06-30-2009 05:09 AM - edited 03-06-2019 06:31 AM
I have a Linksys RV082 (port forwarded, on all the ports I need, to 192.168.0.102); this then goes through a transparent firewall and on to a 2821 (external IP 192.168.0.102). The configs for the 2821 and the firewall are posted below.
Firewall config:
Result of the command: "show running-config"
: Saved
:
ASA Version 7.0(8)
!
! Transparent (layer-2) mode: inside and outside are bridged into a single
! segment and the ASA does not route; the "ip address" further down is the
! management address only.
firewall transparent
hostname ciscoasa
domain-name default.domain.invalid
! NOTE(review): these credential values are part of the pasted config;
! treat them as disclosed and rotate them before the config is reused.
enable password 6efABQ2cPmP7OKuA encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
dns-guard
!
interface Ethernet0/0
nameif inside
security-level 100
!
interface Ethernet0/1
nameif outside
security-level 0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Management0/0
nameif management
security-level 100
management-only
!
banner exec All your base are belong to us!
banner login All your base are belong to us!
banner motd All your base are belong to us!
ftp mode passive
! This is the only entry in the ACL bound to the outside interface (see the
! access-group line below), so it is the entire inbound policy from the
! RV082 side.  "any eq 5001 any eq 5001" requires the SOURCE port to be 5001
! as well as the destination port; an inbound client uses an ephemeral
! source port, so this entry does not match the forwarded connections.  The
! usual form is "permit tcp any any eq 5001".  The other ports the 2821
! forwards (tcp 20570-20572 in its static NAT lines) have no permit here at
! all, and outside (level 0) to inside (level 100) is denied unless an ACL
! entry allows it.
! NOTE(review): the 2821's WAN interface is a DHCP client; if its lease is
! obtained from the RV082 through this bridge, the server's replies
! (udp 67 -> 68) would also need an explicit permit on outside - confirm
! the interface actually holds a lease.
access-list outside_access_in extended permit tcp any eq 5001 any eq 5001
pager lines 24
mtu inside 1500
mtu outside 1500
mtu management 1500
! Management address of the bridge.  Everything else in the topology (the
! RV082 forward target, the router's default gateway 192.168.0.1) is in
! 192.168.0.0/24, so this looks off-subnet; that affects reaching the ASA
! itself, not the bridged traffic.
ip address 192.168.1.1 255.255.255.0
asdm image disk0:/asdm-508.bin
no asdm history enable
arp timeout 14400
! Applies outside_access_in to traffic entering the outside interface.
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
username mebernstein password awdhlGZ6rAWbpyEZ encrypted privilege 15
! ASDM/HTTP is reachable only on the management interface, from
! 192.168.1.0/24.
http server enable
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
! Traps are enabled but no "snmp-server host" line appears in this config,
! so there is nowhere for them to be sent.
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
! Only the timeouts are set; no "telnet"/"ssh" permit lines appear, so
! remote CLI access is not enabled here.
telnet timeout 5
ssh timeout 5
console timeout 0
!
! Default application inspection set applied globally below.
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect mgcp
inspect pptp
inspect ctiqbe
inspect snmp
inspect http
inspect icmp
inspect ils
!
service-policy global_policy global
Cryptochecksum:079bfac43742cef7ff12ec4f03adf068
: end
Router config:
Building configuration...
Current configuration : 8330 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
! Type-7 obfuscation for the line/enable passwords (the "7 ..." values
! further down); it is reversible, unlike the "secret 5" MD5 entries.
service password-encryption
service sequence-numbers
!
hostname CiscoRouter
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
! When both are configured the enable secret is the one consulted; the
! type-7 enable password on the next line is redundant and reversible.
! NOTE(review): these credential strings are in the public paste - rotate.
enable secret 5 $1$QKvL$DNWm2th4qX.xx2vb1hmG1/
enable password 7 047A1E011A32581F5F
!
! AAA against the local user database only (no external server configured).
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authorization exec default local
aaa authorization exec local_author local
!
!
aaa session-id common
dot11 syslog
no ip source-route
no ip gratuitous-arps
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.4.1 192.168.4.9
ip dhcp excluded-address 192.168.4.200 192.168.4.254
!
! LAN pool.  192.168.4.38, the target of three static NAT entries later in
! the config, is inside the dynamic range (.10-.199) and is not excluded, so
! a different host could receive that lease unless .38 is statically set;
! an exclusion or a host binding like HP_PRINTER below would pin it.
ip dhcp pool LAN_POOL
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
lease 15
!
! Fixed lease for one host, keyed on its MAC address.
ip dhcp pool HP_PRINTER
host 192.168.4.114 255.255.255.0
hardware-address 000d.9d1c.101a ieee802
!
!
no ip bootp server
ip domain name globalsource.com
ip name-server 192.168.0.1
! Custom port-map entries so the inspect class-maps can match the forwarded
! TCP ports by name; they correspond to the static NAT lines.
ip port-map user-protocol--2 port tcp 20570
ip port-map user-protocol--3 port tcp 20572
ip port-map user-protocol--1 port tcp 5001
ip port-map user-protocol--4 port tcp 20571
!
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
! Local admin account with the root view; "secret 5" is a hash.
username mebernstein privilege 15 view root secret 5 $1$JDyK$M5pRwUdDYFBP7K27/2OSs.
! Config-change logging with passwords masked in the log.
archive
log config
hidekeys
!
!
!
