ASA 9.2 Port Forward

Similar Messages

• ASA 5505 how to create a port forwarding rule

  ASA 5505 IOS ver 9.2.3
  I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
  I tried these commands but they didn't work:
  object network NAS
  host 192.168.2.8
  nat (inside,outside) static interface service tcp 21 1545
  access-list NASFTP-in permit tcp any object NAS eq 1545
  conf t
  int vlan 2
  access-group NASFTP-in permit tcp any object NAS eq 1545
  I really appreciate the help everyone.

  try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60  and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"
  object network obj-10.10.50.60-1
  host 10.10.50.60
  nat (inside,outside) static interface service tcp 80 80
  object network INSIDE
  nat (inside,outside) dynamic interface
  object network WWW-SERVER
  nat (inside,outside) static interface service tcp 80 80
  access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
  access-group Outside_access_in in interface Outside

• Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

  Hello,
  We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
  Thanks for your comments in advance I am new to cisco technology,
  Joe        

  Wrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.

• HELP!! asa 5505 8.4(5) problem with port forwarding-smtp

  Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa  to my mail server.
  my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
  When I run a trace i get "(ACL-Drop) - flow is deied by configured rule"
  below is my config file , any help would be appreciated
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(5)
  hostname ciscoasa
  domain-name domain.local
  enable password mXa5sNUu4rCZ.t5y encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ISPDsl
  ip address 80.80.80.80 255.255.255.255 pppoe setroute
  ftp mode passive
  dns server-group DefaultDNS
  domain-name domain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Server_SMTP
  host 10.0.0.2
  access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network obj_any
  nat (inside,outside) dynamic interface
  object network server_SMTP
  nat (inside,outside) static interface service tcp smtp smtp
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  vpdn group ISP request dialout pppoe
  vpdn group ISP localname [email protected]
  vpdn group ISP ppp authentication chap
  vpdn username [email protected] password *****
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
  : end

  Hi Jennifer
  I have removed that nat line as suggested but still no joy.
  here is my current config
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(5)
  hostname ciscoasa
  domain-name domain.local
  enable password mXa5sNUu4rCZ.t5y encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ISP
  ip address 80.80.80.80 255.255.255.255 pppoe setroute
  ftp mode passive
  dns server-group DefaultDNS
  domain-name domain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Server_Mail
  host 10.0.0.2
  access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network obj_any
  nat (inside,outside) dynamic interface
  object network Server_Mail
  nat (inside,outside) static interface service tcp smtp smtp
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  vpdn group ISP request dialout pppoe
  vpdn group ISP localname [email protected]
  vpdn group ISP ppp authentication chap
  vpdn username [email protected] password *****
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
  : end
  also here is the packet trace
  and my acl
  Thanks

• Cisco ASA 5512, IP NVR port forwarding

  Hi,
  i have Cisco 5512 ASA with version 8.6(1)2. i have one IP NVR for ip cameras.
  please help me how to configure port forwarding in cisco asa in CLI?
  I have static IP on ASA 94.56.178. 222 and NVR IP 10.192.192.100
  thank you so much.

  ASA#
  Phase: 1
  Type: ROUTE-LOOKUP
  Subtype: input
  Result: ALLOW
  Config:
  Additional Information:
  in   94.56.178.222   255.255.255.255 identity
  Phase: 2
  Type: ACCESS-LIST
  Subtype:
  Result: DROP
  Config:
  Implicit Rule
  Additional Information:
   Forward Flow based lookup yields rule:
   in  id=0x7fffa2969000, priority=0, domain=permit, deny=true
          hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
          src ip/id=0.0.0.0, mask=0.0.0.0, port=0
          dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
          input_ifc=OUTSIDE, output_ifc=any
  Result:
  input-interface: OUTSIDE
  input-status: up
  input-line-status: up
  output-interface: NP Identity Ifc
  output-status: up
  output-line-status: up
  Action: drop
  Drop-reason: (acl-drop) Flow is denied by configured rule
  please advise 

• Port Forwarding for Cisco ASA 5505 VPN

  This is the Network
  Linksys E2500 ---> Cisco ASA 5505 ---> Server
  I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
  Thank You

