Port Forwarding (Redirection)

Hello,
I have a question and need some guidance.
I have a Cisco ASA 5555-X, ASA Version 9.2(2)4 with ASDM Version 7.3(1)101.
We have SMTP on port 25 (I know..not secure...unfortunately we don't control it)
In order to deter spamming, port 25 is blocked and managed by Access Rules in our ASA.
We have allowed servers to use SMTP for alerting features so we have some gear already configured and allowed to use SMTP port 25.
I have been asked to allow a handful of desktops to send email out - yes, send only.
I do not want to allow any desktop to use SMTP port 25.
Here is my question..finally...
Let's say my SMTP is 10.90.2.30
My desktop is 10.0.0.111
Can I set my desktop application SMTP settings to use port 465, then have the ASA redirect the port 465 coming from 10.0.0.111 to port 25 on 10.90.2.30?
Can this be done?
If so, can someone share how this would look configured using ASDM?
Thank you in advance!

I read an article on "Converting your $60 router into a $600 router." I realize that Linksys would not condone or support this. However, if I were to perform this firmware upgrade, would the router then support what I am trying to accomplish?

Similar Messages

Port Forwarding for RDP 3389 is not working

Hi,
I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny   ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny   ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
   functions svc-enabled
   svc address-pool "sat-ipsec-vpn-pool"
   svc default-domain "domain.com"
   svc keep-client-installed
   svc split dns "domain.com"
   svc split include 10.0.0.0 255.0.0.0
   svc split include 192.168.0.0 255.255.0.0
   svc split include 172.16.0.0 255.240.0.0
   svc dns-server primary 10.20.30.20
   svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end

Hi,
I didnt see anything marked with red in the above? (Atleast when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni

Please Help - Only Some Port Forwards Working

Hi all,
I have the most annoying issue with a Cisco 887VA-K9 port forwarding. Some port work while other don’t and I just can’t see why, however I suspect it is a zone based firewall (ZBF) issue.
Port forwards on the follow ports all work fine:
External port 8021 to 192.168.4.253 on port 80 works
External port 8022 to 192.168.4.253 on port 8022 works
All the rest don’t. I also have SIP phones sitting outside the LAN which are unable to register through the internet with the PBX unit which is in the DMZ network 192.168.4..0
Any help would be great appreciated as this sending me mad. Fully running config below.
Louise ;-)
Building configuration...
Current configuration : 36870 bytes
! Last configuration change at 12:49:03 Magadan Fri Nov 8 2013 by cpadmin
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname QQQ_ADSL_Gateway
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 64000
enable secret 4 gim.lMOdQK/21R4Wu.QJfOMAv3CIkRyN.hbSTG5xAxE
aaa new-model
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
clock timezone Magadan 11 0
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-3471381936
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3471381936
revocation-check none
rsakeypair TP-self-signed-3471381936
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-3471381936
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343731 33383139 3336301E 170D3132 30373132 31313332
34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34373133
38313933 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB76 5F7EE03F 306F52A0 91E82E04 7A69528D 1839409C 55BCC55A 47F180A9
7B522E9B FBB96A32 715178FE B96B737E 788947A4 CF4791AA 15609E37 A3F66F07
AD1B8A34 A2877711 E33A613D 8E50AE40 A106DE9C B2B03B95 73392ADB 4BB51FAD
6F2D6F8D A90BA0B5 BD1A209C F54126A9 2E2FF5B7 85041B7E C72032C0 CECE7F79
51550203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 141713AB B7F927E5 50C242DF 9912C3B6 61D93313 80301D06
03551D0E 04160414 1713ABB7 F927E550 C242DF99 12C3B661 D9331380 300D0609
2A864886 F70D0101 05050003 81810099 8EBE5630 2E6734A8 4D2FD0A5 F09A98F8
9E49125F AECEF4BB E0DEBB3A 1A449E38 99B02114 7EC84845 B53C2F88 046B7290
AE44967A 8BE20F5E 9D4A1CFC E1F64FE8 59F51892 23B88B4E 3416808A 68E65660
644C7DA0 E3A7A525 14FE8E54 67C35F8E CF69EB40 34DFB13D EA302F66 102C822A
3D7107BA AA4E7273 1D43690E C4A5D4
                quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
no ip source-route
ip dhcp excluded-address 192.168.0.230 192.168.0.255
ip dhcp excluded-address 192.168.0.1 192.168.0.200
ip dhcp pool QQQ_LAN
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
dns-server 192.168.0.6 202.1.161.36
netbios-name-server 192.168.0.6
domain-name QQQ.Local
lease 3
ip cef
no ip bootp server
ip domain name QQQ.Local
ip name-server 192.168.0.6
ip name-server 202.1.161.37
ip name-server 202.1.161.36
ip inspect log drop-pkt
no ipv6 cef
parameter-map type inspect global
log dropped-packets enable
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
password encryption aes
license udi pid CISCO887VA-K9 sn FGL162321CT
object-group service MAIL-PORTS
description QQQ User Mail Restrictions
tcp eq smtp
tcp eq pop3
tcp eq 995
tcp eq 993
udp lt rip
udp lt domain
tcp eq telnet
udp lt ntp
udp lt tftp
tcp eq ftp
tcp eq domain
tcp eq 5900
tcp eq ftp-data
tcp eq 3389
tcp eq 20410
object-group network Network1
description QQQ Management Network
192.168.1.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.8.0 255.255.255.0
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
object-group network Network2
description QQQ User Network
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
range 192.168.0.26 192.168.0.199
object-group network QQQ.Local
description QQQ_Domain
192.168.0.0 255.255.255.0
192.168.1.0 255.255.255.0
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.4.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.6.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.10.0 255.255.255.0
10.1.0.0 255.255.0.0
object-group network QQQ_Management_Group
description QQQ I.T. Devices With UnRestricted Access
range 192.168.0.200 192.168.0.254
range 192.168.0.1 192.168.0.25
192.168.1.0 255.255.255.0
192.168.8.0 255.255.255.0
192.168.7.0 255.255.255.0
192.168.5.0 255.255.255.0
192.168.4.0 255.255.255.0
10.1.0.0 255.255.0.0
192.168.10.0 255.255.255.0
10.8.0.0 255.255.255.0
192.168.9.0 255.255.255.0
192.168.100.0 255.255.255.0
192.168.20.0 255.255.255.0
192.168.21.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.23.0 255.255.255.0
object-group network QQQ_User_Group
description QQQ I.T. Devices WIth Restricted Access
range 192.168.0.26 192.168.0.199
192.168.2.0 255.255.255.0
192.168.3.0 255.255.255.0
192.168.6.0 255.255.255.0
object-group service WEB
description QQQ User Web Restrictions
tcp eq www
tcp eq 443
tcp eq 8080
tcp eq 1863
tcp eq 5190
username cpadmin privilege 15 password 7 1406031A2C172527
username QQQVPN privilege 15 secret 4 Hk2tP2GgJ1xXtJUqIZr4gmNSgw6q1E.rvzWiYnDAZHU
controller VDSL 0
ip tcp synwait-time 10
no ip ftp passive
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 121
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 120
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 122
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 117
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect gnutella match-any ccp-app-gnutella
match file-transfer
class-map type inspect match-any SDM_HTTP
match access-group name SDM_HTTP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-cls-http
match access-group name dmz-traffic
match protocol http
class-map type inspect match-any Telnet
match protocol telnet
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
match service any
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
match service any
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
match service any
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any FIREWALL_EXCEPTIONS_CLASS
match access-group name FIREWALL_EXCEPTIONS_ACL
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any SDM_EASY_VPN_CTCP_SERVER_PT
match access-group 102
match access-group 103
match access-group 104
match access-group 105
match access-group 106
match access-group 107
match access-group 108
match access-group 109
match access-group 110
match access-group 111
match access-group 112
match access-group 113
match access-group 114
match access-group 115
class-map type inspect match-any SIP
match protocol sip
class-map type inspect pop3 match-any ccp-app-pop3
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect sip match-any ccp-cls-sip-pv-2
match protocol-violation
class-map type inspect kazaa2 match-any ccp-app-kazaa2
match file-transfer
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-cls-ccp-permit-1
match access-group name ETS1
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect msnmsgr match-any ccp-app-msn
match service text-chat
class-map type inspect ymsgr match-any ccp-app-yahoo
match service text-chat
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
match access-group name ETS
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
match class-map Telnet
match access-group name Telnet
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
match request method bcopy
match request method bdelete
match request method bmove
match request method bpropfind
match request method bproppatch
match request method connect
match request method copy
match request method delete
match request method edit
match request method getattribute
match request method getattributenames
match request method getproperties
match request method index
match request method lock
match request method mkcol
match request method mkdir
match request method move
match request method notify
match request method options
match request method poll
match request method propfind
match request method proppatch
match request method put
match request method revadd
match request method revlabel
match request method revlog
match request method revnum
match request method save
match request method search
match request method setattribute
match request method startrev
match request method stoprev
match request method subscribe
match request method trace
match request method unedit
match request method unlock
match request method unsubscribe
class-map type inspect match-any ccp-dmz-protocols
match user-group qqq
