Port Forwarding & Access List Problems
Good morning all,
I am trying to set up port forwarding for a web server we have hosted here on IP 192.168.0.250. I have set up access lists and port forwarding configurations, and I cannot seem to access the server from outside the network. I've included my config file below; any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external IP address with 1.1.1.1.
I've added the bold lines in the config file below in hopes of forwarding port 80 to 192.168.0.250, to no avail. You may notice I don't have the access-list 102 that I created on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname pantera-office
boot-start-marker
boot-end-marker
no logging buffered
enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
aaa new-model
aaa authentication login default local
aaa session-id common
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.251 192.168.0.254
ip dhcp pool private
import all
network 192.168.0.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name network.local
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-4211276024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4211276024
revocation-check none
rsakeypair TP-self-signed-4211276024
crypto pki certificate chain TP-self-signed-4211276024
certificate self-signed 01
quit
username pantera privilege 15 password 0 XXXX
username aneuron privilege 15 password 0 XXXX
archive
log config
hidekeys
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 2.2.2.2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 2.2.2.2
set peer 2.2.2.2
set transform-set ESP-3DES-SHA
match address 100
interface FastEthernet0/0
description $ETH-WAN$
ip address 2.2.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet0/1
description $ETH-LAN$
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface Serial0/0/0
no ip address
shutdown
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server enable traps rf
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
line con 0
logging synchronous
line aux 0
line vty 0 4
scheduler allocate 20000 1000
end
Any/all help is greatly appreciated! I'm sorry if I sound like a newbie!
-Evan
Hello,
According to the config you posted, 2.2.2.2 is your WAN IP address and 1.1.1.1 is the next-hop address for your WAN connection. The ip nat configuration for port forwarding should look like:
ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80
If your provider assigns a dynamic IPv4 address to the WAN interface you can use:
ip nat inside source static tcp 192.168.0.250 80 interface FastEthernet0/0 80
Verify the settings with show ip nat translation.
Your access list 102 permits only TCP traffic. If you apply the ACL to an interface, DNS won't work anymore (and all other UDP traffic). You might want to use a stateful firewall solution like CBAC or ZBF combined with an inbound ACL on the WAN interface.
Best Regards
Lukasz
Similar Messages
-
Hello, I'm having problems getting an access-list to work. With the access-group 104 in, I lose my internet connectivity.
Here's the config. If I remove the access-group 104 in from GigabitEthernet0/0 all works, but I want to have the settings on this interface.
What am I missing?
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r01
boot-start-marker
boot-end-marker
logging buffered 15000
no logging console
no aaa new-model
clock timezone CET 1 0
no ipv6 cef
ip source-route
ip cef
ip dhcp excluded-address 172.17.1.1 172.17.1.30
ip dhcp excluded-address 172.17.1.240 172.17.1.254
ip dhcp excluded-address 172.17.3.1 172.17.3.30
ip dhcp excluded-address 172.17.3.240 172.17.3.254
ip dhcp pool VLAN1
network 172.17.1.0 255.255.255.0
domain-name r1.local
default-router 172.17.1.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip dhcp pool VLAN100
network 172.17.3.0 255.255.255.0
domain-name r1_Guest
default-router 172.17.3.254
dns-server 212.54.40.25 212.54.35.25
lease 0 1
ip domain name r1.lan
ip name-server 212.54.40.25
ip name-server 212.54.35.25
multilink bundle-name authenticated
crypto pki token default removal timeout 0
object-group network temp
description dummy addresses
1.1.1.1 255.255.255.0
2.2.2.2 255.255.255.0
object-group network vlan1-lan
172.17.1.0 255.255.255.0
object-group network vlan100-guest
172.17.3.0 255.255.255.0
object-group network ziggo-dns
host 212.54.40.25
host 212.54.35.25
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
ip address dhcp
ip access-group 104 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description r1.local lan
ip address 172.17.1.254 255.255.255.0
ip access-group 102 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1.1
description Vlan100 r1_Guest
encapsulation dot1Q 100
ip address 172.17.3.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
no cdp enable
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 172.17.2.0 255.255.255.0 172.17.1.253
access-list 23 permit 172.17.1.0 0.0.0.255
access-list 101 permit ip any any
access-list 102 deny ip any object-group vlan100-guest
access-list 102 permit ip any any log
access-list 103 deny ip any object-group vlan1-lan
access-list 103 permit ip any any
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp object-group temp any echo
access-list 104 permit icmp 172.17.1.0 0.0.0.255 any
access-list 104 deny ip any any log
no cdp run
control-plane
line con 0
login local
line aux 0
line 2
login local
no activation-character
no exec
transport preferred none
transport input ssh
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
login local
transport input ssh
scheduler allocate 20000 1000
end
Hello,
I applied the rules and that works.
Only thing I have now:
Reboot router.
Interface 0/0 gets no DHCP address from the ISP.
I have to remove the 104 in from int 0/0.
Then Router logs : %DHCP -6 - ADDRESS_ASSIGN: Interface GigabitEthernet0/0 assigned DHCP address x.x.x.x, mask x.x.x.x,hostname r01
Int0/0 gets a DHCP IP address; next I apply the ACL 104 in to int 0/0 and all works until the next reboot.
Maybe I have to put a static IP address on int0/0?
Thanks for your help! -
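Added example (my code, not from either thread) tying together Lukasz's two points above and the r01 follow-up: a small Python linter for the IOS config subset involved. It assumes nothing beyond the constructed config snippets embedded in it, which reuse the posts' placeholder addresses; the DHCP check generalises the r01 symptom to any ACL applied inbound on a WAN interface that is addressed by DHCP.

```python
"""Added example, not code from either thread: a small linter for the IOS
port-forwarding pitfalls discussed above.  From interface blocks, 'ip nat inside
source static' lines and numbered access-lists it reports:
  1. static NAT whose global address is not the 'ip nat outside' interface
     (pantera-office forwards to 1.1.1.1 while Fa0/0 holds 2.2.2.2);
  2. an inbound ACL on that interface permitting only TCP, so UDP replies such
     as DNS hit the implicit deny (Lukasz's point about access-list 102);
  3. an inbound ACL on a DHCP-addressed WAN interface with no permit for the
     DHCP reply (udp bootps -> bootpc), matching r01's lost lease after reboot.
ACE order is ignored: this is a config linter, not a packet simulator."""
import re

STATIC = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface (\S+)|(\S+)) (\d+)")
ACE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (.*)")
GLOBAL_CMDS = ("access-list ", "ip route ", "route-map ", "line ")  # these end an interface block

def parse_ios(text):
    """Return {'ifaces', 'statics', 'acls'} for the subset of IOS syntax we check."""
    ifaces, statics, acls, cur = {}, [], {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"ip": None, "dhcp": False, "nat": None, "acl_in": None})
        elif (m := STATIC.match(line)):
            proto, inside, iport, gif, gip, gport = m.groups()
            statics.append((inside, int(iport), gif or gip, int(gport)))  # global is an interface name or an IP
            cur = None
        elif (m := ACE.match(line)):
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3), m.group(4)))
            cur = None
        elif line == "!" or line.startswith(GLOBAL_CMDS):
            cur = None
        elif cur is not None:  # interface sub-commands we care about
            if line.startswith("ip address dhcp"):
                cur["dhcp"] = True
            elif line.startswith("ip address "):
                cur["ip"] = line.split()[2]
            elif line in ("ip nat inside", "ip nat outside"):
                cur["nat"] = line.split()[2]
            elif line.startswith("ip access-group ") and line.endswith(" in"):
                cur["acl_in"] = line.split()[2]
    return {"ifaces": ifaces, "statics": statics, "acls": acls}

def lets_dhcp_reply_in(ace):
    """True if an ACE would pass the DHCP server's reply (udp, src bootps -> dst bootpc)."""
    action, proto, rest = ace
    if action != "permit" or proto not in ("ip", "udp"):
        return False
    if " eq " not in f" {rest} ":  # no port qualifier at all, e.g. 'permit udp any any'
        return True
    return bool(re.search(r"\beq (bootps|67)\b", rest)) and bool(re.search(r"\beq (bootpc|68)\b", rest))

def check(cfg):
    """Run the three checks against every 'ip nat outside' interface; return issue strings."""
    issues = []
    for name, wi in cfg["ifaces"].items():
        if wi["nat"] != "outside":
            continue
        for inside, iport, glob, gport in cfg["statics"]:
            if glob.lower() != name.lower() and glob != wi["ip"]:
                issues.append(f"nat: {inside}:{iport} -> {glob}:{gport} but {name} is {wi['ip'] or 'dhcp-assigned'}")
        acl = wi["acl_in"]
        if acl is None:
            continue
        aces = cfg["acls"].get(acl, [])
        permits = [a for a in aces if a[0] == "permit"]
        if permits and all(a[1] == "tcp" for a in permits):
            issues.append(f"acl {acl} on {name}: permits only tcp; udp replies (dns) hit the implicit deny")
        if wi["dhcp"] and not any(lets_dhcp_reply_in(a) for a in aces):
            issues.append(f"acl {acl} on {name}: 'ip address dhcp' but no permit for udp bootps -> bootpc")
    return issues

# Constructed from the pantera-office post, with its unapplied access-list 102
# put on Fa0/0 as the poster tried; addresses are the post's own placeholders.
PANTERA = """
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 ip access-group 102 in
 ip nat outside
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.250 443 2.2.2.2 443 extendable
access-list 102 permit tcp any any
"""

# Constructed from the r01 post: DHCP-addressed WAN interface with access-list 104 inbound.
R01 = """
interface GigabitEthernet0/0
 ip address dhcp
 ip access-group 104 in
 ip nat outside
access-list 104 permit tcp any any eq 22
access-list 104 permit udp any any eq snmp
access-list 104 deny ip any any log
"""
R01_FIXED = R01 + "access-list 104 permit udp any eq bootps any eq bootpc\n"

if __name__ == "__main__":
    for label, cfg in (("pantera-office", PANTERA), ("r01", R01), ("r01 fixed", R01_FIXED)):
        print(f"{label}: {check(parse_ios(cfg)) or ['no issues']}")
```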
Two VLAN's port forwarding to one, problem
Hi all
This is my first ever Cisco router, so forgive me if this is a simple matter, but I have spent the entire weekend trying to figure this out, with no luck.
My employer has provided me with a Cisco 871W router for my home office.
The router is pre-configured with two VLANs and BVIs: VLAN1 (BVI1) and VLAN2 (BVI2) for home and office connection on two different subnets (192.168.1.0 and 192.168.0.0).
My office connection is secured with IPSec or something similar; I have not that much insight into that aspect.
The configuration works for normal internet access (www, mail etc.) on both networks, and the tunneling to my workplace works fine too.
My problem is that I would like to open up some ports for gaming etc. on the "home" part of the configuration, but I cannot seem to get that to work.
The attached configuration is my current running configuration, which contains some of my trials on getting this to work, so it might look a bit odd.
If anyone could help me, I would appreciate it.
Regards
Jesper Lauridsen
Hi,
By the looks of it, you have an extended access list called 'outside_access_in' applied to your outside interface fa4.
You would have to add a rule to this access list allowing the port in question.
You would then need a static NAT entry that would map the port to the internal host.
For instance, if you had a rule to allow port 80 like this:
permit tcp any any eq www
You would also need a NAT entry like this:
ip nat inside source static tcp 192.168.0.10 80 interface FastEthernet4 80
Assuming that 192.168.0.10 was the client PC. -
Need help for access list problem
Cisco 2901 ISR
I need help with my configuration. Although it is working fine, it is not secured, because everybody can access the internet.
I want to deny this IP range and permit only TMG server to have internet connection. My DHCP server is the 4500 switch.
Anybody can help?
DENY 10.25.0.1 – 10.25.0.255
10.25.1.1 – 10.25.1.255
Permit only 1 host for Internet
10.25.7.136 255.255.255.192 ------ TMG Server
Using access-list.
( Current configuration )
object-group network IP
description Block_IP
range 10.25.0.2 10.25.0.255
range 10.25.1.2 10.25.1.255
interface GigabitEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly in max-fragments 64 max-reassemblies 256
duplex auto
speed auto
interface GigabitEthernet0/1
description ### ADSL WAN Interface ###
no ip address
pppoe enable group global
pppoe-client dial-pool-number 1
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
interface Dialer1
description ### ADSL WAN Dialer ###
ip address negotiated
ip mtu 1492
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxxxxx password 7 xxxxxxxxx
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.25.0.0 255.255.0.0 192.168.2.1
access-list 101 permit ip 10.25.0.0 0.0.255.255 any
access-list 105 deny ip object-group IP any
From the 4500 Catalyst switch
( Current Configuration )
interface GigabitEthernet0/48
no switchport
ip address 192.168.2.1 255.255.255.0
interface GigabitEthernet2/42
ip route 0.0.0.0 0.0.0.0 192.168.2.3
Hello,
Hosts can't get an internet connection.
I removed this configuration: access-list 101 permit ip 10.25.0.0 0.0.255.255 any
and changed the configuration to: ip access-list extended 101
5 permit ip host 10.25.7.136 any
In this case I will allow only host 10.25.7.136, but it doesn't work.
No internet connection from the TMG Server. -
Port forwarding problems with WRT610N v2 + WAG54GS v1.0
Background:
I have a WAG54GS v1.0 (Annex A) which I was using to handle my home network and my ADSL connection. I bought a WRT610N v2 (which I'll refer to as the router) with the intention that it would replace the networking duties of the WAG54GS (which I'll call the modem), which would be relegated to just handling the Internet connection. Both are running their latest firmware.
I've gotten this configuration to work, but with one problem: I've lost a lot of flexibility in regard to port forwarding. The problem is that the only way I've managed to get the Internet to work is by having the router on 192.168.0.1, and the modem on 192.168.1.1. If I try and have both on 192.168.0.x or 192.168.1.x then connecting to the Internet no longer works under any configuration of options I've tried.
What this means is that when I go to set up port forwarding in the modem, I can only forward to clients on 192.168.1.x, but the router can only forward to 192.168.0.x. The only things I can get to work are situations where port range triggering can be applied, so only when a connection is made on the relevant port to an external IP, and then that external IP also communicates back on that port. As you may guess this doesn't nearly cover all cases.
Question:
Should it be possible to have both router and modem on either 192.168.0.x or 192.168.1.x, which would allow port forwarding to work as expected? That should in theory have been possible with the modem's bridge mode, except that it's then impossible to configure the PPPoA settings necessary to connect to my ISP.
Or am I going to have to rethink the network layout (i.e. buy a dedicated ADSL modem and fully retire my WAG54GS?)
Solved!
Actually in the end what I figured out was that as far as my WRT610N was concerned my WAG54GS was my ISP, and that was all it needed to know about the Internet connection. So I set it to connect to the WAG54GS with a static IP, stuck that IP into the WAG54GS's DMZ, and left the WRT610N to handle port forwarding as all devices that connect will do so through that. (Yes, I've disabled the wireless features of the WAG54GS)
I'm reasonably sure I tried the combination of settings you've suggested (including moving the WAG54GS off the Internet port of the WRT610N, which I would have wanted to avoid anyway as I have four permanently connected devices anyway) and found it still wouldn't work. And I wasn't trying to set both to 192.168.1.1 at any point, my self-obscured point was that changing only the last block of the IP address failed to work for accessing the Internet. -
Port forwarding for the rest of us?
Hi all,
I've been reading this forum for a couple of weeks now trying to find a way to get two Macs to do iChat video.
1st setup is a G5 MP2.0, 10.4.7, iChat 3.1.5, iSight, Belkin 8230-4 router.
2nd setup is iMac intel 20", 10.4.7, iChat 3.1.X, builtin camera, Airport Extreme router.
Both are on 1.5+ broadband, Belkin has a static IP coming into the router, with the G5 connected using DHCP with manual address. Airport has cable modem DHCP in, with DHCP/NAT turned on. Apple firewall is OFF on both.
Initial tries yielded the dreaded -8 error. I reset Quicktime streaming, iChat bandwidth prefs as suggested and tried forwarding ports on both setups, per the portforward.com recs for iChat.
The Intel iMac is now able to see/hear the ads on the auto chat test from appleu3test01 just fine, but we're still getting -8 when trying to connect to the G5/Belkin.
Besides the six initial ports for iChat (portforward.com), I have now tried a shotgun approach by adding ports suggested from various sites/forums. This setup has achieved at least an error-free connection with the auto testers; however, the intermittent blocky video and choppy sound is not much better. Screen grab of blocky video with the 20 forwards currently set on the Belkin:
http://www.hamishthewelshie.com/ports.jpg
I'm looking for help sorting this mess out. What am I doing wrong here?
Thanks in advance for any help.
PMcK
P.S. I was going to post my first ever anti-apple rant... if only just to feel better but, what's that? oh okay...
<rant> Dear Steve, Even tho I have been using Macs since the 512, I am one of those artsy fartsy Mac users who doesn't really want to know what is under the hood. Admittedly, I am newbie at all this router port stuff, but the fact that lots of people seem to be having this same problem is ridiculous IMHO. Even the Yahoo and Skype Beta video ran the first time we tried it, not great quality, but it was a no brainer setup and it just works... exactly what we've come to expect from Apple. If these johnny come latelys can do it this simply, why can't my fruitbox company of choice get their own ***** sorted out? </rant> Sorry Steve.
G5-2.0MP Mac OS X (10.4.7)
Hi PMcK,
This device can do Port Triggering even if it can not do UPnP.
At present the Port Forward site list their own PC app to help.
The method though is here
Ignore the pics and info on the brown and orange pics.
Set the first trigger as port 5678 on UDP.
Set these ports in the next text field
5060,5678,16384-16403 (no spaces and only commas and dashes inbetween) Set the protocol for these as UDP as well
Set a new line for trigger 5190 on TCP
Set the next text field as just 5190 and TCP again
Repeat the line above but for UDP at both points
If using Jabber at all:
Set a trigger of 5222 on TCP and ports 5220,5222 on TCP
(if using GoogleTalk make that 5223 on TCP and list 5220,5222,5223 on TCP)
Bonjour needs four single lines (trigger and just one port in the list field)
5297 on UDP 5297 on UDP
5298 on UDP 5298 on UDP
Repeat for TCP for 5298
5353 on UDP 5353 on UDP
As this is a NAT method of opening the ports, the Airport will need "Distributing Addressing" turned off in the Airport Admin Utility > Network tab. This will make the Airport just an access point, and the Belkin will address the whole LAN then.
This will allow multiple computers to access the same ports for iChat at the same time. The Belkin can be left doing DHCP (or be set to static to the LAN).
Turning Off DHCP in the Airport (Distributing Addresses) will avoid any Double NAT and Double DHCP that seems to be going on at the moment.
10:12 PM Tuesday; August 1, 2006 -
Messages port forwarding Telstra cable modem
Anyone know how to get Messages video chat to work with the new "BigPond Ultimate Cable Home Network Gateway". It's the Netgear CG3100D-2BPAUS.
Messages worked just fine using the old Motorola cable modem but stopped with the new one. I've tried setting up port forwarding as per:
http://support.apple.com/kb/HT1507
and: http://portforward.com/networking/static-Mac10.4.htm
but no luck.
Thanks
Hi,
Does this device (and the firmware on it) have UPnP ?
UPnP allows multiple devices to use the same ports (Port Forwarding does not).
This means you can leave the modem/router doing DHCP to Issue IP addresses and it will not matter if the computer gets a new IP now and then.
In a one computer set up it is likely to always get the same IP when you start it up.
1) because you probably restart it before the lease time runs out
2) because there is nothing else to "take" the number.
However, with smart phones, games consoles and multiple computers you may find that, without setting up IP addresses that don't change, either by static routing or address reservation, computers (and other devices) will swap IP addresses and set-ups like Port Forwarding will not work; they tend to list which IP to send stuff to.
The Port Forward site lists only a CG3100 (plain, no suffixes)
Presumably you have used the info on the Port Forwarding bit to learn the access User ID and Password.
I linked to the AIM talk set up (Portforward.com > Choose Brand > Choose Model > dismiss advert page > choose App > set up instructions).
Using the link at the bottom to see the Router's screen Shots I went to the Basic set up one
http://screenshots.portforward.com/routers/Netgear/CG3100/Basic_Settings.htm
Near the bottom of the menu is UPnP
On most Netgears it is enabled by default. Specific Screen Shot.
On some devices setting up Port Forwarding or Port Triggering and having UPnP on can cause conflicts.
UPnP is needed for Screen Sharing in Messages or iChat.
9:31 PM Tuesday; July 16, 2013
iMac 2.5Ghz 5i 2011 (Mountain Lion 10.8.4)
G4/1GhzDual MDD (Leopard 10.5.8)
MacBookPro 2Gb (Snow Leopard 10.6.8)
Mac OS X (10.6.8),
Couple of iPhones and an iPad
"Limit the Logs to the Bits above Binary Images." No, Seriously -
Home Hub 3 Port Forwarding (NOT)
Hello World
OK, received the new Home Hub 3 today, ahead of my Infinity install.
I thought OK, let's replace trusty Home Hub 2 with the 3, as it works both on standard ADSL and Infinity.
Super quick UI and love the GIG port, BUT, and it's a BIGGY (well, for ME)!
The hub is running 4.7.5.1.83.8.48 (TypeA), latest and greatest. UPnP does work, so Xbox works no problem and it can be seen in the FW log being set up.
BUT if you configure port forwarding by hand, i.e. HTTP to 192.168.0.2, it DOESN'T WORK!!!
I tried using a connected device to forward to and just the IP address; BOTH FAIL!
Roll back in trusty Hub 2 and all works again!
Phoned in and was told after a few minutes on hold (no problem) to roll back to Home Hub 2, and there should be a firmware upgrade for the 3 soon to fix this issue.
So now you know if you try it and it doesn't work.
Giz
Solved!
Similar situation here.
I received HomeHub 3 this week. Overall, I am pretty satisfied with the new router. The local networking feels quicker due to the gigabit port (connected to gigabit switch). And the wifi reception is better probably due to the intelligent channel selection.
Similarly, I tried to replicate settings from my old HomeHub 2. I wasn't able to set up port forwarding.
The problem is the router is inaccessible using the external IP address.
I contacted BT Broadband Help desk. I spoke to 2 operators. First told me he would investigate and call me back. Never did. Second told me they were untrained to deal with this sort of queries and suggested speaking to the BT Subscription help line.
So, now I know thanks to you. Waiting anxiously for the patch. Hope it will be out soon.
Slava -
Connections drops with port forwarding
I have a WRT54G v.5 and I recently just set up port forwarding. The problem is that my internet connection drops between every 10 minutes to once an hour. Once I disable port forwarding, the connection works perfectly. Any ideas?
Make sure your router has the latest firmware installed.
Richard Aichner (Ikester) -
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi, I am having a big problem with port forwarding on my ASA. I am trying to forward SMTP through the ASA to my mail server.
My mail server IP is 10.0.0.2 and my outside interface is 80.80.80.80; the ASA is set up with PPPoE (I get internet access no problem and that seems fine).
When I run a trace I get "(ACL-Drop) - flow is denied by configured rule".
Below is my config file; any help would be appreciated.
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: end
Hi Jennifer,
I have removed that NAT line as suggested but still no joy.
Here is my current config:
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
Also, here is the packet trace
and my ACL
Thanks -
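As an added check, not from this thread or from Cisco: a small Python script that reads an ASA 8.3+ running-config and verifies the three pieces a static PAT port forward needs (the object's nat statement, an ACL entry permitting the object's real port, and that ACL applied inbound on the mapped interface). The sample config is constructed, modelled on the post above; the object and ACL names are taken from it.

```python
import re

# Constructed sample, modelled on the ASA 8.4 running-config in the post above
# (abridged, not the poster's verbatim output).
SAMPLE = """\
object network Server_Mail
 host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network Server_Mail
 nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
"""

NAT_RE = re.compile(r"\s*nat \((\w+),(\w+)\) static \S+ service (tcp|udp) (\S+) (\S+)")
ACL_RE = re.compile(r"access-list (\S+) extended permit (tcp|udp) \S+ object (\S+) eq (\S+)")
GRP_RE = re.compile(r"access-group (\S+) in interface (\S+)")

def check_port_forwards(config):
    """Return {object_name: [problems]} for every object carrying a static PAT.

    On ASA 8.3+ the ACL must permit the object's *real* (pre-NAT) port, not the
    mapped one, and must be applied inbound on the interface named second in
    the nat statement; both conditions are checked against the config text.
    """
    statics, acl_entries, applied, current = {}, [], {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif (m := NAT_RE.match(line)) and current:
            statics[current] = (m.group(2), m.group(3), m.group(4))  # mapped if, proto, real port
        elif m := ACL_RE.match(line):
            acl_entries.append(m.groups())  # (acl name, proto, object, port)
        elif m := GRP_RE.match(line):
            applied[m.group(2)] = m.group(1)  # interface -> acl bound inbound on it
    report = {}
    for obj, (mapped_if, proto, real_port) in statics.items():
        problems = []
        hits = [e for e in acl_entries if e[1:] == (proto, obj, real_port)]
        if not hits:
            problems.append(f"no ACL entry permits {proto}/{real_port} to object {obj}")
        bound = applied.get(mapped_if)
        if bound is None:
            problems.append(f"no access-group applied inbound on interface {mapped_if}")
        elif hits and bound not in {e[0] for e in hits}:
            problems.append(f"ACL {bound} on {mapped_if} is not the one permitting {obj}")
        report[obj] = problems
    return report
```

An empty problem list for an object means the three pieces line up; a non-empty one names the missing piece, which is usually faster than reading a 150-line config by eye.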
Port forwarding for external access to VNC server on multiple machines
I will have 10 PCs connected to the WRT54GL wireless AP. I am testing with 1. It has a static address, 10.155.22.51. It is running a VNC server at port 5951.
If I set my VNC client up to access 10.155.22.51:5951 it works through the WRT54GL wireless AP.
I set the WRT54GL port forwarding to 5951 - 5951, set the IP address to 10.155.22.51 and enable. The external address of the AP is 10.155.0.29 on the company LAN.
So I set the VNC client to access the AP address with the VNC port, i.e. 10.155.0.29:5951. I expect the AP to change the address to 10.155.22.51:5951. This does not work.
Note: the problem could be that the AP is going through NATting because I can also access it at 10.155.22.9 along with all the other PCs on that LAN, i.e. I can access the LAN directly from elsewhere on the company net.
You can try changing the IP of the AP manually ... connect it to the Computer ..... access the setup page using http://192.168.1.245 .... use password as admin ....
Configure the IP settings first ...
Again login with new IP address .... configure wireless settings .....
Power down the AP & then the router ....
Wait for few minutes .... then power on the router ...first then the AP ... -
Port forwarding for clientless SSL VPN access
Hello,
I am currently trying to set up clientless SSL VPN access for some remote sites that our company does business with. Since their machines are not owned by my company, we don't want to install/support a VPN client. Therefore, SSL is a great option.
However, I'm running into an issue. I'm trying to set up port forwarding for a few remote servers. These remote servers are different and have distinct IP addresses. They are attempting to connect with two different servers here.
But my issue is that both servers are trying to use the same TCP port. The ASDM is not letting me use two different port forwarding rules for the same TCP port. The rules can exist side-by-side, but they cannot be used at the same time.
Why? It's not trying to access the same TCP port on a server when it's already in use. Is there anyway I can get around this?
If this doesn't make sense, please let me know and I'll do my best to explain it better.
Hi Caleb,
If you mean clientless WebVPN port-forwarding lists, then you should be able to get your requirements. Even the same port of the same server can be mapped to different ports bound to the loopback IP.
CLI:
ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# port-forward PF 2323 192.168.1.100 23
ciscoasa(config-webvpn)# port-forward PF 2300 192.168.1.200 23
Then you apply the port-forward list under a group-policy.
Hope this helps
Mashal
Mashal Alshboul -
Problems with Port Forwarding for RDP in WebVPN
Hi,
I'm hoping somebody can help me solve this problem that's been bugging me for weeks. We recently implemented a double-layer firewall architecture. Before that, our users could access RDP via port forwarding on WebVPN or the Cisco VPN client without any problems.
After we implemented the double-layer firewall architecture, users who are going through the WebVPN and port forwarding for RDP began to experience frequent disconnections, slowness or freezing connections. The users who are using the client are fine.
I checked the logs and I'm getting repetitive TCP-O for the port forwarding connections for RDP. Additional information: the FW we installed as a 2nd layer is Netscreen. I've already set the policy on it to Any-Any for the meantime to help in troubleshooting but to no avail.
I hope somebody can help me in sorting this out as I'm kind of confused on the difference between the port-forwarding for RDP via the WebVPN and the normal RDP via the client.
Hi,
I didn't see anything marked in red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
Remote TC access via port forwarding
I have been trying to setup my network for remote TC access via port forwarding. Here's my setup:
Verizon FiOS router (main router, dhcp & nat) -> connected to TC set in bridge mode with a static IP
I can remotely access the TC using Back to my Mac with no problems, and of course locally on the home network via Wifi.
Since the TC has to connect in bridge mode, port forwarding is done on the FiOS router.
If I set a port forwarding rule in the FiOS router TCP,UDP (any) to port 548, it works. However I want to use a specific connection port
so others can't connect unless they know the forwarded port. BTW, I have remote disk sharing set with Use Device Password.
So here's what works:
FiOS Router (TCP any -> 548, UDP any ->548)
What doesn't work:
FiOS router (TCP 8990 -> 548, UDP 8990 -> 548).
Is there any additional setting required for specific port forwarding to work?
You're my hero!
I also have my TC in Bridge Mode to my Verizon FIOS Router. I used to be able to access my TC remotely, but since I upgraded my router (MI424WR GigE), I had forgotten some port forwarding rules I must have established in my old router. Once I re-created these two port forwarding rules (just like yours), I can remote access my TC (with TC password) again.
In addition, I have a static host name aliased to my dynamic IP address through dyndns.org (I have the free version, which I don't think is available anymore, but there are other free providers out there) for easier remote access.
Regarding Secure Share Disks: with TC password vs a disk password, is one more secure than the other?
Thanks! -
Hi.
I have just bought a Wireless Router, Model Number: WGKPC354G-UK, with the intention of setting up a small server. This server will run from my PC (directly wired into the router), running a game called "Counter Strike" - I had to download a dedicated-server tool for this and I successfully installed this and followed the tutorial to set it all up.
So I thought I had done it, but I could only access my server with my internal IP 192.168.1.64 (LAN).
I then found out that I needed to "Port-Forward". I followed a tutorial on www.portforward.com - this showed me how to open the ports, and which ones to open.
I did all this and I still encounter the same problem!
So I then opened all my router ports ("DMZ") and it still doesn't work!!!
Any help will be greatly appreciated!
PS. Below are the required ports.
http://portforward.com/english/routers/port_forwarding/Linksys/WAG354G/Counter_Strike.htm
Keep in mind your ISP could be blocking the ports needed. DMZ almost ALWAYS works and if it doesn't, most likely your ISP blocks the ports.
Another test is to make sure you can connect to the game server from another CS machine on the inside of your network. If this works, that means your server is up and running properly and it's probably your ISP blocking certain ports needed for the CS Server.
You should also check you have the Windows firewall disabled, and any other software firewall on your server disabled.