Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
628
Views
0
Helpful
0
Replies

Having trouble opening ports/setting up static port forwarding.

jsauer30
Level 1
Level 1

‎05-11-2017 08:51 AM

Hello,

Thanks very much for taking the time to look at this. About three years ago I set up a simple router configuration for a small museum as some volunteer work. Recently they installed a new building security system and needed some ports opened up so the owners could check the cameras from home. I’ve changed careers and my network skills have atrophied some, so I’m having issues getting port forwarding to work. I’m pretty sure my port forwarding commands are correct but I’m doing something wrong with the ACL. When I use one of those open port checking websites it keeps saying they are closed.

 

The basic network setup is this.

The router is a Cisco 881. It connects to the Time Warner line through port FastEthernet4 with the assigned external IP address of 50.84.145.146 and set up as the NAT outside port. From there I have a Vlan set up on Port FastEthernet3 that connects to a forty port switch, which then connects to all the end devices.

 

 

I used the following commands when setting up port forwarding. I have a server at 192.168.0.55 that needs port 9010 and 21 open. And the security system at 192.168.0.8 that needs port 9010, 9011, 8245 tcp and 80 open. Note, the default route at the end goes to 145.145 instead of 145.146. If my memory is right, 50.84.145.145 is the IP of the port on the Time Warner demark equipment that connects to our router. I guess that would be the outside global?

 

ip nat pool PATextra 10.10.10.8 10.10.10.254 netmask 255.255.255.0

ip nat inside source list 2 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.0.55 9010 interface FastEthernet4 9010

ip nat inside source static udp 192.168.0.55 9010 interface FastEthernet4 9010

ip nat inside source static tcp 192.168.0.55 21 interface FastEthernet4 21

ip nat inside source static udp 192.168.0.55 21 interface FastEthernet4 21

ip nat inside source static tcp 192.168.0.8 9010 interface FastEthernet4 9010

ip nat inside source static udp 192.168.0.8 9010 interface FastEthernet4 9010

ip nat inside source static tcp 192.168.0.8 9011 interface FastEthernet4 9011

ip nat inside source static udp 192.168.0.8 9011 interface FastEthernet4 9011

ip nat inside source static tcp 192.168.0.8 8245 interface FastEthernet4 8245

ip nat inside source static udp 192.168.0.8 80 interface FastEthernet4 80

ip nat inside source static tcp 192.168.0.8 80 interface FastEthernet4 80

ip route 0.0.0.0 0.0.0.0 50.84.145.145 permanent

 

 

When researching it looks like I needed to apply an ACL to port FastEthernet4 to allow these through. I never had a lot of practice with ACLs but this is what I came up with. List 1 and 2 were created when I first set up the router for the two VLans, 100 is brand new.

 

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.7

access-list 2 remark CCP_ACL Category=2

access-list 2 permit 10.10.10.0 0.0.0.7

access-list 2 permit 192.168.0.0 0.0.0.255

access-list 23 permit 10.10.10.0 0.0.0.7

access-list 100 remark NAT port opening

access-list 100 remark CCP_ACL Category=2

access-list 100 permit tcp any eq 9010 any eq 9010

access-list 100 permit udp any eq 9010 any eq 9010

access-list 100 permit tcp any eq 8245 any eq 8245

access-list 100 permit udp any eq 8245 any eq 8245

access-list 100 permit tcp any eq 80 any eq 80

access-list 100 permit udp any eq 80 any eq 80

access-list 100 permit tcp any eq 9011 any eq 9011

access-list 100 permit udp any eq 9011 any eq 9011

access-list 100 permit tcp any eq 8000 any eq 8000

access-list 100 permit udp any eq 8000 any eq 8000

access-list 100 permit tcp any eq 21 any eq 21

access-list 100 permit udp any eq 21 any eq 21

no cdp run

 

I then tried apply it with these commands if I remember right.

Config T

Int FastEthernet4

Ip access-group 100 in

End

 

After applying the ACL, the entire network went down and I had to reboot the router to the startup config to get everything back online. Port forwarding doesn’t normally need you to reload the router correct? I’ve attached the current start up config for the router. If you someone could take a look and see where I went wrong I would greatly appreciate it. Thanks very much.

Labels:
Preview file
8 KB
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents