Help with a port on a 2811

synthphase
Level 1

Hello all,

The following is a running config from a 2811 router in a production environment that is linked to another 2811 at another office via a PPP serial link. Each site has its own connection to the internet, this one supposedly via a DSL modem in bridged mode. So there should be no other hardware blocking ports at this site.

The office needs to forward port 8085 to a specific workstation for a mobile application to connect with their dental software.

According to "show access-lists", the rule "permit tcp any host xx.xx.xx.130 eq 8085 log" from the access list "sdm_dialer0_in" is getting hit every time I probe the port from outside the office. Doesn't this mean the packets should be getting through? Why is the port still showing up as blocked?

For testing purposes I created a NAT rule to send traffic on port 8085 to the server at 192.168.0.201. IP 192.168.0.202 is set up to respond to terminal services.

Hoping somebody can help with this.

Thanks.

-----------------------------------------------------------------------------------

Current configuration : 14085 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Joliet
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
vpdn enable
!
!
!
voice-card 0
 no dspfarm
!
!
crypto pki trustpoint TP-self-signed-3838063487
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3838063487
 revocation-check none
 rsakeypair TP-self-signed-3838063487
!
!
crypto pki certificate chain TP-self-signed-3838063487
 certificate self-signed 01
  XXXXXX
  quit
username Joe privilege 15 password 7 xxxxxxxxxxxxxxxxxxxx
username admin privilege 15 password 7 xxxxxxxxxxxxxxxxxxxx
username dpi secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group RemoteAccess
 key xxxxxxxxxxxxxx
 dns 192.168.0.201 4.4.4.2
 domain ioc.local
 pool SDM_POOL_1
 acl 102
 include-local-lan
 max-users 10
 max-logins 2
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association idle-time 28800
 set transform-set ESP-3DES-SHA1
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Null0
 no ip unreachables
!
interface Multilink1
 ip address 10.10.10.2 255.255.255.252
 no cdp enable
 ppp multilink
 ppp multilink group 1
!
interface FastEthernet0/0
 description Joliet LAN$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ETH-WAN$
 no ip address
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface Serial0/0/0
 description P2P Link to Joliet
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation ppp
 ip route-cache flow
 no fair-queue
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
interface Serial0/2/0
 description Second Point to Point to Naperville
 no ip address
 encapsulation ppp
 no fair-queue
 service-module t1 timeslots 1-24
 ppp multilink
 ppp multilink group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xx.xx.xx.134 255.255.255.248
 ip access-group sdm_dialer0_in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap chap callin
 ppp chap hostname innovativorthodont@static.att.net
 ppp chap password 7 xxxxxxxxxxxxxxxxx
 ppp pap sent-username innovativorthodont@static.att.net password 7 xxxxxxxxxxxxxxxxxx
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.120.1 192.168.120.10
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Multilink1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.202 1723 xx.xx.xx.130 1723 extendable
ip nat inside source static tcp 192.168.0.202 3389 xx.xx.xx.130 3389 extendable
ip nat inside source static tcp 192.168.0.201 8085 xx.xx.xx.130 8085 extendable
!
ip access-list extended sdm_dialer0_in
 remark Outside Access In
 remark SDM_ACL Category=17
 permit ip host 192.168.120.1 192.168.1.0 0.0.0.255
 remark Outside Access In
 permit ip host 192.168.120.2 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.3 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.4 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.5 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.6 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.7 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.8 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.9 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.10 192.168.1.0 0.0.0.255
 permit ip host 192.168.120.1 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.2 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.3 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.4 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.5 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.6 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.7 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.8 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.9 192.168.0.0 0.0.0.255
 permit ip host 192.168.120.10 192.168.0.0 0.0.0.255
 permit tcp any host xx.xx.xx.130 eq 1723
 permit gre any host xx.xx.xx.130
 permit udp any host xx.xx.xx.134 eq non500-isakmp
 permit udp any host xx.xx.xx.134 eq isakmp
 permit esp any host xx.xx.xx.134
 permit ahp any host xx.xx.xx.134
 permit tcp any host xx.xx.xx.130 eq 3389
 permit udp host 68.94.157.1 eq domain any
 permit udp host 68.94.156.1 eq domain any
 permit ip 192.168.0.0 0.0.0.255 any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit tcp any host xx.xx.xx.134 eq 443
 permit tcp any any eq www
 permit tcp any host xx.xx.xx.134 eq 22
 permit tcp any host xx.xx.xx.134 eq cmd
 permit tcp 192.168.0.0 0.0.0.255 host xx.xx.xx.xx
 permit tcp any host xx.xx.xx.130 eq 8085 log
 permit tcp any host xx.xx.xx.134 eq telnet
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark Inside Access Out
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp any host xx.xx.xx.130 eq 8085 log
access-list 101 remark Outside Access In
access-list 101 permit ip host 192.168.120.1 192.168.1.0 0.0.0.255
access-list 101 remark Outside Access In
access-list 101 permit ip host 192.168.120.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.5 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.6 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.7 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.8 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.9 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.10 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.1 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.2 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.3 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.4 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.5 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.6 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.7 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.8 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.9 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.10 192.168.0.0 0.0.0.255
access-list 101 permit udp any host xx.xx.xx.134 eq non500-isakmp
access-list 101 permit udp any host xx.xx.xx.134 eq isakmp
access-list 101 permit esp any host xx.xx.xx.134
access-list 101 permit ahp any host xx.xx.xx.134
access-list 101 permit tcp any host xx.xx.xx.130 eq 3389
access-list 101 permit tcp any host xx.xx.xx.130 eq 8085
access-list 101 permit udp host 68.94.157.1 eq domain any
access-list 101 permit udp host 68.94.156.1 eq domain any
access-list 101 deny   ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host xx.xx.xx.134 eq 443
access-list 101 permit tcp any host xx.xx.xx.134 eq 22
access-list 101 permit tcp any host xx.xx.xx.134 eq cmd
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
!
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_2 permit 1
 match ip address 1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 password 7 XXXXXXXXXXXXX
 login authentication local_authen
line aux 0
 login authentication local_authen
line vty 0 4
 password 7 XXXXXXXXXXXXXXX
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


cadet alain
VIP Alumni

Hi,

access-list 100 permit tcp any host xx.xx.xx.130 eq 8085 log

This is applied inbound on the LAN interface, so it won't have 8085 as the destination port, as that must be the port used by the client to connect to the service, not the port the service is listening on.

So change this statement to:

access-list 100 permit tcp host 192.168.0.201 eq 8085 host xx.xx.xx.130

To achieve this, either use a text editor to edit the ACL with the modified statement, then delete the ACL and copy-paste the new modified one, or do a "sh access-list" and you should see line numbers on the far left for each statement; then, to modify, enter named ACL mode:

ip access-list extended 100
 no xx
 xx permit tcp host 192.168.0.201 eq 8085 host xx.xx.xx.130

where xx is the line number of the wrong statement.

Then "sh access-list" to verify, then try to connect and let us know.

Regards.

Alain

Don't forget to rate helpful posts.
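To make the question and the answer above concrete, here is an added example (editor's own code, not from the thread or from Cisco) that walks the probe through the posted ACLs the way IOS does: an outside-initiated TCP connection is checked against the inbound ACL on Dialer0 first, then NAT rewrites the destination to 192.168.0.201, and the server's reply is checked against ACL 100 inbound on FastEthernet0/0 before inside-to-outside NAT, so at that point the reply still carries the private source address 192.168.0.201 with source port 8085 and the remote client as its destination. The public addresses and the client address are constructed stand-ins for the redacted xx.xx.xx.130 and for the probing host. The final LAN-side rule (`permit tcp host 192.168.0.201 eq 8085 any`) is my assumption of the general shape needed to let those untranslated replies out, shown so the evaluator has something to compare against.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed stand-ins for the addresses redacted in the post.
PUBLIC_NAT_IP = "203.0.113.130"   # plays xx.xx.xx.130 (the static NAT address)
CLIENT_IP = "198.51.100.25"       # the remote client probing port 8085
SERVER_IP = "192.168.0.201"       # from the post's static NAT entry

# Well-known port names that appear in the posted ACLs.
PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23, "cmd": 514,
              "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]       # (network, mask); wildcard already inverted to a mask
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    text: str


def _addr(tokens: List[str], i: int):
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0xFFFFFFFF), i + 2
    net = int(ipaddress.ip_address(tokens[i]))
    mask = ~int(ipaddress.ip_address(tokens[i + 1])) & 0xFFFFFFFF
    return (net & mask, mask), i + 2


def _port(tokens: List[str], i: int):
    """Parse an optional 'eq PORT' clause (numeric or named)."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        return PORT_NAMES.get(name, int(name) if name.isdigit() else None), i + 2
    return None, i


def parse_acl(text: str) -> List[Ace]:
    """Parse IOS extended ACEs, with or without the 'access-list N' prefix; skip remarks."""
    acl = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        if tokens[0] == "remark":
            continue
        src, i = _addr(tokens, 2)
        sport, i = _port(tokens, i)
        dst, i = _addr(tokens, i)
        dport, i = _port(tokens, i)
        acl.append(Ace(tokens[0], tokens[1], src, sport, dst, dport, line.strip()))
    return acl


def _match_addr(spec: Tuple[int, int], ip: str) -> bool:
    net, mask = spec
    return (int(ipaddress.ip_address(ip)) & mask) == net


def evaluate(acl: List[Ace], pkt: Packet) -> Tuple[str, str]:
    """First match wins; an ACL ends with IOS's implicit 'deny ip any any'."""
    for ace in acl:
        if ace.proto not in ("ip", pkt.proto):
            continue
        if not (_match_addr(ace.src, pkt.src) and _match_addr(ace.dst, pkt.dst)):
            continue
        if ace.sport is not None and ace.sport != pkt.sport:
            continue
        if ace.dport is not None and ace.dport != pkt.dport:
            continue
        return ace.action, ace.text
    return "deny", "implicit deny ip any any"


# Relevant part of sdm_dialer0_in (order preserved), with constructed addresses.
DIALER0_IN = parse_acl(f"""
permit tcp any host {PUBLIC_NAT_IP} eq 1723
permit gre any host {PUBLIC_NAT_IP}
permit tcp any host {PUBLIC_NAT_IP} eq 3389
permit tcp any host {PUBLIC_NAT_IP} eq 8085 log
deny ip 10.0.0.0 0.255.255.255 any
deny ip any any log
""")

# ACL 100 exactly as posted (applied inbound on FastEthernet0/0).
ACL_100_POSTED = parse_acl(f"""
access-list 100 remark Inside Access Out
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp any host {PUBLIC_NAT_IP} eq 8085 log
""")

# Assumed LAN-side rule: the server's replies leave with their untranslated source.
ACL_100_WITH_RETURN = ACL_100_POSTED + parse_acl(
    f"access-list 100 permit tcp host {SERVER_IP} eq 8085 any")


def trace_probe(dialer0_in: List[Ace], acl_100: List[Ace]):
    """Return (verdict on the client's SYN at Dialer0, verdict on the server's SYN-ACK at Fa0/0)."""
    syn = Packet("tcp", CLIENT_IP, 51515, PUBLIC_NAT_IP, 8085)      # before outside->inside NAT
    inbound = evaluate(dialer0_in, syn)
    synack = Packet("tcp", SERVER_IP, 8085, CLIENT_IP, 51515)        # before inside->outside NAT
    reply = evaluate(acl_100, synack)
    return inbound, reply


if __name__ == "__main__":
    for label, acl in (("ACL 100 as posted", ACL_100_POSTED),
                       ("ACL 100 with return rule", ACL_100_WITH_RETURN)):
        inbound, reply = trace_probe(DIALER0_IN, acl)
        print(f"{label}: Dialer0 in -> {inbound}; Fa0/0 in -> {reply}")
```

Running it shows why the Dialer0 counter increments while the probe still looks closed: the client's SYN is permitted by the 8085 line of sdm_dialer0_in, but the server's SYN-ACK, arriving on FastEthernet0/0 with an untranslated source, falls through ACL 100 to the implicit deny, so the handshake never completes. The evaluator ignores the dynamic entries that `ip inspect SDM_LOW out` adds to the Dialer0 ACL; those only cover LAN-initiated sessions and do not affect this inbound-initiated flow.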