  For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
  Command to enable NAT-T on ASA:
  crypto isakmp nat-traversal 30

• Help: Port forward in Cisco SOHO 97

  Hi there!
  I have a Cisco SOHO 97.
  The IP is: 10.0.0.1/24
  Gw: 0.0.0.0
  *Default route via DIALER1
  I also have a RV042 configured as VPN Server (PPTP and IPSec).
  The IP is: 10.0.0.2/24
  I need help to configure the router to I be able to connect to VPN server from OUTSIDE-WORLD.
  I imagine I need Port forwarding from Cisco SOHO to RV042.
  I hope for possibles answers!
  Thanks!

  Sorry i found the issue.
  The problem was that, i wanted to redirect port 443 (https) to an private address.
  But by default port 443 is reserved to access ASA via https for management.
  I just reserved another port 888 for https management access and now i can redirect port 443 normaly as i wanted.
  Using this command: http server enable 888
  Germain

• Cisco Ironport S160 Port forwarding

  Hi,
  We've got a device within the network which needs to send data out to a website on port 5009. We've setup the following to allow the traffic
  - Identity with the interal IP as  member and bypass the proxy (the device can only be configured with the Proxy IP and port, no logins)
  - Added Port 5009 n HTTP Ports to Proxy
  - Added the destination IP n L4 Traffic allow list
  We are still not able to route the traffic.
  We then tried to get the traffic coming in the other way. We've asked the ISP to put in a port forwarding to forward traffic on Port 5019 to the device. This is also not working. We can get to the device on the internal Port without any issues. The question does the IronPort need to be configured to allow the traffic coming in? We dont have any other incoming port forwarded traffic.

  Hello,
  I will need a quick explanation on how your environment is laid out for your Web Content Appliance.
  1. Is your proxy transparent or explicitly proxied? Do you have multiple proxies that you are load balancing?
  2. If it is explicit, do you use a PAC file or is the proxy configured in the network configuration?
  3. If it is transparent, what do you use to redirect traffic? Is it wccp or L4 redirection? What kind of device are you using to redirect traffic? ASA, Catalyst, Nexus, something else?
  4. Is there any third party devices being used between the proxy and the clients or between the proxy and the outside world?
  5. What are your authentication requirements? How are you authenticating them (NTLMSSP, TUI, or Basic)?
  Thank you for answering these questions.
  Christian Rahl
  Customer Support Engineer
  Cisco Web Content Security Appliance
  Cisco Technical Assistance Center RTP

• Help with port forwarding ASA5505 v8.2

  Hi,
  Having an issue doing a port translation on an ASA5505 for RDP.
  I have a /29 allocated by ISP and when I port forward the address assigned to the outside interface RDP works perfectly, however when I try to use another IP within the /29 range, I get nothing.
  I am only new to ASA so please forgive if this is something obvious...
  Relevant config is:
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.1.12.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address X.X.X.217 255.255.255.248
  access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389
  static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255 sh run acces    
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  access-group OUTSIDE-IN in interface outside
  When I used the outside IP address and it worked perfectly, config difference was only
  access-list OUTSIDE-IN extended permit tcp any host X.X.X.217 eq 3389
  static (inside,outside) tcp X.X.X.217 3389 10.1.12.10 3389 netmask 255.255.255.255
  Any help would be greatly appreciated

