Port forwarding Cisco RV042 / RV042G

Hi,
we use three Cisco RV042 small Business Routers.
The problem:
We want to forward HTTPS on Wan-side to an other port than 443 on Lan-side.
For example: Wan 217.44.55.66 port 443 to 192.168.0.5 port 5001
There is only this option in RV042 : Forwarding -> Service HTTPS [TCP/443~443] to "IP-Adress" (also Port 443)
but we need something like this:
Forwarding -> Service HTTPS [TCP/443~443] to 192.168.0.5:5001
How can I configure it ?
Greetings from Germany
Goetz Hartwig, ITUC GmbH

Hi Ituconsult1
My name is Mehdi from Cisco Technical Support, yes with RV042 we can translate the port
Please follow this steps:
1. Please remove the rule of the port forwarding
2. Go to Setup under UPnP , service management and you will see external port and internal port so please configure external port to 443 and internal to 5001 and click add, please do not enable UPnP
3. on the same page please choose the service you created and put the internal IP of the server server
Please rate the post or mark it as answered to help other Cisco customers
Greeting
Regards
Mehdi

Similar Messages

Port Forwarding Cisco firewall

Hi,
In Cisco Firewall 2900 seires
trying to use port forwarding
but not communication please help me.
Reg
Manoj.

: Saved
: Written by enable_15 at 23:01:39.772 UTC Thu Jan 30 2014
name 10.10.70.X.40 FinalPdf
name 201.256.x.x Youfinalip
interface Ethernet0/0
nameif YOUB
security-level 0
ip address 201.256.x.x.254.82 255.255.255.248
interface Ethernet0/2
nameif inside
security-level 100
ip address 10.10.70.X.1 255.255.255.0
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
ftp mode passive
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service ftp tcp
port-object eq ftp
port-object eq ftp-data
port-object eq 14147
object-group service any tcp-udp
port-object range 1 65535
object-group service DM_INLINE_TCP_1 tcp
group-object ftp
port-object eq ftp-data
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.10.0 255.255.255.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 10.70.0.0 255.255.0.0
access-list EXEMPT extended permit ip 10.10.70.X.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list inside_access_in extended deny object-group TCPUDP any any eq domain
access-list inside_access_in extended permit ip any any
access-list YOUB_mpc extended permit ip any any
access-list YOUB_access_in extended permit object-group TCPUDP any interface YOUB inactive
access-list YOUB_access_in extended permit tcp any host Youfinalip object-group ftp
pager lines 24
logging enable
logging emblem
logging asdm-buffer-size 512
logging buffered debugging
logging trap debugging
logging history debugging
logging asdm debugging
logging device-id hostname
logging debug-trace
logging ftp-bufferwrap
logging ftp-server 10.10.70.X.251 firwall/ firwall firwall
logging class auth trap emergencies asdm emergencies
mtu YOUB 1500
mtu SIFY 1500
mtu inside 1500
mtu WAN 1500
mtu management 1500
ip verify reverse-path interface YOUB
ip verify reverse-path interface inside
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-645.bin
asdm location Testpdf 255.255.255.255 inside
asdm history enable
arp timeout 14400
global (YOUB) 1 interface
global (SIFY) 1 interface
nat (inside) 0 access-list EXEMPT
nat (inside) 1 10.10.70.X.0 255.255.255.0 dns
static (inside,YOUB) tcp Youfinalip ftp Testpdf ftp netmask 255.255.255.255
access-group YOUB_access_in in interface YOUB
access-group inside_access_in in interface inside
route YOUB 0.0.0.0 0.0.0.0 201.256.x.x.254.81 1 track 1
route inside 0.0.0.0 0.0.0.0 10.10.70.X.1 10
route WAN 10.60.0.0 255.255.255.0 10.70.100.38 1
route WAN 192.168.8.0 255.255.255.0 10.70.100.38 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
sla monitor 100
type echo protocol ipIcmpEcho 4.2.2.2 interface YOUB
num-packets 3
frequency 10
sla monitor schedule 100 life forever start-time now
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
track 1 rtr 100 reachability
telnet timeout 5
ssh scopy enable
ssh 10.10.70.X.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username cisco password 3USUcOPFUiMCO4Jk encrypted
class-map YOUB-class
match access-list YOUB_mpc
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description ftp
class inspection_default
inspect dns preset_dns_map
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect ftp
class class-default
ips inline fail-open
policy-map YOUB-policy
class YOUB-class
ips inline fail-open sensor vs0
service-policy global_policy global
service-policy YOUB-policy interface YOUB
smtp-server 10.10.70.X.18
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:aace81256bc60bc50469f80cb0c4641a
: end

