Port Forwarding Cisco firewall

Hi,
In Cisco Firewall 2900 seires
trying to use port forwarding
but not communication please help me.
Reg
Manoj.

: Saved
: Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
name 10.10.70.X.40 FinalPdf
name 201.256.x.x Youfinalip
interface Ethernet0/0
nameif YOUB
security-level 0
ip address 201.256.x.x.254.82 255.255.255.248
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.70.X.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq 14147
object-group service any tcp-udp
port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
group-object ftp
port-object eq ftp-data
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list YOUB_mpc extended permit ip any any
access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging device-id hostname
logging debug-trace
logging ftp-bufferwrap
logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
logging class auth trap emergencies asdm emergencies
mtu YOUB 1500
mtu SIFY 1500
mtu inside 1500
mtu WAN 1500
mtu management 1500
ip verify reverse-path interface YOUB
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm location Testpdf 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (YOUB) 1 interface
global (SIFY) 1 interface
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
access-group YOUB_access_in in interface YOUB
access-group inside_access_in in interface inside
route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 100 reachability
telnet timeout 5
ssh scopy enable
ssh 10.10.70.X.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map YOUB-class
match access-list YOUB_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description ftp
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
ips inline fail-open
policy-map YOUB-policy
class YOUB-class
ips inline fail-open sensor vs0
service-policy global_policy global
service-policy YOUB-policy interface YOUB
smtp-server 10.10.70.X.18
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
: end

Similar Messages

Port Forwarding/Router Firewall HELP

I'm trying to use my iSight built in cam with "aMSN" and they give me error messages when I configure. It says I have firewall/port issues to free up or something. Here's what help says to do:
"To do this, open your router web-based configuration (check router manual for details on this). Once you have the web-based configuration open, browse for a setting called "port forwarding" or "port range forwarding" or something similar to that. (This might be found under the advanced features for your router).
Now that you have the port forwarding page open, you will want to set the port forwarding range so that aMSN will be able to accept and send the webcam stream.
Here's an example of how you will set up your port forwarding:
Application: aMSN
Start: 6890
End: 6900
Protocol: Both(TCP & UDP)
IP: xxx.xxx.x.xxx
Enabled: X (Yes/True)
Note: xxx.xxx.x.xxx is the IP of your machine that you are trying to send / receive webcam
If you have a web server open on your port 80, you can try to disable it too, sometimes it helps. "
All I'm asking is how do I get to the port forwarding page to do what they have displayed above? I've tried Apple support topics on the subject and all were irrelevent or only dealt with iChat.
Any ideas? Thank you!

Are you using an Airport? If not, what type of router do you have connected? Each manufactor is different, but should provide the information in their manuals.

Port forwarding Cisco RV042 / RV042G

Hi,
we use three Cisco RV042 small Business Routers.
The problem:
We want to forward HTTPS on Wan-side to an other port than 443 on Lan-side.
For example: Wan 217.44.55.66 port 443 to 192.168.0.5 port 5001
There is only this option in RV042 : Forwarding -> Service HTTPS [TCP/443~443] to "IP-Adress" (also Port 443)
but we need something like this:
Forwarding -> Service HTTPS [TCP/443~443] to 192.168.0.5:5001
How can I configure it ?
Greetings from Germany
Goetz Hartwig, ITUC GmbH

Hi Ituconsult1
My name is Mehdi from Cisco Technical Support, yes with RV042 we can translate the port
Please follow this steps:
1. Please remove the rule of the port forwarding
2. Go to Setup under UPnP , service management and you will see external port and internal port so please configure external port to 443 and internal to 5001 and click add, please do not enable UPnP
3. on the same page please choose the service you created and put the internal IP of the server server
Please rate the post or mark it as answered to help other Cisco customers
Greeting
Regards
Mehdi

