- Cisco Community
- Technology and Support
- Networking
- Switching
- Cisco 881 - Ports won't open
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Cisco 881 - Ports won't open
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-06-2014 12:37 AM - edited 03-07-2019 05:23 PM
Hi All,
I am trying to forward incoming external traffic from the internet on ports 25 and 433 to internal IP 10.10.10.29, but it's not working, any ideas what I've done wrong?
I've replaced some of the config with "x"'s
Config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200
logging console critical
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime 10 0
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-704284261
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-704284261
revocation-check none
rsakeypair TP-self-signed-704284261
!
!
crypto pki certificate chain TP-self-signed-704284261
certificate self-signed 01
xxx
quit
no ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip domain name
ip name-server 10.10.10.31
ip port-map user-Intranet port tcp 8080 list 3 description Intranet
ip port-map user-5610 port tcp 5610 description 5610
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 ldap
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL164227LM
!
!
username admin privilege 15 secret 5 xx
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group xxx.remote
key xxx
dns 10.10.10.1 10.10.10.4
wins 10.10.10.1 10.10.10.4
domain xxx.local
pool SDM_POOL_1
acl 102
split-dns xxx.local
max-users 10
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-MD5
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description WAN Interface$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 125.7.x.x 255.255.255.252
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description Internal Interface$FW_INSIDE$$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.3 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip inspect DEFAULT100 in
ip inspect DEFAULT100 out
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.10.20.100 10.10.20.120
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
!
ip nat inside source static tcp 10.10.10.29 25 interface FastEthernet4 25
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 125.7.x.x
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.10.10.51
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.10.10.5
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp host 10.10.10.31 eq domain any
access-list 100 remark SEP Cloud 1
access-list 100 permit ip any host 67.134.208.160
access-list 100 permit udp host 10.10.10.4 eq domain any
access-list 100 remark MYOB File Confirmation
access-list 100 permit ip any host 203.34.100.26
access-list 100 remark Ansarada Dataroom
access-list 100 permit ip any host 125.7.67.133
access-list 100 remark ClassSuper
access-list 100 permit tcp any host 125.7.68.130 eq 443
access-list 100 remark Mercury Connective
access-list 100 permit tcp any host 150.207.147.152 eq 2099
access-list 100 remark AE Tax Lodgement 2
access-list 100 permit tcp any any eq 7586
access-list 100 remark AE Tax Lodgement
access-list 100 permit tcp any any eq 10000
access-list 100 remark Corporate Compliance
access-list 100 permit tcp any any eq 5610
access-list 100 remark GRE
access-list 100 permit gre any any
access-list 100 remark PPTP
access-list 100 permit tcp any any eq 1723
access-list 100 remark RDP
access-list 100 permit tcp any any eq 3389
access-list 100 remark Remote VMs
access-list 100 permit tcp any eq 3389 10.10.20.0 0.0.0.255
access-list 100 remark GetBusi to HTTP
access-list 100 permit tcp host 10.10.10.18 any eq www
access-list 100 remark GetBusi FILTERING
access-list 100 permit tcp host 10.10.10.18 any eq 3436
access-list 100 remark GetBusi NTP
access-list 100 permit tcp host 10.10.10.18 any eq 123
access-list 100 remark GetBusi RSYNC
access-list 100 permit tcp host 10.10.10.18 any eq 873
access-list 100 remark GetBusi DNS
access-list 100 permit tcp host 10.10.10.18 any eq domain
access-list 100 remark GetBusi SSH
access-list 100 permit tcp host 10.10.10.18 any eq 22
access-list 100 remark GetBusi FTP
access-list 100 permit tcp host 10.10.10.18 any eq ftp
access-list 100 remark GetBusi SSL
access-list 100 permit tcp host 10.10.10.18 any eq 443
access-list 100 remark Icarus
access-list 100 permit ip host 10.10.10.99 any
access-list 100 remark BlackHawk
access-list 100 permit ip host 10.10.10.28 any
access-list 100 remark Bane
access-list 100 permit ip host 10.10.10.24 any
access-list 100 remark Buffy
access-list 100 permit ip host 10.10.10.31 any
access-list 100 remark Skype TV Cam FTR
access-list 100 permit ip host 10.10.10.173 any
access-list 100 remark Pyro
access-list 100 permit ip host 10.10.10.26 any
access-list 100 remark TV in FTR
access-list 100 permit ip host 10.10.10.32 any
access-list 100 remark Quorra
access-list 100 permit ip host 10.10.10.29 any
access-list 100 remark Gambit
access-list 100 permit ip host 10.10.10.12 any
access-list 100 remark THOR
access-list 100 permit ip host 10.10.10.21 any
access-list 100 remark QBO Remote VM
access-list 100 permit ip host 10.10.10.47 any
access-list 100 remark VIZ
access-list 100 permit ip host 10.10.10.5 any
access-list 100 remark vCenter
access-list 100 permit ip host 10.10.10.25 10.10.20.0 0.0.0.255
access-list 100 remark WISE
access-list 100 permit ip host 10.10.10.4 any
access-list 100 remark Email - Lotus Domino
access-list 100 permit ip host 10.10.10.1 any
access-list 100 remark TQ's PC1
access-list 100 permit ip host 10.10.10.124 any
access-list 100 remark Thrace
access-list 100 permit ip host 10.10.10.22 any
access-list 100 remark TQ's PC2
access-list 100 permit ip host 10.10.10.97 any