Port Forwarding Cisco DDR2200 .

Hi. I am really knowledgable in technology but this has me stumped. I have a Cisco DDR2200 modem/router and all I want to do is forward some ports. I sign in and locate the Advanced-IPNetworking-VirtualServers. I then add my two external ports (25565), choose my protocol, and then enter my internal ports (25565). Then as my "server IP" (My local IP) is 192.168.1.70. I enter in all the correct details and select add. The ports just refuse to open no matter how many times I retry this. I have searched and searched on google until I finally had enough and came here.
Thanks in advance.

Wrong forum, post in "small business - routers". You can move your post using the actions panel on the right.

Port forwarding Cisco 857W + admin page viewable externally

I would like to open UDP port 22335, and TCP port 80 on my local server 10.10.10.50. I've been having a heck of a time getting this to work, as I don't really understand access lists and what is required.. also, for some reason my firewall is open to the outside world on port 443 (you can browse and see the admin access page) I don't recally setting this up!! Can someone help me fix all this? Config is as follows:
Thanks a million guys!
CiscoMan
This is the running config of the router: 10.10.10.1
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname **************
boot-start-marker
boot system flash c850-advsecurityk9-mz.124-15.T15.bin
boot-end-marker
logging buffered 51200
logging console critical
enable secret 5 **************
aaa new-model
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
crypto pki trustpoint TP-self-signed-2488767310
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2488767310
revocation-check none
rsakeypair TP-self-signed-2488767310
crypto pki certificate chain TP-self-signed-2488767310
certificate self-signed 01
<cert here>
            quit
dot11 syslog
dot11 ssid ***********
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 ******************
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.201 10.10.10.254
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server *********
   default-router 10.10.10.1
ip cef
ip inspect log drop-pkt
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM tcp router-traffic
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
no ip bootp server
ip domain name yourdomain.com
ip name-server *******
ip name-server *******
appfw policy-name SDM_MEDIUM
application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
username ********* privilege 15 secret 5 ************************
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
bridge irb
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/35
pppoe-client dial-pool-number 1
interface FastEthernet0
shutdown
interface FastEthernet1
interface FastEthernet2
shutdown
interface FastEthernet3
interface Dot11Radio0
no ip address
encryption vlan 1 mode ciphers aes-ccm
broadcast-key vlan 1 change 30
ssid ********
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
bridge-group 1
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect SDM_MEDIUM out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username ******** password 7 ********
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration##NO_ACES_3##
access-list 100 remark SDM_ACL Category=1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration##NO_ACES_13##
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit udp host ******* eq domain any
access-list 101 permit udp host ******** eq domain any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any log
dialer-list 1 protocol ip permit
control-plane
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hi Bro
As mentioned by jcarvaja above, you’ll need to enable PAT (Port Address Translation) simply because you’ve a single WAN IP Address.
Here are the commands that you should insert;
ip nat inside source static tcp 10.10.10.50 80 interface Dialer0 80
ip nat inside source static udp 10.10.10.50 22335 interface Dialer0 22335
ip nat inside source static udp 10.10.10.50 22336 interface Dialer0 22336
ip nat inside source static udp 10.10.10.50 30175 interface Dialer0 30175
ip nat translation timeout 600
ip nat translation tcp-timeout 600
ip nat translation udp-timeout 600
ip nat translation syn-timeout 600
ip nat translation icmp-timeout 600
Moreover, the reason as to why your Router’s admin page is widely expose to the Internet cloud is simply because you’ve enabled the http services.
Here are the commands that you should insert;
no ip http server
no ip http secure-server
P/S: if you think this comment is useful, please do rate them nicely :-) and click on the button THIS QUESTION IS ANSWERED.

