I have been struggling to understand why this is happening for some time now and have had no luck. I have used a 'route-map' to open ranges of ports for our IP phone system on the network, and have used static NAT commands for all other ports that require opening.
After doing several tests using online tools, I have gathered that the only ports which are open are 50 and 1720 (I am assuming that there is another reason why the online tools cannot see all the phone system ports to be open other than them not actually being open).
I have tried both using the external IP address and the external interface for the static NAT translations, however this hasn't seemed to make any difference.
Here is the NAT information from the running config; please let me know if there is any other information which would be useful.
126.96.36.199 has been used in this config as the hypothetical static WAN IP address
10.9.8.1 is the gateway for the management VLAN (the IP address I use to SSH in to the router)
10.9.8.2 is the VLAN1 interface for the only switch in the LAN
172.16.128.194 is the management address for the wireless access point in the LAN
172.16.128.192 is the address of the server
192.168.255.129 is the IP address of the IP phone system
All interfaces on the router are configured with 'ip access-group 1 in' and 'ip access-group 1 out'
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.9.8.1 51 188.8.131.52 51 extendable
ip nat inside source static tcp 10.9.8.2 52 184.108.40.206 52 extendable
ip nat inside source static tcp 172.16.128.194 54 220.127.116.11 54 extendable
ip nat inside source static tcp 172.16.128.192 80 18.104.22.168 80 extendable
ip nat inside source static tcp 172.16.128.192 443 22.214.171.124 443 extendable
ip nat inside source static 192.168.255.129 126.96.36.199 route-map IPECS_Port_Forwarding_NAT
!
ip access-list extended IPECS_Port_Forwarding
 permit tcp host 192.168.255.129 any range 1717 1720
 permit tcp host 192.168.255.129 any eq 50
 permit udp host 192.168.255.129 any range 6000 6047
 permit tcp host 192.168.255.129 any range 6000 6588
 permit udp host 192.168.255.129 any range 8000 8047
 permit udp host 192.168.255.129 any range 9000 9047
 permit udp host 192.168.255.129 any range 5060 5060
 permit udp host 192.168.255.129 any range 5588 5588
 permit udp host 192.168.255.129 any range 7000 7015
 permit udp host 192.168.255.129 any range 7100 7115
 permit udp host 192.168.255.129 any range 7300 7315
!
access-list 1 permit any
route-map IPECS_Port_Forwarding_NAT permit 10
 match ip address IPECS_Port_Forwarding
Thanks in advance for any help that can be given on this issue,
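
An added example, not part of the original post and not Cisco tooling: a small Python parser for extended ACL entries that reports whether each port qualifier binds to the source or the destination side, run over a constructed sample of the IPECS_Port_Forwarding entries above. The function names are hypothetical and only numeric ports with eq, range, gt and lt are assumed.

```python
# Constructed sample: four entries copied from the IPECS_Port_Forwarding ACL.
ACL = """\
permit tcp host 192.168.255.129 any range 1717 1720
permit tcp host 192.168.255.129 any eq 50
permit udp host 192.168.255.129 any range 6000 6047
permit udp host 192.168.255.129 any range 5060 5060
"""

def _take_addr(tok):
    """Consume one address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tok[0] == "any":
        return "any", tok[1:]
    if tok[0] == "host":
        return tok[1], tok[2:]
    return f"{tok[0]}/{tok[1]}", tok[2:]

def _take_ports(tok):
    """Consume an optional port qualifier; return ((lo, hi) or None, rest)."""
    if not tok or tok[0] not in ("eq", "range", "gt", "lt"):
        return None, tok
    if tok[0] == "range":
        return (int(tok[1]), int(tok[2])), tok[3:]
    p = int(tok[1])
    span = {"eq": (p, p), "gt": (p + 1, 65535), "lt": (0, p - 1)}[tok[0]]
    return span, tok[2:]

def parse_ace(line):
    """Parse '<action> <proto> <src> [ports] <dst> [ports]' in that order."""
    tok = line.split()
    action, proto, tok = tok[0], tok[1], tok[2:]
    src, tok = _take_addr(tok)
    sport, tok = _take_ports(tok)   # qualifier right after the source address
    dst, tok = _take_addr(tok)
    dport, tok = _take_ports(tok)   # qualifier right after the destination
    return {"action": action, "proto": proto, "src": src,
            "sport": sport, "dst": dst, "dport": dport}

def port_sides(acl_text):
    """Return (proto, side, lo, hi) for every port qualifier in the ACL."""
    rows = []
    for line in filter(str.strip, acl_text.splitlines()):
        ace = parse_ace(line)
        for side, key in (("source", "sport"), ("destination", "dport")):
            if ace[key] is not None:
                rows.append((ace["proto"], side, *ace[key]))
    return rows

if __name__ == "__main__":
    for row in port_sides(ACL):
        print(row)
```

Every entry in the sample is reported as a destination-side qualifier: a port operator written after `any` constrains the remote port of packets sourced from 192.168.255.129, not the port on the phone system itself.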