match protocol icmp
match protocol http
class-map type inspect edonkey match-any ccp-app-edonkey
match file-transfer
match text-chat
match search-file-name
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-cls-sip
match access-group name dmz-traffic
match protocol sip
class-map type inspect match-all ccp-dmz-traffic
match access-group name dmz-traffic
match class-map ccp-dmz-protocols
class-map type inspect http match-any ccp-http-blockparam
match request port-misuse im
match request port-misuse p2p
class-map type inspect edonkey match-any ccp-app-edonkeydownload
match file-transfer
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect aol match-any ccp-app-aol
match service text-chat
class-map type inspect edonkey match-any ccp-app-edonkeychat
match search-file-name
match text-chat
class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
match class-map SIP
match access-group name SIP
class-map type inspect fasttrack match-any ccp-app-fasttrack
match file-transfer
class-map type inspect http match-any ccp-http-allowparam
match request port-misuse tunneling
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect p2p ccp-action-app-p2p
class type inspect edonkey ccp-app-edonkeychat
log
allow
class type inspect edonkey ccp-app-edonkeydownload
log
allow
class type inspect fasttrack ccp-app-fasttrack
log
allow
class type inspect gnutella ccp-app-gnutella
log
allow
class type inspect kazaa2 ccp-app-kazaa2
log
allow
policy-map type inspect PF_OUT_TO_IN
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect PF_IN_TO_OUT
class type inspect FIREWALL_EXCEPTIONS_CLASS
pass
policy-map type inspect im ccp-action-app-im
class type inspect aol ccp-app-aol
log
allow
class type inspect msnmsgr ccp-app-msn
log
allow
class type inspect ymsgr ccp-app-yahoo
log
allow
class type inspect aol ccp-app-aol-otherservices
log
reset
class type inspect msnmsgr ccp-app-msn-otherservices
log
reset
class type inspect ymsgr ccp-app-yahoo-otherservices
log
reset
policy-map type inspect http ccp-action-app-http
class type inspect http ccp-http-blockparam
log
reset
class type inspect http ccp-app-httpmethods
log
reset
class type inspect http ccp-http-allowparam
log
allow
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
policy-map type inspect ccp-inspect
class type inspect ccp-protocol-http
inspect
service-policy http ccp-action-app-http
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
inspect
service-policy p2p ccp-action-app-p2p
class type inspect ccp-protocol-im
inspect
service-policy im ccp-action-app-im
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class type inspect ccp-invalid-src
drop log
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect ccp-cls-ccp-permit-1
pass
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_EASY_VPN_CTCP_SERVER_PT
inspect
class class-default
drop
policy-map type inspect sip ccp-app-sip-2
class type inspect sip ccp-cls-sip-pv-2
allow
policy-map type inspect ccp-permit-dmzservice
class type inspect ccp-cls-ccp-permit-dmzservice-1
pass
class type inspect ccp-dmz-traffic
inspect
class type inspect sdm-cls-http
inspect
service-policy http ccp-action-app-http
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class class-default
pass
policy-map type inspect ccp-pol-outToIn
class type inspect ccp-cls-ccp-pol-outToIn-1
pass
class type inspect ccp-cls-ccp-pol-outToIn-2
pass
class type inspect CCP_PPTP
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect sdm-cls-VPNOutsideToInside-2
inspect
class type inspect sdm-cls-VPNOutsideToInside-3
pass
class type inspect sdm-cls-VPNOutsideToInside-4
inspect
class class-default
drop log
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-in-dmz source in-zone destination dmz-zone
service-policy type inspect ccp-permit-dmzservice
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security dmz-to-in source dmz-zone destination in-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source dmz-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination dmz-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in3 source ezvpn-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
crypto ctcp port 10000 1723 6299
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 2
encr aes 256
authentication pre-share
group 2
crypto isakmp key 6 PbKM_WfaCM[hYNXAFOUgCNgCB_ZdJEAAB address 220.245.109.219
crypto isakmp key 6 NddQRR[O^KY`GRDC[VZUEPE`CSJ^CDAAB address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group QQQ
key 6 UWVBhb`Lgc_AZbDYWDFZiGZTTadNYTAAB
dns 192.168.0.6 202.1.161.36
wins 192.168.0.6
domain QQQ.Local
pool SDM_POOL_1
include-local-lan
max-users 20
max-logins 1
netmask 255.255.255.0
banner ^CCWelcome to QQQ VPN!!!!1                 ^C
crypto isakmp profile ciscocp-ike-profile-1
   match identity group QQQ
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   keepalive 10 retry 2
   virtual-template 1
crypto ipsec transform-set ESP_AES_SHA esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP_AES_SHA
set isakmp-profile ciscocp-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to220.245.109.219
set peer 220.245.109.219
set transform-set ESP-3DES-SHA
match address 119
interface Loopback0
description QQQ_VPN
ip address 192.168.9.254 255.255.255.0
interface Null0
no ip unreachables
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
no fair-queue
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
interface ATM0.1 point-to-point
description Telekom_ADSL
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security out-zone
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
description QQQ_LAN-VLAN_1
switchport access vlan 1
no ip address
interface FastEthernet1
description QQQ_LAN-VLAN_1
no ip address
interface FastEthernet2
description QQQ_WAN-VLAN_2
switchport access vlan 2
no ip address
interface FastEthernet3
description QQQ_DMZ-IP_PBX-VLAN_3
switchport access vlan 3
no ip address
interface Virtual-Template1 type tunnel
description QQQ_Easy_VPN
ip unnumbered Loopback0
ip nat inside
ip virtual-reassembly in
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
description QQQ_LAN-VLAN1$FW_INSIDE$
ip address 192.168.0.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan2
description QQQ_WAN-VLAN2$FW_INSIDE$
ip address 192.168.5.254 255.255.255.0
ip access-group QQQ_ACL in
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1412
interface Vlan3
description QQQ_IP-PBX_WAN-VLAN3
ip address 192.168.4.254 255.255.255.0
ip mask-reply
ip nat inside
ip virtual-reassembly in
zone-member security dmz-zone
interface Vlan4
description VLAN4 - 192.168.20.xxx (Spare)
ip address 192.168.20.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
interface Dialer0
description ATM Dialer
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
no cdp enable
interface Dialer2
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxx0 password 7 xxxxxxxxxxxxxxxxxxxxx
no cdp enable
crypto map SDM_CMAP_1
router rip
version 2
redistribute static
passive-interface ATM0
passive-interface ATM0.1
passive-interface Dialer0
passive-interface Dialer2
passive-interface Ethernet0
passive-interface Loopback0
network 10.0.0.0
network 192.168.0.0
network 192.168.1.0
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
network 192.168.5.0
network 192.168.6.0
network 192.168.7.0
network 192.168.8.0
network 192.168.10.0
network 192.168.100.0
ip local pool SDM_POOL_1 192.168.5.100 192.168.5.200
ip forward-protocol nd
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip nat pool NAT_IP 192.168.0.210 192.168.0.235 netmask 255.255.255.0
ip nat inside source static tcp 192.168.4.253 5060 interface Dialer2 5060
ip nat inside source static tcp 192.168.0.240 20408 interface Dialer2 6208
ip nat inside source static tcp 192.168.0.240 20409 interface Dialer2 6209
ip nat inside source static tcp 192.168.0.240 20410 interface Dialer2 6200
ip nat inside source static tcp 192.168.1.240 20408 interface Dialer2 6218
ip nat inside source static tcp 192.168.1.240 20409 interface Dialer2 6219
ip nat inside source static tcp 192.168.1.240 20410 interface Dialer2 6210
ip nat inside source static tcp 192.168.7.240 20408 interface Dialer2 6278
ip nat inside source static tcp 192.168.7.240 20409 interface Dialer2 6279
ip nat inside source static tcp 192.168.7.240 20410 interface Dialer2 6270
ip nat inside source static tcp 192.168.8.240 20408 interface Dialer2 6288