Help: Port forward in Cisco SOHO 97

Hi there!
I have a Cisco SOHO 97.
The IP is: 10.0.0.1/24
Gw: 0.0.0.0
*Default route via DIALER1
I also have a RV042 configured as VPN Server (PPTP and IPSec).
The IP is: 10.0.0.2/24
I need help to configure the router to I be able to connect to VPN server from OUTSIDE-WORLD.
I imagine I need Port forwarding from Cisco SOHO to RV042.
I hope for possibles answers!
Thanks!

Sorry i found the issue.
The problem was that, i wanted to redirect port 443 (https) to an private address.
But by default port 443 is reserved to access ASA via https for management.
I just reserved another port 888 for https management access and now i can redirect port 443 normaly as i wanted.
Using this command: http server enable 888
Germain

Port Forwarding with Port Translation RV042, RV016, RV082

This is a feature request for the Linksys RV series Routers. Currently, it appears that the Cisco/Linksys RV042, RV082, and RV016 only support port forwarding and 1-to-1 Nat. One item that I find very helpful with customers is port forwarding with port translation. I am requesting that this feature be included with a future firmware relase for these RV series routers.
Here is an example of the request.
Take an incoming service request on a TCP or UDP destination port and forward it to an internal IP on a different TCP or UDP port. For example, customer A wants to allow different machines on the internal network to receive Windows RDP connections inbound. To make PC maintenance identical between the internal machines, the customer does not want to change the listening port for RDP on the individual PC workstations through the Windows Registry. The customer also does not want to dedicate separate IP's to each machine in a 1-to-1 NAT setup. The only option is to have remote connections to each of these PC's to use a different destination port. So, for example, PC one could be reached on TCP port 5151, PC two on TCP port 5152, and PC three on port 5153. This requres a firewall that is able to translate each of these connection requests to a different internal IP on the default RDP port (TCP 3389). So, the following setup is required:
Port Forwarding with Port Translation:
Router External IP on TCP port 5151 ---> forwarded to PC One's internal IP on TCP 3389
Router External IP on TCP port 5152 ---> forwarded to PC Two's internal IP on TCP 3389
Router External IP on TCP port 5153 ---> forwarded to PC Three's internal IP on TCP 3389
There are several comparable "small business" class router competitors to the RV042, RV082, and RV016 that will perform this port forwarding with port translation process without incident. Unfortunately, these Cisco/Linksys small business routers will not accomplish this task currently.
Please implement this feature in a future firmware release.
Thanks!

Excellent. I see this now. None of our customers actually use the UPNP feature, so we never realized that Port Forwarding with Port Translation features existed on this page along with the ability to enable or disable UPNP.
Perhaps, in the future, this functionality could be moved to and incorporated into the port forwarding page which seems to be a more logical location.
In either case I'm very happy to know that this feature is available on the RV's.
Thanks for your assistance.

Cisco RV042 port forwording case?

Hello,
Here is my situation. I have two real IP addresses on each of my WAN ports. I need to configure:
port forwarding (80,443,3389) from Real_IP1 (configured on WAN1) to 192.168.116.10 (same ports)
port forwarding (80,443,3389) from Real_IP2 (configured on WAN2) to 192.168.117.10 (same ports)
Router is confugured in System Management > Dual WAN as Load balancing.
192.168.116.0 is in vlan1 (port1)
192.168.117.0 is in vlan2 (port2)
Is it possible to make it working using Cisco RV042?
Thanks in advance!

