02-10-2017 06:00 AM - edited 03-08-2019 09:17 AM
Hi,
We have a Cisco 800 that I am struggling to get an inbound NAT rule working on. I want to forward port 80 to 192.168.1.20.
Below are sections I think are relevant.
interface Vlan1
 description LAN interface
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication pap chap callin
 ppp chap hostname ****@*****.net
 ppp chap password 7 1307051D0A08062B252079
 crypto map HQ_VPN
no access-list 105
access-list 105 permit tcp any any eq 80
access-list 105 permit udp any any eq 80
access-list 105 permit gre any any
access-list 105 deny icmp any any echo
access-list 105 deny ip any any log
ip nat inside source static tcp 192.168.1.20 80 <Public IP> 80
I have also tried
ip nat inside source static tcp 192.168.1.20 80 interface Dialer1 80
Each time I apply the 105 access list to Dialer1, the site loses internet connectivity and I have to revert the change. The NAT rule also does not work.
interface Dialer1
 ip access-group 105 in
Any ideas appreciated.
Thanks.
02-10-2017 06:40 AM
Try adding the following:
ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp
interface Dialer1
 ip inspect FWOUT out
Brandon
02-10-2017 08:41 AM
Hi Brandon,
Thanks for response.
I get the below when adding the "ip inspect FWOUT out" command to the dialer 1 interface.
%Cannot configure inspect rule on an interface which is member of a zone . Remove the interface from the zone and retry.
02-10-2017 08:53 AM
Sorry, I didn't notice you had a zone-based firewall configured. The inspection I was recommending is likely being accomplished with this config. I don't see the rest of the config in your post, but I'm assuming that is the case. Are you applying access list 105 inbound, such as "ip access-group 105 in"?
02-10-2017 09:00 AM
Yep, I'm applying it to the Dialer1 interface.
As soon as I apply it inbound, the connection to the site just drops.
It's a remote site, so I need to get someone to reboot the ISR to revert.
02-13-2017 06:19 AM
A couple of things to help your troubleshooting:
1. Add a couple of lines to your ACL to allow telnet/ssh to the router. This will allow you to access the device after applying the ACL to troubleshoot.
access-list 105 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq telnet
access-list 105 permit tcp 1.1.1.0 0.0.0.255 host 2.2.2.2 eq 22
(1.1.1.0 0.0.0.255 is your public address block and its wildcard bits; 2.2.2.2 is the public IP of the remote router.)
2. When you have a doubt regarding the outcome of a command, enter "reload in 5" before issuing the command. This will reload the router in 5 minutes and bring you back to the config before the command was entered. After you're sure the command has not caused a problem, enter "reload cancel".
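The listing below is an added example and is not part of any post in this thread. It pulls together the two threads of the discussion: why an inbound ACL ending in "deny ip any any" on the zone-based firewall's outside interface (the original question) takes the site offline, and how to apply the replacement safely from a remote session using the "reload in" guard from the last reply. It replaces the interface ACL with an out-zone to in-zone inspect policy that admits only the forwarded web port. Assumptions: the existing in-zone to out-zone zone-pair that lets the LAN out is present but not shown in the post and is left untouched; no out-zone to in-zone zone-pair exists yet (if one does, add the class to its policy instead of creating a second pair); the names WEB-IN-ACL, WEB-IN-CLASS, OUT-TO-IN-POLICY and OUT-TO-IN are my own. The zone names in-zone and out-zone, the Dialer1 interface and the 192.168.1.20 server are taken from the original configuration.

```cisco
! Schedule a reload first. If the change locks you out, the router comes back
! in five minutes on the saved startup-config, which does not contain it.
reload in 5
configure terminal
!
! Interface ACLs are evaluated before zone-based firewall inspection, so an
! inbound ACL that ends in "deny ip any any" on Dialer1 drops the return
! traffic of every session the LAN initiated, and also IKE (UDP 500/4500)
! and ESP for the HQ_VPN crypto map. Leave ACL 105 off the interface and let
! the zone pair do the filtering instead. (If you do keep an inbound ACL,
! any management permits must come before the final "deny ip any any log".)
interface Dialer1
 no ip access-group 105 in
!
! Port forward: static NAT on the negotiated Dialer1 address.
ip nat inside source static tcp 192.168.1.20 80 interface Dialer1 80
!
! The class-map ACL matches the inside (post-NAT) address, because NAT is
! applied before the firewall for traffic arriving from the outside zone.
ip access-list extended WEB-IN-ACL
 permit tcp any host 192.168.1.20 eq 80
!
class-map type inspect match-all WEB-IN-CLASS
 match access-group name WEB-IN-ACL
!
! Only the forwarded port is inspected (stateful, so replies are allowed);
! everything else from the outside zone is dropped and logged.
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect WEB-IN-CLASS
  inspect
 class class-default
  drop log
!
zone-pair security OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect OUT-TO-IN-POLICY
end
!
! Verify the translation exists and that inbound web sessions are being
! built, then disarm the reload and save.
show ip nat translations
show policy-map type inspect zone-pair OUT-TO-IN sessions
reload cancel
write memory
```

One caveat that follows from the zone layout: decrypted traffic from the HQ_VPN crypto map also arrives on Dialer1, so it enters through out-zone and is subject to OUT-TO-IN-POLICY. If the site-to-site tunnel carries traffic toward the LAN, add a class for those subnets to the same policy before relying on the class-default drop.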