Port forwarding Cisco 857W + admin page viewable externally

I would like to open UDP port 22335, and TCP port 80 on my local server 10.10.10.50. I've been having a heck of a time getting this to work, as I don't really understand access lists and what is required.. also, for some reason my firewall is open to the outside world on port 443 (you can browse and see the admin access page) I don't recally setting this up!! Can someone help me fix all this? Config is as follows:
Thanks a million guys!
CiscoMan
This is the running config of the router: 10.10.10.1
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname **************
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T15.bin
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 **************
aaa new-model
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
crypto pki trustpoint TP-self-signed-2488767310
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2488767310
revocation-check none
rsakeypair TP-self-signed-2488767310
crypto pki certificate chain TP-self-signed-2488767310
certificate self-signed 01
<cert here>
            quit
dot11 syslog
dot11 ssid ***********
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 ******************
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.10.254
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server *********
   default-router 10.10.10.1
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp router-traffic
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
no ip bootp server
ip domain name yourdomain.com
ip name-server *******
ip name-server *******
appfw policy-name SDM_MEDIUM
application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
username ********* privilege 15 secret 5 ************************
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
bridge irb
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
shutdown
interface FastEthernet1
interface FastEthernet2
shutdown
interface FastEthernet3
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm
broadcast-key vlan 1 change 30
ssid ********
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
bridge-group 1
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ******** password 7 ********
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit udp host ******* eq domain any
access-list 101 permit udp host ******** eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
control-plane
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hi Bro
As mentioned by jcarvaja above, you’ll need to enable PAT (Port Address Translation) simply because you’ve a single WAN IP Address.
Here are the commands that you should insert;
ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335
ip nat inside source static udp 10.10.10.50 22336 interface Dialer0 22336
ip nat inside source static udp 10.10.10.50 30175 interface Dialer0 30175
ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 600
ip nat translation syn-timeout 600
ip nat translation icmp-timeout 600
Moreover, the reason as to why your Router’s admin page is widely expose to the Internet cloud is simply because you’ve enabled the http services.
Here are the commands that you should insert;
no ip http server
no ip http secure-server
P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

Port Forwarding Cisco DDR2200 .

Hi. I am really knowledgable in technology but this has me stumped. I have a Cisco DDR2200 modem/router and all I want to do is forward some ports. I sign in and locate the Advanced-IPNetworking-VirtualServers. I then add my two external ports (25565), choose my protocol, and then enter my internal ports (25565). Then as my "server IP" (My local IP) is 192.168.1.70. I enter in all the correct details and select add. The ports just refuse to open no matter how many times I retry this. I have searched and searched on google until I finally had enough and came here.
Thanks in advance.

Wrong forum, post in "small business - routers". You can move your post using the actions panel on the right.

RV16 Port forwarding and firewall

I'm currently trying to configure an RV16 to allow SIP and RTP protocols from only 3 sites, so the first thing I did was to forward port 5060 to the internal IP on the network, on this case 192.168.1.55
SIP   UDP/5060~5061-> 192.168.1.55
RTP UDP/10000~20000-> 192.168.1.55
So far everything works fine but I only wish to allow 3 public IP address to connect to the VOIP server
The following rules are already in place:
Allow
All Traffic [0]
LAN
Any
Any
Always
Deny
All Traffic [0]
WAN1
Any
Any
Always
Deny
All Traffic [0]
WAN2
Any
Any
Always
Deny
All Traffic [0]
DMZ
Any
192.168.1.0 ~ 192.168.1.255
Always
Allow
All Traffic [0]
DMZ
Any
Any
Always
Tried the following but not able to connect sip clients from this location, I'm I missing something?
12345
Allow
SIP [5060]
WAN1
64.106.24.74 ~ 64.106.24.74
192.168.1.55 ~ 192.168.1.55
Always
12345
Allow
RTP [10000]
WAN1
64.106.24.74 ~ 64.106.24.74
192.168.1.55 ~ 192.168.1.55
Always
Thank you.