Plamen,
Try to create an Access Rule like shown in the following example. On the second rule, select WAN 2 and use the other internal IP. I have never tested this but it looks like it might be a solution. (This is an older RV042)
Please let us know if this works or not.
- Marty

Cisco rv042 not forwarding

Hello my Name is Enoth Rojas from the republic of Panama.
I have a dual band cisco rv042 router which does not respond to port forwarding for remote desktop. When I check from the internet for open ports it says that port 3389 is close. I have been unable to make it forward the request. Any advice will be appreciate?
Thanks
Enoth Rojas

Hello enothrojas,
If you check the logging and enable all the logging for accepted connections. Once this is enabled attempt to RDP to the computer you want access to, make sure your not on the local network when you attempt for better testing. Then go to your logging and then look at your incoming logs.
Look for the source IP address, (the WAN IP address of the site you attempted the connection from) and see if the RV042 is seeing the request.
If it is not then you will need to talk to your ISP. If it is, what is the destination?
Then look at your outgoing log table and see if you see an ACK being sent back to your source, if it is not then the PC you are trying to access is no replying.
Hope this helps.
Regards,
Michael D.

Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
Joe

Wrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.

Cisco ASA 5512, IP NVR port forwarding

Hi,
i have Cisco 5512 ASA with version 8.6(1)2. i have one IP NVR for ip cameras.
please help me how to configure port forwarding in cisco asa in CLI?
I have static IP on ASA 94.56.178. 222 and NVR IP 10.192.192.100
thank you so much.

ASA#
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 94.56.178.222 255.255.255.255 identity
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x7fffa2969000, priority=0, domain=permit, deny=true
hits=11524, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
input_ifc=OUTSIDE, output_ifc=any
Result:
input-interface: OUTSIDE
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
please advise

Port Forwarding for Cisco ASA 5505 VPN

This is the Network
Linksys E2500 ---> Cisco ASA 5505 ---> Server
I beleive I need to forward some ports to the asa to use the IPsec VPN I just setup. I had the SSL VPN working but only needed to forward 443 for that....I assume that IPsec tunnel is a specific port.
Thank You

For IPSec VPN, you need to port forward UDP/500 and UDP/4500, and remember to enable NAT-T on the ASA.
Command to enable NAT-T on ASA:
crypto isakmp nat-traversal 30

RV042 Port forwarding stops working when Firewall is enabled

Hey all,
I have a RV042 router on a single WAN and an internal LAN. I have configured port forwarding as follows:
HTTP[TCP/80~80]->10.0.0.6
HTTPS[TCP/443~443]->10.0.0.6
IMAP[TCP/143~143]->10.0.0.5
IMAP SSL[TCP/993~993]->10.0.0.5
SMTP SSL[TCP/587~587]->10.0.0.5
Everything works just fine when I have the firewall DISABLED. However, when I enable it the behaviour is erratic. 1 out of 10 attempts to connect to ANY port forwarded works. Almost all attempts time out.
Notice that this happens even if using only the default firewall rules (which should be bypassed by the port forwarding as I read in other posts).
My second try was to create firewall rules manually, overriding the default ones. I tried adding rules from source WAN1 (where my connection is) to ANY and to SINGLE IP's on every port. Nothing seems to work.
I don't know what I'm doing wrong, this is really bugging me. I had to turn the firewall off so we can access our servers from outside the office. This shouldn't have to be done.
Do you know anything I could try?
Best regards,
Theo
EDIT:
Just found out that my firewall is getting LOTS and LOTS of Blocked - SYN Flood entries. I think this is why we are having trouble with the firewall. Could this be the problem? I have no idea where all these SYN packets are coming from since they appear with spoofed IPs or come from different bots all over.

Hi Theo, if you want to over ride the default state table, you need to first make firewall rules to block all access then make your permission rules.
Such an example would be-
Action Deny
Service All
Source interface WAN
Source IP any
Destination IP any
Save
Action Permit
Service RDP
Source interface WAN
Source IP -xx.xx.xx.xx
Destination IP - xx.xx.xx.xx
Save
As for your concern about the syn flood, it can be a likely cause of your problems. Does the logging facility of the router give any indications?
-Tom
Please mark answered for helpful posts

