I have an issue on a Cisco 877 using IOS 12.4(20)T3 where I already have one port forward that works, which uses a route-map to avoid dramas with the remote subnet being subjected to the static port forward locally. I need to create an additional port forward which uses a different external port than 3389, as I only have a single external static IP and 3389 is already in use for the first server on the local LAN. This is the specific section for the port forwarding rules.

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.100.2 80 210.xxxx 80 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.2 443 210.xxxx 443 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.2 3389 210.xxxx 3389 route-map No-Eden-NAT extendable

This one does not work ----->

ip nat inside source static tcp 192.168.100.3 3389 210.xxxx 8000 route-map SecureRDP extendable

I have tried using external ports other than 8000 but they do not work either. And below are listed the route-maps:

route-map No-Eden-NAT permit 10
 match ip address 120
!
route-map SDM_RMAP_1 permit 1
 match ip address 107
!
route-map SecureRDP permit 10
 description Map for direct RDP to both Servers from certain IP's
 match ip address 130

access-list 120 remark Deny Eden subnet being routed in via port forward
access-list 120 deny ip host 192.168.100.2 192.168.101.0 0.0.0.255
access-list 120 permit ip host 192.168.100.2 any
access-list 130 remark Deny Eden subnet and restrict RDP access
access-list 130 deny ip host 192.168.100.3 192.168.101.0 0.0.0.255
access-list 130 permit ip host 192.168.100.3 any

Surely a Cisco router should be able to port forward from an alternate external port to a second server using 3389?? There is also a ZBFW, but I have checked over those rules a million times and am convinced that they are correct, as the rules match the port forwards that are working.

I believe that there is some bug in the IOS that will not port forward when the external port and the internal port do not match!! Any help is greatly appreciated, as I can't change the internal port for the second server as it's a Terminal Server.
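An added example (not the poster's configuration or any Cisco code) that models the static NAT entries and route-map ACLs above: it parses the `ip nat inside source static` lines, flags any outside ip:port claimed by two entries (which would shadow each other), and evaluates the route-map ACL so you can confirm a flow from 192.168.100.3 towards the Eden subnet is exempted from translation while a flow to the Internet is not. The outside address 210.xxxx is masked on the page, so the constructed sample uses the documentation address 203.0.113.1 as a placeholder; the ACL model only covers the host/subnet entries shown in the post.

```python
import ipaddress
import re

# Constructed sample copied from the post; 210.xxxx replaced by the
# documentation address 203.0.113.1 (placeholder, not the real outside IP).
NAT_CONFIG = """
ip nat inside source static tcp 192.168.100.2 80 203.0.113.1 80 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.2 443 203.0.113.1 443 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.2 3389 203.0.113.1 3389 route-map No-Eden-NAT extendable
ip nat inside source static tcp 192.168.100.3 3389 203.0.113.1 8000 route-map SecureRDP extendable
"""
ROUTE_MAPS = {"No-Eden-NAT": 120, "SecureRDP": 130}   # route-map -> matched ACL number
ACLS = {  # (action, source host, destination network), in the order written in the post
    120: [("deny", "192.168.100.2", "192.168.101.0/24"), ("permit", "192.168.100.2", "0.0.0.0/0")],
    130: [("deny", "192.168.100.3", "192.168.101.0/24"), ("permit", "192.168.100.3", "0.0.0.0/0")],
}
NAT_RE = re.compile(r"ip nat inside source static tcp (\S+) (\d+) (\S+) (\d+) route-map (\S+)")

def parse_static_nat(text):
    """Return one dict per static entry: inside ip/port, outside ip/port, route-map name."""
    keys = ("inside", "iport", "outside", "oport", "rmap")
    return [dict(zip(keys, m.groups())) for m in NAT_RE.finditer(text)]

def outside_conflicts(entries):
    """Outside ip:port pairs claimed by more than one entry; later ones would be shadowed."""
    seen = {}
    for e in entries:
        seen.setdefault((e["outside"], e["oport"]), []).append(e["inside"] + ":" + e["iport"])
    return {k: v for k, v in seen.items() if len(v) > 1}

def acl_permits(acl, src, dst):
    """First-match ACL evaluation with the implicit deny at the end."""
    for action, host, net in ACLS[acl]:
        if src == host and ipaddress.ip_address(dst) in ipaddress.ip_network(net):
            return action == "permit"
    return False

def translation_for(entries, src, sport, dst):
    """Outside ip:port an inside->outside flow would be translated to, or None when the
    route-map's ACL denies it (the Eden-subnet exemption) or no entry matches."""
    for e in entries:
        if e["inside"] == src and e["iport"] == sport and acl_permits(ROUTE_MAPS[e["rmap"]], src, dst):
            return e["outside"] + ":" + e["oport"]
    return None
```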
I am having trouble with our 2801 QoS after changing over to a PPP multilink. QoS setup is as follows.

policy-map IBC-QOS-ORIGINAL
 class IBC-VOIP
  priority percent 30
 class IBC-GOLD
  bandwidth percent 30
 class class-default
  fair-queue 4096
  random-detect

Each ATM is as follows:

interface ATM0/1/0
 description FNN0264921537
 bandwidth 850
 no ip address
 load-interval 30
 no atm ilmi-keepalive
 bundle-enable
 dsl noise-margin 3
 dsl bitswap both
 pvc 8/35
  vbr-nrt 850 850
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1

Dialer is as follows:

interface Dialer1
 bandwidth 1850
 ip address negotiated
 ip mtu 1460
 ip flow ingress
 encapsulation ppp
 load-interval 30
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxxx
 ppp multilink
 ppp multilink interleave
 ppp multilink fragment delay 20
 ppp multilink queue depth qos 3
 service-policy output IBC-QOS-ORIGINAL

I am running 12.4(24)T1. show ppp multilink displays:

Virtual-Access4
  Bundle name: SydneySGBP
  Remote Username: SydneySGBP
  Remote Endpoint Discriminator: SydneySGBP
  Local Username: email@example.com
  Local Endpoint Discriminator: firstname.lastname@example.org
  Bundle up for 1d18h, total bandwidth 3400, load 5/255
  Receive buffer limit 24384 bytes, frag timeout 1000 ms
  Interleaving enabled
  Dialer interface is Dialer1
  0/0 fragments/bytes in reassembly list
  933 lost fragments, 64095 reordered
  0/0 discarded fragments/bytes, 0 lost received
  0x5EA704 received sequence, 0x579C2E sent sequence
  Member links: 2 (max not set, min not set)
    Vi3, since 1d18h, 4250 weight, 1496 frag size
      PPPoATM link, ATM PVC 8/35 on ATM0/3/0
      Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
    Vi2, since 1d18h, 4250 weight, 1496 frag size
      PPPoATM link, ATM PVC 8/35 on ATM0/1/0
      Packets in ATM PVC Holdq: 0, Particles in ATM PVC Tx Ring: 0
No inactive multilink interfaces

The bundle bandwidth concerns me?

If I change the dialer bandwidth, the QoS policies break, with the percentages of bandwidth going all wrong. I also get the virtual-access queueing displaying output drops on the Voice priority class when I am sure that there are not that many calls, as we use G.729. Any help or advice anybody can give me is most appreciated. BTW, this is the show policy-map on the dialer if it helps.

show policy-map interface dialer 1

 Dialer1

  Service-policy output: IBC-QOS-ORIGINAL

    queue stats for all priority classes:
      queue limit 64 packets
      (queue depth/total drops/no-buffer drops) 0/0/0
      (pkts output/bytes output) 0/0

    Class-map: IBC-VOIP (match-any)
      1106655 packets, 61662210 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Match: dscp ef (46)
        1100759 packets, 61185446 bytes
        30 second rate 0 bps
      Match: ip precedence 5
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name nodephone
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name Asterisk
        5896 packets, 476764 bytes
        30 second rate 0 bps
      Priority: 30% (555 kbps), burst bytes 13850, b/w exceed drops: 0

    Class-map: IBC-GOLD (match-any)
      476057 packets, 86197097 bytes
      30 second offered rate 2000 bps, drop rate 0 bps
      Match: protocol citrix
        113921 packets, 20388798 bytes
        30 second rate 0 bps
      Match: access-group name CitrixRDP
        362135 packets, 65807735 bytes
        30 second rate 2000 bps
      Match: dscp af11 (10)
        1 packets, 564 bytes
        30 second rate 0 bps
      Match: ip precedence 3
        0 packets, 0 bytes
        30 second rate 0 bps
      Match: access-group name ibc-management
        0 packets, 0 bytes
        30 second rate 0 bps
      Queueing
      queue limit 64 packets
      (queue depth/total drops/no-buffer
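An added example (not the poster's output or any Cisco tooling) that reads a `show policy-map interface` excerpt like the one above, pulls out each class's counters and the priority class's allocated kbps, and checks that the router's figure is what the policy's percentage implies for the configured interface bandwidth, which is the relationship the poster sees break when the dialer bandwidth is changed (30% of 1850 kbps is the 555 kbps shown). The sample text is a constructed excerpt copied from the post; the 75% cap is the IOS default max-reserved-bandwidth and is assumed to be left at its default.

```python
import re

# Constructed excerpt of the poster's `show policy-map interface dialer 1` output.
SHOW_POLICY = """
Service-policy output: IBC-QOS-ORIGINAL
    Class-map: IBC-VOIP (match-any)
      1106655 packets, 61662210 bytes
      30 second offered rate 0 bps, drop rate 0 bps
      Priority: 30% (555 kbps), burst bytes 13850, b/w exceed drops: 0
    Class-map: IBC-GOLD (match-any)
      476057 packets, 86197097 bytes
      30 second offered rate 2000 bps, drop rate 0 bps
"""
DIALER_BANDWIDTH_KBPS = 1850  # from 'interface Dialer1 / bandwidth 1850'
POLICY = {"IBC-VOIP": ("priority", 30), "IBC-GOLD": ("bandwidth", 30)}  # percent, from the policy-map
MAX_RESERVED_PERCENT = 75     # IOS default max-reserved-bandwidth (assumed unchanged)

def parse_classes(text):
    """Return {class name: counters} from the show output; first packets/bytes line per class only."""
    classes, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Class-map: (\S+)", line)
        if m:
            cur = classes[m.group(1)] = {}
            continue
        if cur is None:
            continue
        m = re.match(r"\s*(\d+) packets, (\d+) bytes", line)
        if m and "packets" not in cur:
            cur["packets"], cur["bytes"] = int(m.group(1)), int(m.group(2))
        m = re.search(r"drop rate (\d+) bps", line)
        if m:
            cur["drop_rate_bps"] = int(m.group(1))
        m = re.search(r"Priority: (\d+)% \((\d+) kbps\).*exceed drops: (\d+)", line)
        if m:
            cur["priority_pct"], cur["priority_kbps"], cur["exceed_drops"] = map(int, m.groups())
    return classes

def expected_kbps(percent, bandwidth_kbps=DIALER_BANDWIDTH_KBPS):
    """kbps a percent-based class receives for a given interface bandwidth (integer, as IOS shows)."""
    return bandwidth_kbps * percent // 100

def check_policy(classes, policy=POLICY, bandwidth_kbps=DIALER_BANDWIDTH_KBPS):
    """Findings: reserved total over the cap, priority kbps not matching the bandwidth, or LLQ drops."""
    findings = []
    reserved = sum(pct for _, pct in policy.values())
    if reserved > MAX_RESERVED_PERCENT:
        findings.append(f"reserved {reserved}% exceeds max-reserved-bandwidth {MAX_RESERVED_PERCENT}%")
    for name, (kind, pct) in policy.items():
        c = classes.get(name, {})
        if kind == "priority" and c.get("priority_kbps") != expected_kbps(pct, bandwidth_kbps):
            findings.append(f"{name}: router shows {c.get('priority_kbps')} kbps, expected {expected_kbps(pct, bandwidth_kbps)}")
        if c.get("exceed_drops"):
            findings.append(f"{name}: {c['exceed_drops']} priority b/w exceed drops")
    return findings
```

Running `check_policy(parse_classes(SHOW_POLICY))` against the posted output returns no findings; passing `bandwidth_kbps=3400` (the bundle figure the poster is worried about) flags that 30% would then be 1020 kbps, not the 555 kbps the router shows.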