port forwarding 8866, 5733 on Cisco800 IOS Security?

hdoramane
Level 1

Hi,

I am experiencing a serious problem when I try to open and forward port 8866 for Geovision on the iPhone and port 5733 for UltraVNC on the 800 series IOS Security router.

I used these commands:

access-list 112 permit tcp 192.168.2.200 8866 80.X.X.X eq 8866

access-list 112 permit tcp 192.168.2.10 5733 80.X.X.X eq 5733

Static NAT Rules:

ip nat source static 192.168.2.200 8866 80.X.X.X 8866

ip nat source static 192.168.2.19 5733  80.X.X.X 5733

but when I try to access the server at http://80.X.X.X:8866 with the Geovision application on the iPhone, it doesn't work, and the same with the UltraVNC client.

I also configured an L2L VPN tunnel and it works, but when I try to print from one site to the other it doesn't work. My VPN ACL permits ip from site 1 to site 2; is there a port to open for the printer?

Thanks for your assistance; let me know if you need both configurations, I can post them here.

BR

Hassan

16 Replies

manasjai
Cisco Employee

Hi Hassan,

It would be great if you could attach the configuration!!

What I understand is that we have 2 issues:

1) we cannot access http://80.x.x.x:8866 from the internet

2) we have issues with printing through an L2L tunnel. (Please attach the configuration of both ends.)

Can you ping the printer from the remote side? When you try to ping, what is the status of encaps and decaps on the remote side and the printer side?

Cheers,

Manasi!!

Hi Manasi,

Thanks for your reply.

It would be great if you could attach the configuration!!

Please find attached the config of both routers.

1) we cannot access http://80.x.x.x:8866 from the internet

Yes, you're correct, and also port number 5733 for UltraVNC (please take a look at the ACLs and NAT for services 8866 and 5733).

2) we have issues with printing through an L2L tunnel. (Please attach the configuration of both ends.)

Can you ping the printer from the remote side? When you try to ping, what is the status of encaps and decaps on the remote side and the printer side?

Yes, it's an issue with printing over the L2L VPN tunnel (the tunnel is up).

I can ping the printer from site A (192.168.1.9/24; the printer's IP address is 192.168.2.27 on site B, but my print server is on site A with IP address 192.168.1.2).

So the ping is OK but all print jobs fail.

Thanks in advance for help

BR

Hassan

Hi,

I see that you have access-list 112 applied on your dialer interface. When you try to access the IP address 80.x.x.x on port 8866 from outside, the source IP is any and the destination is 80.x.x.x on port 8866, so the access-list should be:

access-list 112 permit tcp any host 80.X.X.X eq 8866

I do not see any NAT rule for port 5733 in the configuration, but the same rule would apply to that too:

ip nat inside source static tcp 192.168.2.200 5733 80.X.X.X 5733

access-list 112 permit tcp any host 80.X.X.X eq 5733

About the printing job: if you are able to ping, that means we do have connectivity to the printer through the tunnel.

Please check the following things:

1. Whether you have any settings on the printer which deny print requests from a different subnet

2. Whether the print requests get queued on the printer

3. The status of encaps and decaps on both routers after a print request is sent!!

Cheers,

Manasi
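An added example, not code from the thread: a small Python checker that compares a port-forward ACL line and a static NAT line against the form given in this reply ('access-list N permit tcp any host PUBLIC eq PORT' and 'ip nat inside source static tcp INSIDE PORT PUBLIC PORT'). The public address 80.0.0.1 is a placeholder standing in for 80.X.X.X; the lines it is run on are the ones from the original post and from this reply.

```python
PUBLIC_IP = "80.0.0.1"  # placeholder standing in for 80.X.X.X in the thread

def _addr_spec(t, i):
    """Consume one IOS address spec at t[i]: 'any', 'host A' or 'A WILDCARD'."""
    if t[i] == "any":
        return "any", None, i + 1
    if t[i] == "host":
        return "host", t[i + 1], i + 2
    return "wild", (t[i], t[i + 1]), i + 2

def _port_spec(t, i):
    """Consume an optional 'eq N' at t[i]."""
    if i < len(t) and t[i] == "eq":
        return int(t[i + 1]), i + 2
    return None, i

def check_forward_acl(line, public_ip, port):
    """Return the problems with an ACL line meant to let internet clients
    reach public_ip:port; an empty list means the line is correct."""
    t = line.split()
    if len(t) < 5 or t[0] != "access-list" or t[2:4] != ["permit", "tcp"]:
        return ["not an 'access-list N permit tcp' line"]
    try:
        src_kind, _, i = _addr_spec(t, 4)
        src_port, i = _port_spec(t, i)
        dst_kind, dst, i = _addr_spec(t, i)
        dst_port, i = _port_spec(t, i)
    except (IndexError, ValueError):
        return ["malformed address or port specification"]
    problems = []
    if src_kind != "any":
        problems.append("source should be 'any': the client can come from any internet address")
    if src_port is not None:
        problems.append("no source port: clients pick a random source port, only the destination port is fixed")
    if dst_kind != "host" or dst != public_ip:
        problems.append(f"destination should be 'host {public_ip}'")
    if dst_port != port:
        problems.append(f"destination port should be 'eq {port}'")
    return problems

def check_static_nat(line, inside_ip, public_ip, port):
    """Return the problems with a per-port static NAT line (empty list = OK)."""
    want = ["ip", "nat", "inside", "source", "static", "tcp",
            inside_ip, str(port), public_ip, str(port)]
    t = line.split()
    problems = []
    if t[:6] != want[:6]:
        problems.append("should start 'ip nat inside source static tcp' (the form used in the reply)")
    if t[6:] != want[6:]:
        problems.append(f"should end '{inside_ip} {port} {public_ip} {port}'")
    return problems
```

Run against the original post's lines it reports the source-port and destination mistakes; against the lines in this reply it reports nothing.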

Hi,

I will make modifications and come back with results.

Thanks for your help

BR

Hassan

Hi,

I made the modifications:

access-list 112 permit tcp any host 80.X.X.X eq 8866

I do not see any NAT rules for port 5733 in the configuration but the same rule would be applied to that too!!

ip nat inside source static tcp 192.168.2.200 5733 80.X.X.X 5733

access-list 112 permit tcp any host 80.X.X.X eq 5733

but it doesn't work, I can't access ports 8866 and 5733 from outside.

For the printer job, I will do a test and update the case.

What I don't understand is that it works with ports 8080, 8181, 5511.

Thanks for any other idea.

BR

Hassan

Hey Hassan,

All right, let's do this. Let's apply an access list on the int vlan1 of the router (inside) and see if the router is forwarding the packets to the host 192.168.2.200.

Here x.x.x.x is the IP address of the PC on the internet from where you are trying to access the application.

ip access-l  ext 199

permit tcp host x.x.x.x host 192.168.2.200 eq 8866

permit ip any any

ip access-l ext 200

permit tcp host 192.168.2.200 eq 8866 host x.x.x.x

permit ip any any

ip access-l ext 112

1 permit tcp host x.x.x.x host 80.x.x.x eq 8866

Please make sure that you put in permit ip any any in 199 and 200, else you'd lose internet access.

int vlan1

ip access-g 199 out

ip access-g 200 in

Now we would check the hit counts on capo and capi. I request you to then send the following outputs:

sh access-l 199

sh access-l 200

sh access-l 112

sh ip nat translations | in 192.168.2.200

By doing this we can find out if the packets are being sent out to the server and if the server is replying!!

Cheers,

Manasi!!
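An added example, not code from the thread: a Python parser for 'show access-lists' output that reads the two probe ACLs the way this reply describes, summing the hits on the outbound probe (packets the router forwarded to the server) and on the inbound probe (the server's answers), and reporting which of the two is missing. The sample output, the client address 1.2.3.4 and the hit counts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the style of 'show access-lists' for the two probe
# ACLs from the reply (199 = vlan1 out, 200 = vlan1 in). The client address
# 1.2.3.4 and the hit counts are made up for this example.
SAMPLE = """\
Extended IP access list 199
    10 permit tcp host 1.2.3.4 host 192.168.2.200 eq 8866 (12 matches)
    20 permit ip any any (43021 matches)
Extended IP access list 200
    10 permit tcp host 192.168.2.200 eq 8866 host 1.2.3.4
    20 permit ip any any (40112 matches)
"""

HEADER = re.compile(r"^Extended IP access list (\S+)")
ENTRY = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?\s*$")

def parse_show_access_lists(text):
    """Return {acl: [(seq, action, rule, matches), ...]}; an entry printed
    without a '(N matches)' suffix has never been hit, so matches == 0."""
    acls, current = defaultdict(list), None
    for line in text.splitlines():
        h = HEADER.match(line)
        if h:
            current = h.group(1)
            continue
        e = ENTRY.match(line)
        if e and current is not None:
            seq, action, rule, hits = e.groups()
            acls[current].append((int(seq), action, rule, int(hits or 0)))
    return dict(acls)

def hits_for_port(entries, port):
    """Sum the hit counts of the permit entries that name TCP port 'port'."""
    return sum(m for _, action, rule, m in entries
               if action == "permit" and re.search(rf"\beq {port}\b", rule))

def diagnose(show_output, out_acl, in_acl, port):
    """Hits on the outbound probe mean the router forwarded packets to the
    server; hits on the inbound probe mean the server answered."""
    acls = parse_show_access_lists(show_output)
    sent = hits_for_port(acls.get(out_acl, []), port)
    answered = hits_for_port(acls.get(in_acl, []), port)
    if sent == 0:
        return "not forwarded"         # look at NAT and the outside ACL
    if answered == 0:
        return "no reply from server"  # packets reach the host; look at the host
    return "server replying"
```

On the constructed sample the verdict is "no reply from server", the same situation the next post in the thread reports.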

Hi Manasi

Thanks for your answer and your time.

Let me test this and send the outputs. I can see that ports 8866, 5511, 8181 work on the same server 192.168.2.200.

BR

Hassan

Hi Manasi,

I did the test and I can see that packets are sent out to the server but the server doesn't reply.

Please find attached the outputs of all the commands suggested.

Thanks

BR

Hassan

Hey,

Sorry, I changed acl 200 to acl 198; acl 199 is still not modified.

My internet IP address is X.X.X.X, the public IP address of the router is 80.X.X.X, and the server IP address is 192.168.2.200.

BR

Hassan

Hi,

Could you post a sh run please (hiding confidential info of course).

Because your static NAT for port 80 is not in the NAT table, that's weird.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi Alain,

Thanks for your answer. See attached the sh run of the router.

BR

Hassan

Hi,

For Geovision, on this link they say to open 80, 8866 and 5511, but I don't see all these ports forwarded and allowed on the iPhone.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi,

"For Geovision, on this link they say to open 80, 8866 and 5511, but I don't see all these ports forwarded and allowed on the iPhone."

Which link? The iPhone is working with ports 8866 and 5511; it works with port 5511 but doesn't work on 8866.

I have the same app on the iPhone and it works, but with a Netgear router which I'm trying to replace with the Cisco.

Thanks

Hassan

Hi,

I had forgotten to put the link, but anyway no problem as it was working before.

I think you should capture packets on the router, save them as pcap and open them with tcpdump or Wireshark, if the feature is available.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps9913/datasheet_c78-502727.html

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

Regards.

Alain.

Don't forget to rate helpful posts.