ip nat inside source static tcp 192.168.8.240 20409 interface Dialer2 6289
ip nat inside source static tcp 192.168.8.240 20410 interface Dialer2 6280
ip nat inside source static tcp 192.168.0.6 1723 interface Dialer2 1723
ip nat inside source static tcp 192.168.0.6 3389 interface Dialer2 6389
ip nat inside source static tcp 192.168.0.24 3389 interface Dialer2 6390
ip nat inside source static tcp 192.168.4.253 8022 interface Dialer2 8022
ip nat inside source static tcp 192.168.4.253 80 interface Dialer2 8021
ip nat inside source static tcp 192.168.0.254 23 interface Dialer2 8023
ip nat inside source static tcp 192.168.0.6 443 interface Dialer2 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer2 overload
ip default-network 192.168.0.0
ip default-network 192.168.4.0
ip route 0.0.0.0 0.0.0.0 Dialer2 permanent
ip route 10.1.0.0 255.255.0.0 Vlan2 permanent
ip route 10.8.0.0 255.255.255.0 Vlan2 permanent
ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
ip route 192.168.4.0 255.255.255.0 Vlan3 permanent
ip route 192.168.5.0 255.255.255.0 Vlan2 permanent
ip route 192.168.100.0 255.255.255.0 Dialer2 permanent
ip access-list extended ACCESS_FROM_INSIDE
permit ip object-group QQQ_Management_Group any
permit tcp object-group QQQ_User_Group any eq smtp pop3
permit tcp object-group QQQ_User_Group any eq 993 995
permit tcp 192.168.0.0 0.0.0.255 any eq smtp pop3
permit tcp 192.168.0.0 0.0.0.255 any eq 993 995
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.5.0 0.0.0.255 any
permit ip 192.168.7.0 0.0.0.255 any
permit ip 192.168.8.0 0.0.0.255 any
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain
permit tcp 192.168.2.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit tcp 192.168.4.0 0.0.0.255 any eq www 443 8080 domain time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 any eq domain time-range QQQ_Control
permit udp 192.168.4.0 0.0.0.255 any eq domain time-range QQQ_Control
ip access-list extended ETS
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended ETS1
remark CCP_ACL Category=128
permit ip host 203.219.237.252 any
ip access-list extended FIREWALL_EXCEPTIONS_ACL
permit tcp any host 192.168.0.100 eq 25565
permit tcp any eq 25565 host 192.168.0.100
ip access-list extended QQQ_ACL
permit ip any host 192.168.4.253
permit udp any any eq bootps bootpc
permit ip any 192.168.4.0 0.0.0.255
permit ip host 203.219.237.252 any
remark QQQ Internet Control List
remark CCP_ACL Category=17
remark Auto generated by CCP for NTP (123) 203.12.160.2
permit udp host 203.12.160.2 eq ntp any eq ntp
remark AD Services
permit udp host 192.168.0.6 eq domain any
remark Unrestricted Access
permit ip object-group QQQ_Management_Group any
remark Restricted Users
permit object-group MAIL-PORTS object-group QQQ_User_Group any
permit ip 192.168.0.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.2.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.3.0 0.0.0.255 any time-range QQQ_Control
permit ip 192.168.6.0 0.0.0.255 any time-range QQQ_Control
remark ICMP Full Access
permit icmp object-group QQQ_User_Group any
permit tcp 192.168.2.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.3.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.6.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.6.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit tcp 192.168.0.0 0.0.0.255 eq www 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.0.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.2.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
permit udp 192.168.3.0 0.0.0.255 eq 80 443 8080 5190 1863 any time-range QQQ_Control
ip access-list extended QQQ_NAT
remark CCP_ACL Category=18
remark IPSec Rule
deny   ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_HTTP
remark CCP_ACL Category=0
permit tcp any any eq telnet
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended SIP
remark CCP_ACL Category=128
permit ip any 192.168.4.0 0.0.0.255
ip access-list extended Telnet
remark CCP_ACL Category=128
permit ip any any
ip access-list extended dmz-traffic
remark CCP_ACL Category=1
permit ip any 192.168.4.0 0.0.0.255
access-list 1 remark CCP_ACL Category=2
access-list 1 remark QQQ_DMZ
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 remark QQQ_LAN
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark QQQ Insid NAT
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.3.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 3 permit 192.168.5.0 0.0.0.255
access-list 3 permit 192.168.6.0 0.0.0.255
access-list 3 permit 192.168.7.0 0.0.0.255
access-list 3 permit 192.168.8.0 0.0.0.255
access-list 3 permit 192.168.9.0 0.0.0.255
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 4 remark QQQ_NAT
access-list 4 remark CCP_ACL Category=2
access-list 4 permit 10.1.0.0 0.0.255.255
access-list 4 permit 10.8.0.0 0.0.0.255
access-list 4 permit 192.168.0.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 permit 192.168.2.0 0.0.0.255
access-list 4 permit 192.168.3.0 0.0.0.255
access-list 4 permit 192.168.4.0 0.0.0.255
access-list 4 permit 192.168.5.0 0.0.0.255
access-list 4 permit 192.168.6.0 0.0.0.255
access-list 4 permit 192.168.7.0 0.0.0.255
access-list 4 permit 192.168.8.0 0.0.0.255
access-list 4 permit 192.168.9.0 0.0.0.255
access-list 4 permit 192.168.10.0 0.0.0.255
access-list 5 remark HTTP Access-class list
access-list 5 remark CCP_ACL Category=1
access-list 5 permit 192.168.4.0 0.0.0.255
access-list 5 permit 192.168.0.0 0.0.0.255
access-list 5 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip host 255.255.255.255 any
access-list 101 remark QQQ_Extended_ACL
access-list 101 remark CCP_ACL Category=1
access-list 101 permit tcp any host 192.168.0.254 eq 10000
access-list 101 permit udp any host 192.168.0.254 eq non500-isakmp
access-list 101 permit udp any host 192.168.0.254 eq isakmp
access-list 101 permit esp any host 192.168.0.254
access-list 101 permit ahp any host 192.168.0.254
access-list 101 remark Auto generated by CCP for NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp host 192.168.4.254 eq ntp
access-list 101 permit udp host 192.168.0.6 eq domain any
access-list 101 remark NTP (123) 203.12.160.2
access-list 101 permit udp host 203.12.160.2 eq ntp any eq ntp
access-list 101 remark QQQ_ANY_Any
access-list 101 permit ip object-group QQQ.Local any
access-list 101 remark QQQ_DMZ
access-list 101 permit ip any 192.168.4.0 0.0.0.255
access-list 101 remark QQQ_GRE
access-list 101 permit gre any any
access-list 101 remark QQQ_Ping
access-list 101 permit icmp any any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq 443
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 8022
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq telnet
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq www
access-list 103 permit tcp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit tcp any eq telnet host 192.168.0.254
access-list 103 permit tcp any 192.168.0.0 0.0.0.255 eq telnet
access-list 103 permit udp any 192.168.4.0 0.0.0.255 eq 5060
access-list 103 permit udp any 192.168.4.0 0.0.0.255 range 10001 12000
access-list 104 remark CCP_ACL Category=1
access-list 104 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp any any eq 10000
access-list 107 remark CCP_ACL Category=1
access-list 107 permit tcp any any eq 10000
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp any any eq 10000
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp any any eq 10000
access-list 110 remark CCP_ACL Category=1
access-list 110 permit tcp any any eq 10000
access-list 111 remark CCP_ACL Category=1
access-list 111 permit tcp any any eq 10000
access-list 112 remark CCP_ACL Category=1
access-list 112 permit tcp any any eq 10000
access-list 113 remark CCP_ACL Category=1
access-list 113 permit tcp any any eq 10000
access-list 114 remark CCP_ACL Category=1
access-list 114 permit tcp any any eq 10000
access-list 115 remark CCP_ACL Category=1
access-list 115 permit tcp any any eq 10000
access-list 116 remark CCP_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 117 remark CCP_ACL Category=128
access-list 117 permit ip any any
access-list 117 permit ip host 220.245.109.219 any
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 121 remark CCP_ACL Category=0
access-list 121 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
dialer-list 1 protocol ip permit
route-map SDM_RMAP_1 permit 1
match ip address QQQ_NAT
banner login ^CCWelcome to QQQ ADSL Gateway

