12-24-2010 12:29 PM
Hi,
I experience a strong problem when I try to open and forward port 8866 for Geovision on iPhone and port 5733 for UltraVNC on the Router 800 IOS Security.
I do these commands:
access-list 112 permit tcp 192.168.2.200 8866 80.X.X.X eq 8866
access-list 112 permit tcp 192.168.2.10 5733 80.X.X.X eq 5733
Static NAT Rules:
ip nat source static 192.168.2.200 8866 80.X.X.X 8866
ip nat source static 192.168.2.19 5733 80.X.X.X 5733
but when I try to access the servers on http://80.X.X.X:8866 with the Geovision application on the iPhone, it doesn't work, also with the UltraVNC client.
I also configured an L2L VPN tunnel and it works, but when I try to print from one site to another it doesn't work. My VPN ACL is permit ip from site 1 to site 2; is there a port to open for the printer?
Thanks for your assistance; let me know if you need both configurations, I can put them here.
BR
Hassan
12-25-2010 04:10 AM
Hi Hassan,
It would be great if you could attach the configuration!!
What I understand is we have 2 issues:
1) we cannot access http://80.x.x.x:8866 from the internet
2) we have issues with printing through a L2L tunnel. !!(Please attach the configuration of both the ends)
Can you ping the printer from the remote side? When you try to ping, what is the status of encaps and decaps on the remote side and printer side?
Cheers,
Manasi!!
12-25-2010 06:20 AM
Hi Manasi,
Thanks for your reply.
It would be great if you could attach the configuration!!
Please find here the config of both routers.
1) we cannot access http://80.x.x.x:8866 from the internet
Yes, you're correct, and the port number 5733 for UltraVNC (please take a look at the ACLs and NAT according to services 8866, 5733).
2) we have issues with printing through a L2L tunnel. !!(Please attach the configuration of both the ends)
Can you ping the printer from the remote side? When you try to ping, what is the status of encaps and decaps on the remote side and printer side?
Yes, it's an issue about printing over the VPN L2L tunnel (the tunnel is up).
I can ping the printer from site A (192.168.1.9/24; the printer's IP address is 192.168.2.27 on site B, but my print server is on site A with IP address 192.168.1.2),
so the ping is OK but all print jobs are down.
Thanks in advance for help
BR
Hassan
12-25-2010 07:08 AM
Hi,
I see that you have access-list 112 applied on your dialer interface. When you try to access the IP address 80.x.x.x on port 8866 from outside, the source IP is any and the destination is 80.x.x.x on port 8866, so the access-list should be:
access-list 112 permit tcp any host 80.X.X.X eq 8866
I do not see any NAT rules for port 5733 in the configuration but the same rule would be applied to that too!!
ip nat inside source static tcp 192.168.2.200 5733 80.X.X.X 5733
access-list 112 permit tcp any host 80.X.X.X eq 5733
About the printing job, if you are able to ping, that means we do have connectivity to the printer through the tunnel.
Please check the following things:
1. If you have any settings on the printer which denies print requests from different subnet
2. check if the print requests get queued on the printer
3. status of encaps and decaps on both the routers after print request is sent!!
Cheers,
Manasi
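Added example (not from the thread): a small Python model of IOS extended-ACL matching that shows why the first-posted entry never matches an inbound connection on the dialer interface while the corrected entry does, and that the corrected list still denies every port that was not explicitly forwarded. The public and client addresses are constructed documentation-range stand-ins for 80.X.X.X and x.x.x.x.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str    # "permit" or "deny"
    proto: str     # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str       # "any", "host A.B.C.D" or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str
    dport: int = 0  # destination port for "eq N"; 0 means any port


def _net(spec: str) -> ipaddress.IPv4Network:
    """Translate an IOS address spec into a network; wildcard bits set to 1 are 'don't care'."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    parts = spec.split()
    if parts[0] == "host":
        return ipaddress.ip_network(f"{parts[1]}/32")
    addr, wildcard = parts
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))  # invert wildcard to a netmask
    return ipaddress.ip_network((addr, str(ipaddress.ip_address(netmask))), strict=False)


def evaluate(acl: list[Ace], proto: str, src_ip: str, dst_ip: str, dport: int) -> str:
    """First matching ACE wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s not in _net(ace.src) or d not in _net(ace.dst):
            continue
        if ace.dport and ace.dport != dport:
            continue
        return ace.action
    return "deny"


# Constructed stand-ins: 203.0.113.10 for the router's public 80.X.X.X, 198.51.100.7 for the Internet client.
PUBLIC = "host 203.0.113.10"
ORIGINAL_112 = [Ace("permit", "tcp", "host 192.168.2.200", PUBLIC, 8866)]  # source = inside host, as first posted
FIXED_112 = [Ace("permit", "tcp", "any", PUBLIC, 8866),                    # as suggested in the reply above
             Ace("permit", "tcp", "any", PUBLIC, 5733)]


def inbound_verdicts() -> dict[str, str]:
    """Verdicts for a constructed inbound TCP SYN hitting the dialer interface from the Internet."""
    pkt = ("tcp", "198.51.100.7", "203.0.113.10")
    return {
        "original_8866": evaluate(ORIGINAL_112, *pkt, 8866),  # deny: Internet source is not 192.168.2.200
        "fixed_8866": evaluate(FIXED_112, *pkt, 8866),        # permit
        "fixed_5733": evaluate(FIXED_112, *pkt, 5733),        # permit
        "fixed_3389": evaluate(FIXED_112, *pkt, 3389),        # deny: only the forwarded ports are exposed
    }
```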
12-25-2010 01:26 PM
Hi,
I will make modifications and come back with results.
Thanks for your help
BR
Hassan
12-25-2010 01:53 PM
Hi,
I did the modifications:
access-list 112 permit tcp any host 80.X.X.X eq 8866
I do not see any NAT rules for port 5733 in the configuration but the same rule would be applied to that too!!
ip nat inside source static tcp 192.168.2.200 5733 80.X.X.X 5733
access-list 112 permit tcp any host 80.X.X.X eq 5733
but it doesn't work, I can't access ports 8866 and 533 from outside.
For the printer job, I will do a test and update the case.
What I don't understand is that it works with ports 8080, 8181, 5511.
Thanks for any other idea.
BR
Hassan
12-25-2010 07:25 PM
Hey Hassan,
All right, let's do this. Let's apply an access list on the int vlan1 of the router (inside) and see if the router is forwarding the packets to the host 192.168.2.200.
Here x.x.x.x is the IP address of the PC on the internet from where you are trying to access the application.
ip access-l ext 199
permit tcp host x.x.x.x host 192.168.2.200 eq 8866
permit ip any any
ip access-l ext 200
permit tcp host 192.168.2.200 eq 8866 host x.x.x.x
permit ip any any
ip access-l ext 112
1 permit tcp host x.x.x.x host 80.x.x.x eq 8866
Please make sure that you put in permit ip any any in 199 and 200, else you'd lose internet access.
int vlan1
ip access-g 199 out
ip access-g 200 in
Now we would check the hit counts on capo and capi. I request you to then send the following outputs.
sh access-l 199
sh access-l 200
sh access-l 112
sh ip nat translations | in 192.168.2.200
By doing this we can find out if the packets are being sent out to the server and if the server is replying!!
Cheers,
Manasi!!
12-26-2010 03:10 AM
Hi Manasi
Thanks for your answer and your time.
Let me test this and send outputs. I can see that ports 8866, 5511, 8181 work on the same server 192.168.2.200.
BR
Hassan
12-26-2010 11:56 AM
12-26-2010 12:10 PM
hey,
Sorry, I changed ACL 200 to ACL 198, and ACL 199 is still not modified.
My internet IP address is X.X.X.X, my public IP address of the router is 80.X.X.X, server IP address = 192.168.2.200.
BR
Hassan
12-27-2010 02:41 AM
Hi,
Could you post a sh run please (hiding confidential info of course)?
Because your static NAT for port 80 is not in the NAT table; that's weird.
Regards.
Alain.
12-27-2010 05:33 AM
12-27-2010 08:14 AM
Hi,
For Geovision, on this link they say to open 80, 8866 and 5511, but I don't see all these ports forwarded and allowed on iPhone.
Regards.
Alain.
12-27-2010 08:35 AM
Hi,
"For Geovision, on this link they say to open 80, 8866 and 5511, but I don't see all these ports forwarded and allowed on iPhone."
Which link? The iPhone is working with ports 8866 and 5511; it's working with port 5511 but doesn't work on 8866.
I had the same app on the iPhone and it works, but with a Netgear router which I'm trying to replace with Cisco.
Thanks
Hassan
12-27-2010 12:18 PM
Hi,
I had forgotten to put the link, but anyway no problem as it was working before.
I think you should capture packets on the router, save them as pcap and open them with tcpdump or Wireshark, if the feature is available.
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6555/ps9913/datasheet_c78-502727.html
Regards.
Alain.