Port Forward on 871 Router

Doug Lockard
Level 1

I need to forward port 2875 from any public address to an internal address, 192.168.20.103. I am not getting something right because it will not work. Below is my config. Any suggestions?

Current configuration : 11012 bytes
!
! Last configuration change at 23:30:24 UTC Fri Apr 12 2002 by cisco
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Name
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable secret 5
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-501752122
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-501752122
revocation-check none
!
!
crypto pki certificate chain TP-self-signed-501752122
certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 35303137 35323132 32301E17 0D303230 34313230 34313234
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3530 31373532
  31323230 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  9E616FE2 89D50607 DA6B9C73 DF328C72 890E603D 8B299396 D06265B1 B0B85F75
  512E9037 A788275C 3D5AD24F 7762CB8D 8BFCF792 71D6C9F0 D0957B03 689FBD74
  54F8F208 DAEEEC6F 1C0F9E3E A262BAC3 58653A3A CAE914FB C8C4C438 A2AFA0A6
  D8DF8836 0D45CB41 3E80C328 FD561888 1C4E221C F2D626B0 6A63C8E2 BA636C9D
  02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
  23041830 168014D3 7C91E31B 0A118C6B 969ED23D 2190FFB8 45207630 1D060355
  1D0E0416 0414D37C 91E31B0A 118C6B96 9ED23D21 90FFB845 2076300D 06092A86
  4886F70D 01010405 00038181 0016326D DD0F96E6 42DFF3CF FD36D024 50166E4F
  A8D7E7CC 93FEE468 12586FEE B2D4F100 711A84F6 26F18FA3 258852B7 70925FB8
  70EF1C1C 6CD1CDA6 C054663C 6BDFA84A 72058357 866AC963 818F86CC B7D149FE
  D4DE7FD2 09507998 AAA9792B E0FCD2AD 5A29771F 18CC48CB 9FB1032E 7BA6E7F1
  C1269DBA 792CDD46 165E4893 1A
        quit
dot11 syslog
!
dot11 ssid <Wireless>
vlan 2
authentication open
authentication key-management wpa
mbssid guest-mode
!
ip source-route
!
!
ip dhcp excluded-address 192.168.20.1 192.168.20.99
ip dhcp excluded-address 192.168.21.1 192.168.21.99
!
ip dhcp pool <Name>
   import all
   network 192.168.20.0 255.255.255.0
   dns-server 4.2.2.2 4.2.2.1
   default-router 192.168.20.1
   lease 14
!
ip dhcp pool <Wireless>
   import all
   network 192.168.21.0 255.255.255.0
   dns-server 4.2.2.2 4.2.2.1
   default-router 192.168.21.1
!
!
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
log config
  hidekeys
username cisco privilege 15 secret 5
!
!
no ip ftp passive
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 104
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
class class-default
  drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-access
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key key address <peer address>
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to <peer address>
set peer <peer address>
set transform-set ESP-3DES-SHA2
match address <Address>
!
bridge irb
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $FW_OUTSIDE$$ETH-WAN$
ip address <External IP> 255.255.255.252
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
ip nat inside
ip virtual-reassembly in
!
encryption vlan 2 mode ciphers aes-ccm tkip
!
broadcast-key vlan 2 change 30
!
!
ssid <WIreless>
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.2
encapsulation dot1Q 2
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.20.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
interface Vlan2
no ip address
bridge-group 1
!
interface BVI1
ip address 192.168.21.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip dns server
ip nat inside source static tcp 192.168.20.103 2875 interface FastEthernet4 2875
ip nat inside source static tcp 192.168.20.103 23 interface Vlan1 23
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 <External IP>
!
ip access-list extended ACLIN
remark CCP_ACL Category=2
deny   ip 192.0.0.0 0.255.255.255 <Peer Network> 0.255.255.255
permit ip 192.0.0.0 0.255.255.255 any
ip access-list extended <Name>
permit ip 192.168.20.0 0.0.0.255 <Peer Network> 0.0.0.255
permit ip 192.168.20.0 0.0.0.255 <Peer Network> 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 <Peer Network> 0.0.0.255
permit ip 192.168.21.0 0.0.0.255 <Peer Network> 0.0.0.255
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
logging esm config
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.0.0.0 0.255.255.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 67.139.127.72 0.0.0.7 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host <peer Address> any
access-list 103 permit ip <Peer Network> 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip <Peer Network> 0.0.0.255 192.168.21.0 0.0.0.255
access-list 103 permit ip <Peer Network> 0.0.0.255 192.168.20.0 0.0.0.255
access-list 103 permit ip <Peer Network> 0.0.0.255 192.168.21.0 0.0.0.255
access-list 104 permit ip <Peer Network> 0.0.0.255 192.168.20.0 0.0.0.255
access-list 104 permit ip <Peer Network> 0.0.0.255 192.168.21.0 0.0.0.255
access-list 104 permit ip <Peer Network> 0.0.0.255 192.168.20.0 0.0.0.255
access-list 104 permit ip <Peer Network> 0.0.0.255 192.168.21.0 0.0.0.255
access-list 150 permit tcp any host <External IP> eq telnet
access-list 150 permit ip host 192.168.20.103 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address ACLIN
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
scheduler max-task-time 5000
end
wpa-psk ascii 0 <PSK>

Accepted Solution

Hi,

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

  inspect

class type inspect sdm-cls-VPNOutsideToInside-2

  inspect

class type inspect sdm-cls-VPNOutsideToInside-3

  inspect

class class-default

  drop

Just put this command in config mode to make sure this is the culprit: ip inspect log drop-pkt

When trying to access the service from outside you should see a log telling you why it was dropped.

To remedy:

access-list 190 permit tcp any host 192.168.20.103 eq 2875

class-map type inspect TCP_2875

match access-group 190

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect TCP_2875

  inspect

Don't forget to rate helpful posts.

Regards.

Alain

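The accepted answer's reasoning can be checked mechanically, which is useful whenever a port forward on a zone-based-firewall router "does not work": the static NAT is fine, but the out-zone to in-zone zone-pair only carries classes whose access-lists match the VPN peer network, so a packet from a public address falls through to class-default and is dropped. The script below is an added example written for this page, not Cisco tooling and not code from anyone in the thread. It parses a constructed miniature of the poster's config (10.9.9.0/24 stands in for <Peer Network>, and 203.0.113.5 is a constructed public source standing in for "any public address"), evaluates the zone-pair policy the way the router does (first matching class wins, class-default last, implicit deny at the end of every ACL, no zone-pair means drop), and reports the verdict for each static port forward before and after Alain's remedy is appended. It accepts the NAT statement in either form mentioned in the thread (an `interface` reference or an explicit address); only extended ACLs with a destination `eq` port are modelled, and classes that match by protocol or by nested class-map are treated as non-matching.

```python
"""Audit of an IOS zone-based-firewall config (constructed example, not Cisco's
tooling): for each static TCP port forward, evaluate the out-zone -> in-zone
zone-pair policy the way the router would and report the handling class."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

PROTOS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}   # extended-ACL protocols handled
PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "cmd": 514}
OUTSIDE_PROBE = "203.0.113.5"   # constructed public source (TEST-NET-3): "any public address"

# Constructed miniature of the poster's config; 10.9.9.0/24 stands in for <Peer Network>.
CONFIG_BEFORE = """\
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
ip nat inside source static tcp 192.168.20.103 2875 interface FastEthernet4 2875
access-list 103 permit ip 10.9.9.0 0.0.0.255 192.168.20.0 0.0.0.255
"""
# The remedy from the accepted answer, as it would be appended to the running config.
FIX = """\
access-list 190 permit tcp any host 192.168.20.103 eq 2875
class-map type inspect TCP_2875
 match access-group 190
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect TCP_2875
  inspect
"""

def ip2int(s):
    return int(IPv4Address(s))

def take_addr(t):
    """Consume one ACL address spec: any | host A | A WILDCARD -> ((net, wildcard), rest)."""
    if t[0] == "any":
        return (0, 0xFFFFFFFF), t[1:]
    if t[0] == "host":
        return (ip2int(t[1]), 0), t[2:]
    return (ip2int(t[0]), ip2int(t[1])), t[2:]

@dataclass
class Ace:
    action: str
    proto: str
    src: tuple
    dst: tuple
    dport: Optional[int]

    def matches(self, proto, src, dst, dport):
        def hit(spec, ip):   # wildcard bits are "don't care"
            net, wild = spec
            return (ip & ~wild & 0xFFFFFFFF) == (net & ~wild & 0xFFFFFFFF)
        return (self.proto in ("ip", proto) and hit(self.src, src) and hit(self.dst, dst)
                and (self.dport is None or self.dport == dport))

def parse_ace(t):
    """permit|deny PROTO SRC DST [eq PORT]; only a destination 'eq' is handled."""
    src, rest = take_addr(t[2:])
    dst, rest = take_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
    return Ace(t[0], t[1], src, dst, dport)

@dataclass
class Config:
    acls: dict = field(default_factory=lambda: defaultdict(list))         # name -> [Ace]
    class_maps: dict = field(default_factory=dict)                          # name -> (mode, [acl names])
    policy_maps: dict = field(default_factory=lambda: defaultdict(list))   # name -> [[class, action]]
    zone_pairs: list = field(default_factory=list)                          # {source, destination, policy}
    port_forwards: list = field(default_factory=list)                       # (proto, inside ip, inside port)

def parse(text):
    cfg, ctx = Config(), None   # ctx = the sub-mode the current line belongs to
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0].startswith("!"):
            continue
        if t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] in PROTOS:
            cfg.acls[t[1]].append(parse_ace(t[2:]))             # standard ACLs and remarks are skipped
        elif t[:3] == ["ip", "access-list", "extended"]:
            ctx = ("acl", t[3])
        elif t[:3] == ["class-map", "type", "inspect"]:          # mode defaults to match-all
            cfg.class_maps[t[-1]] = (t[3] if t[3].startswith("match-") else "match-all", [])
            ctx = ("class-map", t[-1])
        elif t[:3] == ["policy-map", "type", "inspect"]:
            ctx = ("policy-map", t[3])
        elif t[:2] == ["zone-pair", "security"]:                 # zone-pair security N source S destination D
            cfg.zone_pairs.append({"source": t[4], "destination": t[6], "policy": None})
            ctx = ("zone-pair", len(cfg.zone_pairs) - 1)
        elif t[:5] == ["ip", "nat", "inside", "source", "static"] and t[5] in ("tcp", "udp"):
            cfg.port_forwards.append((t[5], t[6], int(t[7])))   # "interface X" or explicit-IP form alike
        elif ctx is None:
            continue
        elif ctx[0] == "acl" and t[0] in ("permit", "deny"):
            cfg.acls[ctx[1]].append(parse_ace(t))
        elif ctx[0] == "class-map" and t[:2] == ["match", "access-group"]:
            cfg.class_maps[ctx[1]][1].append(t[-1])             # numbered, or "name X"
        elif ctx[0] in ("policy-map", "class") and t[0] == "class":
            cfg.policy_maps[ctx[1]].append([t[-1], None])       # "class type inspect X" / "class class-default"
            ctx = ("class", ctx[1])
        elif ctx[0] == "class" and t[0] in ("inspect", "pass", "drop"):
            cfg.policy_maps[ctx[1]][-1][1] = t[0]
        elif ctx[0] == "zone-pair" and t[:3] == ["service-policy", "type", "inspect"]:
            cfg.zone_pairs[ctx[1]]["policy"] = t[3]
    return cfg

def acl_permits(cfg, name, proto, src, dst, dport):
    for ace in cfg.acls.get(name, []):                 # first matching entry decides
        if ace.matches(proto, src, dst, dport):
            return ace.action == "permit"
    return False                                       # implicit deny at the end of every ACL

def class_matches(cfg, cls, proto, src, dst, dport):
    mode, acls = cfg.class_maps.get(cls, ("match-all", []))
    if not acls:                                       # 'match protocol' / nested class-map: not modelled
        return False
    hits = [acl_permits(cfg, a, proto, src, dst, dport) for a in acls]
    return all(hits) if mode == "match-all" else any(hits)

def zone_pair_action(cfg, src_zone, dst_zone, proto, src_ip, dst_ip, dport):
    """(action, class) that the zone-pair policy applies to one packet."""
    src, dst = ip2int(src_ip), ip2int(dst_ip)
    for zp in cfg.zone_pairs:
        if (zp["source"], zp["destination"]) != (src_zone, dst_zone):
            continue
        classes = cfg.policy_maps.get(zp["policy"], [])
        # class-default is always evaluated last, even when other classes were added afterwards
        for cls, action in sorted(classes, key=lambda c: c[0] == "class-default"):
            if cls == "class-default" or class_matches(cfg, cls, proto, src, dst, dport):
                return action, cls
        return "drop", "no class matched"
    return "drop", "no zone-pair"                      # no zone-pair between two zones: ZBF drops

def audit_port_forwards(cfg, src_zone="out-zone", dst_zone="in-zone"):
    """(inside ip, port, action, class) per static port forward, for a packet from OUTSIDE_PROBE."""
    return [(ip, port) + zone_pair_action(cfg, src_zone, dst_zone, proto, OUTSIDE_PROBE, ip, port)
            for proto, ip, port in cfg.port_forwards]

if __name__ == "__main__":
    for label, text in (("before", CONFIG_BEFORE), ("after fix", CONFIG_BEFORE + FIX)):
        print(label, audit_port_forwards(parse(text)))
```

Running it prints the forward to 192.168.20.103:2875 as handled by `class-default` with `drop` before the fix and by `TCP_2875` with `inspect` after it; a packet from the constructed peer network (10.9.9.7) already matched `sdm-cls-VPNOutsideToInside-1` before the fix, which is why the VPN side worked while public clients did not. Because the new access-list is restricted to `host 192.168.20.103 eq 2875`, the added class opens exactly the forwarded service and nothing else in the inside zone.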

5 Replies

Doug Lockard
Level 1

Does anyone have a suggestion? This is probably straightforward for experienced Cisco engineers.

Thanks,

Hi Doug,

Configure the static NAT statement with the IP address of the interface FastEthernet4, like below:
ip nat inside source static tcp 192.168.20.103 2875 206.206.206.2 2875

And why do you have the statement below? What is it for?
ip nat inside source static tcp 192.168.20.103 23 interface Vlan1 23


Please rate all the helpful posts.
Regards,
Naidu.

Thanks for the replies. I'm working with the customer now to test it out.

Thank you very much for your help! That resolved the issue and the customer is happy.

Thanks,

Doug
