Port Forwarding not working on some ports

eagletec1
Level 1

Hi, I've created some port forwards from my public IP (Dialer0) to our private LAN, but only the 25565 port forward works. I've even added an "any any" statement to the NAT source list Homenet_NAT. Any help would be much appreciated; full config attached. My Cisco router is an 877W.

Louise

ip nat pool Homenet_NAT 192.168.0.210 192.168.0.240 netmask 255.255.255.0
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.100 25565 interface Dialer0 25565    (working)
ip nat inside source list 2 interface Dialer0 overload
ip nat inside source list Homenet_NAT interface Dialer0 overload
ip nat inside source static tcp 192.168.4.253 80 interface Dialer0 6392        (NOT working)
ip nat inside source static tcp 192.168.0.1 443 interface Dialer0 443          (NOT working)
ip nat inside source static tcp 192.168.0.252 8090 interface Dialer0 6391      (NOT working)
ip nat inside source static tcp 192.168.0.30 3389 interface Dialer0 6390       (NOT working)

Accepted Solution

Hi Louise,

! move the 443 forward to an unused outside port
no ip nat inside source static tcp 192.168.0.1 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.1 443 interface Dialer0 6393
!
no class-map type inspect match-all sdm-nat-user-protocol--5-1
!
! rebuild ACL 103 with one line per forwarded host
! (the ports listed here are the outside Dialer0 ports; see the note below)
no access-list 103
access-list 103 permit tcp any host 192.168.0.100 eq 6390
access-list 103 permit tcp any host 192.168.0.252 eq 6391
access-list 103 permit tcp any host 192.168.0.1 eq 6393
access-list 103 permit tcp any host 192.168.4.253 eq 6392
!
! rebuild the outside-to-inside policy without the removed class
no zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
no policy-map type inspect sdm-pol-NATOutsideToInside-1
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-sip-1
  inspect
 class class-default
!
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1

If it isn't working, replace the outside ports in ACL 103 with the inside ports.

Concerning the access from CCP, try it again; if it still isn't working, replace the inspect clause in the policy-maps for self-to-in and in-to-self with a pass clause and it should work.

Regards

Alain

Don't forget to rate helpful posts.


6 Replies

cadet alain
VIP Alumni

Hi,

- ip nat inside source static tcp 192.168.4.253 80 interface Dialer0 6392

192.168.4.253 is not matched in any ACL in the class-maps for outside-to-inside traffic, so it should be classified as class-default and dropped (ip inspect log drop-pkt should confirm this).

- ip nat inside source static tcp 192.168.0.1 443 interface Dialer0 443

Same as above, and also for the other static PAT entries.

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain,

Thanks for that, so what is the syntax to create the required entries in the class maps? Would that also be the reason why I can't use CCP to connect to the router as it always comes back with discovery failed?

Louise

Hi,

CCP connection to the router is governed by the out-to-self and self-to-out policies. I'll take a look at these and also give you the syntax to connect to the internal hosts.

Regards.

Alain

Don't forget to rate helpful posts.



Thanks Alain, testing now. Just one question: how come the 25565 port forward was working but 3389 wouldn't work, even if I changed the destination to 192.168.0.100?

Louise

Thanks Alain, all working, and yes, I had to add the local ports to ACL 103 for traffic to come through.

I wish I had a full understanding of the policy maps and class types.

Cheers

Louise
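For readers who, like Louise, want to see how the class-maps, policy-map and zone-pair fit together, here is the complete outside-to-inside chain for the forwards in this thread as an added example. It is not Alain's or Louise's posted configuration and not the full 877W config attached to the original post. It assumes the zone names out-zone and in-zone from the SDM-generated config and the static PAT entries shown above (with 443 remapped to 6393 as in the accepted solution); the ACL, class-map, policy-map and zone-pair names are chosen here. The ACL lists the inside host and the inside port, as Louise found was necessary, because the firewall classifies outside-to-inside traffic after the static PAT has already rewritten the destination. It also goes beyond the thread in two ways: one ACL and one class-map cover every forwarded host instead of one sdm-nat-user-protocol class per host, and class-default drops with logging so that unmatched inbound traffic shows up in the log with its post-NAT destination.

```cisco
! Added example, not the original poster's configuration.
! Assumes Dialer0 is the outside (NAT outside) interface and the zones
! out-zone / in-zone already exist, as in the SDM-generated config.
! Names FORWARDED-IN, CM-FORWARDED-IN, PM-OUT-TO-IN and ZP-OUT-TO-IN are chosen here.
!
! 1. Static PAT: outside port on Dialer0 -> inside host : inside port.
ip nat inside source static tcp 192.168.0.100 25565 interface Dialer0 25565
ip nat inside source static tcp 192.168.4.253 80 interface Dialer0 6392
ip nat inside source static tcp 192.168.0.1 443 interface Dialer0 6393
ip nat inside source static tcp 192.168.0.252 8090 interface Dialer0 6391
ip nat inside source static tcp 192.168.0.30 3389 interface Dialer0 6390
!
! 2. ACL the firewall classifies on. Outside-to-inside traffic is matched
!    after the static PAT has rewritten the destination, so every line names
!    the INSIDE host and the INSIDE port, not the port exposed on Dialer0.
ip access-list extended FORWARDED-IN
 remark forwarded services only; anything else falls to class-default
 permit tcp any host 192.168.0.100 eq 25565
 permit tcp any host 192.168.4.253 eq 80
 permit tcp any host 192.168.0.1 eq 443
 permit tcp any host 192.168.0.252 eq 8090
 permit tcp any host 192.168.0.30 eq 3389
!
! 3. Class-map: "this traffic" = whatever the ACL permits.
class-map type inspect match-all CM-FORWARDED-IN
 match access-group name FORWARDED-IN
!
! 4. Policy-map: what to do with each class. "inspect" opens a stateful
!    session so the replies from the inside host are allowed back out;
!    class-default drops everything not listed and logs it, which is the
!    quickest way to see which (post-NAT) host:port a failing forward hits.
policy-map type inspect PM-OUT-TO-IN
 class type inspect CM-FORWARDED-IN
  inspect
 class class-default
  drop log
!
! 5. Zone-pair: binds the policy to the direction out-zone -> in-zone.
zone-pair security ZP-OUT-TO-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-TO-IN
!
! Verification while a client connects from the Internet:
!   show policy-map type inspect zone-pair ZP-OUT-TO-IN sessions
!   show ip nat translations | include 6390
```

If a forward still fails, the drop log line (or the output of ip inspect log drop-pkt, which Alain suggested) shows the destination after translation; if the logged port is the inside port and the ACL names the outside port, that is the mismatch Louise hit. Management access to the router itself (CCP over HTTPS) is not covered by this zone-pair: it is governed by the out-zone to self policy, which is a separate pair.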