  Hey Jouni,
  Packet capture gave me this output which didnt have any TCP 3389... but had some random UDP ports only?
     1: 21:54:55.108377 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.222.222.53:  udp 44
     2: 21:54:58.751929 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.220.220.53:  udp 44
     3: 21:54:59.492238 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.222.222.53:  udp 45
     4: 21:55:02.807468 802.1Q vlan#2 P0 X.X.X.218.63207 > 216.239.34.10.53:  udp 55
     5: 21:55:02.807651 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.220.220.53:  udp 45
     6: 21:55:06.863495 802.1Q vlan#2 P0 X.X.X.218.63414 > 199.253.183.183.53:  udp 56
     7: 21:55:24.599563 802.1Q vlan#2 P0 X.X.X.218.65039 > 208.67.222.222.53:  udp 42
  Config is below:
  ASA Version 8.2(5)
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  switchport access vlan 3
  interface Ethernet0/2
  description TO LAN
  interface Ethernet0/3
  description TO LAN
  interface Ethernet0/4
  description TO LAN
  interface Ethernet0/5
  description TO LAN
  interface Ethernet0/6
  description TO LAN
  interface Ethernet0/7
  description TO LAN
  interface Vlan1
  description TO LAN
  nameif inside
  security-level 100
  ip address 10.1.12.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  ip address X.X.X.217 255.255.255.248
  interface Vlan3
  shutdown
  no forward interface Vlan2
  nameif backup
  security-level 0
  ip address X.X.X.42 255.255.255.252
  ftp mode passive
  dns server-group DefaultDNS
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group icmp-type ICMP
  description ICMP types permitted
  icmp-object echo
  icmp-object echo-reply
  icmp-object unreachable
  icmp-object time-exceeded
  access-list OUTSIDE-IN remark TRAFFIC PERMITTED TO ENTER THE OUTSIDE INTERFACE
  access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389
  access-list OUTSIDE-IN extended permit icmp any interface outside object-group ICMP
  access-list INSIDE-IN remark INSIDE ACCESS
  access-list INSIDE-IN extended permit tcp any any
  access-list INSIDE-IN extended permit ip any any
  access-list INSIDE-IN extended permit icmp any any
  access-list BACKUP-IN remark TRAFFIC PERMITTED TO ENTER THE BACKUP INTERFACE
  access-list BACKUP-IN extended permit icmp any interface backup object-group ICMP
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  mtu backup 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  global (backup) 1 interface
  nat (inside) 0 access-list NO-NAT
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255
  access-group INSIDE-IN in interface inside
  access-group OUTSIDE-IN in interface outside
  access-group BACKUP-IN in interface backup
  route outside 0.0.0.0 0.0.0.0 X.X.X.222 1 track 1
  route backup 0.0.0.0 0.0.0.0 X.X.X.41 254
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  sla monitor 1
  type echo protocol ipIcmpEcho X.X.X.X interface outside
  num-packets 3
  frequency 10
  sla monitor schedule 1 life forever start-time now
  track 1 rtr 1 reachability
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect ip-options
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
    inspect icmp

