D6200 Port Forwarding | VPN question!
*I just tried to open the following ports on a Netgear D6200:*
VPN-PPTP TCP 1723
VPN-L2TP UDP 1701
VPN-IPSEC UDP 500
I selected the...
Hi - I have a TT super router and wish to use the D6200 wireless capabilities. I have found instructions and connections on the TT forum and connected...
Similar Messages
-
Home Hub 3 Port Forwarding Issue - Question to BT
Question to BT
Hello, I have recently joined BT Infinity and have hit the issue of the Port Forwarding not working. My HH3 is on the following version of software. Will this version automatically upgrade to the latest version of firmware, and will this fix my port forwarding issue?
As I work in IT (Cisco Network Eng) I need to be able to access several devices/services at home and this is a real pain for me. If you think that this could drag on as some posts have indicated, could you please let me know and I will either get a DrayTek or throw in a Cisco 1841.
Thank you
Dean.
Current firmware:
V100R001C01B031SP09_L_B
Last updated:
Unknown
requiem wrote:
Question to BT
Hello, I have recently joined BT Infinity and have hit the issue of the Port Forwarding not working. My HH3 is on the following version of software. Will this version automatically upgrade to the latest version of firmware, and will this fix my port forwarding issue?.........
Thank you
Dean.
Current firmware:
V100R001C01B031SP09_L_B
Last updated:
Unknown
Hi Dean
By the look of it you've got the type B version of the HH3 with current firmware.
From http://bt.custhelp.com/app/answers/detail/a_id/13073
The latest versions of the firmware are:
BT Home Hub 3 – Software version 4.7.5.1.83.8.57.1.3 (Type A) or V100R001C01B031SP09_L_B
Please Click On any Text in Blue as that automatically links to information.
PC (NDEGR) -
Help needed please (Port forwarding/Firewall Question)
So I'm hooked up through my router, so if I want to play a game I have to port forward, so I'm told.
OK, I'm at my port forwarding menu and it's asking for the following info... some of this info I know and some I have no idea what it means or where I can get it from. Here are the parts I'm asked to enter that I have no idea what to enter......
Source IP Address:
Destination IP Address
Source Netmask:
Destination Port Map
Where do I find out these things!?... I'm a COMPLETE novice when it comes to routers and I'm so confused.
Hello,
Unfortunately, that information is going to have to come from the people who are providing you the online game.
The settings you need are going to depend on what their program requires, and how they communicate with your computer.
All of this is different for each service you are trying to use.
Here are some articles to get you familiarized with the concept though:
http://en.wikipedia.org/wiki/Port_forwarding
http://forums.furthurnet.org/viewtopic.php?p=3821
http://www.boutell.com/newfaq/creating/forwardports.html
http://panasonic.co.jp/pcc/products/en/netwkcam/technic/port_fwrd.html
http://p2p.weblogsinc.com/2005/04/24/how-to-configure-your-router-to-allow-fast-bittorrent-downloads/
While they all discuss doing it with different routers, the principles and ideas are the same.
But, the actual configuration is going to depend on the specific needs of the service you are trying to use (the particular online game).
I hope this helps. -
Simple Port Forwarding / ACL Question
Hi Everyone,
I'm kind of a novice when it comes to Cisco configuration. I went to college for networking but haven't used it enough since graduating, and I'm having some trouble with opening some ports for email to my home PC.
Specifically I'm trying to set up IMAP with Gmail to be downloaded to my Mozilla Thunderbird client. I'm using a similar syntax for other ports that I've opened but it isn't working. I also did a "show access-list" and saw that one of my rules had hit counts on it, but I'm not sure what this means as far as troubleshooting goes.
Can someone lend a hand and explain what I'm doing wrong? If you're feeling extra nice, could you let me know what I would need to do to open some Xbox Live ports as well? The rules aren't set up yet but the ports are present in my config. I've bolded the relevant ports below.
*** Config ****
ASA Version 8.2(5)
hostname RyansFirewall
enable password C5OQraC02mISnP8p encrypted
passwd 3mBdM08UO1apR0bB encrypted
names
name 192.168.1.130 theking
name 192.168.1.240 wap
name 192.168.1.252 cam
name 192.168.1.253 switch
name 192.168.1.150 xbox
name x.x.x.x vpnreactor
name x.x.x.x HSoftware
name x.x.x.x Mom_and_Dad
interface Ethernet0/0
description Connection_to_Cable_Modem
switchport access vlan 10
interface Ethernet0/1
description Cisco_Catalyst_2960
interface Ethernet0/2
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
description Guest_Wireless
switchport access vlan 20
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
description Private_Internal_Lan
nameif inside
security-level 100
ip address 192.168.1.254 255.255.255.0
interface Vlan10
description WOW_Internet
nameif outside
security-level 0
ip address dhcp setroute
interface Vlan20
description Guest_Wireless
no forward interface Vlan1
nameif dmz
security-level 30
ip address 172.16.1.254 255.255.255.0
boot system disk0:/asa825-k8.bin
ftp mode passive
clock timezone Eastern -5
object-group network outside_ip_group
description This group contains a list of allowed public IP Addresses
network-object HSoftware 255.255.255.255
network-object Mom_and_Dad 255.255.255.255
object-group service Xbox_Ports tcp-udp
description Ports needed for Xbox Live
port-object eq www
port-object eq 88
port-object eq domain
port-object eq 3074
object-group service Email_Ports tcp-udp
description Ports needed for Email
port-object eq 143
port-object eq 465
port-object eq 587
port-object eq 993
access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 1024
access-list outside_access_in extended permit tcp any any eq 3389
access-list outside_access_in extended permit tcp any any eq ftp
access-list outside_access_in extended permit gre host vpnreactor host theking
access-list outside_access_in extended permit tcp host vpnreactor host theking eq pptp
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended permit icmp any any time-exceeded
access-list outside_access_in extended permit icmp any any unreachable
access-list outside_access_in extended permit tcp object-group outside_ip_group any eq 5900
access-list outside_access_in extended permit tcp any any object-group Email_Ports
access-list outside_access_in extended permit udp any any object-group Email_Ports
pager lines 24
mtu inside 1500
mtu outside 1500
mtu dmz 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-635.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (outside) 1 access-list outside_access_in
nat (dmz) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp theking ftp netmask 255.255.255.255
static (inside,outside) tcp interface 1024 cam 1024 netmask 255.255.255.255
static (inside,outside) tcp interface 5900 theking 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
static (inside,outside) tcp interface 587 theking 587 netmask 255.255.255.255
static (inside,outside) tcp interface 993 theking 993 netmask 255.255.255.255
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh Mom_and_Dad 255.255.255.255 outside
ssh HSoftware 255.255.255.255 outside
ssh timeout 10
console timeout 10
dhcpd address 192.168.1.2-192.168.1.25 inside
dhcpd dns x.x.x.x x.x.x.x interface inside
dhcpd lease 10800 interface inside
dhcpd domain RyanJohn interface inside
dhcpd enable inside
dhcpd address 172.16.1.2-172.16.1.25 dmz
dhcpd dns 8.8.8.8 8.8.4.4 interface dmz
dhcpd domain RyanJohnGuest interface dmz
dhcpd enable dmz
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username XXXXX password ZpRIy72StEDDpdfG encrypted
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect pptp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:3c7abf7d5d55aba0e19d5da340132000
: end
*** Show Access List ****
RyansFirewall# show access-list outside_access_in
access-list outside_access_in; 19 elements; name hash: 0x6892a938
access-list outside_access_in line 1 extended permit tcp object-group outside_ip_group any eq 1024 0xf13a69fb
access-list outside_access_in line 1 extended permit tcp host HSoftware any eq 1024 (hitcnt=0) 0xc8c42900
access-list outside_access_in line 1 extended permit tcp host Mom_and_Dad any eq 1024 (hitcnt=0) 0x7e777675
access-list outside_access_in line 2 extended permit tcp any any eq 3389 (hitcnt=7451) 0x51a647d7
access-list outside_access_in line 3 extended permit tcp any any eq ftp (hitcnt=11) 0x8d0d5aac
access-list outside_access_in line 4 extended permit gre host vpnreactor host theking (hitcnt=0) 0x894a4bbb
access-list outside_access_in line 5 extended permit tcp host vpnreactor host theking eq pptp (hitcnt=0) 0xcb0322a8
access-list outside_access_in line 6 extended permit icmp any any echo-reply (hitcnt=563) 0x54b872f3
access-list outside_access_in line 7 extended permit icmp any any time-exceeded (hitcnt=703) 0x03690eb3
access-list outside_access_in line 8 extended permit icmp any any unreachable (hitcnt=7408) 0x5c2fa603
access-list outside_access_in line 9 extended permit tcp object-group outside_ip_group any eq 5900 0xe88875b2
access-list outside_access_in line 9 extended permit tcp host HSoftware any eq 5900 (hitcnt=0) 0x2208e16f
access-list outside_access_in line 9 extended permit tcp host Mom_and_Dad any eq 5900 (hitcnt=0) 0xa3aaaedd
access-list outside_access_in line 10 extended permit tcp any any object-group Email_Ports 0x91529965
access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd
access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e
access-list outside_access_in line 10 extended permit tcp any any eq 587 (hitcnt=0) 0x734d200d
access-list outside_access_in line 10 extended permit tcp any any eq 993 (hitcnt=0) 0xb91930a9
access-list outside_access_in line 11 extended permit udp any any object-group Email_Ports 0xe12dbb9d
access-list outside_access_in line 11 extended permit udp any any eq 143 (hitcnt=0) 0x34d1c49d
access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908
access-list outside_access_in line 11 extended permit udp any any eq 587 (hitcnt=0) 0x6e3b53a3
access-list outside_access_in line 11 extended permit udp any any eq 993 (hitcnt=0) 0x7f9dd9b7
Hi Riyasat,
Here is the result of the command. I'm a little confused though as it said it passed through although this port is still not open to my inside host.
RyansFirewall# packet-tracer input outside tcp 8.8.8.8 465 Outside_IP 465 detailed
Phase: 1
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
match tcp inside host theking eq 465 outside any
static translation to Outside_IP/465
translate_hits = 0, untranslate_hits = 2
Additional Information:
NAT divert to egress interface inside
Untranslate Outside_IP/465 to theking/465 using netmask 255.255.255.255
Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group outside_access_in in interface outside
access-list outside_access_in extended permit tcp any any eq 465
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd863ac20, priority=12, domain=permit, deny=false
hits=9, user_data=0xd613bd70, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=465, dscp=0x0
Phase: 3
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7de9018, priority=0, domain=inspect-ip-options, deny=true
hits=20003, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 4
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
nat (outside) 1 access-list outside_access_in
match tcp outside any outside any eq 3389
dynamic translation to pool 1 (Outside_IP [Interface PAT])
translate_hits = 0, untranslate_hits = 0
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7e62278, priority=2, domain=host, deny=false
hits=25913, user_data=0xd7e61e60, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 5
Type: HOST-LIMIT
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xd7debf90, priority=0, domain=host-limit, deny=false
hits=143, user_data=0x0, cs_id=0x0, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 6
Type: NAT
Subtype: rpf-check
Result: ALLOW
Config:
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
match tcp inside host theking eq 465 outside any
static translation to Outside_IP/465
translate_hits = 0, untranslate_hits = 2
Additional Information:
Forward Flow based lookup yields rule:
out id=0xd7e84380, priority=5, domain=nat-reverse, deny=false
hits=3, user_data=0xd7e58b08, cs_id=0x0, flags=0x0, protocol=6
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=theking, mask=255.255.255.255, port=465, dscp=0x0
Phase: 7
Type: NAT
Subtype: host-limits
Result: ALLOW
Config:
static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
match tcp inside host theking eq 3389 outside any
static translation to 0.0.0.0/3389
translate_hits = 0, untranslate_hits = 107
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7e70e30, priority=5, domain=host, deny=false
hits=1642, user_data=0xd7e6c678, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=theking, mask=255.255.255.255, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 8
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0xd7d9e160, priority=0, domain=inspect-ip-options, deny=true
hits=30929, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Phase: 9
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 31012, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: allow -
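Reading the "show access-list" hit counters against the "static" translations by hand is where this kind of troubleshooting usually goes wrong. The following Python checker is an added example, not code from the post or from Cisco; it parses the expanded ACEs (the lines that carry a hitcnt) and the interface-PAT statics, then reports ports permitted without any translation, translations whose ACE has never been hit (the traffic is not reaching the outside interface, so look upstream), and rules open to any source that are actively being hit. The sample text is a constructed subset of the lines in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the 'show access-list' dump and 'static' lines from the post.
SHOW_ACL = """\
access-list outside_access_in line 2 extended permit tcp any any eq 3389 (hitcnt=7451) 0x51a647d7
access-list outside_access_in line 3 extended permit tcp any any eq ftp (hitcnt=11) 0x8d0d5aac
access-list outside_access_in line 9 extended permit tcp object-group outside_ip_group any eq 5900 0xe88875b2
access-list outside_access_in line 9 extended permit tcp host HSoftware any eq 5900 (hitcnt=0) 0x2208e16f
access-list outside_access_in line 10 extended permit tcp any any eq imap4 (hitcnt=17) 0x53d153bd
access-list outside_access_in line 10 extended permit tcp any any eq 465 (hitcnt=0) 0x4d992f5e
access-list outside_access_in line 11 extended permit udp any any eq 465 (hitcnt=0) 0x5cc4b908
"""

STATICS = """\
static (inside,outside) tcp interface 3389 theking 3389 netmask 255.255.255.255
static (inside,outside) tcp interface ftp theking ftp netmask 255.255.255.255
static (inside,outside) tcp interface 5900 theking 5900 netmask 255.255.255.255
static (inside,outside) tcp interface 143 theking 143 netmask 255.255.255.255
static (inside,outside) tcp interface 465 theking 465 netmask 255.255.255.255
"""

# The ASA prints well-known ports by name; only the names that occur on this page are mapped.
PORT_NAMES = {"ftp": 21, "www": 80, "domain": 53, "imap4": 143, "pptp": 1723}

ACE_RE = re.compile(
    r"^access-list \S+ line \d+ extended permit (tcp|udp) (.+?) eq (\S+) \(hitcnt=(\d+)\)"
)
STATIC_RE = re.compile(
    r"^static \(inside,outside\) (tcp|udp) interface (\S+) (\S+) (\S+) netmask"
)


def port_number(token):
    """Turn a port token ('465' or 'imap4') into an integer."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_aces(show_acl):
    """Collect the expanded ACEs, i.e. the lines that carry a hitcnt.

    Object-group summary lines have no hitcnt and are skipped; the per-member
    expansions printed beneath them are the ones that count.
    """
    aces = []
    for line in show_acl.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue
        proto, endpoints, port, hits = m.groups()
        aces.append({
            "proto": proto,
            "port": port_number(port),
            "src_any": endpoints.split()[0] == "any",  # 'any any' vs 'host X any'
            "hits": int(hits),
        })
    return aces


def parse_statics(static_cfg):
    """Collect interface-PAT static translations (proto, outside port, inside host)."""
    statics = []
    for line in static_cfg.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, outside_port, host, inside_port = m.groups()
            statics.append({"proto": proto, "port": port_number(outside_port),
                            "host": host, "inside_port": port_number(inside_port)})
    return statics


def audit(show_acl, static_cfg):
    """Cross-check ACL permits against static translations and hit counts."""
    aces = parse_aces(show_acl)
    statics = parse_statics(static_cfg)
    static_keys = {(s["proto"], s["port"]) for s in statics}
    hits_by_key = defaultdict(int)
    for a in aces:
        hits_by_key[(a["proto"], a["port"])] += a["hits"]

    findings = {"permit_without_static": [], "static_never_hit": [], "open_to_any": []}
    # Permitted on the outside ACL, but nothing un-NATs that port: the ACE is dead weight.
    for key in sorted({(a["proto"], a["port"]) for a in aces}):
        if key not in static_keys:
            findings["permit_without_static"].append(key)
    # Translation exists but its ACE has never matched: packets are not arriving
    # at the outside interface at all, so the problem is upstream of the ASA.
    for s in statics:
        key = (s["proto"], s["port"])
        if hits_by_key[key] == 0:
            findings["static_never_hit"].append(key)
    # Rules open to any source that are actively being hit deserve a second look.
    for a in aces:
        if a["src_any"] and a["hits"] > 0:
            findings["open_to_any"].append((a["proto"], a["port"], a["hits"]))
    return findings


if __name__ == "__main__":
    for name, items in audit(SHOW_ACL, STATICS).items():
        print(f"{name}: {items}")
```

On the sample, tcp/465 shows up as a translation that is never hit while tcp/3389 is open to any source with thousands of hits; both are worth acting on before adding more forwards.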
Cisco 5520 ASA Port Forward to Endian Firewall VPN Question
Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
Joe
Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.
-
How to IPsec site to site vpn port forwarding to remote site?
Hi All,
The scenario: a site-to-site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is that a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also, I could not ping the remote LAN or printer from the router.
Below is my configuration on the Cisco 877 in Site A. Would you please advise the solution for that?
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Laverton
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 10
crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
69666963 6174652D 31313139 39343930 3831301E 170D3132 30363135 30343032
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 31313939
quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool DHCP_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.134.49
lease infinite
ip cef
no ipv6 cef
multilink bundle-name authenticated
object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
archive
log config
hidekeys
no ip ftp passive
interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 10
shutdown
interface FastEthernet3
interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address NAT
route-map SDM_RMAP_2 permit 1
match ip address 101
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Your help would be very appreciated!
PS: I know it is easier if I configure Site A as the VPN server, but in our scenario we need to access the printer from the Internet over the static WAN IP of Site A.
Thanks,
Thai
Is there anyone who can help, please?
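The configuration above forwards Dialer0:8000 and Dialer0:9100 to 192.168.2.99, a host on the far side of the tunnel, while the crypto map's "match address 100" only selects 192.168.1.0/24 to 192.168.2.0/24. Inbound on the WAN interface, IOS un-NATs first and then routes, so the un-NATed packet follows the default route back out Dialer0 and is encrypted only if the crypto ACL matches it. The following checker is an added example (not code from the post or from Cisco) that parses those lines and evaluates, for each static forward, whether a packet from an Internet source would be selected for the tunnel; 203.0.113.10 is a constructed TEST-NET-3 address standing in for a remote user.

```python
import ipaddress
import re

# Constructed from the Cisco 877 configuration in the post: the two static forwards
# for the printer and the crypto ACL that selects tunnel traffic.
CONFIG = """\
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 match address 100
"""

# Constructed TEST-NET-3 address standing in for a user on the Internet.
INTERNET_CLIENT = "203.0.113.10"

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)"
)
ACL_RE = re.compile(r"^access-list (\d+) (permit|deny) ip (.+)$")
MATCH_RE = re.compile(r"^\s*match address (\d+)")


def wildcard_net(addr, wildcard):
    """IOS 'address wildcard' -> network (contiguous wildcard masks assumed)."""
    mask = (~int(ipaddress.ip_address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)


def parse_endpoints(tokens):
    """Parse the '<src> <dst>' part of an extended ACL: any | host A | A WILDCARD."""
    nets = []
    i = 0
    while i < len(tokens):
        if tokens[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        elif tokens[i] == "host":
            nets.append(ipaddress.ip_network(tokens[i + 1] + "/32"))
            i += 2
        else:
            nets.append(wildcard_net(tokens[i], tokens[i + 1]))
            i += 2
    return nets[0], nets[1]


def parse_config(config):
    """Pull out static forwards, numbered ACL entries and the crypto ACL id."""
    statics, acls, crypto_acl_id = [], {}, None
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            proto, inside_ip, inside_port, iface, outside_port = m.groups()
            statics.append({"proto": proto, "inside_ip": inside_ip,
                            "inside_port": int(inside_port), "outside_port": int(outside_port)})
            continue
        m = ACL_RE.match(line)
        if m:
            src, dst = parse_endpoints(m.group(3).split())
            acls.setdefault(m.group(1), []).append((m.group(2), src, dst))
            continue
        m = MATCH_RE.match(line)
        if m:
            crypto_acl_id = m.group(1)
    return statics, acls, crypto_acl_id


def crypto_selects(acls, acl_id, src_ip, dst_ip):
    """First-match evaluation of the crypto ACL; implicit deny means 'not tunneled'."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acls.get(acl_id, []):
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def audit_forwards(config, client_ip=INTERNET_CLIENT):
    """For each static forward, report whether the un-NATed packet enters the tunnel.

    Returns (outside_port, inside_ip, inside_port, tunneled) per forward.
    """
    statics, acls, crypto_acl_id = parse_config(config)
    return [(s["outside_port"], s["inside_ip"], s["inside_port"],
             crypto_selects(acls, crypto_acl_id, client_ip, s["inside_ip"]))
            for s in statics]


if __name__ == "__main__":
    for outside_port, host, port, tunneled in audit_forwards(CONFIG):
        print(f"Dialer0:{outside_port} -> {host}:{port}  tunneled={tunneled}")
```

Both forwards come back untunneled for an Internet source while a 192.168.1.x source is selected, which is consistent with LAN-to-LAN pings working and the WAN-side forward failing; it also means the forwarded printer traffic would leave Dialer0 in the clear, which is worth noting on its own.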
-
Port Forwarding for Cisco ASA 5505 VPN
This is the Network
Linksys E2500 ---> Cisco ASA 5505 ---> Server
I believe I need to forward some ports to the ASA to use the IPsec VPN I just set up. I had the SSL VPN working but only needed to forward 443 for that.... I assume that the IPsec tunnel is a specific port.
Thank You
For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
Command to enable NAT-T on ASA:
crypto isakmp nat-traversal 30 -
Port forwarding for clientless SSL VPN access
Hello,
I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
If this doesn't make sense, please let me know and I'll do my best to explain it better.
Hi Caleb,
If you mean clientless webvpn port-forwarding lists, then you should be able to get your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
CLI:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
then you apply the port-forwarder list under a group-policy
Hope this helps
Mashal
Mashal Alshboul -
I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well. Port forward configurations performed on the Actiontec are working well.
I installed an L2TP/IPSec VPN server, tested internally and it connected successfully. So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
With the port forwarding in place, I tested VPN externally but it didn't connect.
I've done the following so far to no avail:
Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
There are no other pre-existing L2RP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
There was an L2TP port triggering rule enabled, that I toggled on and off with no change
Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced its an issue with the Verizon Actiontec router. But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this. For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
My router details:
Verizon Actiontec
MI424WR-GEN2
Revision E
Firmware 20.21.0.2
Verizon Actiontec built-in L2TP/IPSec rule templates. They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.
Normally a VPN on that router will have a GRE tunneling protocol as well.
Two ways to build the PF rules:
Manually
Preconfigured
I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it. -
Port Forward and IP address question
I am configuring my father's computer so that I can "see" his screen. He's on a different network, using a mac with a wireless router. He enables remote desktop login, I use Chicken of the VNC software on my mac to see and control his computer.
Here's my question, when I set up his router to forward the ports so this will work, do I use the ports for apple remote desktop or VNC? (The ports overlap (5900) but are different.)
Also, which IP address do I enter into Chicken of the VNC? His router IP, his static IP that we assigned or his computer's IP.
Thanks for the help,
Rob
OK, but in his prefs for Apple Remote Desktop, it gives the static IP address that we set as the address other people can use, so... any thoughts?
You use that private address if you are in the same subnet as his Mac. That is the address you enter into the port forwarding settings on the router because the router needs to send requests received on the public IP address to that unreachable private IP address.
When you are on the internet, you can't reach that private IP address. -
RV042 vpn&port forwarding problems
Hello,
I spent a few days trying to configure the RV042 router but I messed up. I need this router for VPN access on my site and Port Forwarding to an internal web server. Apparently very simple task, isn't it?
So:
1. PPTP is working fine but I need more than 5 concurrent accesses.
2. QuickVPN does not work when the DHCP server is checked and I can't access any computer from my LAN. I have a DHCP server in my LAN, but when I'm connected through QuickVPN I never reach it. In the log file there are messages like:
Connection refused - Policy violation TCP 169.254.x.x->192.168.1.2 (DHCP server from my lan)
3. On Setup > Forwarding I added a Port Range Forwarding for HTTP port 80 to an internal IP address (192.168.1.x). I also added a firewall access rule to allow traffic to Port 80 from any source interface and any source IP to 192.168.1.x.
From the internal LAN, using the WAN IP of the router, the port forwarding works, but not from the outside, though in the log file of the router it appears to work:
Connection Accepted TCP 208.64.252.230:33027->192.168.1.x:80 on ixp1
What could I have done wrong?
The router is configured with a static address as a gateway and it has the latest firmware 1.3.12.19-tm. The access rules are the default ones and the one I added.
Any help would be much appreciated.
Thanks.
Can't answer as to why QVPN fails when you enable DHCP on the router, but considering your requirements it seems to be a moot point. So, you have a DHCP server on your network which I will guess is also running your Web service. If this is a Windows server, does your current configuration allow you to enable PPTP on it? If so, that would solve the five-user limit. You will need to turn off the PPTP server on the router and then forward port 1723 TCP to your server and you are done. As for your http access, remove any rule that you have in reference to "allow" port 80 connectivity to your web server. Not sure why, but this tends to confuse the poor little things. Once you have verified that port 80 is active on the server via the LAN (which you already have) then you are done. If you are still not successful with the connection to the server from the WAN you may want to default the router and start over (lame, I know).
*** SORRY, just noticed that you stated that you added a "port range" forwarding rule. Remove that, and configure a UPnP rule for the same server instead. Do not know why they call it that, they just do. This is the same as configuring a single port forward they just call it something different. So just port forward 80 tcp to your server on 192.168.1.x and you are done. -
VPN: Port-forwarding OK but Nothing Talking
I've set up several 10.3 & 10.4 VPN services but this one has me puzzled...
10.4.2 Server (does it just need updated?)
Internal ip only (no firewall on server) with router forwarding UDP 1701, 500 & 4500 (for L2TP).
When attempting to form the VPN with remote (wan side) Internet Connect client, there is no connection showing in vpnd.log (set to verbose logging) and no connection showing on Internet Connect log. It's like the port forwarding is not taking place. However...
If I run a port scan from remote machine, on UDP 1701, 500 & 4500, this traffic shows up on a TCPDump session running on the server.
Attempting to form the VPN, however, shows NO traffic with TCPDump.
The IP address of the server, in Internet Connect, is correct (same as the one used during port scanning). The VPN client is able to connect to several other servers OK.
Any ideas?
Ta.
-david
Server 10.4.8
1. What kind of router are you using?
Corega router at server side and Netgear DG834G on client side (with ethernet cable, not wireless).
The Netgear works fine to other sites. The Corega is 'unproven' in that I do not have another site with same router. It can act as a VPN gateway (this does work elsewhere) but is not active in this role at this site (we want to use server vpn service).
2. I have seen a few copies of 10.4.x Server just go L2TP/IPSec deaf. They all eventually sorted themselves out with software updates, but certain versions were just plain ol' deaf.
I've now updated to 10.4.8. No difference.
Just to reiterate...
Port-forwarding of 500, 1701 and 4500 appears to be working, as a TCPDump on the server lists these packets when a remote machine is port scanning for them.
However, the same TCPDump session does not list any UDP 500 packets when the VPN client (internet connect) is attempting to start. Logs show nothing beyond "listening for connections...". As I understand it, L2TP commences with an IKE communication on port 500 prior to the later 'real' stuff. Why is this not showing up in a TCPDump?
Puzzled...
-david
Server 10.4.8
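What the tcpdump question in this thread comes down to is telling a scanner's bare UDP probe apart from a client's real IKE exchange. The following is an added example, not code from the thread or from Apple's VPN service: it decodes the fixed 28-byte ISAKMP header (RFC 2408 / RFC 7296) for UDP 500, strips the RFC 3948 non-ESP marker on UDP 4500 (and recognises UDP-encapsulated ESP there), and checks the L2TP version nibble on UDP 1701. Every packet it runs over is a constructed fixture, not captured traffic; the SPI value, the "probe" label and the summary format are this example's own choices.

```python
import struct

# Fixed ISAKMP/IKE header, 28 bytes (RFC 2408 s.3.1 for IKEv1, RFC 7296 s.3.1 for IKEv2):
# initiator SPI (8) | responder SPI (8) | next payload (1) | version (1)
# | exchange type (1) | flags (1) | message ID (4) | total length (4)
ISAKMP_HEADER = struct.Struct("!8s8sBBBBII")
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 s.2.2: prefix on IKE packets carried over UDP 4500

EXCHANGE_TYPES = {
    2: "IKEv1 Main Mode",
    4: "IKEv1 Aggressive Mode",
    5: "IKEv1 Informational",
    32: "IKEv1 Quick Mode",
    34: "IKEv2 IKE_SA_INIT",
    35: "IKEv2 IKE_AUTH",
    36: "IKEv2 CREATE_CHILD_SA",
    37: "IKEv2 INFORMATIONAL",
}


def classify(dst_port: int, payload: bytes) -> dict:
    """Say what a UDP datagram aimed at one of the L2TP/IPsec ports actually carries."""
    if dst_port == 1701:
        # L2TP header (RFC 2661 s.3.1): T bit = control message, low nibble of byte 1 must be 2.
        if len(payload) >= 2 and payload[1] & 0x0F == 2:
            return {"kind": "l2tp", "control": bool(payload[0] & 0x80)}
        return {"kind": "probe", "port": dst_port, "len": len(payload)}
    if dst_port == 4500:
        if len(payload) >= 4 and payload[:4] != NON_ESP_MARKER:
            # UDP-encapsulated ESP: the first four bytes are the (non-zero) ESP SPI.
            return {"kind": "esp-udp", "spi": payload[:4].hex()}
        payload = payload[4:]                     # drop the marker, the rest is plain IKE
    elif dst_port != 500:
        return {"kind": "other", "port": dst_port, "len": len(payload)}
    if len(payload) < ISAKMP_HEADER.size:
        return {"kind": "probe", "port": dst_port, "len": len(payload)}
    i_spi, r_spi, _next, version, exch, _flags, _msg_id, length = ISAKMP_HEADER.unpack_from(payload)
    major = version >> 4
    if major not in (1, 2) or exch not in EXCHANGE_TYPES or length < ISAKMP_HEADER.size:
        return {"kind": "probe", "port": dst_port, "len": len(payload)}
    return {
        "kind": "ike",
        "port": dst_port,
        "version": f"{major}.{version & 0x0F}",
        "exchange": EXCHANGE_TYPES[exch],
        "initiator_spi": i_spi.hex(),
        "first_message": r_spi == bytes(8),      # responder SPI still zero: an SA is being opened
        "declared_len": length,
        "truncated": length > len(payload),
    }


def summarize(capture) -> dict:
    """Count datagram kinds over an iterable of (dst_port, udp_payload) pairs."""
    counts = {}
    for dst_port, payload in capture:
        kind = classify(dst_port, payload)["kind"]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


# Constructed fixtures, not captured traffic. Header-only IKEv1 Main Mode first message
# (next payload 0, payloads elided), so its declared length is exactly the header size.
MAIN_MODE_1 = ISAKMP_HEADER.pack(bytes.fromhex("1122334455667788"), bytes(8),
                                 0, 0x10, 2, 0, 0, ISAKMP_HEADER.size)
SAMPLE_CAPTURE = [
    (500, b""),                                          # empty datagram: a bare scanner probe
    (1701, b""),
    (4500, b""),
    (500, MAIN_MODE_1),                                  # a client opening an SA
    (4500, NON_ESP_MARKER + MAIN_MODE_1),                # same, after NAT detection moved it to 4500
    (4500, bytes.fromhex("0000010a") + bytes(8)),        # ESP-in-UDP, SPI 0x0000010a (made up)
    (1701, bytes.fromhex("c802000c0000000000000000")),   # L2TP control message, version 2
]

if __name__ == "__main__":
    for port, pkt in SAMPLE_CAPTURE:
        print(port, classify(port, pkt))
    print(summarize(SAMPLE_CAPTURE))
```

To use it on real traffic you would take the UDP payloads from a capture on the server (tcpdump filter: udp port 500 or udp port 4500 or udp port 1701, with -X for the bytes). A capture that shows only "probe" entries while the client is dialling means the forward passes scanner traffic but the client's first Main Mode packet never reaches the server, which puts the fault on the client side or its router rather than on vpnd.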
Combo unix ssh port forwarding + iChatAV + Bonjour question
I don't know which forum is best for this question, so thought I'd try here first.
I've been tossing around the idea of picking up a couple of iSights and running iChatAV. Problem is, if I understand this correctly, iChatAV uses a couple of ports for connections to third-party servers: AOL buddy server or Jabber server, a port for something called snatmap, a port for SIP, and some other stuff. Plus, it requires that you open up nearly 20 ports on your network for the AV traffic! (I get nervous just having my non-standard ports for smtp and ssh open, and my imaps port open (which is another issue -- anybody know how to change imaps port 993 to a non-standard port if running the uw-imap server?).) It doesn't look like iChatAV can, normally, operate by "calling up" an IP address or hostname... it always has to set up calls using AOL or Jabber... unless, perhaps, the destination iSight/iChatAV is on your own Bonjour-capable subnet.
So, I'm thinking, what if a calling party created an ssh tunnel and port-forwarded the dozens of UDP and a couple of TCP ports over an ssh tunnel, as a lengthy list of port forward options like "-L 5297:localhost:5297 -L ..." (assuming that the forwarding host, to whom the caller ssh's, is the same computer that is running iChatAV, hence the remote host specification in the "-L" option of "localhost")? Would the caller then be able to treat the connection like Bonjour networking, and when he calls localhost on his end of the circuit, it "bonjours" to the called hostname's localhost and thus a peer-to-peer connection would be made?
Or perhaps a reverse port forward tunnel ("-R" options) could be set up in advance by the "to-be-called" party, and then the calling party initiates a iChatAV call as a "same-subnet-as-calling-computer-via-Bonjour" type of call?
I'm just kicking around some thoughts here; I don't know enough about the intricacies of iChatAV and Bonjour (and ssh) to really know all the "gotchas" and I'd like to get the planning done with a high degree of confidence of success before I plunk out $300 on two iSights.
If the general consensus of the group moderator and others on this forum is that this question should be posted in another forum, I apologize, and I'll move, but I thought that the ssh tunneling nature of my inquiry (and my unrelated side question about how to change 993 to a non-standard port) made this forum the obvious, and best, choice.
Thanks in advance for any thoughts on these issues!
2001 Quicksilver G4   Mac OS X (10.4.5)
No, you can't do what you describe. You have to use port forwarding on the router for any incoming connections, and each port forward rule can only map to a single server/service.
However, SSH has the ability to tunnel other connections, so it may be possible to remove one or more of the existing port forwarding rules and replace them with an SSH rule, then use SSH tunneling to get to those services. Of course, this will only work for services that only you (or other authorized users) need to access, and not public services such as web/http traffic (assuming you're running a public web site).
The only other option would be to replace your router with one that doesn't have such a strict limit on the number of port forwarding rules.
WRT350N unable to forward single port to VPN.
I set up a PPTP (VPN) server on my network so that I could access stuff at home when I am not. I went to the router to configure it to forward the port for VPN -- 1723 -- to the IP of the server and got the following error:
Port overlap occurred! Please change your entry!
I am running firmware version 1.04.3 and have tried 1.03.7 without any luck. I originally configured with a previous version of the firmware and haven't had a need to change the configuration. I tried to save the settings without any changes and got the same message. The current port forwarding is:
Application   Ext. port   Int. port   Protocol   To IP address   Enabled
SMTP                                             172.16.0.2      enabled
POP3                                             172.16.0.2      enabled
FTP                                              172.16.0.2      enabled
HTTP                                             172.16.074      enabled
None
Braindead     2525        25          Both       172.16.0.2      enabled
IMAP          143         143         Both       172.16.0.2      enabled
Print         515         515         Both       172.16.0.240    enabled
WebMail       3000        3000        Both       172.16.0.2      enabled
MailAdmin     1000        1000        Both       172.16.0.2      enabled
VNC           5900        5900        Both       172.16.0.2      enabled
VNC+1         5901        5900        Both       172.16.0.51     enabled
VNC+2         5902        5900        Both       172.16.0.74     enabled
VNC+3         5903        5900        Both       172.160.3       enabled
Blank
I don't have any port overlaps. I have changed everything and nothing works. It was working perfectly under the original firmware. This router is less than a year old. I have looked at other threads that are several months old without a new post and without a resolution. I am going to need to change the web server as the machine that was running the web server is now dead and I CANNOT change the address. I wish there was a way to go back to the original firmware. I even tried to reset the router to factory defaults and could not change the port forwarding.
HELP
George Worley
ridcully wrote:
Yes, you are right, you don't have any port overlaps... Well, you should check the subtabs "Port Range Forwarding" and "Port Range Triggering" and check if you have any port overlaps there... Also, did you reset your router after the last firmware upgrade? If not, you must reset your router and re-configure it from scratch...
I don't have anything under either one of those tabs until now, because I need to get VPN established. That is under "Port Range Forwarding" and it is just a single port -- 1732 (VPN).
Steps
Backed up configuration to a file.
Flashed with 1.03.7
Power Cycled WRT350N
Tried to add a single port forward for VPN.
Got Error
Followed the same with the above steps.
Got the same error.
Pushed in the "Factory Defaults Button" for about 45 seconds.
Now with Factory Defaults
Configured for ISP.
Tried to add in just a POP3 server with no other ports defined.
Got the same error.
Flashed with 1.04.3.
Power Cycled
Set back to factory defaults.
Configured for ISP.
Tried to add POP3 server with no other ports defined.
Got the same error.
Flashed with 1.03..
Power Cycled
Set back to factory defaults.
Configured for ISP.
Tried to add POP3 server with no other ports defined.
Got the same error.
Flashed back to 1.04.3.
Restored the backup. Old ports are still defined and I still cannot map new ones.
I think that the firmware version that was on it when I bought it was 1.03.2 -- wish that I had never upgraded it.
Thank you,
George Worley
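The "Port overlap" message is about the WAN side of the table: two enabled rules that claim the same external port on the same protocol, in any of the forwarding tabs the reply mentions. The following is an added example, not Linksys firmware code and not from the thread, that applies that check to the rules as posted. The WRT350N's actual overlap test is not documented here, so treating (protocol, external port) as the shared resource is this example's assumption; the four preset rows (SMTP, POP3, FTP, HTTP) show no ports in the post, so their standard ports are assumed, the two oddly typed addresses are normalised, and the VPN server address 172.16.0.2 is a placeholder.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ForwardRule:
    """One row of a router forwarding table: a WAN port (or range) sent to one LAN host:port."""
    name: str
    ext_start: int
    ext_end: int
    proto: str                     # "TCP", "UDP" or "Both"
    to_ip: str
    int_port: Optional[int] = None  # None: same as the external port
    enabled: bool = True

    def __post_init__(self):
        if not 1 <= self.ext_start <= self.ext_end <= 65535:
            raise ValueError(f"{self.name}: bad external range {self.ext_start}-{self.ext_end}")
        if self.proto.upper() not in ("TCP", "UDP", "BOTH"):
            raise ValueError(f"{self.name}: unknown protocol {self.proto}")

    def protocols(self) -> frozenset:
        return frozenset({"TCP", "UDP"}) if self.proto.upper() == "BOTH" else frozenset({self.proto.upper()})


def external_overlap(a: ForwardRule, b: ForwardRule) -> bool:
    """True when two rules claim at least one common (protocol, external port) pair.
    The LAN side does not matter: several WAN ports may all land on 5900 of different hosts."""
    return bool(a.protocols() & b.protocols()) and a.ext_start <= b.ext_end and b.ext_start <= a.ext_end


def find_overlaps(rules: List[ForwardRule]) -> List[Tuple[str, str]]:
    """All clashing pairs among the enabled rules (single-port, range and trigger rows together)."""
    live = [r for r in rules if r.enabled]
    return [(a.name, b.name) for a, b in combinations(live, 2) if external_overlap(a, b)]


def can_add(existing: List[ForwardRule], new: ForwardRule) -> Tuple[bool, List[Tuple[str, str]]]:
    """Would the router be right to reject this new row? Returns (ok, clashing pairs)."""
    clashes = [(a.name, new.name) for a in existing if a.enabled and external_overlap(a, new)]
    return (not clashes, clashes)


POSTED_RULES = [
    # Preset rows from the post; their ports are not shown there, standard ones are ASSUMED.
    ForwardRule("SMTP", 25, 25, "TCP", "172.16.0.2"),
    ForwardRule("POP3", 110, 110, "TCP", "172.16.0.2"),
    ForwardRule("FTP", 21, 21, "TCP", "172.16.0.2"),
    ForwardRule("HTTP", 80, 80, "TCP", "172.16.0.74"),       # posted as "172.16.074"
    # Rows exactly as posted (external, internal, protocol, LAN host).
    ForwardRule("Braindead", 2525, 2525, "Both", "172.16.0.2", int_port=25),
    ForwardRule("IMAP", 143, 143, "Both", "172.16.0.2"),
    ForwardRule("Print", 515, 515, "Both", "172.16.0.240"),
    ForwardRule("WebMail", 3000, 3000, "Both", "172.16.0.2"),
    ForwardRule("MailAdmin", 1000, 1000, "Both", "172.16.0.2"),
    ForwardRule("VNC", 5900, 5900, "Both", "172.16.0.2"),
    ForwardRule("VNC+1", 5901, 5901, "Both", "172.16.0.51", int_port=5900),
    ForwardRule("VNC+2", 5902, 5902, "Both", "172.16.0.74", int_port=5900),
    ForwardRule("VNC+3", 5903, 5903, "Both", "172.16.0.3", int_port=5900),   # posted as "172.160.3"
]

# PPTP control channel. The tunnelled GRE (IP protocol 47) is not a port at all and relies on
# the router's PPTP passthrough, so it never appears in this table. Server address assumed.
PPTP_RULE = ForwardRule("VPN", 1723, 1723, "TCP", "172.16.0.2")

if __name__ == "__main__":
    print("existing overlaps:", find_overlaps(POSTED_RULES))
    print("add PPTP 1723:", can_add(POSTED_RULES, PPTP_RULE))
```

Run against the posted table it reports no overlaps and accepts 1723, which is what the poster expected; the only rows it would reject are ones re-using an external port already taken on the same protocol, such as a second 5900 or a range that spans the VNC block.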
Port Forwarding for OS X Server VPN on BT Home Hub...
We have BT Infinity using a BT Home Hub 5 and I have recently installed OS X Server to create my own VPN. However, I cannot seem to get the hub to open the ports I desire using the port forwarding tool - I have tried everything I can think of including (and a combination of all these things in one way or another)...
Standard Port Forwarding
Disabling UPnP
Disabling Firewall
Enabling DMZ directly to the OS X Server
The ports I am trying to enable, but stay closed are:
500
1701
1723
5900
And I have selected the 'Any' protocol in desperation, but they still show up closed on an online port checker tool like canyouseeme.org.
I created a custom application in the hub to cover these ports, and out of curiosity I added port '5900' (VNC port) to the list, which curiously IS open when I check it, but the hub seems to refuse to open any of the other ports.
I am beginning to think there may be something up with the router... I've Googled and spent a few hours on failing to solve this simple problem... does anyone else have any ideas?
Solved!
Remember, the port discovery websites can only test TCP ports, not UDP. I use the Microsoft PortQuery tool, from a remote connection like 3G mobile data. This can test both TCP and UDP.
The main thing is that you have it working now. Port forwarding seems to give people a lot of problems, when it should just work without any issues.
Common problems seem to be:
Having spaces in either device names or application names.
Failing to apply the settings on every step of the way.
Being on CG-NAT (IP address sharing)
Forgetting to open any firewall connections.
Relying on DHCP to allocate the IP address, instead of setting it on the device itself.
Plus others....
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.
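Why a web-based checker reports 500, 1701 and 4500 as closed even when the forward is right: a TCP check proves a listener by completing the handshake, but UDP has no handshake, so a probe only comes back "open" if the service behind the port chooses to answer it. The following is an added example, not from the thread and not the PortQuery tool mentioned above, that reproduces both checks against constructed stand-in services on 127.0.0.1: a TCP listener, a UDP service that replies, a UDP service that is bound but ignores the probe (the way a VPN daemon treats a datagram that is not a valid IKE or L2TP message), and a port nothing is bound to. The loopback address, the port numbers (picked at run time) and the "ping" probe are this example's choices.

```python
import socket
import threading

HOST = "127.0.0.1"   # stand-in for the public address you would really probe from outside


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """TCP: a completed handshake proves a reachable listener; no application data is needed.
    This is all an online port checker can do."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def udp_port_answers(host: str, port: int, probe: bytes, timeout: float = 1.0) -> bool:
    """UDP: the only positive evidence is a reply. Silence means closed, filtered,
    or listening but not talking to you; from outside they all look the same."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))   # connected socket: an ICMP port-unreachable surfaces as an error
            s.send(probe)
            s.recv(2048)
            return True
        except OSError:               # timeout, ConnectionRefusedError, ...
            return False


class UdpService:
    """Constructed local UDP service. replies=False keeps it bound and receiving but mute."""

    def __init__(self, replies: bool):
        self.replies = replies
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.bind((HOST, 0))
        self.sock.settimeout(0.2)
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                data, peer = self.sock.recvfrom(2048)
            except socket.timeout:
                continue
            if self.replies:
                self.sock.sendto(b"ack:" + data, peer)

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def unbound_udp_port() -> int:
    """Pick a port nothing is listening on: bind to 0, read the number back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tmp:
        tmp.bind((HOST, 0))
        return tmp.getsockname()[1]


def run_checks() -> dict:
    """Run the four probes and return label -> 'looked open' for each."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_srv.bind((HOST, 0))
    tcp_srv.listen(1)                  # the kernel completes the handshake without an accept()
    talker, mute = UdpService(replies=True), UdpService(replies=False)
    try:
        return {
            "tcp listener": tcp_port_open(HOST, tcp_srv.getsockname()[1]),
            "udp service that replies": udp_port_answers(HOST, talker.port, b"ping"),
            "udp service that ignores the probe": udp_port_answers(HOST, mute.port, b"ping"),
            "udp port with nothing bound": udp_port_answers(HOST, unbound_udp_port(), b"ping"),
        }
    finally:
        tcp_srv.close()
        talker.close()
        mute.close()


if __name__ == "__main__":
    for label, looked_open in run_checks().items():
        print(f"{label:36s} {'open' if looked_open else 'no answer'}")
```

The mute service and the unbound port are indistinguishable to the prober, which is exactly the position a web checker is in for a correctly forwarded IKE port: the real test of a VPN forward is a client that sends a well-formed first message and a server-side capture showing it arrive, not a generic "is it open" probe.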