It turns out the problem had nothing to do with wires or splitters. The Verizon tech was at my house yesterday and the ONT was failing. He replaced part of the ONT and it fixed the problem (finally!). At least I was able to watch the Celtics game last night.
I have a Tellabs ONT. Not sure the model but it's older like the ones in this thread.
http://www.dslreports.com/forum/r19982000-Mounting-board-for-612-ONT

How to port forward in windows server 2012 ? for IIS

Hi,
I have windows server 2012 in AWS cloud (Public IP)
Installed IIS 8 and running website in the port 8980 and its working fine (Public IP)
My question is
I have CNAME record in Godaddy in the name of example.com which is pointed to my PUBLIC IP ... its working fine.
But I want to know how to port the 80 request to 8980 in windows server 2012 thanks.
Wes

Hi,
According to your description, my understanding is that you want that example.com(in Godaddy) to transfer corresponding queries(port and website name) to the website on WS 2012(in AWS cloud).
Since your domain example.com is supported by Godaddy, I recommend you to contact the supporter of Godaddyand confirm that if their product supports port forwarding.
In general, if you useWindows ServerInstruction, we may enable NAT(Routing and Remote Service) on network interface to redirect services/ports.
Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Port forwarding in Solaris 8

Hi,
I am new to Solaris and am trying to set up a simple port forwarding from port 80 to 8080.
I know how to do this in Linux:
iptables -t nat -I PREROUTING -p tcp dport 80 -j REDIRECT to-port 8080
but cannot find a way to do this in Solaris. I have installed SunScreen, but am not sure whether this is the right thing to use.
This is a simple server in a hosting centre.
Can anyone help?

