Ip port-map user on ASR 1000 IOS XE

Hi.
I'm trying to build a firewall and wanted to use the "ip port-map user-xxx ..." command to create a custom protocol that I could then use in a protocol statement inside a class-map type inspect.
Is this yet another thing missing from IOS XE, like the lack of object-group command?
Best regards.

Hello Damjan,
You are right, Sir,
ASR ZBFW does not support user-defined port mapping.
Now, you could match the traffic with an ACL and inspect it; the ZBFW will not break the connection, it will actually be successful, so even though the command is not supported on the ASR1K you could still make it happen.
EDIT: If you are going to create a user-defined protocol, the ACL would be the same thing.
If you are trying to map a standard protocol to a non-standard protocol, then you need to use the ip port-map command (not supported on the ASR1K).
So bottom line: In your case with the ACL you will be more than fine
For Networking Posts check my blog at http://laguiadelnetworking.com/
Cheers,
Julio Carvajal Segura
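As an added illustration of the ACL-based approach Julio describes (example configuration, not from the original post or from Cisco documentation): the custom application is identified by an ACL instead of an ip port-map user-xxx entry, the ACL is referenced from a class-map type inspect, and the resulting policy is applied on a zone-pair. The TCP port 4000, the ACL, class, policy and zone names, and the interface numbers are assumed placeholders.

```cisco
! The ACL takes the place of "ip port-map user-xxx port tcp 4000" on the ASR1K.
! Port 4000 is an assumed placeholder for the custom application's port.
ip access-list extended CUSTOM-APP-ACL
 permit tcp any any eq 4000
!
! Class that matches the custom application through the ACL.
! With no "match protocol", the firewall performs generic TCP (Layer 4) inspection.
class-map type inspect match-all CUSTOM-APP-CLASS
 match access-group name CUSTOM-APP-ACL
!
! Standard protocols stay in their own class so their inspection is unaffected.
class-map type inspect match-any STANDARD-CLASS
 match protocol http
 match protocol dns
!
policy-map type inspect INSIDE-TO-OUTSIDE
 class type inspect CUSTOM-APP-CLASS
  inspect
 class type inspect STANDARD-CLASS
  inspect
 class class-default
  drop log
!
zone security INSIDE
zone security OUTSIDE
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INSIDE-TO-OUTSIDE
!
! Assumed interface numbers; adjust to the actual ASR1K ports.
interface GigabitEthernet0/0/0
 zone-member security INSIDE
interface GigabitEthernet0/0/1
 zone-member security OUTSIDE
```

Sessions created for the custom application can be checked with "show policy-map type inspect zone-pair IN-OUT sessions"; a connection that appears there on TCP port 4000 confirms the ACL-based class is matching and return traffic is being allowed statefully.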

Similar Messages

  • How to get the port mapping to work on SR520

    I have been using CCA 2.0 and configured the device based on documents (a recurring story) and, well, it won't work... again.
    This is the results of the 'show tcp brief'
    SR520#show tcp brief all
    TCB       Local Address               Foreign Address             (state)
    84C8EFD4  192.168.75.1.23             172.16.33.10.3227           ESTAB
    86479CB0  192.168.75.1.443            172.16.33.10.3078           ESTAB
    8647850C  192.168.75.1.443            172.16.33.10.3122           ESTAB
    84B08378  192.168.75.1.23             172.16.33.10.3062           ESTAB
    83B7FAB8  192.168.75.1.23             172.16.33.10.3041           ESTAB
    851D6704  *.443                       *.*                         LISTEN
    851D5CF4  *.443                       *.*                         LISTEN
    851D56B8  *.80                        *.*                         LISTEN
    85419B70  *.80                        *.*                         LISTEN
    85DAD264  XXX.XXX.XXX.194.ptr.us.443   *.*                         LISTEN
    SR520#
    It appears that CCA is not correctly adding the info into the configuration, or is it?
    It made these acl entries:
    access-list 102 remark SDM_ACL Category=0
    access-list 102 permit ip any host 192.168.75.2
    access-list 103 remark SDM_ACL Category=0
    access-list 103 permit ip any host 192.168.75.2
    access-list 104 remark SDM_ACL Category=0
    access-list 104 permit ip any host 192.168.75.2
    access-list 105 remark SDM_ACL Category=0
    access-list 105 permit ip any host 192.168.10.12
    access-list 106 remark SDM_ACL Category=128
    access-list 106 permit ip any host XX.XX.XX.194
    It added this for one port but not for the others:
    ip port-map user-protocol--1 port tcp 3389
    and it added this:
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.10.12 3389 interface FastEthernet4 3389
    ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
    ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
    ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
    Yet none of these ports are allowed through the firewall.
    Please help me figure this out.
    Thanks

    I think the CCA team knows of some issue with this.  In May, I had heard that while configuration of NAT static entry is supported by CCA there is an issue in that CCA currently does not modify the firewall configuration to allow the statically mapped IP and TCP port to pass through.
    I heard  we were looking to resolve in a subsequent CCA release. I will find out when or ask that team to reply....
    Steve DiStefano
    SE Small Business Sales
    U.S. Field Channel

  • MPLS PE/P 7600 or ASR 1000

    hi,
    We are planning to replace our 7206VXR P/PE routers. Currently we only have 2 nodes running on STM-1. On each node we have a 7206VXR NPE-G2 acting as PE and P router.
    Our requirement is getting bigger; we will be upgrading our WAN links to STM-4 soon (and to STM-12 in the future) and we will also be adding more nodes.
    I'm confused about which platform would be best for our network, 7600 or ASR 1000? If 7600, 7606 or 7604? If ASR 1000, ASR 1004 or ASR 1006?
    I want my router to accommodate the growth in the network.
    I need your advice/expertise on this.
    Thanks in advance....
    Rachelle

    Hi,
    ASR1k runs IOS-XE, which is IOS. It does not run IOS-XR. ASR9k runs IOS-XR.
    The newer platforms, like ASR1k and ASR9k, have more throughput, while the 7200, for example, has a bigger range of different kinds of port adapters. If you only plan to use Ethernet interfaces, for example, then you could only look at the newer platforms like ASR1k, ASR9k, or even 7600 and choose a specific model based on the number of ports you'd need.
    Thanks,
    Luc

  • Where to check license details - ASR 1000 firewall

    Hi,
    I am looking for details on the meaning of a license because I cannot find the installation details. The license is called
    FLASR1-FW-RTU(=)
    and is used to enable the firewall function in the ASR 1000 series. But I am not clear about what features are inside, because the website only shows "firewall". Is that the same as IOS firewall?
    Thanks!

    Hello,
    If you look at the ordering guide: http://www.cisco.com/en/US/prod/collateral/routers/ps9343/product_bulletin_c07-448862.html
    Firewall service: The Cisco ASR 1000 Series Router Firewall application requires a RTU license (FLASR1-FW-RTU(=)), which allows you to enable Layer 4-through-Layer 7 firewalling. To enable per subscriber/user firewall in broadband and enterprise deployments, the firewall RTU license, as well as the number-of-session licenses listed in the "Broadband service" section, is required. Please refer to the "Per subscriber/user firewall service" section.
    Now, if you want to know more in detail what the ASR1000 can do, you can refer to the product documentation: Network Security Features for Cisco ASR 1000 Series Routers: http://www.cisco.com/en/US/prod/collateral/routers/ps9343/data_sheet__network_security_features_for_cisco_asr_1000_series_routers.html
    You have a full paragraph explaining the zone-based firewall; search for "Cisco IOS Zone-Based Firewall".

  • How do I use Port Mapping?

    How do I use Port Mapping?
    (This document will assume that you are using an ABS/AEBS/AX as an internet router and have DHCP & NAT turned on.)
    Sometimes you may want to offer access to a computer on your AirPort network to users on the internet, whether it be a web site, or for file sharing, or just remote access for yourself when traveling. If any of these sound like something you want to do, then you need to understand how Port Mapping works.
    AirPort as Firewall
    Most of the time your AirPort base station will not let any traffic into your network which did not originate from your network. It will let everything out and replies to your traffic back in, but it will not let sessions initiated on the internet side of the base station in to your network. This is what is referred to as the "NAT firewall" capability of the base station and it provides effective protection for your network from the internet. What Port Mapping does is poke a hole in this wall to allow certain type(s) of traffic into the network and direct this traffic to a specific computer on the network. In the firewall world this is commonly referred to as an "inbound proxy" or "inbound translation" rule or "PAT" (Port Address Translation) in the router world.
    The Need for Manual Addressing
    Since a Port Mapping entry in the base station configuration requires an inside private IP address to be specified, the computer to which the mapping entry applies should always have the IP address specified in the mapping entry. Thus, DHCP should not be used for a computer offering services on the internet, as the Port Mapping entry will no longer work if the target computer's IP address changes. In general, an Apple base station's DHCP server will try to assign IP addresses in the 10.0.1.2 to 10.0.1.200 range. IP addresses above 10.0.1.200 can be Manually assigned to computers and other devices on the network up to 10.0.1.254. 10.0.1.255 is reserved (it is the broadcast address for the 10.0.1 subnet). To Manually set up the TCP/IP information for a Macintosh running Mac OS X, go to System Preferences -> Network and "Show" the appropriate interface (Ethernet or AirPort) and click on the TCP/IP tab. Select "Configure Manually" and enter the following information:
    IP address : 10.0.1.201 (or whatever address you decide to use)
    Subnet mask : 255.255.255.0
    Router IP : 10.0.1.1 (the AirPort base station LAN IP)
    DNS server : 10.0.1.1, or whatever DNS server IP your ISP uses
    After making these changes verify that your computer can still access the internet and local resources on the LAN before continuing.
    Port Mapping a service
    In our example we will be hosting a web site on a computer which we have given an IP address of 10.0.1.201. Basic web sites are accessed using the HyperText Transport Protocol (HTTP) and this protocol typically uses port 80 to communicate. In order for others to see the web site, we must configure a Port Mapping entry in the base station configuration to not only allow the web browsers in, but to tell the base station what IP address the web server is using. The Port Mapping entry has three parts: Public Port, Private IP, and Private Port. In this case you would use the following values:
    Public Port : 80
    Private IP : 10.0.1.201 (this is the computer hosting the web site)
    Private Port : 80
    In order to access the web site from the internet, users must reference the base station's WAN port public IP (determined by looking at the base station configuration summary page in the AirPort Admin Utility). Since this address may change over time, you might want to use a Dynamic DNS service to simplify connecting for your users.
    Sometimes the port you wish to use may be blocked by the ISP. In this case, use a different non-standard Public Port number for the service, but keep the Private Port standard. In the above example, if the ISP was blocking port 80, you could potentially use 8080 instead, so:
    Public Port : 8080
    Private IP : 10.0.1.201
    Private Port : 80
    Your users would then have to enter "http://<publicIP>:8080/" (where <publicIP> is the public IP address of the AirPort base station) to access the web site.
    Internal Access
    It should be noted that when accessing these services from within the network you cannot reference the Public IP/Public Port, but rather you must use the Private IP/Private Port. Thus, "http://10.0.1.201:80/" in the above example.
    Limits and Options
    There is a maximum of 20 Port Mapping entries that can be made in an Apple base station configuration. If you use an AirPort Extreme or AirPort Express base station there is an option which can be helpful in the case where you need many ports opened to a single computer. This is the "Default Host" option. When using this it is not necessary to use Port Mapping at all as all ports will be opened to the specified "Default Host". This is found in "Base Station Options". The default IP address for the "Default Host" is 10.0.1.253. You may change this IP address. The target computer must be Manually configured as specified above with the same IP address. Since all ports are now open to this computer, you should enable and configure the Mac OS X firewall on the default host computer to protect it from intruders.
    Useful Related Links
    Designing AirPort Extreme Networks: Manuals (http://docs.info.apple.com/article.html?artnum=52002)
    "Well Known" TCP and UDP Ports Used By Apple Software Products
    IANA Port Number Assignments

  • How do I configure my airport utility for port mapping?

    I am trying to view my FOSCAM cameras over the internet while away from home. They work fine in my house using Wi-Fi. Instructions say to do port forwarding. I have the cameras set up, but can't get my router to port forward. I found "Port Forwarding" in AirPort Utility, then NETWORK. 'Router mode: DHCP and NAT'; on 'Port Settings' I click on the "+" at the bottom. 'Private IP Address' populates to 10.0.1.201. What goes in the other blocks?

    Please check out the following AirPort User Tip for details on how to configure Port Mapping on the AirPort routers. I would suggest that you check your FOSCAM documentation as to what TCP and/or UDP ports are required to access their IP cameras from a remote location.

  • Airport Extreme v7.3.3 Port Mapping Port 80

    I have a DVR in my home which is connected to my home network. It has a static IP address. I would like to be able to utilize its mobile app from any mobile/cellular network. The manufacturer of my DVR tells me that I need to open up Port 80 on my router, which is an Airport Extreme running v7.3.3.
    I have tried looking up solutions and have found similar results but nothing for the AirPort running v7.x.x. Everything I have found is for version v6.x.x or v5.x.x.
    I have tried using the following examples with no success, which may be fault on my part, as well as the document:
    AirPort - Port Mapping Basics using AirPort Utility v6.x
    http://portforward.com/english/routers/port_forwarding/Apple/AirPortExtreme/defaultguide.htm
    Re: How do I open ports on my airport extreme and assign a fixed IP Address for a device connected to my network?
    Any further advice would be welcome. Thank you. I will gladly provide further details upon request/as needed.

    I have tried looking up solutions and have found similar results but nothing for the AirPort running v7.x.x. Everything I have found is for version v6.x.x or v5.x.x.
    Unfortunately, you have the firmware version of the AirPort mixed up with the software version of AirPort Utility, the application used to set up and administer the AirPort router.
    Your AirPort was set up using either AirPort Utility 6.x or an iPad or iPhone running the iOS version of AirPort Utility. Either of those applications will allow you to set up port mapping IF the AirPort is set up as the main router on your network.
    Or, in other words, you do not have the AirPort connected to another modem/router on the network.
    Now might be a very good time to confirm the make and model number of the device that you call your "modem", since that will dictate the next move as far as setting up ports.

  • NAT configuration and Port Mapping for xBox

    I'm looking for help with port mapping to open up the NAT for an xBox One. I'm working with the following network devices:
    xBox One
    DSL Modem: Embarq (ZyXEL) 660R series
    Airport Extreme version 7.7.3
    I understand the following from researching the issue:
    The default settings for both devices block the ports needed for xBox Live.
    Airport Extremes are not on the compatible list for xBox.
    Port Mapping is better than creating a DMZ for the xBox.
    The xBox needs its own manually set IP address.
    I switched my Network>Router Mode from Off (Bridge Mode) to DHCP and NAT. I then created a DHCP Reservation and the Port Settings for that IP.
    After doing this, the Airport would restart and display a warning - Double NAT. I figured this was because the 660 settings showed the NAT Mode to be SUA Only. The Edit Details link displayed an empty table where you edited the SUA/NAT Server Set. I switched from NAT Mode>SUA Only to None. So there was my Double NAT and I would have thought that would have removed one.
    I also disabled the Firewall and Enabled the UPnP.
    After restarts the Airport continued to display the Double NAT error. However, with the 660's NAT Mode set to None, the Internet was not there. Web browsers and email accounts replied with server not found.
    Only with the 660 set to SUA Only and the Airport in Bridge Mode is the Internet accessible. I now have the details for the SUA filled out for the xBox's IP address and ports.
    Hypothesis
    Since both devices are acting as DHCP servers, the port mapping is not working. Rather than have the 660 distribute IP addresses and then having the Airport distribute another range of numbers, I need to have both devices bridge and distribute one range of numbers. Currently the 660 is using the 192.168 range and the Airport is using the 10.0 range.
    Am I correct? Any thoughts and suggestions are welcome.

    Port forwarding through a double NAT is near impossible!
    And the Xbox is so attuned to using UPnP that it is very hard not to; even port mapping is not a great fix. Since Apple decided gamers did not count as users for AirPorts, I think honestly it is best to bypass the AirPort and stick to UPnP from the modem router.
    What method of authentication does your ISP use? Because it is really better to use one router.
    And in fact the router should be the ZyXEL. If you plug the Xbox into the ZyXEL running in full router mode, with the AirPort removed from the network, does it work and open NAT?
    If not, replace the ZyXEL with a modern listed router that is Xbox compatible and bridge the AirPort to it.

  • Port mapping question - I need clarification

    I have posted a question about port mapping previously but, although I thought I understood, it is still not working for me. I was hoping there was a kind soul out there who could humor me and explain port mapping with the AEBS 802.11n as if they were talking to a 5 year old.
    Thanks for the help and it's ok to laugh.

    Quote: "This address MUST be outside of the range of IP addresses that your 802.11n AirPort Extreme Base Station's (AEBS) DHCP service is providing."
    This actually is incorrect.
    The statement that the mapped internal address must be static is correct; otherwise the AEBS will not, if the Mac is assigned a different dynamic (DHCP) IP address by the AEBS some time in the future, be able to forward packets to the Mac. However, it is very straightforward to have the Mac computer be assigned an address dynamically by the AEBS and to have the AEBS always assign the same IP address to the same Mac computer, thereby giving the Mac a static address inside the DHCP range.
    In the AirPort utility go to Internet | DHCP | DHCP Reservations. Click "+" then enter the MAC (what Apple calls Ethernet ID if you are using wired or AirPort ID if wireless) hardware address of the Mac computer, give it an IP address, save it. Then that Mac computer will always receive that (static) IP address from the AEBS.
    Why do this? Well, by continuing to use DHCP (while still having a static IP address) you keep all the other benefits of DHCP, such as automatically having the gateway address and the DNS server addresses given to the Mac. Otherwise you have to enter all this information manually on the computer if you put it outside the DHCP address range. This is very desirable, especially for most home users, as their DNS server entries are provided by their ASP and picked up by the AEBS. If the ASP changes DNS addresses, the manually configured Mac machine will not know.
    So in summary: for port forwarding it is NOT necessary for the Mac machine to be outside the DHCP range; in fact, it is desirable to keep it in the DHCP range as long as the Mac utilises DHCP reservation on the AEBS.
    I have tested this and it works fine.

  • Default Host (DMZ) and Port Mapping together

    Hi all,
    I have the G5 set as a default host for all my web services through the Airport Extreme.
    In the Airport Extreme's Port Mapping tab, a user is not prevented from using the port mapping tab even when the Default host is set. I want to serve video through another port not on the G5.
    Does this mean I can set up port mapping for ports I do not want to go to the default host? (my G5 in this case)
    I asked this on the airport forum and never got an answer, maybe you G5 folks might know. (Or maybe there is a setting that will redirect from the G5.)
    Thanks in advance,
    Jamy

    I figured it out. I can't have a DMZ and separately port mapping on the Airport.

  • Quick question re: port mapping

    Does the 802.11n base station have the same limit as the 802.11g base station regarding the maximum number of ports that the user can map?
    In other (perhaps more coherent) words: The "g" base station only allows a user to specify a total of 20 ports in the "port mapping" pane of Advanced settings. Does the "n" station have the same limitation?

    Anyone have any ideas or information? I'm not able to find anything clear by searching the knowledge base, etc.

  • Port mapping converting gui to cli

    Hi,
    I am having an issue with a new office LAN implementation and I was wondering if anyone can help.
    The current setup has a Linksys router and there are port mappings for the servers for an inside and outside port. This has been input via the GUI. I am upgrading to a 3845 router and have converted the GUI input to Cisco CLI. This, however, does not work and the LAN does not behave as it did before.
    The Linksys GUI input is attached.

    Hi @samdilloway,
    A few questions for you:
    Did you check if those servers can go to the internet?
    Is the NAT functioning properly when they go outside?
    Here is a link of a page with the step-by-step process of the port mapping configuration. Make sure you're doing it exactly like that:
    http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=21470
    Also, a link of a TSHOOT page for the same problem:
    http://kb.linksys.com/Linksys/ukp.aspx?pid=80&vw=1&articleid=22385
    To be sure, the problem you have is that users from outside cannot access the services you're mapping, right?
    Let me know your answers.
    HTH.
    Don't forget to rate.
    Rgrds,
    Martin, IT Specialist

  • Port Mapping Inconsistent

    I am having trouble getting port mapping to work consistently.
    I have configured my Airport base station to forward 5 ports to my iMac: 6880, 6881, 6969, 9090, and 9091. It appears that one of these is forwarded correctly, but the others are not.
    When I go to https://www.grc.com/x/portprobe=9090 I'm told that the port is open. However, when I substitute any of the other ports, they appear to be closed.
    I'm also not able to visit websites that use port 6969.
    Any ideas what could be going wrong with this? There are multiple users on this machine (with fast user switching). Could that be part of the problem?

    Is there any way to tell without disconnecting my Airport and connecting my Mac directly to the cable modem? I did some googling, and did not find anything about my ISP (RCN) blocking ports other than 25.

  • Port mapping in Time Machine

    I cannot see where in Time Machine I can set port mapping. There should be a drop down box for set up service. I'm trying to access Echolink.

    I cannot see where in Time Machine I can set port mapping.
    Time Machine is software to back up your Mac to a hard drive.  Won't be anything about port mapping there.
    Maybe you meant to ask about a Time Capsule?  If yes, Port Mapping is set up using AirPort Utility on your Mac. It is located as follows: Finder > Applications > Utilities > AirPort Utility.
    Hold down the option key on your Mac while you double click on the picture of the Time Capsule
    Click the Network tab
    IF.....the Time Capsule has been configured to provide DHCP and NAT service for the network, you will see the Port Mapping Setup there.
    IF....the Time Capsule has been setup to work with your modem/router in Bridge Mode, the Port Mapping settings are greyed out and cannot be accessed. Port Mapping service must be set up on your modem/router.....not on the Time Capsule.
    For more information about Port Mapping Basics, see this excellent User Tip from forum expert Tesserax:
    AirPort - Port Mapping Basics using AirPort Utility v6.x

  • Trying to port map but there's a hitch

    Hello all,
    I would like to set up a port map so I might be able to tunnel in to my Mac from work. Simple to do with the AEBS but here's the rub:
    One, my AEBS is set up in bridge mode and the Airport Utility pane allowing for port mapping is not visible.
    Two, the main router to which I have it connected is a DLINK DIR-655 using a DHCP range of IPs for our apartment's various devices and other friends who bring over their odd techbits. I know in order to have a successful and secure SSH/VNC connection (my ultimate goal) I need to establish a static IP for my MAChine.
    Three, my roommate is not exactly forthcoming with the settings or the password for the router admin login so getting access to try different settings is to put it mildly, difficult.
    With the vast volume of knowledge out there, what might be a solution for how to set this up?
    Also, I am using both the VNC Viewer and iSSH apps for the iPod/iPhone to remote in. So anyone with knowledge of these might help illuminate what I need to do in order to get it working is also appreciated.

    Ok so should I gain access to the main router, what would the settings look like?
    I suggest that you download yourself a copy of the User Manual for this particular router directly from D-Link's web site. I found the manual here: D-Link Xtreme N Gigabit Router
    Port Forwarding is described, starting on page 31.
    Is it true SSH traffic is looked for on 22?
    Yes, for both UDP & TCP. (ref: List of TCP and UDP port numbers)
    The issue for me then is mixing dynamic and static IPs. Is it possible to establish a range of DHCP IPs for other machines (and there are many) and a static IP for my MAChine?
    Yes. Like the AEBS, this particular D-Link router has the ability to make DHCP Reservations. (ref: pg 26) You would use this feature to assign a "static" IP address that will be provided to your device by the router's DHCP server.
    With the AEBS being supplied its own dynamic IP right now, I would have to change that as well in order for this to work.
    You should also be able to use the DHCP Reservation feature to assign a static IP address to the AEBS.
