Port Forwarding & Access List Problems

Similar Messages

• Access-list problem ?

  Hello, I/m having problems getting an access-list to work.With the access-group 104 in i lose my internet connectivity.
  Here's the config. If i remove the access-group 104 in from the gigabitinterface0/0 all works but I want to have the settings on this interface.
  What am I missing ?
  version 15.1
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r01
  boot-start-marker
  boot-end-marker
  logging buffered 15000
  no logging console
  no aaa new-model
  clock timezone CET 1 0
  no ipv6 cef
  ip source-route
  ip cef
  ip dhcp excluded-address 172.17.1.1 172.17.1.30
  ip dhcp excluded-address 172.17.1.240 172.17.1.254
  ip dhcp excluded-address 172.17.3.1 172.17.3.30
  ip dhcp excluded-address 172.17.3.240 172.17.3.254
  ip dhcp pool VLAN1
  network 172.17.1.0 255.255.255.0
  domain-name r1.local
  default-router 172.17.1.254
  dns-server 212.54.40.25 212.54.35.25
  lease 0 1
  ip dhcp pool VLAN100
  network 172.17.3.0 255.255.255.0
  domain-name r1_Guest
  default-router 172.17.3.254
  dns-server 212.54.40.25 212.54.35.25
  lease 0 1
  ip domain name r1.lan
  ip name-server 212.54.40.25
  ip name-server 212.54.35.25
  multilink bundle-name authenticated
  crypto pki token default removal timeout 0
  object-group network temp
  description dummy addresses
  1.1.1.1 255.255.255.0
  2.2.2.2 255.255.255.0
  object-group network vlan1-lan
  172.17.1.0 255.255.255.0
  object-group network vlan100-guest
  172.17.3.0 255.255.255.0
  object-group network ziggo-dns
  host 212.54.40.25
  host 212.54.35.25
  redundancy
  ip ssh version 2
  interface Embedded-Service-Engine0/0
  no ip address
  shutdown
  interface GigabitEthernet0/0
  ip address dhcp
  ip access-group 104 in
  ip nat outside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description r1.local lan
  ip address 172.17.1.254 255.255.255.0
  ip access-group 102 in
  ip nat inside
  ip virtual-reassembly in
  duplex auto
  speed auto
  interface GigabitEthernet0/1.1
  description Vlan100 r1_Guest
  encapsulation dot1Q 100
  ip address 172.17.3.254 255.255.255.0
  ip access-group 103 in
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  no cdp enable
  ip forward-protocol nd
  no ip http server
  no ip http secure-server
  ip dns server
  ip nat inside source list 101 interface GigabitEthernet0/0 overload
  ip route 172.17.2.0 255.255.255.0 172.17.1.253
  access-list 23 permit 172.17.1.0 0.0.0.255
  access-list 101 permit ip any any
  access-list 102 deny ip any object-group vlan100-guest
  access-list 102 permit ip any any log
  access-list 103 deny ip any object-group vlan1-lan
  access-list 103 permit ip any any
  access-list 104 permit tcp any any eq 22
  access-list 104 permit udp any any eq snmp
  access-list 104 permit icmp any any time-exceeded
  access-list 104 permit icmp any any echo-reply
  access-list 104 permit icmp object-group temp any echo
  access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
  access-list 104 deny ip any any log
  no cdp run
  control-plane
  line con 0
  login local
  line aux 0
  line 2
  login local
  no activation-character
  no exec
  transport preferred none
  transport input ssh
  transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
  stopbits 1
  line vty 0 4
  access-class 23 in
  login local
  transport input ssh
  scheduler allocate 20000 1000
  end

  Hello,
  I applied the rules and that works.
  Only thing i have now.
  Reboot router.
  Interface 0/0 gets no dhcp address from isp.
  I have to remove the 104 in from int 0/0
  Then Router logs : %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01
  Int0/0 gets dhcp ip address, next i apply the acl 104 in to int 0/0 and all works until the next reboot.
  Maybe i have to put in a static ip address on int0/0 ?
  Thanks for your help !

• Two VLAN's port forwarding to one, problem

  Hi all
  This is my first ever Cisco router for forgive me, if this is a simple matter, but I have spent the entire weekend trying to figure this out - with no luck.
  My employer has provided me with a Cisco 871W router for my homeoffice.
  The router is pre-configured with two VLANs and BVIs; VLAN1 (BVI1) and VLAN2 (BVI2) for home and office connection on two different subnets (192.168.1.0 and 192.168.0.0).
  My office connection is secured with IPSec or something similar - I have not that much insight in that aspect.
  The configuration works for normal internet access (www, mail etc) on both networks, and the tunneling to my workplace works fint too.
  My problem is that I would like to open up some ports for gaming etc. on the "home"-part of the configuration, but I cannot seems to get that to work.
  The attached configuration is my current running configuration, which contains some of my trials on getting this to work, so it might look a bit odd.
  If anyone could help me, I would appreciate it.
  Regards
  Jesper Lauridsen

  Hi,
  By the looks of it, you have an extended access list called 'outside_access_in' applied to your outside interface fa4.
  You would have to add a rule to this access list allowing the port in question.
  You would then need a static NAT entry that would map the port to the internal host.
  For instance, if you had a rule to allow port 80 like this:
  permit tcp any any eq www
  You would also need a NAT entry like this:
  ip nat inside source static tcp 192.168.0.10 80 interface FastEthernet4 80
  Assuming that 192.168.0.10 was the client PC.

• Need help for access list problem

  Cisco 2901 ISR
  I need help for my configuration.... although it is working fine but it is not secured cause everybody can access the internet
  I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
  Anybody can help?
           DENY       10.25.0.1 – 10.25.0.255
                            10.25.1.1 – 10.25.1.255
  Permit only 1 host for Internet
                  10.25.7.136  255.255.255.192 ------ TMG Server
  Using access-list.
  ( Current configuration  )
  object-group network IP
  description Block_IP
  range 10.25.0.2 10.25.0.255
  range 10.25.1.2 10.25.1.255
  interface GigabitEthernet0/0
  ip address 192.168.2.3 255.255.255.0
  ip nat inside
  ip virtual-reassembly in max-fragments 64 max-reassemblies 256
  duplex auto
  speed auto
  interface GigabitEthernet0/1
  description ### ADSL WAN Interface ###
  no ip address
  pppoe enable group global
  pppoe-client dial-pool-number 1
  interface ATM0/0/0
  no ip address
  no atm ilmi-keepalive
  interface Dialer1
  description ### ADSL WAN Dialer ###
  ip address negotiated
  ip mtu 1492
  ip nat outside
  no ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication pap callin
  ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
  ip nat inside source list 101 interface Dialer1 overload
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip route 10.25.0.0 255.255.0.0 192.168.2.1
  access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  access-list 105 deny   ip object-group IP any
  From the 4500 Catalyst switch
  ( Current Configuration )
  interface GigabitEthernet0/48
  no switchport
  ip address 192.168.2.1 255.255.255.0 interface GigabitEthernet2/42
  ip route 0.0.0.0 0.0.0.0 192.168.2.3

  Hello,
  Host will can't get internet connection
  I remove this configuration......         access-list 101 permit ip 10.25.0.0 0.0.255.255 any
  and change the configuration ....      ip access-list extended 101
                                                              5 permit ip host 10.25.7.136 any
  In this case I will allow only host 10.25.7.136 but it isn't work.
  No internet connection from the TMG Server.

• Port forwarding problems with WRT610N v2 + WAG54GS v1.0

  Background:
  I have a WAG54GS v1.0 (Annex A) which I was using to handle my home network and my ADSL connection. I bought a WRT610N v2 (which I'll refer to as the router) with the intention that it would replace the networking duties of the WAG54GS (which I'll call the modem), which would be relegated to just handling the Internet connection. Both are running their latest firmware.
  I've gotten this configuration to work, but with one problem: I've lost a lot of flexibility in regard to port forwarding. The problem is that the only way I've managed to get the Internet to work is by having the router on 192.168.0.1, and the modem on 192.168.1.1. If I try and have both on 192.168.0.x or 192.168.1.x then connecting to the Internet no longer works under any configuration of options I've tried.
  What this means is that when I go to setup port forwarding in the modem, I can only forwards to clients on 192.168.1.x, but the router can only forward to 192.168.0.x. The only things I can get to work are situations where port range triggering can be applied, so only when a connection is made on the relevant port to an external IP, and then that external IP also communicates back on that port. As you may guess this doesn't nearly cover all cases.
  Question:
  Should it be be possible to have both router and modem on either 192.168.0.x or 192.168.1.x, which would allow port forwarding to work as expected. That should have in theory been possible with the modem's bridge mode except that it's then impossible to configure the PPPoA settings necessary to connect to my ISP.
  Or am I going to have to rethink the network layout (i.e. buy a dedicated ADSL modem and fully retire my WAG54GS?)
  Solved!
  Go to Solution.