In solaris you can do port forwarding with ssh . You have to install SSH from soalris 2 of 2 CD .
see man pages of ssh
Regards

Port Forwarding to view a web-page that isn't on a...

I have port forwarding set up to access certain services at home, which works fine using my home hub, with the exception of one thing. I'm trying to use a url like the one below, in order that I can gain access to a web page which is on a web-server on a machine in my network that operates on a different port to normal (normal being port 80 or 443 here since this is https):
https://hostname.dyndns.org:1234/service-name
within my home network, I use the following address in a browser and it works fine:
123.123.1.123:1234/service-name
Now I have the port forward application set up on the home hub 3 with the ports set to forward 1234 to 1234 and I have assigned this to the correct machine (i've tried assigning by IP addess and also tried changing the forwarding rule to '1232 to 1234' and amending my url appropriately.
Unfortunately nothing I have tried is working.
uPnP is turned off as most of the machines I want to access are on static IP's. (I couldn't assign forwarding rules to the static IP machines with it on).
Could anyone shed any light on this?
thanks in advance.
btw, uPnP is turned off as most of the machines I want to access are on static IP's.
(I do have a work around by using RDP to another machine and then opening the url using the target machines ip address in the remotely controlled machines browser, but it's far, far from ideal).
Solved!
Go to Solution.

I am not sure you have that quite right on DynDNS, as you have to use two host names, and a webhop to link the two.
Here is a live example of what I used to have.
Mt current webserver works on port 80, which is fine.
My host address is http://forumhelp.dyndns.info which points to the machine on my LAN, which has port 80 forwarded to it.
Prior to the current arrangement, I had a webserver running from a NAS device on port 8100.
To ensure that incoming web requests appeared on the standard port, I had to create an additional similar host name, and then create a webhop within DynDNS to do the redirect.
The web address on the Internet stiil be the same, but would webhop to http://dummyhost.dyndns.org:8100/
Have you checked using one of the many port checking websites to see if port 1234 is open?
There are some useful help pages here, for BT Broadband customers only, on my personal website.
BT Broadband customers - help with broadband, WiFi, networking, e-mail and phones.

Help: Port forward in Cisco SOHO 97

Hi there!
I have a Cisco SOHO 97.
The IP is: 10.0.0.1/24
Gw: 0.0.0.0
*Default route via DIALER1
I also have a RV042 configured as VPN Server (PPTP and IPSec).
The IP is: 10.0.0.2/24
I need help to configure the router to I be able to connect to VPN server from OUTSIDE-WORLD.
I imagine I need Port forwarding from Cisco SOHO to RV042.
I hope for possibles answers!
Thanks!

Sorry i found the issue.
The problem was that, i wanted to redirect port 443 (https) to an private address.
But by default port 443 is reserved to access ASA via https for management.
I just reserved another port 888 for https management access and now i can redirect port 443 normaly as i wanted.
Using this command: http server enable 888
Germain

Port Forwarding With Shorewall

I have Shorewall setup on my router, but even though I've read on how to set up port forwarding it doesn't seem to work.
Here's my /etc/shorewall/rules.conf
# Shorewall version 4.0 - Sample Rules File for two-interface configuration.
# Copyright (C) 2006,2007 by the Shorewall Team
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# See the file README.txt for further details.
# For information about entries in this file, type "man shorewall-rules"
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
# Don't allow connection pickup from the net
Invalid(DROP) net all tcp
# Accept DNS connections from the firewall to the network
DNS(ACCEPT) $FW net
# Accept SSH connections from the local network for administration
SSH(ACCEPT) loc $FW
SSH(ACCEPT) net $FW TCP 3000
# Allow Ping from the local network
Ping(ACCEPT) loc $FW
# Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
Ping(DROP) net $FW
ACCEPT $FW loc icmp
ACCEPT $FW net icmp
# Accept DNS connections from the local network to the firewall
DNS(ACCEPT) loc $FW
# Allow Webmin access from local net
ACCEPT loc $FW tcp 80
# Allow Transmission Traffic
DNAT net loc:192.168.1.100:51413 tcp 51413
DNAT net loc:192.168.1.100:32000 tcp 32000
DNAT net loc:192.168.1.114:6881 tcp 6881
DNAT net loc:192.168.1.114:8881 udp 8881
DNAT net loc:192.168.1.1:80 tcp 1017
Here's my /etc/shorewall/policy in case it's needed
# Shorewall version 4.0 - Sample Policy File for two-interface configuration.
# Copyright (C) 2006 by the Shorewall Team
# This library is free software; you can redistribute it and/or
# modify it under the terms of the GNU Lesser General Public
# License as published by the Free Software Foundation; either
# version 2.1 of the License, or (at your option) any later version.
# See the file README.txt for further details.
# For information about entries in this file, type "man shorewall-policy"
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
$FW net ACCEPT info
loc net ACCEPT info
net all REJECT info
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
SSH works internally, but not externally, and ping works both inside and outside of the network, web browsing also works fine. I just can't seem to get to anything inside the network from outside of the network. What am I doing wrong?
Last edited by brando56894 (2014-04-02 04:04:34)

