02-13-2012 01:09 PM - edited 03-07-2019 04:54 AM
Hello all,
The following is a running config from a 2811 router in a production environment that is linked to another 2811 at another office via a PPP serial link. Each site has its own connection to the internet, this one supposedly via a DSL modem in bridged mode, so there should be no other hardware blocking ports at this site.
The office needs to forward port 8085 to a specific workstation for a mobile application to connect with their dental software.
According to "show access-lists" the rule "permit tcp any host xx.xx.xx.130 eq 8085 log" from the access list "sdm_dialer0_in" is getting hit every time I probe the port from outside the office. Doesn't this mean the packets should be getting through? Why is the port still showing up as blocked?
For testing purposes I created a NAT rule to send traffic on port 8085 to the server at 192.168.0.201. IP 192.168.0.202 is set up to respond to terminal services.
Hoping somebody can help with this.
Thanks.
-----------------------------------------------------------------------------------
Current configuration : 14085 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Joliet
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
!
!
no ip bootp server
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
vpdn enable
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-3838063487
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3838063487
revocation-check none
rsakeypair TP-self-signed-3838063487
!
!
crypto pki certificate chain TP-self-signed-3838063487
certificate self-signed 01
XXXXXX
quit
username Joe privilege 15 password 7 xxxxxxxxxxxxxxxxxxxx
username admin privilege 15 password 7 xxxxxxxxxxxxxxxxxxxx
username dpi secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group RemoteAccess
key xxxxxxxxxxxxxx
dns 192.168.0.201 4.4.4.2
domain ioc.local
pool SDM_POOL_1
acl 102
include-local-lan
max-users 10
max-logins 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Null0
no ip unreachables
!
interface Multilink1
ip address 10.10.10.2 255.255.255.252
no cdp enable
ppp multilink
ppp multilink group 1
!
interface FastEthernet0/0
description Joliet LAN$FW_INSIDE$
ip address 192.168.0.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
no ip address
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
duplex auto
speed auto
pppoe enable
pppoe-client dial-pool-number 1
no mop enabled
!
interface Serial0/0/0
description P2P Link to Joliet
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
ip route-cache flow
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
!
interface Serial0/2/0
description Second Point to Point to Naperville
no ip address
encapsulation ppp
no fair-queue
service-module t1 timeslots 1-24
ppp multilink
ppp multilink group 1
!
interface Dialer0
description $FW_OUTSIDE$
ip address xx.xx.xx.134 255.255.255.248
ip access-group sdm_dialer0_in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname innovativorthodont@static.att.net
ppp chap password 7 xxxxxxxxxxxxxxxxx
ppp pap sent-username innovativorthodont@static.att.net password 7 xxxxxxxxxxxxxxxxxx
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.120.1 192.168.120.10
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 Multilink1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.202 1723 xx.xx.xx.130 1723 extendable
ip nat inside source static tcp 192.168.0.202 3389 xx.xx.xx.130 3389 extendable
ip nat inside source static tcp 192.168.0.201 8085 xx.xx.xx.130 8085 extendable
!
ip access-list extended sdm_dialer0_in
remark Outside Access In
remark SDM_ACL Category=17
permit ip host 192.168.120.1 192.168.1.0 0.0.0.255
remark Outside Access In
permit ip host 192.168.120.2 192.168.1.0 0.0.0.255
permit ip host 192.168.120.3 192.168.1.0 0.0.0.255
permit ip host 192.168.120.4 192.168.1.0 0.0.0.255
permit ip host 192.168.120.5 192.168.1.0 0.0.0.255
permit ip host 192.168.120.6 192.168.1.0 0.0.0.255
permit ip host 192.168.120.7 192.168.1.0 0.0.0.255
permit ip host 192.168.120.8 192.168.1.0 0.0.0.255
permit ip host 192.168.120.9 192.168.1.0 0.0.0.255
permit ip host 192.168.120.10 192.168.1.0 0.0.0.255
permit ip host 192.168.120.1 192.168.0.0 0.0.0.255
permit ip host 192.168.120.2 192.168.0.0 0.0.0.255
permit ip host 192.168.120.3 192.168.0.0 0.0.0.255
permit ip host 192.168.120.4 192.168.0.0 0.0.0.255
permit ip host 192.168.120.5 192.168.0.0 0.0.0.255
permit ip host 192.168.120.6 192.168.0.0 0.0.0.255
permit ip host 192.168.120.7 192.168.0.0 0.0.0.255
permit ip host 192.168.120.8 192.168.0.0 0.0.0.255
permit ip host 192.168.120.9 192.168.0.0 0.0.0.255
permit ip host 192.168.120.10 192.168.0.0 0.0.0.255
permit tcp any host xx.xx.xx.130 eq 1723
permit gre any host xx.xx.xx.130
permit udp any host xx.xx.xx.134 eq non500-isakmp
permit udp any host xx.xx.xx.134 eq isakmp
permit esp any host xx.xx.xx.134
permit ahp any host xx.xx.xx.134
permit tcp any host xx.xx.xx.130 eq 3389
permit udp host 68.94.157.1 eq domain any
permit udp host 68.94.156.1 eq domain any
permit ip 192.168.0.0 0.0.0.255 any
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
permit tcp any host xx.xx.xx.134 eq 443
permit tcp any any eq www
permit tcp any host xx.xx.xx.134 eq 22
permit tcp any host xx.xx.xx.134 eq cmd
permit tcp 192.168.0.0 0.0.0.255 host xx.xx.xx.xx
permit tcp any host xx.xx.xx.130 eq 8085 log
permit tcp any host xx.xx.xx.134 eq telnet
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip host 255.255.255.255 any
deny ip host 0.0.0.0 any
deny ip any any log
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark Inside Access Out
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp any host xx.xx.xx.130 eq 8085 log
access-list 101 remark Outside Access In
access-list 101 permit ip host 192.168.120.1 192.168.1.0 0.0.0.255
access-list 101 remark Outside Access In
access-list 101 permit ip host 192.168.120.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.5 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.6 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.7 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.8 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.9 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.10 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.120.1 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.2 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.3 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.4 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.5 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.6 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.7 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.8 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.9 192.168.0.0 0.0.0.255
access-list 101 permit ip host 192.168.120.10 192.168.0.0 0.0.0.255
access-list 101 permit udp any host xx.xx.xx.134 eq non500-isakmp
access-list 101 permit udp any host xx.xx.xx.134 eq isakmp
access-list 101 permit esp any host xx.xx.xx.134
access-list 101 permit ahp any host xx.xx.xx.134
access-list 101 permit tcp any host xx.xx.xx.130 eq 3389
access-list 101 permit tcp any host xx.xx.xx.130 eq 8085
access-list 101 permit udp host 68.94.157.1 eq domain any
access-list 101 permit udp host 68.94.156.1 eq domain any
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 permit tcp any host xx.xx.xx.134 eq 443
access-list 101 permit tcp any host xx.xx.xx.134 eq 22
access-list 101 permit tcp any host xx.xx.xx.134 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
!
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
route-map SDM_RMAP_2 permit 1
match ip address 1
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
password 7 XXXXXXXXXXXXX
login authentication local_authen
line aux 0
login authentication local_authen
line vty 0 4
password 7 XXXXXXXXXXXXXXX
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
02-14-2012 12:45 AM
Hi,
access-list 100 permit tcp any host xx.xx.xx.130 eq 8085 log
This is applied inbound on the LAN interface, so it won't have 8085 as the destination port; the destination port must be the one used by the client to connect to the service, not the port the service is listening on.
So change this statement to:
access-list 100 permit tcp host 192.168.0.201 eq 8085 host xx.xx.xx.130
To achieve this, either use a text editor to edit the ACL with the modified statement, then delete the ACL and copy-paste the new modified one, or do a sh access-list and you should see line numbers on the far left for each statement. Then, to modify, enter named ACL mode:
ip access-list extended 100
no xx   (where xx is the line number of the wrong statement)
xx permit tcp host 192.168.0.201 eq 8085 host xx.xx.xx.130
then sh access-list to verify and then try to connect and let us know.
Regards.
Alain
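As an added illustration of the direction point made in the reply (this is example code written for this page, not Cisco IOS and not part of either post): a small Python model of IOS extended-ACL evaluation, run over ACEs quoted from the config above. It shows that the probe from the internet matches the logged 8085 entry in sdm_dialer0_in, while the server's reply, which arrives inbound on FastEthernet0/0 with 8085 as its source port, matches nothing in access-list 100 and falls to the implicit deny. Assumptions: 198.51.100.130 and 198.51.100.134 stand in for the masked public addresses, 203.0.113.10 is a constructed external client, only a subset of the sdm_dialer0_in entries is reproduced, contiguous wildcard masks are assumed, and the corrected ACE is written as `permit tcp host 192.168.0.201 eq 8085 any` because the inbound LAN ACL is evaluated before inside-to-outside NAT, so the return packet's destination is the external client, not the router's public address.

```python
"""Model of IOS extended-ACL matching for the ACEs quoted on this page.

Added example, not IOS code.  Public IPs in the post are masked; the RFC 5737
documentation addresses below are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass

PUBLIC_130 = "198.51.100.130"   # stands in for xx.xx.xx.130 (NAT target)
PUBLIC_134 = "198.51.100.134"   # stands in for xx.xx.xx.134 (Dialer0)
CLIENT = "203.0.113.10"         # constructed external client
PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23, "isakmp": 500,
              "non500-isakmp": 4500, "cmd": 514}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return (network, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))      # inverse mask
    prefix = bin((~wildcard) & 0xFFFFFFFF).count("1")        # assumes contiguous mask
    return ipaddress.ip_network((tok, prefix), strict=False), i + 2


def _parse_port(tokens, i):
    """Parse an optional 'eq PORT' qualifier; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        tok = tokens[i + 1]
        return (int(tok) if tok.isdigit() else PORT_NAMES[tok]), i + 2
    return None, i


def parse_ace(line):
    """Parse '<permit|deny> <proto> <src> [eq p] <dst> [eq p] [log]'."""
    tokens = line.split()
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, _ = _parse_port(tokens, i)
    return {"action": tokens[0], "proto": tokens[1],
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace["src"]
            and ipaddress.ip_address(pkt.dst) in ace["dst"]
            and ace["sport"] in (None, pkt.sport)
            and ace["dport"] in (None, pkt.dport))


def evaluate(acl_lines, pkt):
    """First-match evaluation; returns (action, matched line).  Implicit deny at end."""
    for line in acl_lines:
        line = line.strip()
        if not line or line.startswith("remark"):
            continue
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None


# Subset of sdm_dialer0_in (applied inbound on Dialer0), in the order posted.
SDM_DIALER0_IN = [
    f"permit tcp any host {PUBLIC_130} eq 1723",
    f"permit udp any host {PUBLIC_134} eq isakmp",
    f"permit esp any host {PUBLIC_134}",
    f"permit tcp any host {PUBLIC_130} eq 3389",
    "permit udp host 68.94.157.1 eq domain any",
    "permit ip 192.168.0.0 0.0.0.255 any",
    "permit icmp any any echo",
    "permit tcp any any eq www",
    f"permit tcp any host {PUBLIC_134} eq 22",
    f"permit tcp any host {PUBLIC_130} eq 8085 log",
    "deny ip 192.168.0.0 0.0.255.255 any",
    "deny ip any any log",
]

# access-list 100 as posted (applied inbound on FastEthernet0/0, the LAN side).
ACL_100 = [
    "deny ip host 255.255.255.255 any",
    "deny ip 127.0.0.0 0.255.255.255 any",
    f"permit tcp any host {PUBLIC_130} eq 8085 log",
]

# Same list with the 8085 entry written for the return flow (assumed form, see lead-in).
ACL_100_FIXED = ACL_100[:2] + ["permit tcp host 192.168.0.201 eq 8085 any"]


def inbound_request():
    """Probe from the internet, as seen arriving on Dialer0 (before outside->inside NAT)."""
    return evaluate(SDM_DIALER0_IN, Packet("tcp", CLIENT, 51514, PUBLIC_130, 8085))


def return_traffic(acl):
    """Server reply, as seen arriving on FastEthernet0/0 (before inside->outside NAT)."""
    return evaluate(acl, Packet("tcp", "192.168.0.201", 8085, CLIENT, 51514))


if __name__ == "__main__":
    print("request  :", inbound_request())
    print("reply    :", return_traffic(ACL_100))
    print("reply fix:", return_traffic(ACL_100_FIXED))
```

The first line of output is the hit the poster saw in `show access-lists`; the second is the reason the port still looks closed from outside (the SYN/ACK never leaves the LAN interface); the third is the same reply once an entry matching source 192.168.0.201 port 8085 exists. Note that `ip inspect SDM_LOW out` on Dialer0 only opens return holes for sessions initiated from the inside, so it does not help an inbound-initiated connection pass access-list 100.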