KScanner
   host 172.20.32.104 255.255.255.0
   hardware-address 00c0.ee71.2675
!
!
ip domain name JLNS.local
ip ddns update method myupdate
 DDNS
 interval maximum 2 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FTX1346A16X
username admin privilege 15 password 0 Willys52!
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 description SSH Int
 no ip address
!
interface FastEthernet0/0
 description Link to Spectrum
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/1.2
 description vlan2 int
 encapsulation dot1Q 2
 ip address 172.20.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.3
 description JLNS-Wired VLAN Int
 encapsulation dot1Q 3
 ip address 172.20.64.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.4
 description vlan4 int
 encapsulation dot1Q 4
 ip address 172.20.32.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.5
 description vlan5 int
 encapsulation dot1Q 5
 ip address 172.20.15.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.6
 description vlan6 int
 encapsulation dot1Q 6
 ip address 172.20.16.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.7
 description vlan7 int
 encapsulation dot1Q 7
 ip address 172.20.14.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0/1.8
 description vlan8 int
 encapsulation dot1Q 8
 ip address 172.20.56.254 255.255.255.0
 ip helper-address 172.20.56.201
 ip nat inside
 ip virtual-reassembly in
!
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list My_LAN interface FastEthernet0/0 overload
ip nat inside source static tcp 172.20.0.200 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.20.0.200 443 interface FastEthernet0/0 443
ip nat inside source static tcp 172.20.0.200 80 interface FastEthernet0/0 80
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip access-list standard My_LAN
 permit any
!
ip access-list extended My_WAN
 permit tcp any any established
 deny   tcp any any
 deny   ip any any
!
logging esm config
!
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 exec-timeout 5 30
 logging synchronous
line aux 0
line vty 0 4
 exec-timeout 5 30
 logging synchronous
 transport input ssh
line vty 5 15
 exec-timeout 5 30
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
end

14 Replies

balaji.bandi (Hall of Fame)

If all your outgoing traffic is working,

you can remove NAT for the host as below:

! My_LAN has to be an extended ACL to match TCP ports
ip access-list extended My_LAN
 deny tcp host 172.20.0.200 eq 443 any
 deny tcp host 172.20.0.200 eq 3389 any
 deny tcp host 172.20.0.200 eq 80 any

I would also change this for good:

ip route 0.0.0.0 0.0.0.0 dhcp

to

ip route 0.0.0.0 0.0.0.0 FastEthernet0/0

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for the reply. I tried the ip route 0.0.0.0 0.0.0.0 fa 0/0 and it wasn't working. That's why I added the dhcp.

Can you provide me an example config of how to configure my ACLs to allow RDP in from the internet connection?

Try the below and let us know how it goes; make sure you do this config from the LAN or console (not from outside).

no ip access-list standard My_LAN
!
! extended, not standard: a standard ACL cannot match on TCP ports
ip access-list extended My_LAN
 deny tcp host 172.20.0.200 eq 443 any
 deny tcp host 172.20.0.200 eq 3389 any
 deny tcp host 172.20.0.200 eq 80 any
 permit ip any any

BB


You already have the ACL configured for dynamic PAT,

but if it does not work, please show me the NAT translation table.

I will get it for you when I get home. I can get out from the internal network, but I can't get in from the outside; that's what I will need help with.

Just so you know, the IP is coming from the ISP DHCP, so you need to know that IP address and connect to that IP for it to work.

Make sure internally the IP host is running those services. Check internally before you try from outside.

Once you try from outside, if it does not work, post the logs and NAT translation to look at (make sure the end device does not have any firewall built in).

BB


OK, thanks.

Would this rule work in my My_WAN ACL?

permit tcp any any established
permit tcp any host <internal-ip-of-server> eq 3389
deny tcp any any
deny ip any any

Please let me know if this rule would allow traffic in for RDP sessions.

At a high level, that ACL is not used anywhere, so it is redundant. Try the advised config on the router, test, and advise, rather than making things complicated.

BB


TCP established ACL

It denies any TCP traffic from passing our router firewall except TCP packets with the ACK and RST flags,

i.e. TCP that was initiated from inside, "your local LAN".

So, as you mention, you have three servers inside, but

a server does not initiate traffic; it responds to the client in the WAN, which initiates the traffic.

That's why you need to remove this ACL and replace it with

permit tcp any host <server-ip> eq <port>

where host is your server IP and its port.

Can you give me a sample ACL for this so I can see how it should be set up, please?

Which one worked?

BB


ip nat inside source list My_LAN interface FastEthernet0/0 overload
ip nat inside source static tcp 172.20.0.200 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 172.20.0.200 443 interface FastEthernet0/0 443
ip nat inside source static tcp 172.20.0.200 80 interface FastEthernet0/0 80
!
ip access-list standard My_LAN
 permit any
!
! inbound on the outside interface the ACL is checked before NAT, so the
! destination is still the public address: match the ports, not the inside IP
ip access-list extended My_WAN
 permit tcp any any eq 3389
 permit tcp any any eq 443
 permit tcp any any eq 80
 permit tcp any any established
 deny   tcp any any
 deny   ip any any
!
interface FastEthernet0/0
 ip access-group My_WAN in
 ip nat outside

Try the above config.

Thanks, that worked without the access-group in on the outside int. Should I still add it?

You mentioned the My_WAN ACL in your post, and I only modified that.

It's up to you whether to configure it or not.
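As an added illustration (not code from the thread), here is a small Python model of the IOS packet path for traffic arriving inbound on the NAT outside interface: the input ACL is evaluated before NAT, so it sees the public destination, which is why an ACE written against the server's inside address (172.20.0.200) never matches, why the original established-only My_WAN drops every new connection, and why the final per-port My_WAN works. The WAN address 203.0.113.10 and the client address 198.51.100.7 are constructed placeholders.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Constructed sample values: the page does not show the DHCP-assigned WAN
# address, so a documentation address stands in; the server is the thread's.
PUBLIC_IP = "203.0.113.10"
SERVER = "172.20.0.200"
# The three "ip nat inside source static tcp ... interface Fa0/0" entries.
STATIC_PAT = {(PUBLIC_IP, p): (SERVER, p) for p in (3389, 443, 80)}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str              # destination on the wire: still the public IP on ingress
    dport: int
    flags: FrozenSet[str]

@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" or "deny"
    dst: str                      # "any" or a host address
    dport: Optional[int] = None   # None = no "eq <port>"
    established: bool = False     # matches only if ACK or RST is set

def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.dst != "any" and ace.dst != pkt.dst:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    return not ace.established or bool(pkt.flags & {"ACK", "RST"})

def acl_permits(acl, pkt: Packet) -> bool:
    """First matching ACE wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def inbound_on_outside(acl, pkt: Packet) -> Optional[Tuple[str, int]]:
    """Outside->inside order in IOS: input ACL, then NAT. Returns the
    translated inside (host, port), or None if the packet is dropped."""
    if not acl_permits(acl, pkt):
        return None
    return STATIC_PAT.get((pkt.dst, pkt.dport))

# The three My_WAN variants from the thread.
ORIGINAL_WAN = [Ace("permit", "any", established=True), Ace("deny", "any")]
INSIDE_IP_WAN = [Ace("permit", "any", established=True),
                 Ace("permit", SERVER, 3389), Ace("deny", "any")]
WORKING_WAN = [Ace("permit", "any", p) for p in (3389, 443, 80)] + [
    Ace("permit", "any", established=True), Ace("deny", "any")]
```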
