04-26-2024 03:22 AM
Hello,
I have a Cisco router connected to the ISP using a Dialer interface. I can access the web with no problem, but have problems configuring port forwarding to a local computer from outside. Trying with TCP port 5555.
Any idea what I am doing wrong? Thanks
version 17.9
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname router1
!
boot-start-marker
boot system bootflash:c1100-universalk9.17.09.03a.SPA.bin
boot-end-marker
!
!
logging console emergencies
no aaa new-model
!
!
!
!
!
!
!
ip name-server 88.146.243.209 8.8.8.8 8.8.4.4
ip domain name home.router1.local
ip dhcp excluded-address 10.0.10.1 10.0.10.16
ip dhcp excluded-address 10.0.20.1 10.0.20.16
ip dhcp excluded-address 10.0.20.240 10.0.20.254
ip dhcp excluded-address 10.0.10.240 10.0.10.254
ip dhcp excluded-address 10.0.10.21
!
ip dhcp pool DHCP10
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 10.0.10.1
lease 0 4
!
ip dhcp pool DHCP20
network 10.0.20.0 255.255.255.0
dns-server 10.0.20.1
default-router 10.0.20.1
lease 0 4
!
!
!
login on-success log
ipv6 unicast-routing
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1047828789
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1047828789
revocation-check none
rsakeypair TP-self-signed-1047828789
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-1047828789
certificate self-signed 01
--redacted--
quit
crypto pki certificate chain SLA-TrustPoint
certificate ca 01
--redacted--
quit
!
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
no license feature hseck9
license udi pid C1116-4P sn --redacted--
license boot level securityk9
memory free low-watermark processor 65764
!
!
!
!
!
object-group network LAN20-TO-LAN10_deny_dst_net
host 10.0.10.2
host 10.0.10.3
!
object-group service allow_5555_svc
tcp source eq 5555 eq 5555
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
enable secret 9 --redacted--
!
username root privilege 15 secret 9 --redacted--
!
redundancy
mode none
!
!
!
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-all LAN10-TO-LAN20
match access-group name LAN10-TO-LAN20_acl
class-map type inspect match-any allow_5555_app
match protocol tcp
class-map type inspect match-any LAN20-TO-LAN10_app
match protocol tcp
class-map type inspect match-any WAN-TO-LAN20_app
match protocol tcp
class-map type inspect match-any LAN20-TO-WAN_app
match protocol tcp
class-map type inspect match-any LAN10-TO-WAN_app
match protocol tcp
class-map type inspect match-any WAN-TO-LAN10_app
match protocol tcp
class-map type inspect match-all LAN20-TO-LAN10_deny
match access-group name LAN20-TO-LAN10_deny_acl
class-map type inspect match-all LAN10-TO-WAN
match access-group name LAN10-TO-WAN_acl
match class-map LAN10-TO-WAN_app
class-map type inspect match-all WAN-TO-LAN10
match access-group name WAN-TO-LAN10_acl
match class-map WAN-TO-LAN10_app
class-map type inspect match-all LAN20-TO-WAN
match access-group name LAN20-TO-WAN_acl
match class-map LAN20-TO-WAN_app
class-map type inspect match-all WAN-TO-LAN20
match access-group name WAN-TO-LAN20_acl
match class-map WAN-TO-LAN20_app
class-map type inspect match-all LAN20-TO-LAN10
match access-group name LAN20-TO-LAN10_acl
match class-map LAN20-TO-LAN10_app
class-map type inspect match-all allow_5555
match class-map allow_5555_app
match access-group name allow_5555_acl
!
policy-map type inspect LAN10-WAN-POLICY
class type inspect LAN10-TO-WAN
inspect
class class-default
drop log
policy-map type inspect LAN10-LAN20-POLICY
class type inspect LAN10-TO-LAN20
inspect
class class-default
drop log
policy-map type inspect WAN-LAN20-POLICY
class type inspect WAN-TO-LAN20
inspect
class class-default
drop log
policy-map LAN20_QoS
class class-default
police cir 300000000
conform-action transmit
exceed-action drop
policy-map type inspect LAN20-WAN-POLICY
class type inspect LAN20-TO-WAN
inspect
class class-default
drop log
policy-map type inspect WAN-LAN10-POLICY
class type inspect allow_5555
pass
class type inspect WAN-TO-LAN10
inspect
class class-default
drop log
policy-map type inspect LAN20-LAN10-POLICY
class type inspect LAN20-TO-LAN10_deny
drop
class type inspect LAN20-TO-LAN10
inspect
class class-default
drop log
!
zone security LAN10
zone security WAN
zone security LAN20
zone-pair security LAN10-LAN20 source LAN10 destination LAN20
service-policy type inspect LAN10-LAN20-POLICY
zone-pair security LAN10-WAN source LAN10 destination WAN
service-policy type inspect LAN10-WAN-POLICY
zone-pair security LAN20-LAN10 source LAN20 destination LAN10
service-policy type inspect LAN20-LAN10-POLICY
zone-pair security LAN20-WAN source LAN20 destination WAN
service-policy type inspect LAN20-WAN-POLICY
zone-pair security WAN-LAN10 source WAN destination LAN10
service-policy type inspect WAN-LAN10-POLICY
zone-pair security WAN-LAN20 source WAN destination LAN20
service-policy type inspect WAN-LAN20-POLICY
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description WAN
no ip address
speed 1000
no negotiation auto
no cdp enable
!
interface GigabitEthernet0/0/0.848
encapsulation dot1Q 848
pppoe enable group global
pppoe max-sessions 1
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
description LAN10
switchport access vlan 10
switchport mode access
ip virtual-reassembly
!
interface GigabitEthernet0/1/1
description LAN20
switchport access vlan 20
switchport mode access
ip virtual-reassembly
!
interface GigabitEthernet0/1/2
shutdown
!
interface GigabitEthernet0/1/3
shutdown
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.10.1 255.255.255.0
ip nat inside
zone-member security LAN10
ip virtual-reassembly
!
interface Vlan20
ip address 10.0.20.1 255.255.255.0
ip nat inside
zone-member security LAN20
service-policy input LAN20_QoS
service-policy output LAN20_QoS
ip virtual-reassembly
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip proxy-arp
ip nat outside
zone-member security WAN
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp pap sent-username --redacted-- password 0 --redacted--
ppp ipcp dns accept
ppp ipcp address accept
ip virtual-reassembly
!
ip http server
ip http access-class ipv4 11
ip http authentication local
ip http secure-server
ip http client source-interface GigabitEthernet0/1/0
ip forward-protocol nd
ip dns server
ip nat settings interface-overload block port tcp 5555
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.10.2 5555 interface Dialer1 5555
ip nat inside source static udp 10.0.10.2 3050 interface Dialer1 3050
ip nat inside source static tcp 10.0.10.2 3050 interface Dialer1 3050
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
ip access-list extended LAN10-TO-LAN20_acl
10 permit ip any any
ip access-list extended LAN10-TO-WAN_acl
10 permit ip any any
20 permit tcp any any
ip access-list extended LAN20-TO-LAN10_acl
10 permit ip any any
ip access-list extended LAN20-TO-LAN10_deny_acl
10 permit ip any object-group LAN20-TO-LAN10_deny_dst_net
ip access-list extended LAN20-TO-WAN_acl
10 permit ip any any
ip access-list extended WAN-TO-LAN10_acl
10 permit ip any any
20 permit tcp any eq 5555 host 10.0.10.2 eq 5555
ip access-list extended WAN-TO-LAN20_acl
10 permit ip any any
ip access-list extended allow_5555_acl
10 permit object-group allow_5555_svc any any
!
ip access-list standard 10
10 permit 10.0.10.0 0.0.0.255
20 permit 10.0.20.0 0.0.0.255
ip access-list standard 11
10 permit 10.0.10.0 0.0.0.255 log
20 deny any log
ip access-list standard 12
10 permit 10.0.10.0 0.0.0.255
ip access-list extended 111
10 permit ip 10.0.10.2 0.0.0.1 any
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
transport input none
stopbits 1
line vty 0 4
access-class 111 in
login local
length 0
transport input ssh
line vty 5 14
login
transport input ssh
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
!
!
!
!
!
!
end
04-26-2024 03:25 AM
20 permit tcp any eq 5555 host 10.0.10.2 eq 5555 <<- this ACL uses the same port as source and dest
also,
since you use a Zone FW, you need a policy from OUT to IN that passes this traffic
MHM
04-26-2024 06:07 AM
Thank you for the reply. I have tried to do as you advised, but I must have made mistakes, as I still have no success.
Posting only parts of the config, so it's not too long.
I have tried changing the ACL:
ip access-list extended WAN-TO-LAN10_acl
10 permit ip any any
20 permit tcp any host 10.0.10.2 eq 5555
and pass the traffic from zone WAN to LAN10:
!
object-group network wan_to_lan10_pass_dst_net
host 10.0.10.2
!
object-group service wan_to_lan10_pass_svc
tcp eq 5555
!
class-map type inspect match-all LAN10-TO-WAN
match access-group name LAN10-TO-WAN_acl
class-map type inspect match-all WAN-TO-LAN10
match access-group name WAN-TO-LAN10_acl
class-map type inspect match-all wan_to_lan10_pass
match access-group name wan_to_lan10_pass_acl
!
policy-map type inspect LAN10-WAN-POLICY
class type inspect LAN10-TO-WAN
inspect
class class-default
drop log
policy-map type inspect WAN-LAN10-POLICY
class type inspect wan_to_lan10_pass
pass
class type inspect WAN-TO-LAN10
inspect
class class-default
drop log
!
ip access-list extended wan_to_lan10_pass_acl
10 permit object-group wan_to_lan10_pass_svc any object-group wan_to_lan10_pass_dst_net
!
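As an added example (not config from the thread or from Cisco documentation), here is the minimal NAT plus zone-based firewall shape for forwarding TCP/5555 from the WAN zone to 10.0.10.2, using the zone, interface and host names already in the post. The ACL and class-map names ending in `_PF` are assumed for illustration. It differs from the posted config in three security-relevant ways: the ACL matches only the destination host and port (no source-port match, since clients connect from an ephemeral port), the inbound policy uses `inspect` rather than `pass` so the server's return traffic is allowed by the session rather than needing a second stateless rule on the LAN10-to-WAN side, and the WAN-to-LAN10 class does not permit `ip any any`.

```cisco
! Added example, not from the original post. Names ending in _PF are assumed.
! Goal: Internet -> <Dialer1 public IP>:5555 -> 10.0.10.2:5555 (TCP only).
!
! 1. Static PAT on the Dialer interface (same form the post already uses).
ip nat inside source static tcp 10.0.10.2 5555 interface Dialer1 5555
!
! 2. Match only the forwarded service. The destination is the INSIDE address,
!    because outside-to-inside NAT is applied before the WAN->LAN10 policy
!    evaluates the packet. No source port is matched: real clients use a
!    random ephemeral source port, so "any eq 5555" as the source never hits.
ip access-list extended WAN-TO-LAN10_PF_acl
 10 permit tcp any host 10.0.10.2 eq 5555
!
class-map type inspect match-all WAN-TO-LAN10_PF
 match access-group name WAN-TO-LAN10_PF_acl
!
! 3. inspect, not pass. pass is stateless and one-directional; with pass here
!    the server's SYN/ACK would reach the LAN10->WAN inspect policy with no
!    session and be dropped. inspect creates the session, so the reply is
!    matched statefully. Everything else from the WAN is dropped and logged.
policy-map type inspect WAN-LAN10-POLICY
 class type inspect WAN-TO-LAN10_PF
  inspect
 class class-default
  drop log
!
zone-pair security WAN-LAN10 source WAN destination LAN10
 service-policy type inspect WAN-LAN10-POLICY
!
! 4. Verification, while a host outside connects to the Dialer public IP:5555.
!    First confirms the translation is being hit, second shows the firewall
!    session, third shows QFP firewall drop counters on this platform.
show ip nat translations | include 5555
show policy-map type inspect zone-pair WAN-LAN10 sessions
show platform hardware qfp active feature firewall drop all
```

If `show ip nat translations` never shows an entry for 5555 while the outside client is connecting, the packets are not reaching the router at all (for example, the ISP is filtering the port) and no firewall change will help; if the translation appears but no session is created, the zone-pair policy is the place to look.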
04-26-2024 08:28 AM
stg-871-L#sh policy-map type insp zone-pair
Also, you changed the policy-map name; did you add a new zone-pair after changing the policy name?
MHM
04-26-2024 08:55 AM
Run the debug and check: is the traffic from outside reaching the router, using the Dialer's public IP?
Some ISPs do not allow odd ports; better check before proceeding further.
04-29-2024 03:53 AM
Thank you both - it was partly my bad firewall config, partly the ISP's fault. Solved.