Hi, I have configured my 1921 with nat overload for my network. NAT/PAT is working fine and everyone can access the internet, and my static address translations for remote desktop are working as well. However, when I go to apply access list 101 to my inbound outside interface, all internet connectivity is lost. For some reason my RDP connections are being allowed when the access list isn't applied to the interface. Also, port 23 (telnet) is showing as open to the outside (canyouseeme.org) without an access list. I want only the ports in the access list (RDP, ect.) to be accessible from the outside, and I want SSH access to the router from the outside as well. Any help would be appriciated...thanks! This config is without the access list outside_access_in applied to the outside interface. Building configuration... Current configuration : 2274 bytes ! ! Last configuration change at 01:01:13 UTC Sat Jul 7 2012 by ADMIN ! NVRAM config last updated at 00:59:39 UTC Sat Jul 7 2012 by ADMIN ! NVRAM config last updated at 00:59:39 UTC Sat Jul 7 2012 by ADMIN version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname *****1921 ! boot-start-marker boot-end-marker ! ! ! no aaa new-model ! no ipv6 cef ip source-route ip cef ! ! ! ! ! multilink bundle-name authenticated ! crypto pki token default removal timeout 0 ! ! license udi pid CISCO1921/K9 sn ******* ! ! username ******* privilege 15 secret ***** ! ! ! ! ! ! interface Embedded-Service-Engine0/0 no ip address shutdown !         interface GigabitEthernet0/0 ip address X.X.X.X 255.255.255.224 ip nat outside ip virtual-reassembly in duplex auto speed auto ! interface GigabitEthernet0/1 ip address 10.254.51.1 255.255.255.248 ip nat inside ip virtual-reassembly in duplex auto speed auto ! ! router eigrp 1 network 10.0.0.0 ! ip forward-protocol nd ! no ip http server no ip http secure-server ! ip nat inside source list 100 interface GigabitEthernet0/0 overload ip nat inside source static tcp 10.100.51.10 3389 interface GigabitEthernet0/0 3389 ip nat inside source static tcp 10.100.51.251 1723 interface GigabitEthernet0/0 1723 ip route 0.0.0.0 0.0.0.0 gi0/0 ! access-list 100 remark Allow PAT access-list 100 permit ip 10.0.0.0 0.255.255.255 any access-list 101 remark Outside_Access_in access-list 101 permit icmp any any echo access-list 101 permit tcp any any eq 3389 access-list 101 permit tcp any any eq 1723 access-list 101 permit gre any any ! ! ! control-plane ! !         ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 login local transport input all ! scheduler allocate 20000 1000 end ... View more

Hi, I'm having issues both with port forwarding and VPN with my PIX. I've tried different ways to set up port forwarding for remote desktop, but I still haven't had any luck. With the VPN, I can secure a connection into the PIX, but I cannot access the internet or ping any of my devices on the remote network. The config is below. Thanks! hostname PIX-515E-1 domain-name ##### enable password #####  encrypted passwd ##### encrypted names ! interface Ethernet0 description Outside nameif Outside security-level 0 ip address x.x.x.x 255.255.255.224 ! interface Ethernet1 nameif inside security-level 100 ip address 192.168.1.1 255.255.255.0 ! interface Ethernet2 shutdown no nameif no security-level no ip address ! interface Ethernet3 shutdown no nameif no security-level no ip address ! interface Ethernet4 shutdown no nameif no security-level no ip address ! interface Ethernet5 shutdown no nameif no security-level no ip address ! ftp mode passive dns server-group DefaultDNS domain-name ##### object-group service RDP tcp port-object eq 3389 access-list Outside_access_in extended permit icmp any any access-list Outside_access_in extended permit tcp host 192.168.1.10 any object-group RDP access-list Outside_access_in_1 remark RDP access-list Outside_access_in_1 extended permit tcp any any eq 3389 pager lines 24 logging enable logging asdm informational mtu Outside 1500 mtu inside 1500 ip local pool pool1 192.168.1.20-192.168.1.29 mask 255.255.255.0 no failover icmp unreachable rate-limit 1 burst-size 1 icmp permit any Outside icmp permit any inside no asdm history enable arp timeout 14400 global (Outside) 1 interface nat (Outside) 0 192.168.1.0 255.255.255.0 nat (inside) 1 0.0.0.0 0.0.0.0 static (Outside,inside) tcp interface 3389 192.168.1.10 3389 netmask 255.255.255.255 access-group Outside_access_in_1 in interface Outside route Outside 0.0.0.0 0.0.0.0 ##### 1 