• Port Forwarding for RDP 3389 is not working

  Hi,
  I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20).  I have made sure it is not an issue with the servers firewall, its just the cisco.  I highlighted in red to what i thought I need in my config to get this  to work.  I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
  TAMSATR1#show run
  Building configuration...
  Current configuration : 11082 bytes
  version 15.2
  no service pad
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  hostname TAMSATR1
  boot-start-marker
  boot system flash:/c880data-universalk9-mz.152-1.T.bin
  boot-end-marker
  logging count
  logging buffered 16384
  enable secret
  aaa new-model
  aaa authentication login default local
  aaa authentication login ipsec-vpn local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authorization console
  aaa authorization exec default local
  aaa authorization network groupauthor local
  aaa session-id common
  memory-size iomem 10
  clock timezone CST -6 0
  clock summer-time CDT recurring
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-1879941380
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1879941380
  revocation-check none
  rsakeypair TP-self-signed-1879941380
  crypto pki certificate chain TP-self-signed-1879941380
  certificate self-signed 01
    3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
    32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
    34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
    ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
    88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
    E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
    542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  ip dhcp excluded-address 10.20.30.1 10.20.30.99
  ip dhcp excluded-address 10.20.30.201 10.20.30.254
  ip dhcp excluded-address 10.20.30.250
  ip dhcp pool tamDHCPpool
  import all
  network 10.20.30.0 255.255.255.0
  default-router 10.20.30.1
  domain-name domain.com
  dns-server 10.20.30.20 8.8.8.8
  ip domain name domain.com
  ip name-server 10.20.30.20
  ip cef
  no ipv6 cef
  license udi pid CISCO881W-GN-A-K9 sn
  crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
  ip tftp source-interface Vlan1
  class-map type inspect match-all CCP_SSLVPN
  match access-group name CCP_IP
  policy-map type inspect ccp-sslvpn-pol
  class type inspect CCP_SSLVPN
    pass
  zone security sslvpn-zone
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp policy 20
  encr aes 192
  authentication pre-share
  group 2
  crypto isakmp key password
  crypto isakmp client configuration group ipsec-ra
  key password
  dns 10.20.30.20
  domain tamgmt.com
  pool sat-ipsec-vpn-pool
  netmask 255.255.255.0
  crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
  crypto ipsec transform-set TSET esp-aes esp-sha-hmac
  crypto ipsec profile VTI
  set security-association replay window-size 512
  set transform-set TSET
  crypto dynamic-map dynmap 10
  set transform-set ipsec-ra
  reverse-route
  crypto map clientmap client authentication list ipsec-vpn
  crypto map clientmap isakmp authorization list groupauthor
  crypto map clientmap client configuration address respond
  crypto map clientmap 10 ipsec-isakmp dynamic dynmap
  interface Loopback0
  ip address 10.20.250.1 255.255.255.252
  ip nat inside
  ip virtual-reassembly in
  interface Tunnel0
  description To AUS
  ip address 192.168.10.1 255.255.255.252
  load-interval 30
  tunnel source
  tunnel mode ipsec ipv4
  tunnel destination
  tunnel protection ipsec profile VTI
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface FastEthernet4
  ip address 1.2.3.4
  ip access-group INTERNET_IN in
  ip access-group INTERNET_OUT out
  ip nat outside
  ip virtual-reassembly in
  no ip route-cache cef
  ip route-cache policy
  ip policy route-map IPSEC-RA-ROUTE-MAP
  duplex auto
  speed auto
  crypto map clientmap
  interface Virtual-Template1
  ip unnumbered Vlan1
  zone-member security sslvpn-zone
  interface wlan-ap0
  description Service module interface to manage the embedded AP
  ip unnumbered Vlan1
  arp timeout 0
  interface Wlan-GigabitEthernet0
  description Internal switch interface connecting to the embedded AP
  switchport mode trunk
  no ip address
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 10.20.30.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
  ip default-gateway 71.41.20.129
  ip forward-protocol nd
  ip http server
  ip http access-class 23
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip dns server
  ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
  ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
  ip nat inside source static 10.20.30.20 (public ip)
  ip route 0.0.0.0 0.0.0.0 public ip
  ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
  ip access-list extended ACL-POLICY-NAT
  deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
  deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
  deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
  permit ip 10.20.30.0 0.0.0.255 any
  permit ip 10.20.31.208 0.0.0.15 any
  ip access-list extended CCP_IP
  remark CCP_ACL Category=128
  permit ip any any
  ip access-list extended INTERNET_IN
  permit icmp any any echo
  permit icmp any any echo-reply
  permit icmp any any unreachable
  permit icmp any any time-exceeded
  permit esp host 24.153. host 66.196
  permit udp host 24.153 host 71.41.eq isakmp
  permit tcp host 70.123. host 71.41 eq 22
  permit tcp host 72.177. host 71.41 eq 22
  permit tcp host 70.123. host 71.41. eq 22
  permit tcp any host 71..134 eq 443
  permit tcp host 70.123. host 71.41 eq 443
  permit tcp host 72.177. host 71.41. eq 443
  permit udp host 198.82. host 71.41 eq ntp
  permit udp any host 71.41. eq isakmp
  permit udp any host 71.41eq non500-isakmp
  permit tcp host 192.223. host 71.41. eq 4022
  permit tcp host 155.199. host 71.41 eq 4022
  permit tcp host 155.199. host 71.41. eq 4022
  permit udp host 192.223. host 71.41. eq 4022
  permit udp host 155.199. host 71.41. eq 4022
  permit udp host 155.199. host 71.41. eq 4022
  permit tcp any host 10.20.30.20 eq 3389
  evaluate INTERNET_REFLECTED
  deny   ip any any
  ip access-list extended INTERNET_OUT
  permit ip any any reflect INTERNET_REFLECTED timeout 300
  ip access-list extended IPSEC-RA-ROUTE-MAP
  deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
  deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
  deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
  deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
  deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
  deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
  permit ip 10.20.30.208 0.0.0.15 any
  deny   ip any any
  access-list 23 permit 70.123.
  access-list 23 permit 10.20.30.0 0.0.0.255
  access-list 24 permit 72.177.
  no cdp run
  route-map IPSEC-RA-ROUTE-MAP permit 10
  match ip address IPSEC-RA-ROUTE-MAP
  set ip next-hop 10.20.250.2
  banner motd ^C
  UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
  You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
  ^C
  line con 0
  logging synchronous
  line aux 0
  line 2
  no activation-character
  no exec
  transport preferred none
  transport input all
  line vty 0
  access-class 23 in
  privilege level 15
  logging synchronous
  transport input telnet ssh
  line vty 1 4
  access-class 23 in
  exec-timeout 5 0
  privilege level 15
  logging synchronous
  transport input telnet ssh
  scheduler max-task-time 5000
  ntp server 198.82.1.201
  webvpn gateway gateway_1
  ip address 71.41. port 443
  http-redirect port 80
  ssl encryption rc4-md5
  ssl trustpoint TP-self-signed-1879941380
  inservice
  webvpn context TAM-SSL-VPN
  title "title"
  logo file titleist_logo.jpg
  secondary-color white
  title-color #CCCC66
  text-color black
  login-message "RESTRICTED ACCESS"
  policy group policy_1
     functions svc-enabled
     svc address-pool "sat-ipsec-vpn-pool"
     svc default-domain "domain.com"
     svc keep-client-installed
     svc split dns "domain.com"
     svc split include 10.0.0.0 255.0.0.0
     svc split include 192.168.0.0 255.255.0.0
     svc split include 172.16.0.0 255.240.0.0
     svc dns-server primary 10.20.30.20
     svc dns-server secondary 66.196.216.10
  default-group-policy policy_1
  aaa authentication list ciscocp_vpn_xauth_ml_1
  gateway gateway_1
  ssl authenticate verify all
  inservice
  end