                       1                     / 1 page
                       51020All                     entries per page
Priority
Enable
Action
Service
Source Interface
Source
Destination
Time
Day
Delete
12345
Allow
All Traffic [0]
WAN1
64.106.24.74 ~ 64.106.24.74
192.168.1.55 ~ 192.168.1.55
Always
12345
Allow
All Traffic [0]
WAN1
208.216.2.211 ~ 208.216.2.215
192.168.1.55 ~ 192.168.1.55
Always
12345
Allow
SIP [5060]
WAN1
64.106.24.74 ~ 64.106.24.74
192.168.1.55 ~ 192.168.1.55
Always
12345
Allow
RTP [10000]
WAN1
64106.24.74 ~ 64.106.24.74
192.168.1.55 ~ 192.168.1.55
Always
12345
Allow
All Traffic [0]
WAN1
208.180.146.205 ~ 208.180.146.205
Any
Always
Allow
All Traffic [0]
LAN
Any
Any
Always
Deny
All Traffic [0]
WAN1
Any
Any
Always
Deny
All Traffic [0]
WAN2
Any
Any
Always
Deny
All Traffic [0]
DMZ
Any
192.168.1.0 ~ 192.168.1.255
Always
Allow
All Traffic [0]
DMZ
Any
Any
Always

RDP Port Forwarding non-functional

OK, so I'm having yet another issue with my RV220w. I thought this would be a wise buy, but I keep finding reasons to hate myself for buying this router.
Anyway, I need to forward port 3389, Windows Remote Desktop Protocol to one of my internal servers. I have defualt NAT, defualt firewall, etc. etc. I have seen documentation that says that Firewall -> Port Forwarding is non-functional, so I attempt to set up port forwarding via Firewall -> Access Rules. I did not see "RDP" or any other obvious acronym for Remote Desktop Protocol in the services list. So, I made a custom service, called RemoteDP, TCP protocol, port 3389 to 3389.
No, I cannot RDP to my server from WAN. What gives? This was easily achieved with a cheap NETGEAR router from 2005.
Very confused, and therefore disappointed.
SAM

Join the club. . . .I have the same issues with custom rules and have been trying to get it to work for over a month now. I can only stall for so long with this problem. I need to get some ports open for established services that also was not a problem with a residential Netgear router.

RV220w port forwarding notworking

I want to forward a few port in the 8000-8100 series.
Goal is to reach the web interfaces for secondary routes true HTTPS protocol.
Port forwarding seems not to be working.
Someone experience / solution for this. i realy can use some help.
for current settings see below
For exaple 1 router IP wan = 192.168.0.17 protocol Https port 8007 open for external.
This is an static IP adres configured in the RV220W
RV220 settings
WAN IP automaitc configuration -> external DHCP 192.168.0.100
Network LAN IP 191.168.0.1
submask 255.255.255.0
DHCP mode : DHCP server.
start 191.168.0.2
end 191.168.0.10
static adresses
191.168.0.15 port forward 8005
191.168.0.17 port forward 8007.
firewall settings
Connection type inbound
action always allow
service Https
source Ip any
send to local server Dnat ip 191.168.0.17
rule status enabled
Port forwarding
Action always allow
service Https
source Ip any
destination 191.168.0.17
internalport 8007
Remote acces true webbrowser : Https://192.168.0.100:8007

Hi Jhon, the RV220W port forwarding is very stable through access rules on the 1.0.4.17 firmware. There is no reason for the RV220W interface to become unreachable because you made an access rule unless it overlaps with your remote management port, which would have the same result using a port forward.
I would recommend you test TCP sockets locally (behind the router) and over the WAN IP of the router from the subnet of the upstream router.
If I were testing this at your location I would do the following-
-Connect a computer to the LAN subnet of the RV220W and obtain an IP address on the same subnet as the resource you want to access
-Telnet the IP address of the resource and the port number, example- telnet 192.168.0.150 8007
-The telnet screen should change, if it times out, the resource is not accepting inbound connections
-Connect a computer to the LAN subnet of your upstream router and obtain an IP address on the same subnet as the WAN interface of the RV220W
-Try to telnet the WAN IP address of the RV220W using the port you have forwarded to the resource, example telnet RV220W wan:8007
If you can't make TCP sockets this way, either the access rules/forwarding is not configured correctly or the resource is not configured correctly.
This also may be a fundamental networking issue. I am having a hard time to decipher the IP addresses you're using but it almost seems like the IP addresses on the RV220W LAN correspond to IP addresses on the subnet. You said 1 router is 192.168.0.17 while the RV220W is 192.168.0.100. This is fine but you also said you have some devices 192.168.0.15 port 8007. This is not fine. This IP won't work if the LAN subnet of the RV220W is the same as the WAN subnet. That won't work with any router unless it were a transparent port... and if it were a transparent port you wouldn't need any forwarding.
-Tom
Please mark answered for helpful posts

Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
Joe

Wrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.