  Actually in the end what I figured out was that as far as my WRT610N was concerned my WAG54GS was my ISP, and that was all it needed to know about the Internet connection. So I set it to connect to the WAG54GS with a static IP, stuck that IP into the WAG54GS's DMZ, and left the WRT610N to handle port forwarding as all devices that connect will do so through that. (Yes, I've disabled the wireless features of the WAG54GS)
  I'm reasonably sure I tried the combination of settings you've suggested (including moving the WAG54GS off the Internet port of the WRT610N, which I would have wanted to avoid anyway as I have four permanently connected devices anyway) and found it still wouldn't work. And I wasn't trying to set both to 192.168.1.1 at any point, my self-obscured point was that changing only the last block of the IP address failed to work for accessing the Internet.

• Port forwarding for the rest of us?

  Hi all,
  I've been reading this forum for a couple of weeks now trying to find a way to get two Macs to do iChat video.
  1st setup is a G5 MP2.0, 10.4.7, iChat 3.1.5, iSight, Belkin 8230-4 router.
  2nd setup is iMac intel 20", 10.4.7, iChat 3.1.X, builtin camera, Airport Extreme router.
  Both are on 1.5+ broadband, Belkin has a static IP coming into the router, with the G5 connected using DHCP with manual address. Airport has cable modem DHCP in, with DHCP/NAT turned on. Apple firewall is OFF on both.
  Initial tries yielded the dreaded -8 error. I reset Quicktime streaming, iChat bandwidth prefs as suggested and tried forwarding ports on both setups, per the portforward.com recs for iChat.
  The Intel iMac is now able to see/hear the ads on the auto chat test from appleu3test01 just fine, but we're still getting -8 when trying to connect to the G5/Belkin.
  Besides the six initial ports for iChat (portforward.com) have now tried a shotgun approach by adding ports suggested from various sites/forums. This setup has achieved at least an error free connection with the auto testers, however the intermittent blocky video and choppy sound is not much better. Screen grab of blocky video with the 20 forwards currently set on the Belkin.
  http://www.hamishthewelshie.com/ports.jpg
  I'm looking for help sorting this mess out. What am I doing wrong here?
  Thanks in advance for any help.
  PMcK
  P.S. I was going to post my first ever anti-apple rant... if only just to feel better but, what's that? oh okay...
  <rant> Dear Steve, Even tho I have been using Macs since the 512, I am one of those artsy fartsy Mac users who doesn't really want to know what is under the hood. Admittedly, I am newbie at all this router port stuff, but the fact that lots of people seem to be having this same problem is ridiculous IMHO. Even the Yahoo and Skype Beta video ran the first time we tried it, not great quality, but it was a no brainer setup and it just works... exactly what we've come to expect from Apple. If these johnny come latelys can do it this simply, why can't my fruitbox company of choice get their own ***** sorted out? </rant> Sorry Steve.
  G5-2.0MP   Mac OS X (10.4.7)  

  Hi PMck,
  This device can do Port Triggering even if it can not do UPnP.
  At present the Port Forward site list their own PC app to help.
  The method though is here
  Ignor the pics and info on the brown and orange pics.
  Set the first trigger as port 5678 on UDP.
  Set these ports in the next text field
  5060,5678,16384-16403 (no spaces and only commas and dashes inbetween) Set the protocol for these as UDP as well
  Set a new line for trigger 5190 on TCP
  Set the next text field as just 5190 and TCP again
  Repeat the line above but for UDP at both points
  If using Jabber at all:
  Set a trigger of 5222 on TCP and ports 5220,5222 on TCP
  (if using GoogleTalk make that 5223 on TCP and list 5220,5222,5223 on TCP)
  Bonjour needs four single lines (trigger and just one port in the list field)
  5297 on UDP 5297 on UDP
  5298 on UDP 5298 on UDP
  Repeat for TCP for 5298
  5353 on UDP 5353 on UDP
  As this is a NAT method of opening the ports the Airport will need "Distributing Addressing" turned Off in the Aipor Admin Utlity > Network tab This will make the Airport just an access point and the Belkin will address the whole Lan then.
  Thios will allow multiple copmuters to access the same ports for iChat at the same time. The Belkin can be left doing DHCP. (Or be set to Static to the LAN)
  Turning Off DHCP in the Airport (Distributing Addresses) will avoid any Double NAT and Double DHCP that seems to be going on at the moment.
  10:12 PM Tuesday; August 1, 2006