  Hi,
  I didnt see anything marked with red in the above? (Atleast when I was reading)
  I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
  But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
  There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
  - Jouni

• I am trying to setup port forwarding

  I am trying to setup port forwarding for a mfi 5510l hotspot. I have made the changes on the hotspot but the hotspot doen't respond when tested. Can anyone help?

  If you examine the About section of the Jetpack’s web style user interface, you should find that it has a reserved IP4 IP address. That means your Jetpack doesn’t connect directly to the public internet, your Jetpack is connected to Verizon’s private network. Your port forwarding has no affect on Verizon’s private network.
  The standard recommendation is:
  Purchase a public facing static IP address from Verizon for a one time fee of $500.
  Use a VPN to go around the issue. 
  Use another ISP that provides a static IP address.

• Trying to Port Forward Airport Extreme 802.11ac using Airpot Utility 6.3.2

  Hello kind experts. I am finally getting around to replacing my old BEFSR81 Cisco Router with an old Time Capsule attached with the Airport Extreme 802.11ac.  The BEFSR81 also had 8 ports, so I have 8 hardwired locations throughout the house.  I have a couple of IP cameras for which it was easy to port forward on the Cisco (just click on the port range forwarding tab, type the start/end ranges (which are identical) and the assigned IP address).  Everything has been working well for years.  Here's what I wish to do with the new setup: Cable Modem -> Airport Extreme -> Dumb gigaport switch with the hardwires connected to it.
  When I go to Airport Utility (6.3.2) -> Network Tab -> Port Settings -> "+", the following comes up:
  Firewall Entry Type (Defaulted to IPv4 Port Mapping)
  Description (5 pull down choices)
  Public UDP Ports : _________
  Public TCP Ports: __________
  Private IP Address (I take it that is where I enter the IP address for each camera, e.g. 192.168.1.xxx)?
  Private UDP Ports: __________
  Private TCP Ports: __________
  I am obviously not a technophile, especially when it comes to networking, but was able to create my old setup.
  Any advice on whether or not my configuration is appropriate and what exactly I need to put in the port fields would be greatly appreciated!
  Thanks in advance!

