New Customer Experience with Port Forwarding
OK, so my OpenReach Modem and HomeHub 3 were installed last week and all seemed OK at first.
A bit of background:
I'm a seasoned IT guy and have a nice network set up at home that caters for my needs (most of the time).
Without going into too much detail, I have my own DHCP/DNS server and I run a Webserver for personal use.
I have Virgin Broadband - which works most of the time.
I've also just had BT Infinity installed so I should always have Internet access no matter which ISP is having issues.
I was hoping to be able to access my webserver externally from either my BT or Virgin. I didn't think this would be an issue.
It still all works fine through my Virgin connection. I use dynamic DNS (no-ip.org) to get to my server.
On the Virgin Superhub - I have DHCP switched off and all my machines (except one at the moment) get the Virgin router assigned as the Internet gateway (via my own DHCP server).
My test machine gets the BT HomeHub 3 assigned as the Internet gateway (also from my own DHCP server) and I have switched off DHCP on the Home Hub.
Before I move onto my issue, I have to say that the above network setup works flawlessly.
The Virgin Router is on 192.168.0.1, The Home Hub is on 192.168.0.2. (subnet 255.255.255.0)
They are on the same network but because DHCP is switched off on both routers - everything is happy.
I can access my Server from the Internet via my no-ip.org address and it all works great.
The issue:
I thought it would be relatively simple to configure the BT Home Hub 3 to access my server from the Internet.
Hmmm. Port Forwarding seems to be the issue. It just doesn't work reliably enough. Sometimes it works, then sometimes it stops working. Right now it's not working.
At first I thought it was just me, not configuring it correctly. But no.
Then I started reading this forum and found there are reports of issues with port forwarding going back a year.
I don't know if that's a good or bad thing - an issue running that long must be on the verge of getting fixed, right?
Or any issue running that long without resolution probably has no simple resolution or just isn't a priority (for BT) maybe.
My Question:
(and I think I already know the answer)
Has anyone got a sure fire way of configuring the HomeHub3 so the port forwarding works?
Or should I just throw in the towel now and buy a Dual Wan Router?
One last note:
This morning my Infinity Broadband Speed dropped from
38Mb down/6Mb Up (measured several times yesterday)
to
0.7Mb down/0.3Mb Up (yes those decimal points are in the right place)
And I haven't got a clue why.
I power cycled the HomeHub and it returned to normal. Does this happen to other people?
Cheers
Graeme.
Graeme
Bullitt wrote:
the port on your network is defined by lan ip address and port number eg 192.168.1.10:80
you cannot forward this outbound port twice
There is no "port on my network". A port is associated with an IP address, not a network.
My webserver listens on port 80 - requests from the Internet for http are port forwarded by the router (either BT Homehub or Virgin Superhub) to port 80 at address 192.168.0.5 (in my case).
If I am trying to access my webserver from the Internet, I point my browser at the WAN IP address of my router (again it doesn't matter which one - BT or Virgin) and the router port forwards the request to my Webserver. Each router can do this independently.
"you cannot forward this outbound port twice"
As explained above - It's an inbound port not an outbound port.
I appreciate you are trying to be helpful but just telling me something is not possible without explaining why it's not possible doesn't really help me.
As I said before, this was working fine, then it stopped working but only when trying to access my webserver via the BT Router. It still works fine from my Virgin Router. I used WireShark and port mirroring on my switch to prove that the Home Hub has stopped port forwarding inbound traffic to my webserver.
This is a problem with port forwarding on the Homehub, not my network setup. Looking at other posts on this forum - I'd suggest I'm not the only one having problems.
To be honest, it's the least of my problems with the HomeHub right now. I'm far more concerned with the fact that twice today I've had to power cycle it because the throughput has dropped from 38Mbit-down/6Mbit-up to <1Mbit-down/<1Mbit-up. It's a known problem, BT are working on it, yet I still am paying full price for a product that should never have made it out of Beta test.
Graeme
Similar Messages
-
Problem with Port Forwarding (when PPTP is up) in WRT-160N
Hi, everybody!
I'm looking for some help with Port Forwarding in my new router from Linksys. I've bought the router a few days ago, and was badly surprised when I found out that DD-WRT firmware is installed in it (the router was 100% NEW when I've purchased it). I have downloaded the latest original Linksys firmware file and successfully flashed it.
But I still have a problem (same I had on DD-WRT firmware too) with port forwarding for my DC++ and Vuze (app for torrents): I've written port forward for ports 49151 (for Vuze) and 4000 (for DC++) to be forwarded to my desktop computer (IP 192.168.1.201) -- I've seen a post at this forum, that there could be a problem, if you forward to an IP, which is inside DHCP local zone, so I've forwarded it to .201 IP (my local DHCP zone is 192.168.1.100 - .149). But forwarding doesn't work ((
What's wrong?
My configuration:
Router IP: 192.168.1.1
PPTP (I've got it from my ISP)
IP address: 192.168.226.127
Default Gateway: 192.168.226.2
DNS 1: 192.168.1.1
DNS 2 & 3: 0.0.0.0
PPTP Server IP Address: 192.168.226.2
Username: ****
Password: ****
Single Port Forwarding:
Application name | External port | Internal port | Protocol | To IP address | Enabled
Vuze | 49151 | 49151 | Both | 192.168.1.201 | Checked
DC | 4000 | 4000 | Both | 192.168.1.201 | Checked
As you have mentioned in your post that your ISP has provided you a PPTP connection with an IP address: 192.x.x.x. The IP address which is provided to you by your ISP is in a Private Range, and if you try to forward any ports on your router it will not work, as your ISP modem will block that port. So you need to get a Public IP address from your ISP.
As you are getting Private IP from your ISP, so this connection is called as NAT behind NAT, and your Modem is acting like a Router.
So now you have 2 options, get the Public IP address from your ISP or change the connection type. -
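A check for the NAT-behind-NAT condition described in this answer, written as an added example that is not part of the original thread: it classifies the router's WAN address and validates the forward table against the LAN and DHCP pool. The function names are hypothetical, the addresses and rules are the ones quoted in the post, and the /24 LAN mask is an assumption.

```python
import ipaddress

# Address blocks that are never routed on the public Internet.
NON_PUBLIC_BLOCKS = {
    "RFC 1918 private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "RFC 6598 carrier-grade NAT": ["100.64.0.0/10"],
    "link-local": ["169.254.0.0/16"],
    "loopback": ["127.0.0.0/8"],
}


def classify_wan(wan_ip):
    """Return the name of the non-public block holding wan_ip, or 'public'."""
    addr = ipaddress.ip_address(wan_ip)
    for label, blocks in NON_PUBLIC_BLOCKS.items():
        if any(addr in ipaddress.ip_network(block) for block in blocks):
            return label
    return "public"


def check_forwards(wan_ip, lan_cidr, dhcp_pool, forwards):
    """Return a list of findings for a router's port-forward table.

    dhcp_pool is (first_ip, last_ip); forwards is a list of
    (name, external_port, internal_port, protocol, target_ip) tuples,
    where protocol is "TCP", "UDP" or "Both".
    """
    findings = []
    wan_class = classify_wan(wan_ip)
    if wan_class != "public":
        findings.append(
            f"WAN address {wan_ip} is {wan_class}: an upstream device is doing "
            "NAT, so forwards on this router are unreachable from the Internet"
        )

    lan = ipaddress.ip_network(lan_cidr)
    pool_lo, pool_hi = (ipaddress.ip_address(a) for a in dhcp_pool)
    claimed = {}  # (protocol, external port) -> name of the rule that owns it

    for name, ext_port, int_port, proto, target in forwards:
        for port in (ext_port, int_port):
            if not 1 <= port <= 65535:
                findings.append(f"{name}: port {port} is out of range")

        target_ip = ipaddress.ip_address(target)
        if target_ip not in lan:
            findings.append(f"{name}: target {target} is outside LAN {lan_cidr}")
        elif pool_lo <= target_ip <= pool_hi:
            findings.append(
                f"{name}: target {target} is inside the DHCP pool and may be "
                "leased to a different host"
            )

        protos = ("tcp", "udp") if proto.lower() == "both" else (proto.lower(),)
        for p in protos:
            owner = claimed.setdefault((p, ext_port), name)
            if owner != name:
                findings.append(
                    f"{name}: external {p}/{ext_port} is already forwarded by {owner}"
                )
    return findings


# Values quoted in the post; the /24 mask is an assumption.
POST_WAN = "192.168.226.127"
POST_LAN = "192.168.1.0/24"
POST_POOL = ("192.168.1.100", "192.168.1.149")
POST_FORWARDS = [
    ("Vuze", 49151, 49151, "Both", "192.168.1.201"),
    ("DC", 4000, 4000, "Both", "192.168.1.201"),
]

if __name__ == "__main__":
    for finding in check_forwards(POST_WAN, POST_LAN, POST_POOL, POST_FORWARDS):
        print(finding)
```

Run against the post's settings, the only finding is the private WAN address: the forward rules themselves are consistent with the LAN and sit outside the DHCP pool.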
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa to my mail server.
my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
When I run a trace I get "(ACL-Drop) - flow is denied by configured rule"
below is my config file , any help would be appreciated
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: end
Hi Jennifer
I have removed that nat line as suggested but still no joy.
here is my current config
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
also here is the packet trace
and my acl
Thanks -
LRT214 Accessing Web Services with Port Forwarding & Port Translation
Good afternoon to all,
Purchased the LRT214 yesterday afternoon and it was a breeze to configure the internet settings and get back online. But after the initial configuration, I ran into some trouble getting the router to do port translation together with port forwarding.
The port forwarding setup is straightforward and works perfectly, the same cannot be said for the port translation which does not seem to work. I programmed the following,
1) external port 88 forwarded to internal port 80 for 192.169.1.12
2) external port 89 forwarded to internal port 80 for 192.169.1.13
Can someone point me in the correct direction to achieve the above?
Router Model : LRT214
Firmware Revision : 1.0.2.06
Working Mode : Gateway
Port Address Translation => Service Management
Add two Services for the port translations and then add the translations to the list. Let us know if you get any errors.
Linksys
Communities Technical Support -
Problem with Port Forwarding in WRT320N
Good day.
I have a web-server and Internet-radio translator to local network of my provider. And I found a problem with Port Forwarding. I'm trying to setup 80 & 8000 ports to forward. And it's working but only for Internet, without provider's local network. My web-server isn't accessible in local network and radio-translator too.
So is it possible to forward ports absolutely - for any type of connections?
P.S. DMZ is working like Port Forwarding.
If you ask questions you have to mention that you have a PPTP connection to the internet and another network directly on the internet port. Otherwise no one will really understand your question as it is a very unusual setup.
Your setup is not one really supported by the router. You are lucky that it works but don't expect too much. Port forwarding only the internet connection. If you use PPTP the network on the internet port is basically hidden. Using that local network on the internet port is not supported.
The DMZ host is the IP address to which all ports are forwarded to which are not forwarded otherwise. The same restriction applies here.
I would recommend to ask your ISP which router they recommend for their internet connection. I think most/all Linksys routers and many other brand's consumer routers won't really support a setup like yours... -
Problems with Port Forwarding for RDP in WebVPN
Hi,
I'm hoping somebody can help me solve this problem that's been bugging for weeks. We recently implemented a double-layer firewall architecture. Before that, our users can access RDP via port forwarding on WebVPN or the Cisco VPN client without any problems.
After we implemented the double-layer firewall architecture, users who are going through the WebVPN and port forwarding for RDP began to experience frequent disconnections, slowness or freezing connections. The users who are using the client are fine.
I checked the logs and I'm getting repetitive TCP-O for the port forwarding connections for RDP. Additional information: the FW we installed as a 2nd layer is Netscreen. I've already set the policy on it to Any-Any for the meantime to help in troubleshooting but to no avail.
I hope somebody can help me in sorting this out as I'm kind of confused on the difference between the port-forwarding for RDP via the WebVPN and the normal RDP via the client.
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
Help please, with port forwarding settings
I have an MSI RG60 wireless router (Ethernet hard wired to my XP Home PC) and don't know what settings to use for port forwarding, to enable my WinMX and BitTorrent clients to work successfully.
I have the port numbers, and assume that this information goes in the Service Port box, i.e. 6699, or 6881-6889.
I know which ports are TCP and which are UDP, but I don't know what IP address to enter or which Common Service Port type to choose. Can anyone help please?
I'm pretty sure that other settings in my PC are OK as I have successfully been running a Belkin router for a couple of years, and have only replaced it with the new MSI unit due to reliability problems.
It does indeed have port triggering, but it wants incoming and trigger port protocol info, along with trigger and incoming port numbers.
How can I type ipconfig into either of the clients...WinMx or Bit Torrent? -
Continued issues with Port Forwarding/Matchmaking ...
I am at a loss. I am one step away from cancelling with BT. Please, if someone can provide simple, step by step instructions, that would be great...
I have a new Home Hub 5 (type a), as apparently the last was faulty and kept dropping out around peak time. I initially set up port forwarding for my Xbox360 and placed the Xbox One in the DMZ. For the most part, things worked, but now, I am unable to maintain a solid connection, even with this awful excuse for Fibre Optic.
I have reset the hub. Restored to factory settings. I have assigned static IP's. Placed devices in the DMZ. Followed all steps provided from the many sources available. I am still getting a "Matchmaking" service error on the 360, and my Xbox One continually changes its NAT type from moderate to open, leaving me to run the checks each time I want to start a game online, instead of just booting up the console and playing without concern.
I have just cleared all my settings for port forwarding, and when I try to set it up again, I can't due to "Conflicts", which don't exist. Even after factory resetting the Hub.
Please. Can someone help me before I throw all this in the bin and cancel with BT. I am exhausted with it all and am getting nowhere.
How do I clear all the settings so I can assign ports without "conflicts".
Why am I getting matchmaking service errors on Xbox360 when there are no issues on Xbox's end.
What am I missing?
The TP Link TD-W9980 and Billion 8800nl are popular at the cheaper end (£65ish) or there are the ASUS DSL AC68U Billion8800AXL and Netgear D6400 in the pricier (£150ish) range. Personally I have the TP-Link. The downside to the Billion 8800nl is lack of 5GHz wireless.
-
Help with port forwarding to application
Help needed to Port Forward on to my PS3.
I need to forward the following ports:
UDP: 3074; 3659; 6000
TCP: 80; 443; 3659; 10000 - 10099; 42127
Have previously given the PS3 a static IP, set the port forwarding rules and then forwarded to the IP address, but it appears the ports have not opened as expected.
Help Keith
I can only see one image which just shows the application mapping, but no indication as to whether you had clicked the "apply" button.
Why are you forwarding ports 80 and 443, are you running a webserver on the PS3, as those ports are used for web serving.
As a matter of interest, your port 80 is showing as open at the moment, so is the PS3 turned on, or is port 80 mapped to something else instead?
What I would like you to do is to start from the beginning, with just the single TCP port number 3659 assigned to the PS3.
It will mean removing the other assignments, but it will make things a bit easier.
If you could do that please, and then we can do some tests.
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones. -
Trouble with port forwarding, DHCP, VUZE, and downloading speed.
I am using Vuze to download things. I have a slow download speed and yellow smiley face, indicating a NAT problem. I think I need to implement a port forwarding, but that requires a static IP address. My router and security is set up such that I CANNOT connect to the internet using a manual configuration--DHCP only. However, I always have the same IP address. This is because the wireless router--a Motorola SB900--will only recognize approved computers designated by the IP address.
Can anyone advise on what to do next?
Enmnm wrote:
I am using Vuze to download things. I have a slow download speed and yellow smiley face, indicating a NAT problem.
Here are two links that will rate your connection.
http://www.speedtest.net/
http://www.pingtest.net/
You can try downloading directly from the terminal to see how fast one file downloads.
Macintosh-HD -> Applications -> Utilities -> Terminal
mac $ mkdir test
mac $ cd test
mac $ curl "http://www.apple.com" >see
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 11292 100 11292 0 0 22628 0 --:--:-- --:--:-- --:--:-- 62623
mac $ cat see
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-us" lang="en-US">
<head>
... clipped ...
I think I need to implement a port forwarding, but that requires a static IP address. My router and security is set up such that I CANNOT connect to the internet using a manual configuration--DHCP only.
You are dealing with two networks. There is a network between your computer and your router. There is a second network between your router and your ISP.
Port-forwarding is from your router to your computer.
http://www.portforward.com/english/routers/port_forwarding/Motorola/SBG900/Azure us.htm
However, I always have the same IP address. This is because the wireless router--a Motorola SB900--will only recognize approved computers designated by the IP address.
Can anyone advise on what to do next?
You need to set Port-forwarding between your computer and your router. You will need a fixed IP address on your computer. There are two ways of doing this. You can set up a static IP address on your computer. A hack would be to add 10 or 20 to your IP address that your router gives out. For example if your router gives out 192.168.1.10 you would add 10 to the ten giving 192.168.1.20. You need to make the addition to the right most number, which in the example is ten.
The second way is . . . You can have your router assign a fixed address based on your MAC address. ( Each Internet device has a fixed address that is called the MAC address. This is a different address than your IP address. The MAC address is assigned in the factory. )
Another hack would be to Port-forward to the number your router assigned at random. If your Computer is the only computer on the router, the number should always be the same. It is a hack because this is not guaranteed. -
Problem with Port Forwarding - Password.
Hello,
I have a LINKSYS router, model BEFW11S4 v4 and its firmware is version 1.52.02
My problem is that neither can I do Port Forwarding nor Port Triggering, because when I make the changes I need and press "Save Changes", it asks me for the username and password again. I write them again, but this time it does not accept them.
I have tested it with 2 laptops connected to the router wired the first time and wireless other times.
What should I do?
Thank you in advance.
Normally, you cannot "see your modem" in your network. This is because a modem does not have an IP address. A modem simply converts one signal (ADSL, DSL, or cable) into another signal which is an ethernet signal.
However, some devices that people call "modems" are actually "modem-routers". In this case your "modem-router" probably does have an IP address. If your system is set up correctly, you can "see" a "modem-router" that has an IP address, but it is not part of your LAN (local area network). It is on a another subnet.
The ethernet port of the modem should be wired to the "Internet" port on the BEFW11S4. Do not connect the modem to any other port on the router.
Maybe we need to back up a step or two here. I have always assumed that you were able to get a properly working wired Internet connection through your BEFW11S4. Is that correct?
What is the make and model of your modem?
Who is your ISP?
Also, when you set up your router, leave the username blank. Do not try to add a user name. Change the password to something unique. Do not use the password default "admin" (with no quotes).
Since you are still having problems, please use the following protocol to reset your router to factory defaults:
1) Power down all computers, the router, and the modem, and unplug them from the wall.
2) Disconnect all wires from the router.
3) Power up the router and allow it to fully boot (1-2 minutes).
4) Press and hold the reset button for 30 seconds, then release it, then let the router reset and reboot (2-3 minutes).
5) Power down the router.
6) Connect one computer by wire to port 1 on the router (NOT to the internet port).
7) Power up the router and allow it to fully boot (1-2 minutes).
8) Power up the computer (if the computer has a wireless card, make sure it is off).
9) Try to ping the router. To do this, click the "Start" button > All Programs > Accessories > Command Prompt. A black DOS box will appear. Enter the following: "ping 192.168.1.1" (no quotes), and hit the Enter key. You will see 3 or 4 lines that start either with "Reply from ... " or "Request timed out." If you see "Reply from ...", your computer has found your router.
10) Open your browser and point it to 192.168.1.1. This will take you to your router's login page. Leave the user name blank, and in the password field, enter "admin" (with no quotes). This will take you to your router setup page. Note the version number of your firmware (usually listed near upper right corner of screen). Exit your browser.
If you get this far without problems, try the setup disk (or setup the router manually, if you prefer), and see if you can get your router setup and working.
If you cannot get "Reply from ..." in step 9 above, your router is dead.
If you get a reply in step 9, but cannot complete step 10, then either your router is dead or the firmware is corrupt. In this case, use the Linksys tftp.exe program to try to reload your router with the latest firmware. After reloading the firmware, repeat the above procedure starting with step 1.
If you have problems, report back the results of steps 9 and 10. Also, if you get any error messages, copy them exactly and report back.
-
Help with port forwarding ASA5505 v8.2
Hi,
Having an issue doing a port translation on an ASA5505 for RDP.
I have a /29 allocated by ISP and when I port forward the address assigned to the outside interface RDP works perfectly, however when I try to use another IP within the /29 range, I get nothing.
I am only new to ASA so please forgive if this is something obvious...
Relevant config is:
interface Vlan1
nameif inside
security-level 100
ip address 10.1.12.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.217 255.255.255.248
access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389
static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group OUTSIDE-IN in interface outside
When I used the outside IP address and it worked perfectly, config difference was only
access-list OUTSIDE-IN extended permit tcp any host X.X.X.217 eq 3389
static (inside,outside) tcp X.X.X.217 3389 10.1.12.10 3389 netmask 255.255.255.255
Any help would be greatly appreciated
Hey Jouni,
Packet capture gave me this output which didn't have any TCP 3389... but had some random UDP ports only?
1: 21:54:55.108377 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.222.222.53: udp 44
2: 21:54:58.751929 802.1Q vlan#2 P0 X.X.X.218.63420 > 208.67.220.220.53: udp 44
3: 21:54:59.492238 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.222.222.53: udp 45
4: 21:55:02.807468 802.1Q vlan#2 P0 X.X.X.218.63207 > 216.239.34.10.53: udp 55
5: 21:55:02.807651 802.1Q vlan#2 P0 X.X.X.218.63976 > 208.67.220.220.53: udp 45
6: 21:55:06.863495 802.1Q vlan#2 P0 X.X.X.218.63414 > 199.253.183.183.53: udp 56
7: 21:55:24.599563 802.1Q vlan#2 P0 X.X.X.218.65039 > 208.67.222.222.53: udp 42
Config is below:
ASA Version 8.2(5)
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
switchport access vlan 3
interface Ethernet0/2
description TO LAN
interface Ethernet0/3
description TO LAN
interface Ethernet0/4
description TO LAN
interface Ethernet0/5
description TO LAN
interface Ethernet0/6
description TO LAN
interface Ethernet0/7
description TO LAN
interface Vlan1
description TO LAN
nameif inside
security-level 100
ip address 10.1.12.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address X.X.X.217 255.255.255.248
interface Vlan3
shutdown
no forward interface Vlan2
nameif backup
security-level 0
ip address X.X.X.42 255.255.255.252
ftp mode passive
dns server-group DefaultDNS
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group icmp-type ICMP
description ICMP types permitted
icmp-object echo
icmp-object echo-reply
icmp-object unreachable
icmp-object time-exceeded
access-list OUTSIDE-IN remark TRAFFIC PERMITTED TO ENTER THE OUTSIDE INTERFACE
access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389
access-list OUTSIDE-IN extended permit icmp any interface outside object-group ICMP
access-list INSIDE-IN remark INSIDE ACCESS
access-list INSIDE-IN extended permit tcp any any
access-list INSIDE-IN extended permit ip any any
access-list INSIDE-IN extended permit icmp any any
access-list BACKUP-IN remark TRAFFIC PERMITTED TO ENTER THE BACKUP INTERFACE
access-list BACKUP-IN extended permit icmp any interface backup object-group ICMP
pager lines 24
logging enable
logging buffered debugging
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu backup 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (backup) 1 interface
nat (inside) 0 access-list NO-NAT
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface backup
route outside 0.0.0.0 0.0.0.0 X.X.X.222 1 track 1
route backup 0.0.0.0 0.0.0.0 X.X.X.41 254
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 1
 type echo protocol ipIcmpEcho X.X.X.X interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp

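An added example (not part of the original post): a short Python audit that joins the `static`, `access-list` and `access-group` lines of the configuration above to list which inside hosts are reachable from any Internet source, and on which port. It assumes the pre-8.3 `static (real_if,mapped_if) mapped_ip real_ip` syntax the post uses; the name `exposed_services` is hypothetical.

```python
import re

# Lines copied from the configuration above (addresses masked as in the post).
CONFIG = """\
access-list OUTSIDE-IN extended permit tcp any host X.X.X.218 eq 3389
access-list OUTSIDE-IN extended permit icmp any interface outside object-group ICMP
access-list BACKUP-IN extended permit icmp any interface backup object-group ICMP
static (inside,outside) X.X.X.218 10.1.12.10 netmask 255.255.255.255
access-group INSIDE-IN in interface inside
access-group OUTSIDE-IN in interface outside
access-group BACKUP-IN in interface backup
"""

# Pre-8.3 ASA syntax (assumed): static (real_if,mapped_if) mapped_ip real_ip
ACL = re.compile(r"^access-list (\S+) extended permit (tcp|udp) any host (\S+) eq (\S+)$")
STATIC = re.compile(r"^static \((\w+),(\w+)\) (\S+) (\S+) netmask 255\.255\.255\.255$")
GROUP = re.compile(r"^access-group (\S+) in interface (\S+)$")


def exposed_services(config):
    """Return (interface, proto, port, mapped_ip, real_ip) for forwards open to any source."""
    acls, statics, bound = [], {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := ACL.match(line):
            acls.append(m.groups())
        elif m := STATIC.match(line):
            _real_if, mapped_if, mapped_ip, real_ip = m.groups()
            statics[(mapped_if, mapped_ip)] = real_ip
        elif m := GROUP.match(line):
            bound[m.group(1)] = m.group(2)
    findings = []
    for name, proto, dest, port in acls:
        iface = bound.get(name)            # an ACL only matters once applied to an interface
        real = statics.get((iface, dest))  # and only if a translation exists on that interface
        if iface and real:
            findings.append((iface, proto, port, dest, real))
    return findings


if __name__ == "__main__":
    for iface, proto, port, mapped, real in exposed_services(CONFIG):
        print(f"{iface}: any -> {mapped}:{port}/{proto} is forwarded to {real}")
```

On this configuration the only finding is TCP 3389 (RDP) to 10.1.12.10 from any source on `outside`; there is no matching `static` or permit on `backup`, so the forward does not exist when the tracked route fails over.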
Help with port forwarding for the WRT54G
I need assistance please!
I am having issues trying to set up port forwarding for FTP. I have already set this up for a SQL Server port and it works remotely. When I set up another rule for FTP using port range 20-21 it does not work.
I have confirmed that I have saved my settings, have the correct IP address, etc. I have firmware version 4.21.1 and am not sure how to troubleshoot this. Any help would be great.
Thanks,
John

Yes, you do need to have the port already forwarded for port 20~21 with both TCP/IP and UDP enabled unless you know for sure your FTP only uses just one of them. That is why I asked what port your SQL was set to. Follow the link that other guy posted and open port 20 and 21 (I only use 21 with no problems) and make sure it is directed to the IP of the FTP host. Also that PC needs to have FTP enabled in Windows. To do that go to your control panel > add/remove software > and on the left side go to add/remove Windows components. Then check the box for FTP and add it. It should ask for your Windows CD, so have it handy when you add the FTP component to your PC.
Richard Aichner (Ikester)

I am running a web and mail server from my home computer. I have port 25 and port 80 set to forward traffic to my webserver. Port 80 works OK, but according to the Linksys log, the Linksys router is blocking port 25. My ISP is not blocking any ports, and I can send mail from my mail server. How can I get the Linksys router to stop blocking incoming port 25?
My router setup is:
linksys befw11s4
port forwarding: 80 to 80, 25 to 25
upnp is enabled
upnp forward smtp 25 tcp to port 25 192.168.X.X
dmz is enabled for the server's ip.

wiles wrote:
I am running a web and mail server from my home computer. I have port 25 and port 80 set to forward traffic to my webserver. Port 80 works OK, but according to the Linksys log, the Linksys router is blocking port 25. My ISP is not blocking any ports, and I can send mail from my mail server. How can I get the Linksys router to stop blocking incoming port 25?
My router setup is:
linksys befw11s4
port forwarding: 80 to 80, 25 to 25
upnp is enabled
upnp forward smtp 25 tcp to port 25 192.168.X.X
dmz is enabled for the server's ip.

First off, DISABLE the DMZ!! That opens ALL ports to your PC; you don't want that.
Second, the fact that you had the PC in the DMZ tells me that the router is not blocking port 25; again, in the DMZ all ports are open.
Disable UPnP; it will just cause problems and you aren't using it anyway.
Go to:
https://www.grc.com/x/ne.dll?bh0bkyd2
Click proceed, enter 25 in the box in the middle, then click user specified custom probe.
Does it show as stealth?

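The open / closed / stealth distinction the reply asks about, as an added Python example that is not part of the original thread: a TCP connect check to run from a machine outside your own network against your own public address, which also reads the greeting so you can confirm that port 25 is answered by the mail server. The function name `probe_tcp` and the state labels are assumptions of this example.

```python
import errno
import socket


def probe_tcp(host, port, timeout=3.0):
    """Return (state, banner) for a TCP port as seen from this vantage point.

    open        - handshake completed (the forward reaches a listening service)
    closed      - connection refused (a device answered with a reset)
    stealth     - no answer before the timeout (packets silently dropped)
    unreachable - an ICMP unreachable came back for the host or network
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        return ("closed", "")
    except socket.timeout:
        return ("stealth", "")
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return ("unreachable", "")
        raise
    else:
        # Servers such as SMTP greet first; a "220 ..." line shows which
        # service the forward actually lands on.
        try:
            banner = sock.recv(256).decode("ascii", "replace").strip()
        except (socket.timeout, ConnectionResetError):
            banner = ""
        return ("open", banner)
    finally:
        sock.close()
```

With the DMZ disabled, a working forward for port 25 should return `open` with a `220` greeting, while a port that is not forwarded should return `stealth` or `closed`.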
Setting up a Time Capsule with port forwarding
Our old AirPort Extreme station hit EOL, so we decided to upgrade it to a Time Capsule. Along the way, we're trying to also set it up with a separate guest network and port forwarding/NAT, however we're having trouble setting it up so that the time capsule is handling the DHCP leases instead of the router. We've got DSL through Verizon through a Westell modem/router to the Time Capsule. Done the RTFM thing, and we haven't been able to get it to work. Can anyone explain how to get things set up properly for this configuration?
however we're having trouble setting it up so that the time capsule is handling the DHCP leases instead of the router.
If you have a router ahead of the Time Capsule, you would want to configure the Time Capsule as a "bridge", using Bridge Mode to allow things to work correctly on your network. You don't want two devices handling DHCP on a home network. This will cause slowdowns and IP address conflicts on your network.
In order for the Time Capsule to act as the DHCP server for your network, you will need to connect it to a simple modem (one port), not another router or gateway with 3-4 ethernet ports.