timeout xlate 3:00:00 timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02 timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00 timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00 timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute timeout tcp-proxy-reassembly 0:01:00 dynamic-access-policy-record DfltAccessPolicy aaa authentication enable console LOCAL aaa authentication ssh console LOCAL aaa authentication http console LOCAL aaa authorization command LOCAL aaa local authentication attempts max-fail 10 http server enable http 192.168.1.100 255.255.255.255 inside http 192.168.1.0 255.255.255.0 inside http 0.0.0.0 0.0.0.0 Outside no snmp-server location no snmp-server contact snmp-server enable traps snmp authentication linkup linkdown coldstart crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac crypto ipsec transform-set ESP-DES-SHA1 esp-des esp-sha-hmac crypto ipsec transform-set myset esp-des esp-md5-hmac crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec security-association lifetime seconds 28800 crypto ipsec security-association lifetime kilobytes 4608000 crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set pfs crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 1 set transform-set ESP-DES-SHA1 ESP-3DES-SHA crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 10 set transform-set myset crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5 crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Outside_map interface Outside crypto map inside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map inside_map interface inside crypto ca trustpoint ASDM_TrustPoint0 enrollment self fqdn PIX-515E-1 subject-name CN=PIX-515E-1 no client-types crl configure crypto ca trustpoint ASDM_TrustPoint1 enrollment self fqdn PIX-515E-1 subject-name CN=PIX-515E-1 keypair #### no client-types crl configure crypto ca certificate chain ASDM_TrustPoint0 certificate e93c7a4f <output omitted>   quit crypto ca certificate chain ASDM_TrustPoint1 certificate 083d7a4f <output omitted>   quit crypto isakmp enable Outside crypto isakmp enable inside crypto isakmp policy 10 authentication pre-share encryption 3des hash sha     group 2 lifetime 86400 crypto isakmp policy 65535 authentication rsa-sig encryption des hash md5 group 2 lifetime 86400 no vpn-addr-assign aaa telnet 0.0.0.0 0.0.0.0 inside telnet timeout 5 ssh 0.0.0.0 0.0.0.0 Outside ssh 0.0.0.0 0.0.0.0 inside ssh 192.168.1.0 255.255.255.0 inside ssh timeout 5 ssh version 2 console timeout 0 threat-detection basic-threat threat-detection statistics host threat-detection statistics port threat-detection statistics protocol threat-detection statistics access-list no threat-detection statistics tcp-intercept group-policy GroupPolicy1 internal group-policy 51 internal group-policy 51 attributes dns-server value 192.168.1.10 167.102.160.34 vpn-tunnel-protocol IPSec default-domain value ##### group-policy VPN1 internal group-policy VPN1 attributes dns-server value 192.168.1.10 167.102.160.34 vpn-tunnel-protocol IPSec default-domain value ##### username ##### password ##### encrypted privilege 15 username ##### attributes vpn-group-policy GroupPolicy1 username ##### password #### encrypted privilege 15 username admin attributes service-type admin tunnel-group TunnelGroup1 type remote-access tunnel-group TunnelGroup1 general-attributes authentication-server-group (Outside) LOCAL authorization-server-group LOCAL tunnel-group TunnelGroup1 ipsec-attributes pre-shared-key * peer-id-validate cert chain        trust-point ASDM_TrustPoint0 tunnel-group VPN1 type remote-access tunnel-group VPN1 general-attributes address-pool pool1 default-group-policy VPN1 tunnel-group VPN1 ipsec-attributes pre-shared-key * tunnel-group 51 type remote-access tunnel-group 51 general-attributes address-pool pool1 default-group-policy 51 tunnel-group 51 ipsec-attributes pre-shared-key * ! class-map inspection_default match default-inspection-traffic ! ! policy-map type inspect dns preset_dns_map parameters   message-length maximum 512 policy-map global_policy class inspection_default   inspect dns preset_dns_map   inspect ftp   inspect h323 h225   inspect h323 ras   inspect netbios   inspect rsh   inspect rtsp   inspect skinny    inspect esmtp   inspect sqlnet   inspect sunrpc   inspect tftp   inspect sip    inspect xdmcp ! service-policy global_policy global prompt hostname context Cryptochecksum:c367f64420d2281a8d2a2d51d23cf852 : end ... View more