05-30-2007 04:59 PM - edited 03-05-2019 04:23 PM
I appreciate the help I have received from the last post on this topic, but the answers did not help. I think that someone with greater knowledge of the 837 is needed to solve this issue.
I have an 837 at home: it has a static WAN IP that I purchased from the ISP.
I have a PIX 506E at my office that has a static WAN IP that I purchased from the ISP.
I need to set up the 837 to have an IPSEC VPN to the office: completed and working.
I need to allow port forwarding through the 837 to two servers on the private network. Note: it must be two servers; it cannot be reduced to one.
The port forwarding is not working. I think it is an access-list problem; please help.
Current config is attached.
05-30-2007 06:11 PM
Hi,
If you only have 1 public IP and it's assigned to the router dialer1 interface, the router will not forward port 80 if the HTTP server is enabled.
Change the port of the HTTP server on your router to something else if you need port 80 to be used by an inside server.
To specify the port number to be used by the HTTP server, use the ip http port command in global configuration mode. To return the port number to the default, use the no form of this command.
ip http port port-number
no ip http port port-number
Syntax Description
port-number
The port number to be used for the HTTP server. Valid values are 80 or any value from 1024 to 65535. The default is 80.
Defaults
The HTTP server uses port 80.
05-30-2007 07:25 PM
Hi
In addition to Dominic's reply, I would also suggest securing your HTTP access to the router by using an access list bound to your HTTP services.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124tcr/tnm_r/nmg_02ht.htm#wp1155705
Regards
06-02-2007 11:43 PM
I have successfully moved the HTTP server to port 8080.
I still cannot connect to any of the redirected ports from outside on the WAN.
I would appreciate help understanding why this is still a problem.
regards, Mark
06-03-2007 03:44 AM
Hi Mark,
Now, I have had your pain in the past. As far as I know, for port forwarding to work correctly on the 837s you need the firewall up and working too, and yours is not. :)
Below is a config that will get your port redirection working. Insert the code and test the port forwarding. (It has nothing to do with the HTTP server on the router.)
Now, bear in mind that this will knock out your VPN. So what I suggest is that you back up your current config and add the code below. Test it, and if it works we will build a firewall to suit both your VPN and port forwarding.
OK, here it is:
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
!
int dialer0
ip access-group 101 in
ip inspect DEFAULT100 out
!
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 80
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 2.2.2.2 echo-reply
access-list 101 permit icmp any host 2.2.2.2 time-exceeded
access-list 101 permit icmp any host 2.2.2.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
So, like I said, if this works, I will build you a firewall that includes your VPN settings. Please change the 2.2.2.2 address in ACL 101 to your public IP address.
Cheers
Stephen
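An added example, not part of Stephen's post or of any Cisco tool: a small Python model of how IOS evaluates the posted ACL 101 top-down with first match winning, used to find entries that can never match and to see which entry decides a given inbound TCP packet. It parses only the entry forms that appear in this ACL and does not model `ip inspect` return traffic, NAT or ICMP types; the function names are hypothetical.

```python
import ipaddress
# ACL 101 exactly as posted in the thread (remark lines left out).
ACL_101 = """\
access-list 101 permit tcp any any eq 80
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 permit icmp any host 2.2.2.2 echo-reply
access-list 101 permit icmp any host 2.2.2.2 time-exceeded
access-list 101 permit icmp any host 2.2.2.2 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
"""
FULL = 0xFFFFFFFF
def ip(s): return int(ipaddress.IPv4Address(s))

def take_addr(tok):  # consume "any", "host A" or "A wildcard" -> (addr, wildcard)
    kind = tok.pop(0)
    if kind == "any":
        return 0, FULL
    return (ip(tok.pop(0)), 0) if kind == "host" else (ip(kind), ip(tok.pop(0)))

def parse(text):
    for line in text.splitlines():
        tok = line.split()[2:]  # drop "access-list 101"
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = take_addr(tok), take_addr(tok)
        yield action, proto, src, dst, tuple(t for t in tok if t != "log")

def covers(a, b):  # does spec a match every address that spec b matches?
    care = ~a[1] & FULL
    return (b[1] & care) == 0 and ((a[0] ^ b[0]) & care) == 0

def shadowed(rules):  # 1-based numbers of entries fully covered by an earlier one
    return [i + 1 for i, (_, p, s, d, q) in enumerate(rules)
            if any(p0 in ("ip", p) and covers(s0, s) and covers(d0, d) and q0 in ((), q)
                   for _, p0, s0, d0, q0 in rules[:i])]

def decide(rules, proto, src, dst, dport):  # first match for a TCP/UDP packet
    for n, (action, p, s, d, q) in enumerate(rules, 1):
        hit = not ((ip(src) ^ s[0]) & ~s[1] or (ip(dst) ^ d[0]) & ~d[1])
        if p in ("ip", proto) and hit and q in ((), ("eq", str(dport))):
            return action, n
    return "deny", None  # implicit deny that ends every IOS ACL
RULES = list(parse(ACL_101))
```

Against the posted list, `shadowed(RULES)` reports entry 3: the `permit ip 192.168.2.0 0.0.0.255 any` line above it matches the same traffic first, so the `deny` for that range never takes effect. Inbound TCP to any port other than 80 from an outside address falls through to the final `deny ip any any log`.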
06-10-2007 11:33 PM
Hi,
I tried this and also tried starting again with the setup, just adding the port forwarding.
Still no luck; I would appreciate some ideas.
I have attached the latest config, just DSL and port forwarding, no NAT.
I agree that it should all come together if I can get the port forwarding working.
One question: my DSL is set to Easy IP, and it gets the right IP, but should I hard-code the IP as a static when I set up the DSL? Is this something that the port forwarding needs to link the outside to inside?
regards
Mark
06-19-2007 12:40 AM
Hi, I have no solution and would appreciate someone helping with an 837 config that they know works. I can load this and then test and move forward.
Any assistance is appreciated.
regards, Mark
06-28-2007 07:06 AM
06-29-2007 03:33 AM
Thank you, I will have a look this weekend and see if I can resolve my problem.
regards, Mark