• Messages port forwarding Telstra cable modem

  Anyone know how to get Messages video chat to work with the new "BigPond Ultimate Cable Home Network Gateway". It's the Netgear CG3100D-2BPAUS.
  Messages worked just fine using the old Motorola cable modem but stopped with the new one.  I've tried setting up port forwarding as per:
  http://support.apple.com/kb/HT1507
  and: http://portforward.com/networking/static-Mac10.4.htm
  but no luck.
  Thanks

  HI,
  Does this device (and the firmware on it) have UPnP ?
  UPnP allows multiple devices use the same ports (Port Forwarding does not)
  This means you can leave the modem/router doing DHCP to Issue IP addresses  and it will not matter if the computer gets a new IP now and then.
  In a one computer set up it is likely to always get the same IP when you start it up.
  1) because you probably restart it before the lease time runs out
  2) because there is nothing else to "take" the number.
  However with Smart Phones, Games Consoles and multiple computers you may find that with out setting up IP address that don't change, either by Static routing or Address reservation that computers (And other devices) will swap IP addresses and set ups like Port Forwarding will not work - they tend to list which IP to send stuff to.
  The Port Forward  site lists only a CG3100 (plain, no suffixes)
  Presumably you have used the info on the Port Forwarding bit to learn the access User ID and Password.
  I linked to the AIM talk set up (Portforward.com > Chose Brand > Chose Model > dismiss advert page > chose App > set up instructions)
  Using the link at the bottom to see the Router's screen Shots I went to the Basic set up one
  http://screenshots.portforward.com/routers/Netgear/CG3100/Basic_Settings.htm
  Near the bottom of the menu is UPnP
  On most Netgears it is enabled by default.  Specific Screen Shot.
  On some devices setting up Port Forwarding or Port Triggering and having UPnP on can cause conflicts.
  UPnP is needed for Screen Sharing in Messages or iChat.
  9:31 PM      Tuesday; July 16, 2013
    iMac 2.5Ghz 5i 2011 (Mountain Lion 10.8.4)
   G4/1GhzDual MDD (Leopard 10.5.8)
   MacBookPro 2Gb (Snow Leopard 10.6.8)
   Mac OS X (10.6.8),
   Couple of iPhones and an iPad
  "Limit the Logs to the Bits above Binary Images."  No, Seriously

• Home Hub 3 Port Forwarding (NOT)

  Hello World
  Ok recived the New Home Hub 3 today, ahead of my Infinity install.
  I thought ok lets replace Trusty Home Hub 2 with the 3 as it works both on Std ADSL and Infinity
  Super Quick UI and love the GIG port BUT and its a BIGGY (well for ME) !
  THe hub is running 4.7.5.1.83.8.48 (TypeA) lastest and greatest, Upnp does work so Xbox works no prob and it can be seen in the FW Log being setup 
  BUT if you configure port forwarding by hand ie HTTP to 192.168.0.2 DOESNT WORK !!!
  I tried using a connected device to forward to and just the IP address BOTH FAIL !
  roll back in trusty Hub2 and all work again !
  Phoned in and was told after a few minutes on hold (No Problem) to roll back to Home Hub 2 and there should be a Firmware upgrade for the 3 soon to fix this issue.
  So now you know if you try it and it doesnt work
  Giz
  Solved!
  Go to Solution.

  Similar situation here.
  I received HomeHub 3 this week. Overall, I am pretty satisfied with the new router. The local networking feels quicker due to the gigabit port (connected to gigabit switch). And the wifi reception is better probably due to the intelligent channel selection.
  Similarly, I tried to replicate settings from my old HomeHub 2. I wasn't able to setup port forwarding.
  The problem is the router in inaccessible using the external IP address.
  I contacted BT Broadband Help desk. I spoke to 2 operators. First told me he would investigate and call me back. Never did. Second told me they were untrained to deal with this sort of queries and suggested speaking to the BT Subscription help line.
  So, now I know thanks to you. Waiting anxiously for the patch. Hope it will be out soon.
  Slava

• Connections drops with port forwarding

  I have a WRT54G v.5 and I recently just set up port forwarding. The problem is that my internet connection drops between every 10 minutes to once an hour. Once I disable port forwarding, the connection works perfectly. Any ideas?