  To successfully access an IP camera on the local network from the Internet, the following basics need to be taken care of:
  Install the camera(s) and verify that you can access them from the local network.
  Configure port mapping/forwarding on your router. Typically, IP cameras require at least two ports: 1) A web port for administering the camera; Usually TCP port 80, and 2) A streaming port to broadcast the camera video feed; Usually UDP port 9000. Note: You should check with your camera's documentation for the exact ports required.
  If the camera is attached to a computer, you will need to configure the computer's firewall to open the same ports as in step 2 above.
  Verify that your modem is in bridge mode, i.e., if the modem provides NAT & DHCP services, turn them off.
  Test your network. Use CheckIP to determine your router's current WAN-side (public) IP address. Then, from a remote location (not from a computer on the local network), use the DynDNS Open Port Tool to verify that the required ports are open. Success is an "Open" response from the Tool.
  Check out the following AirPort User tip for configuring port mapping on an AirPort base station.

• Port forwarding difficult to set up, or doesn't wo...

  Hello, I have a BT Home Hub 5 and needed to forward the ports for a couple of programs i use. Terefore i went  on 192.168.254 to set up the forwarding of the ports.
  Before that set up a static Ip in the router in the classic way (cmd - ipconfig all - copied all the addresses), then i selected in the programs list the program i needed to have (was already in the list so no need to dd a new one) but has been useless. Everything seems nice, but simply it doesn't work. It worked only once, then the day later came back as before.
  Anyone can give me an hand? I read somewhere that this procedure in the router page has some bugs.
  Thank you very much
  Solved!
  Go to Solution.

  mrblue wrote:
  It worked now!! I made a mistake before, i enabled the "use this ip address" but then i should have connect the new game NOT to my pc but to the user defined ip! That was the static one defined before in my pc
  Thank you keith
  Exactly !
  Device names will normally fail, that seems to be a common "feature" of all the home hubs, and most other routers expect you to use the device IP that you have reserved in the DHCP table, or set as a static IP address, outside of the DHCP range. It could be a leftover from the "SpeedTouch" code that seems to underpins the core of all the home hubs, starting from the home hub 1, which I have.
  This is where most people seem to fail, when it comes to port forwarding on the home hub.
  Sometimes you can get away with it and it will appear to work for a while, but then it fails. I hear so many people complaining on this forum that it does not work, which is why I put together my guides, based on my own experience, and other forum users.
  If you have set an IP address on your PC, outside of the DHCP range, then the option "always use this IP address" is not relevant, and could cause problems.
  There are some useful help pages here, for BT Broadband customers only, on my personal website.
  BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

• How do you set up Port Forwarding for ARD 2.2 in AEB N?

  Help,
  I'm a novice at Apple Remote Desktop (ARD) - not an IT guy, so it has to be pretty basic and detailed.
  How do you set up Port Forwarding for ARD 2.2 on the Apple Airport Extreme BS router, 802.11 N. I have one at each end of the internet connection. At one end I have an Airport Extreme N router with 2 macs and eventually 1 windows XP machine (if I can) that I would like to be able to connect to over the interenet (the clients) and at the other end, I have a Mac with ARD 2.2 installed also with an Airport Extreme N router. Note: Both routers use Static IP addresses and all computers use static IP's internally not through DHCP. What are the settings or directions to do this.
  I have read and printed out the directions for Configuration of ARD 3.0 that are posted many times in the ARD discusion group, but it uses a Linksys router ( http://www.starkpr.com/ard.htm posted by Dave Sawyer). The Mac router is different, particularly with the place to set a Private IP address. I'm not sure about alot of things, but especially about the Private IP address, what number do I set it to, the one that is in my Network connections list? It automatically changes to a different number in AE N setup for Port Forwarding (by one) as if it is not suppose to the same?????
  Are there any directions available that are as straight forward for the Airport Extreme N router, as the one's that are listed here for the Linksys Router's? ( http://www.starkpr.com/ard.htm )
  Any and All help will be greatly appreciated.
  P.S. I know I should have 3.0 but bought 2.2 just weeks before 3.0 came out and they would not give me an upgrade price, so I'm waiting for 4.0 to upgrade.
  Thanks,
  Jim

