Cisco NAT/PAT forwarding

This is a discussion on Cisco NAT/PAT forwarding within the Protocols and Routing forums, part of the Tech Support Forum category.


Old 01-01-2011, 12:45 PM   #1
Registered Member
 
Join Date: Jan 2011
Posts: 3
OS: 7


Question

Hello everybody, I am currently trying to configure an 871W to forward port 3389 to the internal address 192.168.1.240. I have been playing with this for a couple of days now, and I have not been able to figure out what I am doing wrong. Any help is appreciated, and if you see anything else wrong, please don't hesitate to correct me. I am still learning everything here. BTW, the outside interface uses DHCP for addressing...



Current configuration : 8415 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SuperRT
!
boot-start-marker
boot-end-marker
!
logging buffered 100000 debugging
enable secret 5 REMOVED
enable password 7 REMOVED
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.1 192.168.2.100
!
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
lease 4
!
!
ip inspect log drop-pkt
ip inspect name MYFW udp
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3692985937
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3692985937
revocation-check none
rsakeypair TP-self-signed-3692985937
!
!
crypto pki certificate chain TP-self-signed-3692985937
certificate self-signed 01
quit
username root privilege 15 password 7 REMOVED
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid GuestWireless
vlan 20
authentication open
authentication key-management wpa
wpa-psk ascii 7 REMOVED
!
ssid SuperWRT
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 REMOVED
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2452
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no snmp trap link-status
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no snmp trap link-status
!
interface Vlan1
no ip address
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Dialer1
no ip address
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
!
interface BVI10
description Bridge to Internal Network$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
ip classless
!
ip http server
ip http secure-server
ip nat log translations syslog
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any eq 4000
permit tcp any any eq 3389
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any log
access-list 101 permit udp host 8.8.4.4 eq domain any
access-list 101 permit udp host 8.8.8.8 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
!
control-plane
!
bridge 10 route ip
!
line con 0
password 7 REMOVED
no modem enable
line aux 0
line vty 0 4
password 7 REMOVED
!
scheduler max-task-time 5000
end
joshbuss is offline  
Old 01-01-2011, 02:58 PM   #2
TSF Emeritus
 
Join Date: Sep 2010
Location: Oregon
Posts: 16,395
OS: Vista/Win7



I am no expert in Cisco, but a couple of observations:

ip dhcp excluded-address 192.168.1.1 192.168.1.100
and
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389

It appears to me you are excluding 1-100, but you have assigned 240 as a static, which should be out of the DHCP scope, yet it's in the DHCP scope. Not a forwarding issue, but it can cause an IP conflict.

https://www.cisco.com/en/US/docs/ios/...html#wp1079180

ip nat inside source static (TCPorUDP) (YourCompsIP) (PortToForward) interface BVI1 (PortToForward)
so
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389
looks good
Wand3r3r is offline  
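As an added example (not code from the thread or from Cisco), a small Python audit of the pieces this forward depends on, run over a re-indented excerpt of the config from post #1: it confirms the static NAT line matches the interface marked "ip nat outside", finds which ACL is really applied inbound there and whether it permits the port (and flags that ACL 101's leading "permit ip any any" makes it a no-op, so the ACL is not what blocks 3389), lists policy bound to interfaces that have no IP address (Internet-inbound-ACL and the MYFW inspection sit on Dialer1, which has none), and repeats the DHCP-scope overlap check Wand3r3r raised. The excerpt and the function names are constructed for this example.

```python
import re
from ipaddress import ip_address, ip_network
# Constructed excerpt of the config in post #1, re-indented as IOS prints it (the
# forum copy lost the leading spaces); only the lines this audit reads are kept.
CONFIG = """\
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp pool VLAN10
 network 192.168.1.0 255.255.255.0
interface FastEthernet4
 ip access-group 101 in
 ip nat outside
interface Dialer1
 no ip address
 ip access-group Internet-inbound-ACL in
interface BVI10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389
access-list 101 permit ip any any log
"""

def interfaces(cfg):
    """Map each 'interface X' stanza to the list of its indented sub-commands."""
    stanzas = re.finditer(r"^interface (\S+)\n((?: .*\n)*)", cfg, re.M)
    return {m[1]: [s.strip() for s in m[2].splitlines()] for m in stanzas}

def audit_forward(cfg, host, port):
    """Check each piece a static TCP forward of host:port depends on."""
    ifs = interfaces(cfg)
    out = next((n for n, c in ifs.items() if "ip nat outside" in c), None)
    acl = next((c.split()[2] for c in ifs.get(out, [])
                if c.startswith("ip access-group") and c.endswith(" in")), None)
    rules = re.findall(rf"^access-list {acl} permit (.*)$", cfg, re.M) if acl else []
    pools = [ip_network(f"{n}/{m}") for n, m in re.findall(r"^ network (\S+) (\S+)$", cfg, re.M)]
    excl = [(ip_address(a), ip_address(b)) for a, b in re.findall(r"^ip dhcp excluded-address (\S+) (\S+)$", cfg, re.M)]
    h = ip_address(host)
    return {
        "outside_if": out,
        "static_ok": f"ip nat inside source static tcp {host} {port} interface {out} {port}" in cfg.splitlines(),
        "inbound_acl": acl,
        # a leading 'permit ip any any' means the outside ACL filters nothing, so it cannot be what blocks 3389
        "acl_wide_open": any(r.startswith("ip any any") for r in rules),
        "acl_permits_port": any(re.match(rf"(ip any any|tcp .*eq {port}\b)", r) for r in rules),
        # ACL or inspection bound to an interface with no IP address (Dialer1 here) never sees a packet
        "orphaned_policy": [n for n, c in ifs.items() if "no ip address" in c
                            and any(x.startswith(("ip access-group", "ip inspect")) for x in c)],
        # the static host lies inside a DHCP pool network but outside every excluded range
        "dhcp_overlap": any(h in p for p in pools) and not any(a <= h <= b for a, b in excl),
    }
```

Run audit_forward(CONFIG, "192.168.1.240", 3389) and every finding except the NAT line itself comes back as something to fix before looking further: the wide-open outside ACL, the orphaned Dialer1 policy and the DHCP overlap.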
Old 01-02-2011, 03:07 PM   #3
Registered Member
 
Join Date: Jan 2011
Posts: 3
OS: 7



.240 is being assigned by DHCP, but is assigned via MAC address, so we will not run into IP conflicts. I still am unable to connect on port 3389 (or any port that I try to forward). I have verified that all local firewalls are turned off and have even tried separate hosts on the LAN with different IPs.

I must be missing something in my config...
joshbuss is offline  
Old 01-02-2011, 08:27 PM   #4
TSF Emeritus
 
Join Date: Sep 2010
Location: Oregon
Posts: 16,395
OS: Vista/Win7



First test: can you connect from PC to PC via RDP?
Wand3r3r is offline  
Old 01-02-2011, 08:32 PM   #5
Registered Member
 
Join Date: Jan 2011
Posts: 3
OS: 7



Yes, internally I can RDP into it PC-2-PC, no problem. The issue is when I try to RDP from outside the LAN. I have verified that all firewalls on the host have been disabled, so they will not interfere with my testing. (I can re-enable them later.)
joshbuss is offline  