07-29-2017 08:26 AM - edited 03-08-2019 11:31 AM
Hello
I have a little ZBF running and I want to translate port 3389 with NAT to an inside machine.
I tried with:
ip nat inside source list 10 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.21 3389 198.168.1.1 3389 extendable
access-list 10 permit 192.168.1.0 0.0.0.255
WAN - FA0/0 public leased ISP addresses
LAN - FA0/1 192.168.1.1 to 192.168.1.21 3389
but port 3389 isn't reachable from the world. Sorry, have I forgotten a route?
Regards
Mauri
07-29-2017 09:23 AM
Hello
Can you post your ZBF config also?
res
Paul
07-29-2017 03:28 PM
07-30-2017 03:30 AM
Hello
I don't see an IP default route; have you not posted it, or don't you have one?
ip route 0.0.0.0 0.0.0.0 fa0/0 dhcp
res
paul
07-30-2017 08:11 AM
Hello Paul
First thanks for your fast answer.
But why do I need this, when all my other clients are running without any problems? Could you possibly answer this for me?
Or is this needed if I use NAT?
Thanks for feedback.
Regards
Mauri
07-30-2017 03:12 PM
Hello
It's required to allow your router to forward traffic from your internal LAN towards the WAN/Internet, and for NAT to be able to translate your non-routable LAN address range to a routable address range.
res
paul
07-31-2017 04:45 AM
Hello Paul
OK, adding this line to my system:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 dhcp
07-31-2017 06:41 AM
Default route needed to be configured as Paul Driver suggested.
Your port forward statement is not written properly for WAN access:
ip nat inside source static tcp 192.168.1.21 3389 198.168.1.1 3389 extendable
It is supposed to be (if the destination host for port forwarding is host 192.168.1.21):
ip nat inside source static tcp 192.168.1.21 3389 interface fa0/0 3389 extend
08-01-2017 01:05 AM
I have also tried to add the following, but this will not appear....
Please, with which command can I check what is running or not?
conf t
class-map type inspect match-any www
match access-group 100
class-map type inspect match-any RDP
match access-group 100
policy-map type inspect Internet_to_Trusted
class type inspect RDP
inspect
class type inspect www
inspect
class class-default
drop
Scanning public IP
- 0080 OPEN - Web-Server
- 3389 OPEN - MS Terminal Services
Regards
Mauri
07-31-2017 10:17 AM
Hello
You will also require an ISP-Trusted rule to allow RDP to be initiated from outside your network.
try this:
no policy-map type inspect Trusted
no class-map type inspect match-any ICMP
access-list 100 permit tcp any any eq 3389
class-map type inspect match-any RDP
match access-group 100
policy-map type inspect ISP-Trusted
class type inspect RDP
inspect
class class-default
drop
zone-pair security ISP-LAN source ISP destination Trusted
service-policy type inspect ISP-Trusted
ip nat inside source static tcp 192.168.1.21 3389 interface FastEthernet0/0 3389
res
Paul
08-01-2017 01:04 AM
Hello Paul
Thanks for your help and answer, but unfortunately it's not running. I have also made some changes, but the page that I need isn't visible. After checking my IP from the router, port 3389 seems open.
Scanning public IP
- 0080 OPEN - Web-Server
- 3389 OPEN - MS Terminal Services
but the page will not appear.
Possibly a routing problem?
What I have also read is that if you implement a ZBF you don't need to set any ACL, but I'm not sure at this moment. Any help would make me happy!
Regards
Mauri
08-01-2017 06:16 AM
Hello
If you need to allow traffic from outside to initiate connections, then you need a rule to allow this.
ZBF does support ACLs, and in fact I don't think you can match on 3386 any other way.
The config I posted should work; however, for testing, remove ZBF from the WAN and LAN interfaces and just test the NATting instead.
int fa0/0
no zone-member security ISP
int fa0/1
no zone-member security Trusted
res
Paul