  Try the following for each AirPort Extreme ...
  AEBSn - Port Mapping Setup
  To setup port mapping on an 802.11n AirPort Extreme Base Station (AEBSn), either connect to the AEBSn's wireless network or temporarily connect directly, using an Ethernet cable, to one of the LAN port of the AEBSn, and then use the AirPort Utility, in Manual Setup, to make these settings:
  1. Reserve a DHCP-provided IP address for the host device.
  Internet > DHCP tab
  o On the DHCP tab, click the "+" (Add) button to enter DHCP Reservations.
  o Description: <enter the desired description of the host device>
  o Reserve address by: MAC Address
  o Click Continue.
  o MAC Address: <enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the host computer>
  o IPv4 Address: <enter the desired IP address>
  o Click Done.
  2. Setup Port Mapping on the AEBSn.
  Advanced > Port Mapping tab
  o Click the "+" (Add) button
  o Service: <choose the appropriate service from the Service pop-up menu>
  o Public UDP Port(s): 3283
  o Public TCP Port(s): 3283
  o Private IP Address: <enter the IP address of the host server>
  o Private UDP Port(s): 3283
  o Private TCP Port(s): 3283
  o Click "Continue"
  o Click the "+" (Add) button
  o Service: <choose the appropriate service from the Service pop-up menu>
  o Public UDP Port(s):
  o Public TCP Port(s): 5900
  o Private IP Address: <enter the IP address of the host server>
  o Private UDP Port(s):
  o Private TCP Port(s): 5900
  o Click "Continue"
  o Click the "+" (Add) button
  o Service: <choose the appropriate service from the Service pop-up menu>
  o Public UDP Port(s):
  o Public TCP Port(s): 5988
  o Private IP Address: <enter the IP address of the host server>
  o Private UDP Port(s):
  o Private TCP Port(s): 5988
  o Click "Continue"
  (ref: "Well Known" TCP and UDP ports used by Apple software products)

• SRP547W, How to use multiple WAN IPs for port forwarding?

  Hi folks,
  We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
  What we're trying to acheive is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our Public IPs...
  Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
  We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
  a.b.c.208     Network Address (/29 subnet)
  a.b.c.209     ISP Gateway
  a.b.c.210     IP1
  a.b.c.211     IP2
  a.b.c.212     IP3
  a.b.c.213     IP4
  a.b.c.214     IP5
  a.b.c.215     Broadcast Address
  On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
  VLAN ID:               4088 (Uneditable)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.210
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
  VLAN ID:               4000 (Chosen arbitrarily)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.211
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  When we try to do so however we get:
  Fail!
  Conflict with Ether_WAN2 interface address type
  I should mention at this point that we're running on firmware version 1.02.01 (023).
  Any suggestions on how we can proceed?
  Is there a CLI or other method of configuration that might work if the web interface won't?
  Thanks,
  Tim.

  OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
  As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
  VLAN ID:               4088 (Uneditable)
  Connection Type:       Static IP
  Internet IP Address:   a.b.c.210
  Subnet Mask:           255.255.255.248
  Default Gateway:       a.b.c.209
  We'd now like to expose a server function on IP2, let's say LAN details for this server are:
  VLAN:                  3000
  VLAN IP Range:         192.168.1.1/24
  Server IP:             192.168.1.10
  Server Port:           80
  So first we turn on Software DMZ:
  Status:                Enabled
  Public IP:             a.b.c.211
  Private IP:            192.168.1.10
  WAN Interface:         Ether_WAN2
  My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
  Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
  In Interface (WAN):    All
  Out Interface (LAN):   VLAN.3000
  Source IP:             0.0.0.0
  Source Subnet:         0.0.0.0
  Destination IP:        192.168.1.10
  Destination Subnet:    255.255.255.255
  Protocol:              TCP
  Source Port:           Any
  Destination Port:      Single:80
  Action:                Permit
  Schedule:              Everyday
  Times:                 24 Hours
  Still no dice. What am I missing?
  Cheers,
  Tim.