HELP!! Cisco RV180 Port Forwarding

Someone please advise as to this is the first time I've tried to setup port forwarding using the Cisco RV180 Router. I have a Cisco RV180 Router, a Ruckus 7055 access point and a power distribution unit. I'd like to be able to access the router remotely and also the devices behind the router (the ruckus access point and the power distribution unit). I'm assuming that I'll need to assign the Cisco RV180 router a static IP address and I'm assuing that this static address should be assigned to the WAN port? I'd also like to configure port forwarding so that I can access the ruckus and the PDU remotely also. I've tried assigning a static IP address to the WAN port of the RV180 but I cannot ping this device remotely. Anyone have any advice on accessing the RV180 remotely? I've populated all of the correct fields for the WAN settings (ip, gateway, subnet, etc.) , and my static ip address is valid.Thank you in advance.

Hello sirflex,
As you have mentioned you need to configure a static nat for the devices which you have done when you configure a port forwarding.
Have you configured access rules under firewall>access Rules. Add the access rules for the ping and the Http and Https services.
Can you capture the packets at the WAN port while you are pinging the WAN port and the firmware version on the device.
Which mode are you running the device gateway or router. You can check it under Netwroking>Routing>Routing Mode.
Thanks,
Prithvi
Please mark answered and rate for helpful posts.

Cisco ASA 5512, IP NVR port forwarding

Hi,
i have Cisco 5512 ASA with version 8.6(1)2. i have one IP NVR for ip cameras.
please help me how to configure port forwarding in cisco asa in CLI?
I have static IP on ASA 94.56.178. 222 and NVR IP 10.192.192.100
thank you so much.

ASA#
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.222 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
please advise

Port Forwarding for Cisco ASA 5505 VPN

This is the Network
Linksys E2500 ---> Cisco ASA 5505 ---> Server
I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
Thank You

For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
Command to enable NAT-T on ASA:
crypto isakmp nat-traversal 30

RV042 Port forwarding stops working when Firewall is enabled

Hey all,
I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows:
HTTP[TCP/80~80]->10.0.0.6
HTTPS[TCP/443~443]->10.0.0.6
IMAP[TCP/143~143]->10.0.0.5
IMAP SSL[TCP/993~993]->10.0.0.5
SMTP SSL[TCP/587~587]->10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out.
Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Do you know anything I could try?
Best regards,
Theo
EDIT:
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.

Hi Theo, if you want to over ride the default state table, you need to first make firewall rules to block all access then make your permission rules.
Such an example would be-
Action Deny
Service All
Source interface WAN
Source IP any
Destination IP any
Save
Action Permit
Service RDP
Source interface WAN
Source IP -xx.xx.xx.xx
Destination IP - xx.xx.xx.xx
Save
As for your concern about the syn flood, it can be a likely cause of your problems. Does the logging facility of the router give any indications?
-Tom
Please mark answered for helpful posts