Port Forward in Cisco series 800

Dear Support
below the configuration of Cisco Series 800 Router that Has VDSL port of internet , the configuration as below :
i add three command
what is required in order to make port forward
ip nat inside source static tcp 8000 10.10.10.10 8000 dilar 0
ip nat inside source static tcp 554 10.10.10.10 554 dilar 0
ip access list extended 100
permit ip any any
what is required to make port forward to the local ip address 10.10.10.10 from outside interface that is VDSL port ?
! Last configuration change at 10:47:44 KSA Wed Apr 22 2015 by aamalsup
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime
service password-encryption
hostname AamalNet
boot-start-marker
boot-end-marker
logging buffered 51200 warnings
enable secret level 2 5 $1$Y4PF$K6TQ5wf0gcHiO5IxvLZba0
enable secret level 5 5 $1$WZeO$BzTCl0C0e1078CWxExJK0/
enable secret 5 $1$plq6$P5HVL/tR81cs0GFDrD.0V/
aaa new-model
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
clock timezone KSA 3 0
crypto pki trustpoint TP-self-signed-1682106276
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1682106276
revocation-check none
rsakeypair TP-self-signed-1682106276
crypto pki certificate chain TP-self-signed-1682106276
certificate self-signed 02
30820250 308201B9 A0030201 02020102 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31363832 31303632 3736301E 170D3032 30333031 30303038
35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36383231
30363237 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C2F3 49897460 71FEB259 7794B7C6 D398958A 2D338F0F C69F0E75 1137B16C
C261A275 8416DAF6 FC19AA6E 50024019 66CE4DB8 3AFAB6FE CE892B42 86A93490
97259E47 D740B2F4 9AA2D307 7B676841 2CAAA879 D945A6FD 717B507F 77399332
1644CEDE 884BF133 ACFBBC80 9869A104 54CC3EEE 9D521378 EC762D86 C3F0ABC9
CA990203 010001A3 78307630 0F060355 1D130101 FF040530 030101FF 30230603
551D1104 1C301A82 18417761 6C416D61 6C792E61 77616C6E 65742E6E 65742E73
61301F06 03551D23 04183016 80149ADD A651C9F9 F8369354 5C904777 090FEB75
72E0301D 0603551D 0E041604 149ADDA6 51C9F9F8 3693545C 90477709 0FEB7572
E0300D06 092A8648 86F70D01 01040500 03818100 50ACCA98 1A5FCCAD FC61D703
A8589B02 AFB8CD47 BD1CC7B0 B095C97F AA0604A8 F8495053 C8A9CBB9 644F5674
318A7AA0 873250AD 1DE28CE2 BE21ED19 BF212CF7 E2A97CFB FFA62F1E 643CEDFE
90D02109 719FD4D3 98E6C40B D61CE89C D2426C1E 3CBD9FBE 397F7F7C F1DD279E
14F8BB2D ABFA784B 6E04274B EDCBFC8F A805E91D
    quit
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.11.1
ip dhcp pool lan
import all
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
ip dhcp pool wireless
import all
network 10.10.11.0 255.255.255.0
default-router 10.10.11.1
dns-server 212.93.192.4 212.93.192.5
lease 0 2
no ip domain lookup
ip domain name aamal.net.sa
ip name-server 212.93.192.4
ip name-server 212.93.192.5
no ipv6 cef
cwmp agent
enable download
enable
session retry limit 10
management server password 7 094D4308151612001D05072F
management server url http://aamalservice.aamal.net.sa:9090
license udi pid C887VA-W-E-K9 sn FCZ17459018
archive
log config
hidekeys
username k privilege 15 password 7 020D
username admin privilege 15 password 7 14161606050A
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group aamalnet
key aamalnet
dns 212.93.192.4 212.93.192.5
include-local-lan
dhcp server 10.10.10.1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group aamalnet
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile SDM_Profile1
set security-association idle-time 60
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
bridge irb
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 0/35
pppoe-client dial-pool-number 1
interface Ethernet0
no ip address
shutdown
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
ip unnumbered Vlan1
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Vlan2
no ip address
bridge-group 2
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname [email protected]
ppp chap password 7 0007145E2E5A05522E1858
no cdp enable
interface BVI2
ip address 10.10.11.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 10.10.11.0 0.0.0.255
access-list 23 permit 212.93.196.0 0.0.0.255
access-list 23 permit 212.93.192.0 0.0.0.255
access-list 23 permit 212.93.193.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.11.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
snmp-server community private RW
snmp-server community public RO
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
privilege interface level 5 encapsulation
privilege interface level 5 description
privilege interface level 5 no encapsulation
privilege interface level 5 no description
privilege interface level 5 no
privilege configure level 5 ip route
privilege configure level 5 interface
privilege configure level 5 controller
privilege configure level 5 ip
privilege exec level 5 copy running-config tftp
privilege exec level 5 copy running-config
privilege exec level 5 copy
privilege exec level 5 write memory
privilege exec level 5 write
privilege exec level 5 configure terminal
privilege exec level 5 configure
privilege exec level 5 show processes cpu
privilege exec level 5 show processes
privilege exec level 2 show running-config
privilege exec level 5 show configuration
privilege exec level 2 show
privilege exec level 5 clear counters
privilege exec level 5 clear
banner exec
CC
% Password expiration warning.
Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the
"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
banner login
CC
********STC AamalNet Service****************************************
********Authorize Access Only. For more Support Call 909************
line con 0
privilege level 15
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
access-class 23 in
privilege level 2
transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 20000 1000
end