access-list 100 remark TQ's PC2 UDP
access-list 100 permit udp host 10.10.10.97 any
access-list 100 deny ip 203.47.157.0 0.0.0.255 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 remark Block Port 25
access-list 100 deny tcp any eq smtp any eq smtp log
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 remark Auto generated by CCP for NTP (123) 212.12.50.232
access-list 101 permit udp host 212.12.50.232 eq ntp host 125.7.x.x eq ntp
access-list 101 permit ahp any host 125.7.x.x
access-list 101 permit esp any host 125.7.x.x
access-list 101 permit udp any host 125.7.x.x eq isakmp
access-list 101 permit udp any host 125.7.x.x eq non500-isakmp
access-list 101 permit ip host 10.10.20.100 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.101 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.102 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.103 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.104 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.105 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.106 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.107 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.108 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.109 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.110 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.111 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.112 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.113 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.114 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.115 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.116 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.117 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.118 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.119 10.10.10.0 0.0.0.255
access-list 101 permit ip host 10.10.20.120 10.10.10.0 0.0.0.255
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 deny udp any any eq 603
access-list 101 deny tcp any any eq 603
access-list 101 permit tcp any any eq smtp
access-list 101 remark Secure Inbound HTTPS
access-list 101 permit tcp any any eq 443
access-list 101 remark Allow remote ISW access to router
access-list 101 permit tcp 203.33.128.0 0.0.0.255 any
access-list 101 remark PPTP access to completekitchensolutions
access-list 101 permit gre host 202.170.194.141 any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
access-list 103 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.100
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.101
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.102
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.103
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.104
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.105
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.106
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.107
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.108
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.109
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.110
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.111
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.112
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.113
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.114
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.115
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.116
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.117
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.118
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.119
access-list 104 deny ip 10.10.10.0 0.0.0.255 host 10.10.20.120
access-list 104 permit ip 10.10.10.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 103
!
route-map SDM_RMAP_2 permit 1
match ip address 104
!
snmp-server community public RO
!
!
banner login ^CCCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000 4000 1000
scheduler interval 500
ntp server 212.12.50.232 source FastEthernet4
end
- Labels:
-
Other Switching
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-06-2014 06:08 AM
I decided it might be easier to factory restore, setup, enter the NAT setting and setup the firewall using the wizard, but still it is not working.
Updated config: (some info replaced with "xx")
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 4 xx
!
no aaa new-model
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-84280098
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-84280098
revocation-check none
rsakeypair TP-self-signed-84280098
!
!
crypto pki certificate chain TP-self-signed-84280098
certificate self-signed 01
xx
quit
ip source-route
!
!
!
!
!
ip cef
ip name-server 8.8.8.8
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL164227LM
!
!
username admin privilege 15 secret 4
xx
!
!
!
!
!
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-https-1
match access-group 102
match protocol https
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-1
inspect
class type inspect CCP_PPTP
pass
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address 125.7.xx.xx 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface Vlan1
description $FW_INSIDE$
ip address 10.10.10.3 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.29 443 interface FastEthernet4 443
ip route 0.0.0.0 0.0.0.0 125.7.xx.xx
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 125.7.xx.xx 0.0.0.3 any
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.10.29
!
!
!
!
!
line con 0
exec-timeout 5 30
password xx
login
line aux 0
line vty 0 4
privilege level 15
password xx
login local
transport input telnet ssh
!
end
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide
