Cisco 871W port mapping not working

cchipont

I am managing Cisco 871W Integrated Services Router.

I'm a noob to Cisco IOS but have a strong Linux and programming basis, so I've been able, with some help, to manage and configure the router.

But now I have to open port 3307 in the router and map it to the 192.168.1.88 IP in the LAN, and I don't understand what the problem is, as I can't get it to work. All other ports I've mapped (22, 143, etc.) are in perfect order.

Here is a copy of my running-config; any help will be really welcome.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $1$0uVc$XXhnKvo1eBB9dK80rYv8W0
!
no aaa new-model
clock timezone PCTime -3
!
crypto pki trustpoint TP-self-signed-1384173472
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1384173472
 revocation-check none
 rsakeypair TP-self-signed-1384173472
!
!
crypto pki certificate chain TP-self-signed-1384173472
 certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31333834 31373334 3732301E 170D3032 30333031 30303038
  32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33383431
  37333437 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D014 4650F7F6 D7B8C139 EF5E4136 3B1B97BB 7CF7E730 5C4B8601 B6CD6B59
  DBCFA5A9 88AB7F7A FE082F62 0ECAFA92 D590D2AD BCA775C6 6EBFF2AE D41D7166
  C77059C5 49798B20 4491A19C C0BBE9B0 C9788E13 FD61D02A 355A06A5 606EDD57
  3738F5C5 26661274 BEA86468 F585BE11 D5325B36 480E0436 C6EF6F86 0DA21587
  0A010203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 13636973 636F2E64 6F756572 2E6D696E 652E6E75 301F0603
  551D2304 18301680 1468D064 234801DB FEF14CB1 BBAB674C D3D1CECA 28301D06
  03551D0E 04160414 68D06423 4801DBFE F14CB1BB AB674CD3 D1CECA28 300D0609
  2A864886 F70D0101 04050003 81810060 65955928 793A4BBA C04B83EB 2D803284
  6F5016AE 0AE544F4 1C6EE79E CF3739FF 69B672B9 06FCF11E A17EEE5A 0165FF8E
  1F896997 AABC4BBB 7C938634 B78D8469 3C4D0FDF 5EB6FF48 CFC6EAAA 8D30636A
  A6571AE9 DC9498BB 5FB8FFE8 20D866C3 5A9C3A04 9565B394 5A376C4B A9B7FC75
  55CC1662 DCEF63CB C22C5463 F3A8DE
  quit
dot11 syslog
!
dot11 ssid douer_main
   authentication open
   guest-mode
!
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.88 208.67.222.222 208.67.222.220
!
!
ip port-map user-protocol--2 port tcp 10000
ip port-map user-protocol--1 port tcp 5729
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name douer.mine.nu
ip host douer.mine.nu 192.168.1.88
ip name-server 192.168.1.88
ip name-server 208.67.222.222
ip name-server 208.67.222.220
!
!
!
username admin privilege 15 secret 5 $1$ujZJ$3Gcyq1RbCmpEukHSxTW1j0
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip scp server enable
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 105
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-imap-1
 match access-group 103
 match protocol imap
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 101
 match protocol ssh
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-ssh-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-imap-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect sdm-protocol-http
  inspect
 class class-default
policy-map type inspect sdm-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 0F72F0FD678D transmit-key
 encryption mode wep mandatory
 !
 ssid douer_main
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
!
ip http server
ip http port 8080
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.88 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.88 143 interface FastEthernet4 143
ip nat inside source static tcp 192.168.1.88 5729 interface FastEthernet4 5729
ip nat inside source static tcp 192.168.1.88 10000 interface FastEthernet4 10000
ip nat inside source static tcp 192.168.1.88 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.88 3307 interface FastEthernet4 3307
!
logging trap debugging
logging facility local2
logging 192.168.1.88
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit any
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.1.88
access-list 101 permit tcp any host 192.168.1.88 eq www
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.1.88
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.1.88
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.1.88
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.1.88
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec 
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for  one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
banner login  Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

If anyone could help I'd really appreciate it.
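One thing that stands out in the posted running-config: the SDM-generated zone-based firewall only lets out-zone to in-zone traffic through for the classes that are explicitly inspected in sdm-pol-NATOutsideToInside-1. Every other forwarded port (22, 80, 143, 5729, 10000) has an ip port-map or built-in protocol plus a class-map in that policy; port 3307 has only the ip nat static line and nothing in the policy, so it falls into class-default, which has no action. The script below is an added example written for this thread (it is not code from the post or from Cisco): it parses a config in show running-config layout, works out which ports the inbound policy inspects, lists static NAT forwards that no class-map covers, and prints a candidate fix in the same SDM naming style. SAMPLE_CONFIG is a constructed excerpt of the posted config; the BUILTIN_PROTO_PORTS table and the generated names (user-protocol--3, ACL 106) are assumptions, not anything the thread prescribes.

```python
"""Audit an IOS zone-based-firewall config for static NAT forwards that the
out-zone -> in-zone inspect policy never matches. Added example for this thread,
not code from the post or from Cisco. Expects `show running-config` layout
(sub-commands indented by a space); SAMPLE_CONFIG is a constructed excerpt."""
import re
from collections import defaultdict

# Ports behind the IOS protocol names in the posted class-maps (assumed, sample-only list).
BUILTIN_PROTO_PORTS = {"ssh": ("tcp", 22), "http": ("tcp", 80), "imap": ("tcp", 143)}

SAMPLE_CONFIG = """\
ip port-map user-protocol--2 port tcp 10000
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 105
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 101
 match protocol ssh
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-ssh-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip nat inside source static tcp 192.168.1.88 22 interface FastEthernet4 22
ip nat inside source static tcp 192.168.1.88 10000 interface FastEthernet4 10000
ip nat inside source static tcp 192.168.1.88 3307 interface FastEthernet4 3307
access-list 101 permit ip any host 192.168.1.88
access-list 105 permit ip any host 192.168.1.88
"""

def parse_config(text):
    """Collect port-maps, class-maps, policy-maps, zone-pair bindings, static NAT and ACL numbers."""
    cfg = {"portmap": {}, "classmap": defaultdict(list), "policy": defaultdict(list),
           "zone_policy": {}, "nat": [], "acls": set()}
    block = None  # (kind, name) of the block whose indented sub-commands follow
    for line in text.splitlines():
        t = line.split()
        if not t or t == ["!"]:
            continue
        if not line.startswith(" "):
            block = None  # any top-level command closes the previous block
        kind = block[0] if block else None
        if t[:2] == ["ip", "port-map"]:  # ip port-map <name> port <l4> <port>...
            cfg["portmap"][t[2]] = (t[4], [int(p) for p in t[5:]])
        elif t[:3] == ["class-map", "type", "inspect"]:
            block = ("classmap", t[-1])
        elif t[:3] == ["policy-map", "type", "inspect"]:
            block = ("policy", t[-1])
        elif t[:2] == ["zone-pair", "security"]:  # ... source <src> destination <dst>
            block = ("zonepair", (t[4], t[6]))
        elif t[:2] == ["match", "protocol"] and kind == "classmap":
            cfg["classmap"][block[1]].append(t[2])
        elif t[:3] == ["class", "type", "inspect"] and kind == "policy":
            cfg["policy"][block[1]].append(t[3])
        elif t[0] == "service-policy" and kind == "zonepair":
            cfg["zone_policy"][block[1]] = t[-1]
        elif t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
            # ... static <l4> <inside-ip> <inside-port> interface <if> <outside-port>
            cfg["nat"].append((t[5], t[6], int(t[7]), int(t[-1])))
        elif t[0] == "access-list":
            cfg["acls"].add(int(t[1]))
    return cfg

def inspected_ports(cfg, src="out-zone", dst="in-zone"):
    """(l4, port) pairs that the policy bound to the src->dst zone-pair inspects."""
    covered = set()
    for cm in cfg["policy"].get(cfg["zone_policy"].get((src, dst)), []):
        for proto in cfg["classmap"].get(cm, []):
            if proto in cfg["portmap"]:
                l4, ports = cfg["portmap"][proto]
                covered.update((l4, p) for p in ports)
            elif proto in BUILTIN_PROTO_PORTS:
                covered.add(BUILTIN_PROTO_PORTS[proto])
    return covered

def unprotected_forwards(cfg):
    """Static NAT entries whose inside port no inbound class-map matches; ZBF classifies
    the out->in flow after translation, so the inside (post-NAT) port is what counts."""
    covered = inspected_ports(cfg)
    return [e for e in cfg["nat"] if (e[0], e[2]) not in covered]

def suggest_inspect_entry(cfg, l4, host, port):
    """IOS lines that would admit <port> in the SDM style the config already uses.
    Port-map name and ACL number are picked to avoid collisions; both are assumptions."""
    used = [int(m.group(1)) for n in cfg["portmap"] if (m := re.match(r"user-protocol--(\d+)$", n))]
    proto = f"user-protocol--{max(used, default=0) + 1}"
    acl = max((a for a in cfg["acls"] if 100 <= a <= 199), default=100) + 1
    policy = cfg["zone_policy"][("out-zone", "in-zone")]
    return "\n".join([
        f"ip port-map {proto} port {l4} {port}",
        f"access-list {acl} permit ip any host {host}",
        f"class-map type inspect match-all sdm-nat-{proto}-1",
        f" match access-group {acl}", f" match protocol {proto}",
        f"policy-map type inspect {policy}",
        f" class type inspect sdm-nat-{proto}-1", "  inspect"])

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for l4, ip, inside, outside in unprotected_forwards(cfg):
        print(f"{l4}/{outside} -> {ip}:{inside}: forwarded by NAT, not inspected out->in")
        print(suggest_inspect_entry(cfg, l4, ip, inside))
```

Run against the sample, the audit reports tcp/3307 as the only forward with no inspecting class-map, which is exactly the port that fails in the thread. Adding the missing class to the inbound policy keeps the firewall on both interfaces; removing zone-member from FastEthernet4 and BVI1, as suggested later in the thread, is a useful five-minute test but takes the firewall out of the path for all traffic, not just port 3307. The script only checks protocol/port coverage; it does not evaluate the match access-group ACLs, which in this config all permit any host to 192.168.1.88.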


johnlloyd_13

Hi Christian,

Could you try adding the below and test again!

ip nat inside source static udp 192.168.1.88 3307 interface FastEthernet4 3307

Sent from Cisco Technical Support iPhone App

Thanks for your kind help. I've tried it, but it doesn't seem to work.

I'm not sure what's happening, but all other open ports work; could it be something in the policies or ACLs?

Do you know how I could drop the firewall to test whether the firewall is the problem?

Thanks

Hi,

Try to turn off the firewall in 192.168.1.88 and check.
See the link below to learn how to turn off the Windows firewall.
http://support.microsoft.com/kb/283673


Please rate the helpful posts.
Regards,
Naidu.

The 192.168.1.88 host does not have a firewall, and it is not a Windows server.

Hi Christian,

Try to temporarily disable these commands and try again.

zone-member security out-zone

zone-member security in-zone

Further check the settings on the 192.168.1.88 as per Naidu.

Sent from Cisco Technical Support iPhone App

Dear John,

Thanks for your kind help. What would be the command to disable this?

zone-member security out-zone

zone-member security in-zone

192.168.1.88 is not running Windows, it is CentOS, and it has no firewall up right now.

Christian

Hi,

Just issue each command under the corresponding interface:

int f4

no zone-member security out-zone

int bvi1

no zone-member security in-zone

Regards.

Alain.

Don't forget to rate helpful posts.

OK, finally solved it.

What I did was use the SDM instead of punching in manual commands. It seems it had something to do with ACLs and protocols.

Thanks for all your help.

Christian

Hi Christian,

Thanks for the feedback, and glad your problem is now resolved! Just curious, could we know what you did on your ACL that made it work?

As a side note and IMHO, CLI is still the best approach when it comes to troubleshooting.

Sent from Cisco Technical Support iPhone App