Hello,
Sure.
What version are you running?
Regards,

How can I forward ports in Cisco C897VA-K9 model

Hi there,
Does any body know how I can use port forwarding in Cisco 897 model
I want to have a 115.1.1.1:60095 to 172.16.1.1:80 for example .
many thanks

Hello,
The desired port forward would look like the following:
ip nat inside source static tcp 115.1.1.1 60095 172.16.1.1 80 extendable
Thanks!

RV042 vpn&port forwarding problems

Hello,
I spent a few days trying to configure the RV042 router but I messed up. I need this router for VPN access on my site and Port Forwarding to an internal web server. Apparently very simple task, isn't it?
So:
1. PPTP is working fine but I need more than 5 concurrent accesses.
2. Quickvpn does not work when the DHCP server is checked and I can't access any computer from my lan. I have a DHCP server in my LAN but when I'm conected through Quickvpn I never reach it. In the log file there are messages like:
Connection refused - Policy violation TCP 169.254.x.x->192.168.1.2 (DHCP server from my lan)
3. On Setup > Forwarding I added a Port Range Forwarding for HTTP port 80 to an internal IP address (192.168.1.x). I although added a firewall access rule to allow traffic to Port 80 from any source interface and any source IP to 192.168.1.x.
From the internal LAN, using the WAN IP of the router, the Port forwarding works but not form the outside, though in the log file of the router it appears to work:
Connection Accepted TCP 208.64.252.230:33027->192.168.1.x:80 on ixp1
What could I have done wrong?
The router is configured with a static address as a gateway and it has the latest firmware 1.3.12.19-tm. The access rules are the default ones and the one I added.
Any help would be much apreciated.
Thanks.

Can't answer as to why QVPN fails when you enable DHCP on the router, but concidering your requirements it seems to be a moot point. So, you have a DHCP server on your network which I will guess is also running your Web service. If this is a Windows server does your current configuration allow you to enable PPTP on it? If so, that would solve the five user limit. You will need to turn off the PPTP server on the router and then forward port 1723 TCP to your server and you are done. As for your http access, remove any rule that you have in reference to "allow" port 80 connectivity to your web server. Not sure why but this tends to confuse the poor little things. Once you have verified that port 80 is active on the server via the LAN (which you already have) then you are done. If you are still not successful with the connection to the server from the WAN you may want to default the router and start over (lame I know).
*** SORRY, just noticed that you stated that you added a "port range" forwarding rule. Remove that, and configure a UPnP rule for the same server instead. Do not know why they call it that, they just do. This is the same as configuring a single port forward they just call it something different. So just port forward 80 tcp to your server on 192.168.1.x and you are done.

Port forwarding Cisco RV042 / RV042G

Similar Messages

Maybe you are looking for