  Make sure your router has the latest firmware installed. 
  Richard Aichner (Ikester)

• HELP!! asa 5505 8.4(5) problem with port forwarding-smtp

  Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa  to my mail server.
  my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
  When I run a trace i get "(ACL-Drop) - flow is deied by configured rule"
  below is my config file , any help would be appreciated
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(5)
  hostname ciscoasa
  domain-name domain.local
  enable password mXa5sNUu4rCZ.t5y encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ISPDsl
  ip address 80.80.80.80 255.255.255.255 pppoe setroute
  ftp mode passive
  dns server-group DefaultDNS
  domain-name domain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Server_SMTP
  host 10.0.0.2
  access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network obj_any
  nat (inside,outside) dynamic interface
  object network server_SMTP
  nat (inside,outside) static interface service tcp smtp smtp
  nat (inside,outside) after-auto source dynamic any interface
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  vpdn group ISP request dialout pppoe
  vpdn group ISP localname [email protected]
  vpdn group ISP ppp authentication chap
  vpdn username [email protected] password *****
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
  : end

  Hi Jennifer
  I have removed that nat line as suggested but still no joy.
  here is my current config
  Result of the command: "show running-config"
  : Saved
  ASA Version 8.4(5)
  hostname ciscoasa
  domain-name domain.local
  enable password mXa5sNUu4rCZ.t5y encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  interface Ethernet0/3
  interface Ethernet0/4
  interface Ethernet0/5
  interface Ethernet0/6
  interface Ethernet0/7
  interface Vlan1
  nameif inside
  security-level 100
  ip address 10.0.0.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group ISP
  ip address 80.80.80.80 255.255.255.255 pppoe setroute
  ftp mode passive
  dns server-group DefaultDNS
  domain-name domain.local
  same-security-traffic permit intra-interface
  object network obj_any
  subnet 0.0.0.0 0.0.0.0
  object network Server_Mail
  host 10.0.0.2
  access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
  pager lines 24
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  no arp permit-nonconnected
  object network obj_any
  nat (inside,outside) dynamic interface
  object network Server_Mail
  nat (inside,outside) static interface service tcp smtp smtp
  access-group outside_access_in in interface outside
  timeout xlate 3:00:00
  timeout pat-xlate 0:00:30
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  user-identity default-domain LOCAL
  http server enable
  http 10.0.0.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
  telnet timeout 5
  ssh timeout 5
  ssh key-exchange group dh-group1-sha1
  console timeout 0
  vpdn group ISP request dialout pppoe
  vpdn group ISP localname [email protected]
  vpdn group ISP ppp authentication chap
  vpdn username [email protected] password *****
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny 
    inspect sunrpc
    inspect xdmcp
    inspect sip 
    inspect netbios
    inspect tftp
    inspect ip-options
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
  : end
  also here is the packet trace
  and my acl
  Thanks

• Port forwarding for external access to VNC server on multiple machines

  I will have 10 PCs connected to the WRT54GL wireless AP. I am testing with 1. It has a static addresses 10.155.22.51. It is running a VNC server at port 5951.
  If I  set my VNC client up to access 10.155.22.51:5951 it works through the WRT54GL wireless AP.
  I set the WRT54GL port forwarding to 5951 - 5951, set the IP address to 10.155.22.51 and enable. The external address of the AP is 10.155.0.29 on the company LAN.
   So I set the VNC client to access the AP address with the VNC port, i.e. 10.155.0.29:5951. I expect the AP to change the address to 10.155.22.51:5951. This does not work.
  Note: the problem could be that the AP is going through NATting because I can also access it at 10.155.22.9 along with all the other PCs on that LAN, i.e. I can access the LAN directly from elsewhere on the company net.

  You can try changing the IP of the AP manually ... connect it to the Computer  ..... access the setup page using http://192.168.1.245  .... use password as admin ....
  Configure the IP settings first ...
  Again login with new IP address .... configure wireless settings .....
  Power down the AP & then the router ....
  Wait for few minutes .... then power on the router ...first then the AP ...