Even if the forum policy is more to give people the possibility to help themself, I'd like to post a (hopfully) working configuration for the case above, so everyone trying to use shorewall get an idea how it works.
If someone finds errors please let me know, so I can correct this post. Thanks.
/etc/shorewall/interfaces
# change interface to your external iface
net eth0 dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
# change interface to your internal iface
# if running a dhcp server on your internal interface add ",dhcp" to the following line
# if the interface is a bridge add ",bridge" to the following line
loc eth1 nets=(192.168.1.0/24),tcpflags,nosmurfs,routefilter,logmartians
/etc/shorewall/zones
fw firewall
net ipv4
loc ipv4
/etc/shorewall/masq
# change interface to your internal iface
eth1 192.168.1.0/24
/etc/shorewall/policy
$FW all ACCEPT # FW may talk to everyone
loc net ACCEPT # LAN may talk to the internet
net all DROP info # Drop everything not in rules file
# THE FOLLOWING POLICY MUST BE LAST
all all REJECT info
/etc/shorewall/rules
SECTION NEW
### FIREWALL INCOMING ###
# MISC
Invalid(DROP) net all tcp # prevent connection pickup
Ping(DROP) net $FW # no ping from outside allowed
# ALL -> FW
ACCEPT all $FW tcp 3031 # SSH from internet and LAN
# LOC -> FW
Ping(ACCEPT) loc $FW # Ping from LAN to FW
DNS(ACCEPT) loc $FW # DNS from LAN to FW
HTTP(ACCEPT) loc $FW # Webmin access from LAN to FW
### FIREWALL OUTGOING ###
# not needed, because everything allowed in policy file
### DNAT RULES ###
# leaved out rules not found in network diagram
# add them using the same scheme
DNAT net loc:192.168.1.100:32400 tcp 32400
DNAT net loc:192.168.1.100:8081 tcp 8081
# the following may not work, as it redirects to the FW itself
DNAT net loc:192.168.1.1:80 tcp 1017
Last edited by Tarqi (2014-04-01 23:40:46)

Cisco Ironport S160 Port forwarding

Hi,
We've got a device within the network which needs to send data out to a website on port 5009. We've setup the following to allow the traffic
- Identity with the interal IP as member and bypass the proxy (the device can only be configured with the Proxy IP and port, no logins)
- Added Port 5009 n HTTP Ports to Proxy
- Added the destination IP n L4 Traffic allow list
We are still not able to route the traffic.
We then tried to get the traffic coming in the other way. We've asked the ISP to put in a port forwarding to forward traffic on Port 5019 to the device. This is also not working. We can get to the device on the internal Port without any issues. The question does the IronPort need to be configured to allow the traffic coming in? We dont have any other incoming port forwarded traffic.

Hello,
I will need a quick explanation on how your environment is laid out for your Web Content Appliance.
1. Is your proxy transparent or explicitly proxied? Do you have multiple proxies that you are load balancing?
2. If it is explicit, do you use a PAC file or is the proxy configured in the network configuration?
3. If it is transparent, what do you use to redirect traffic? Is it wccp or L4 redirection? What kind of device are you using to redirect traffic? ASA, Catalyst, Nexus, something else?
4. Is there any third party devices being used between the proxy and the clients or between the proxy and the outside world?
5. What are your authentication requirements? How are you authenticating them (NTLMSSP, TUI, or Basic)?
Thank you for answering these questions.
Christian Rahl
Customer Support Engineer
Cisco Web Content Security Appliance
Cisco Technical Assistance Center RTP

BM 3.8 Port Forwarding?

Hello,
Does Bordermanager port forward? I am using Groupwise 6.5 along with
bordermanager, web access, vpn and other things on the same box.I am
installing a Barracuda Spam Firewall hardware appliance that I need to
redirect all mail traffic to and then back into GW. The problem is my
public mail address is also used for web,vpn etc. so I can't simply NAT to
the barracuda. I would like to simply port forward port 25 of my public
address to the Barracuda private address and then on to the GWIA.
A collegue told me there is no port forwarding in BM and that I would have
to add a secondary public address, change my MX record, and static NAT to
the Barracuda with that. While that sounds like a reasonable approach I
would like to avoid changing my MX record and be able to easily go back and
forth while I test the barracuda appliance. This is a live corporate email
system and I need to cause as little disruption as possible.
If there is a way to port forward SMTP traffic to a private address please
let me know the best way to do it . THANKS!
-Dave