!
ip tcp synwait-time 10
! SSH session limits.  An RSA key pair must exist for SSH to accept
! connections; that is not visible in a running-config, so confirm with
! "show ip ssh".
ip ssh time-out 60
ip ssh authentication-retries 2
!
! One class per forwarded port and per ACL.  Each "-1"/"-2" pair references
! ACLs with identical contents (101/106, 102/107, 103/108, 104/109), so the
! second of each pair is redundant as far as this config shows.
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 109
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 104
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 103
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 102
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 106
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 107
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--3-2
match access-group 108
match protocol user-protocol--3
! Outbound inspection set; the trailing "tcp" and "udp" entries make it
! match essentially all TCP/UDP leaving the LAN.
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
! Router-originated traffic types (used on the self -> out-zone pair).
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
! The class name continues on the next configuration line
! ("sdm-icmp-access"); the paste was split here by a forum page break.
class-map type inspect match-all
sdm-icmp-access
match class-map sdm-cls-icmp-access
! Source addresses that should never be seen from the LAN (ACL 100: limited
! broadcast and loopback).
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
! self -> out-zone: inspect icmp/tcp/udp the router originates, pass the rest.
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
! out-zone -> in-zone: only the port-forward classes are inspected.  The
! ACLs they reference (101-104, 106-109) name the inside (post-NAT)
! addresses, which is what SDM generates for this pair.  The trailing
! class-default has no action, which in zone-based firewall means drop, so
! everything else arriving from the WAN is discarded.
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-user-protocol--4-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class type inspect sdm-nat-user-protocol--2-2
inspect
class type inspect sdm-nat-user-protocol--3-2
inspect
class type inspect sdm-nat-user-protocol--4-2
inspect
class class-default
! in-zone -> out-zone: drop and log spoofed sources, inspect the rest, pass
! anything still unmatched (passed traffic is not tracked statefully).
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class type inspect SDM-Voice-permit
inspect
class class-default
pass
! out-zone -> self: everything dropped and logged, so no management from
! the WAN side.  NOTE(review): this pair also governs traffic addressed to
! the router itself on Gi0/1 - DHCP server replies for the WAN lease and
! inbound RIP updates; if those work today something else must be exempting
! them, otherwise expect them in the log.  Worth confirming.
policy-map type inspect sdm-permit
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
!
interface Null0
no ip unreachables
!
! LAN side: NAT inside, member of in-zone.
interface GigabitEthernet0/0
description $ETH-LAN$$FW_INSIDE$
ip address 192.168.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
! WAN side: address from DHCP, NAT outside, member of out-zone.
! NOTE(review): the RV082 forwards to 192.168.0.102, so the forwards only
! work while DHCP keeps assigning this interface that address; a static
! address here, or a reservation on the RV082, removes that dependency.
interface GigabitEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id GigabitEthernet0/1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
! RIP enabled on whichever interface sits in 192.168.0.0/24 - Gi0/1 if its
! lease is in that network, i.e. toward the RV082 segment.  No key-chain or
! authentication is configured for it in this config.
router rip
network 192.168.0.0
no auto-summary
!
ip forward-protocol nd
! Static default via the RV082, kept alongside any DHCP-learned default.
ip route 0.0.0.0 0.0.0.0 192.168.0.1 permanent
!
!
! Plain-HTTP management limited by ACL 3 to the LAN; HTTPS is disabled.
ip http server
ip http access-class 3
no ip http secure-server
! Port forwards: tcp/5001 -> .254, tcp/20570-20572 -> .38.  Each of these
! ports must also be permitted by the transparent ASA in front of Gi0/1 and
! forwarded by the RV082 for the path to work end to end.
ip nat inside source static tcp 192.168.4.254 5001 interface GigabitEthernet0/1 5001
! PAT for LAN hosts matched by ACL 2.
ip nat inside source list 2 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.4.38 20570 interface GigabitEthernet0/1 20570
ip nat inside source static tcp 192.168.4.38 20572 interface GigabitEthernet0/1 20572
ip nat inside source static tcp 192.168.4.38 20571 interface GigabitEthernet0/1 20571
!
! Not referenced anywhere in this config (no access-group or class-map
! uses it), so it currently has no effect.
ip access-list extended Permit_all_ports
remark SDM_ACL Category=1
permit tcp any any eq 20570 log
!
! Trap severity only; no "logging host" appears in this config, so nothing
! is exported off-box.
logging trap debugging
! Not referenced anywhere in this config (the NAT overload uses list 2).
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
! Source list for the NAT overload entry.
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.4.0 0.0.0.255
! HTTP management restricted to the LAN.
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 3 deny any
! Anti-spoof sources for class-map sdm-invalid-src; that class is only used
! on the in-zone -> out-zone pair, so there is no equivalent check inbound.
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
! Per-forward match lists used by the NAT class-maps.  The pairs are
! identical (101=106, 102=107, 103=108, 104=109).
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.4.254
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.4.38
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.4.38
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.4.38
! VTY source restriction: LAN only.
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 deny ip any any
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.4.254
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.4.38
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.4.38
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.4.38
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CAll your base are belong to us!
^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
! Remote CLI: LAN-only via ACL 105, authenticated against the local user
! database ("local_authen" is defined as local above), so the type-7 line
! password below is not consulted.  Telnet is still accepted alongside SSH;
! "transport input ssh" would limit it to the encrypted protocol.
line vty 0 4
access-class 105 in
password 7 080079693C2A314644
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end