• Port forwarding for clientless SSL VPN access

  Hello,
  I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
  However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
  But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
  Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
  If this doesn't make sense, please let me know and I'll do my best to explain it better.

  Hi Caleb,
  if you mean clientless webvpn port-forwarding lists, then you should be able to get your requirments. even the same port of the same server can be mapped to different ports bound to the loopback IP.
  CLI:
  ciscoasa(config) webvpn
  ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
  ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
  then you apply the port-forwarder list under a group-policy
  Hope this helps
  Mashal
  Mashal Alshboul

• Problems with Port Forwarding for RDP in WebVPN

  Hi,
  I'm hoping somebody can help me solve this problem that's been bugging for weeks. We recently implemented a double-layer firewall architecture. Before that, our users can access RDP via port forwarding on WebVPN or the Cisco VPN client without any problems.
  After we implemented the double-layer firewall architecture, users who are going through the WebVPN and port forwarding for RDP began to experience frequent disconnections, slowness or freezing connections. The users who are using the client are fine.
  I checked the logs and I'm getting repetitive TCP-O for the port forwarding connections for RDP. Additional information: the FW we installed as a 2nd layer is Netscreen. I've already set the policy on it to Any-Any for the meantime to help in troubleshooting but to no avail. 
  I hope somebody can help me in sorting this out as I'm kind of confused on the difference between the port-forwarding for RDP via the WebVPN and the normal RDP via the client.  

  Hi,
  I didnt see anything marked with red in the above? (Atleast when I was reading)
  I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
  But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
  There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
  - Jouni

• Remote TC access via port forwarding

  I have been trying to setup my network for remote TC access via port forwarding. Here's my setup:
  Verizon FiOS router (main router, dhcp & nat) -> connected to TC set in bridge mode with a static IP
  I can remotely access the TC using Back to my Mac with no problems, and of course locally on the home network via Wifi.
  Since the TC has to connect in bridge mode, port forwarding is done on the FiOS router.
  If I set a port forwarding rule in the FiOS router TCP,UDP (any) to port 548, it works. However I want to use a specific connection port
  so others can't connect unless they know the forwarded port. BTW, I have remote disk sharing set with Use Device Password.
  So here's what works:
  FiOS Router (TCP any -> 548, UDP any ->548)
  What doesn't work:
  FiOS router (TCP 8990 -> 548, UDP 8990 -> 548).
  Is there any additional setting required for specific port forwarding to work?

  You're my hero!
  I also have my TC in Bridge Mode to my Verizon FIOS Router.  I used to be able to access my TC remotely, but since I upgraded my router (MI424WR GigE), I had forgotten some port forwarding rules I must have established in my old router.  Once I re-created these two port forwarding rules (just like yours), I can remote access my TC (with TC password) again.
  In addition, I have a static host name aliased to my dynamic IP address through dyndns.org (I have the free version, which I don't think is available anymore, but there are other free providers out there) for easier remote access.
  Regarding, Secure Share Disks: with TC password vs a disk password. Is one more secure than the other?
  Thanks!

• Application And Gaming / Port Forwarding || HELP NEEDED || Can Only Access Via LAN

  Hi.
  I have just bought a Wireless Router, Model Number: WGKPC354G-UK. With the intention of setting up a small server. This server will run from my PC (directly wired into router), running a game called "Counter Strike" - I had to download a dedicated-server tool for this and i successfuly installed this and followed the tutorial to set it all up..
  So I thought i had done it, but I could only access my server with my internal IP 192.168.1.64 (LAN).
  I then found out that i needed to "Port-Forward" I followed a tutorial on www.portforward.com - This showed me how to open the ports, and which ones to open.
  I did all this and i still encounter the same problem !
  So i then opened all my router ports "DNZ" and it still doesnt work !!!
  Any help will be greatly aprreciated !
  PS. Below Are The Required Ports.
  http://portforward.com/english/routers/port_forwarding/Linksys/WAG354G/Counter_Strike.htm         

  Keep in mind your ISP could be blocking the ports needed. DMZ almost ALWAYS works and if it doesnt, most likely your ISP blocks the ports.
  another test is to make sure you can connect to the game server from another CS machine on the inside of your network. If this works, that means your server is up and running properly and its probably your ISP blocking certain ports needed for the CS Server.
  You should also check you have the Windows firewall disabled, and any other software firewall on your server disabled.