Port Forward in Cisco series 800

Dear Support
below the configuration of Cisco Series 800 Router that Has VDSL port of internet , the configuration as below :
i add three command
what is required in order to make port forward
ip nat inside source static tcp 8000 10.10.10.10 8000 dilar 0
ip nat inside source static tcp 554 10.10.10.10 554 dilar 0
ip access list extended 100
permit ip any any
what is required to make port forward to the local ip address 10.10.10.10 from outside interface that is VDSL port ?
! Last configuration change at 10:47:44 KSA Wed Apr 22 2015 by aamalsup
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
hostname AamalNet
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret level 2 5 $1$Y4PF$K6TQ5wf0gcHiO5IxvLZba0
enable secret level 5 5 $1$WZeO$BzTCl0C0e1078CWxExJK0/
enable secret 5 $1$plq6$P5HVL/tR81cs0GFDrD.0V/
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
clock timezone KSA 3 0
crypto pki trustpoint TP-self-signed-1682106276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1682106276
revocation-check none
rsakeypair TP-self-signed-1682106276
crypto pki certificate chain TP-self-signed-1682106276
certificate self-signed 02
30820250 308201B9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363832 31303632 3736301E 170D3032 30333031 30303038
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36383231
30363237 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C2F3 49897460 71FEB259 7794B7C6 D398958A 2D338F0F C69F0E75 1137B16C
C261A275 8416DAF6 FC19AA6E 50024019 66CE4DB8 3AFAB6FE CE892B42 86A93490
97259E47 D740B2F4 9AA2D307 7B676841 2CAAA879 D945A6FD 717B507F 77399332
1644CEDE 884BF133 ACFBBC80 9869A104 54CC3EEE 9D521378 EC762D86 C3F0ABC9
CA990203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18417761 6C416D61 6C792E61 77616C6E 65742E6E 65742E73
61301F06 03551D23 04183016 80149ADD A651C9F9 F8369354 5C904777 090FEB75
72E0301D 0603551D 0E041604 149ADDA6 51C9F9F8 3693545C 90477709 0FEB7572
E0300D06 092A8648 86F70D01 01040500 03818100 50ACCA98 1A5FCCAD FC61D703
A8589B02 AFB8CD47 BD1CC7B0 B095C97F AA0604A8 F8495053 C8A9CBB9 644F5674
318A7AA0 873250AD 1DE28CE2 BE21ED19 BF212CF7 E2A97CFB FFA62F1E 643CEDFE
90D02109 719FD4D3 98E6C40B D61CE89C D2426C1E 3CBD9FBE 397F7F7C F1DD279E
14F8BB2D ABFA784B 6E04274B EDCBFC8F A805E91D
    quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.11.1
ip dhcp pool lan
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
ip dhcp pool wireless
import all
network 10.10.11.0 255.255.255.0
default-router 10.10.11.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
no ip domain lookup
ip domain name aamal.net.sa
ip name-server 212.93.192.4
ip name-server 212.93.192.5
no ipv6 cef
cwmp agent
enable download
enable
session retry limit 10
management server password 7 094D4308151612001D05072F
management server url http://aamalservice.aamal.net.sa:9090
license udi pid C887VA-W-E-K9 sn FCZ17459018
archive
log config
hidekeys
username k privilege 15 password 7 020D
username admin privilege 15 password 7 14161606050A
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group aamalnet
key aamalnet
dns 212.93.192.4 212.93.192.5
include-local-lan
dhcp server 10.10.10.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group aamalnet
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile SDM_Profile1
set security-association idle-time 60
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Vlan2
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 0007145E2E5A05522E1858
no cdp enable
interface BVI2
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 23 permit 212.93.196.0 0.0.0.255
access-list 23 permit 212.93.192.0 0.0.0.255
access-list 23 permit 212.93.193.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
snmp-server community private RW
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
privilege interface level 5 encapsulation
privilege interface level 5 description
privilege interface level 5 no encapsulation
privilege interface level 5 no description
privilege interface level 5 no
privilege configure level 5 ip route
privilege configure level 5 interface
privilege configure level 5 controller
privilege configure level 5 ip
privilege exec level 5 copy running-config tftp
privilege exec level 5 copy running-config
privilege exec level 5 copy
privilege exec level 5 write memory
privilege exec level 5 write
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show processes cpu
privilege exec level 5 show processes
privilege exec level 2 show running-config
privilege exec level 5 show configuration
privilege exec level 2 show
privilege exec level 5 clear counters
privilege exec level 5 clear
banner exec
CC
% Password expiration warning.
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
banner login
CC
********STC AamalNet Service****************************************
********Authorize Access Only. For more Support Call 909************
line con 0
privilege level 15
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 23 in
privilege level 2
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 20000 1000
end

Hello,
Sure.
What version are you running?
Regards,

How can I forward ports in Cisco C897VA-K9 model

Hi there,
Does any body know how I can use port forwarding in Cisco 897 model
I want to have a 115.1.1.1:60095 to 172.16.1.1:80 for example .
many thanks

Hello,
The desired port forward would look like the following:
ip nat inside source static tcp 115.1.1.1 60095 172.16.1.1 80 extendable
Thanks!

Port Forwarding Cisco firewall

Similar Messages

Maybe you are looking for