Thanks very much for your reply! I will defnitley give the generic proxy a
try. Thanks for the tip about changing the proxy.cfg file. Are there any
other potential gotchas on using this proxy? Any other BM configs that need
to be adjusted to make this proxy work? Also where exactly is proxy.cfg? I
have not been able to find it on my Bordermanager server.
-Dave
> BM doesn't have true port forwarding, but it has a similar function:
> Generic TCP proxy. With it, you configure BM to proxy (forward) TCP
> traffic on a specific pulbi IP/port to a specific server/port on the
> private LAN. However, by default BM won't let you create a generic TCP
> proxy on port 25, because it conflicts with the SMTP proxy (another
> feature of BM, which you don't want to use :-) To get around that you
> need to add this to the [Extra Configuration] section of the proxy.cfg
>
> AllowGTCPProxyToUsePort25=1
>
> Good luck with the Barracuda... we love ours :-)
>
> --
> Jim
> Support Sysop

Cannot get port forwarding to work on EA6500

Hi,
I have an EA6500 to replace the old WRT54G. I have an Apach server on my PC. On the WRT54G, I could easily set port forward to the server, it was working fine. But on the EA6500, I simply couldn't get it to work any more. What am I missing?
TIA

Thanks for the reply.
As it turned out for some "security" reasons, EA6500 port forwarding only allows access from outside of the network, but not from netwrok behind the router. So annoying, however I found this work around
http://community.linksys.com/t5/Wireless-Routers/EA6500-NAT-Redirection-Bug/td-p/583820/highlight/fa...
look for poster sflick1's solution, it really works.

Help for my new E2500 router port forwarding

My home web hosting used to work. But because of changing ISP from Verizon to TWC, TWC gave me a modem-router and I bought my own Linksys E2500 router. Both Verizon and TWC services I subscribed are Dynamic IP. I use a third party to redirect the web traffic to my home.
TWC gave me a simple modem-router in a box. Input is coax and outputs are 4 ethernet ports. I use one of the 4 ethernet outputs of the TWC box to connect to the internet ethernet input port of the E2500. All my wire and wireless devices are now feeding off the E2500. All wireless and wired devices work and can browse internet through the E2500.
I have assigned one computer as the web server and set the internal IP addess of this computer as 192.168.1.128. This is the same for the setup with Verizon before.
I loaded the CD came with the E2500 router and can see the LAN 192.168.1.128.
My problem starts from here, I do not know how to set the port in E2500 to make the web traffic to 192.168.1.128
1. Using the E2500 CD, I click to "APPLICATION AND GAMING", then "SINGLE PORT FORWARDING". under the APPLICATION NAME, I select one of the box to HTTP and type in 128 under "TO IP ADDRESS". I then click ENABLED, then "save settings" . The 192.168.1 is fixed in this window, I can only type 128.
This does not work. I can browse internet but cannot access my website from any machines using domain name.
Then I tried:
2. with item 1 above, I continued to do SETUP>>BASIC SETUP>>DHCP RESEVERSATION. I can see the compute/sever name and the 192.168.1.128. I then click the "select" and save the client.
I restarted the computer/server, I unplug and plug the E2500 power. I check the server internal IP address and it is still the same. But I just cannot browse to my website. I can browse other places.
Any idea of what is wrong on my doing? Please help.
Solved!
Go to Solution.

Your modem is a router. Any incoming internet requests end at the modem/router. You have to configure port forwarding on the modem/router first before the E2500 will see anything incoming from the internet.
Alternatives:
1. Set the modem/router into "bridge" mode which turns it into a simple modem. Then you can connect directly to the internet with your E2500.
2. Set up the E2500 as simple access point and keep the modem/router as your main and only router. Then all forwarding is done on the modem/router.

E3000 ~ spontaneous port forwarding IP changes

I have an E3000 with firnware 1.0.04.
A forwarded port is spontaneously changing the IP address assigned to it, but with no change indicated in the singel port forwarding configuration.
I have a web server on IP=XXX.XXX.XXX.7, and another device on my LAN with an internal web server at IP= XXX.XXX.XXX.8. The single port forwarding configuration is:
HTTP, external port 80, internal port 80, protocol=TCP, to internal IP address xxx.xxx.xxx.7, enable checked
The configuration is saved, and all works well for for hours and/or days and I can use the web host from the intenet as expected. However, after a few days or hours the E3000 suddenly starts sending the http traffic to IP=xxx.xxx.xxx.8 instead of xxx.xxx.xxx.7. When I log in to the router and look at the port forwarding page, it still says it's forwarding the http traffic to xxx.xxx.xx.7 ~ even though all http traffic is being sent to xxx.xxx.xxx.8! I have to reboot the router to get the port forwarding to work properly. If I leave the device at xxx.xxx.xxx.8 powered off, the router seems to work fine for extended periods.
There are no port forwarding services in the router that reference IP=xxx.xxx.xxx.8 , and it does not appear that the port forwarding problem is related to DHCP. All devices on my network have a reserved DHCP address based on their MAC. It does not appear that the spontaneous port forwarding change occurs when when the xxx.xxx.xxx.8 device powers up and gets it's address via DHCP. I have also deleted the xxx.xxx.xxx.8 device from the DHCP reservation table and simply access the device as needed by referencing it's IP, and xxx.xxx.xxx.8 is outside the range of DHCP assigned addresses, and the spontaneous port redirection still occurs once in a while.
Is there a known bug where forwarded ports are sent to the wrong IP address? Is there a fix in the works? Is there other data I can gather that might help?

Thanks for the reply. I have a bunch of services running on several hosts, so configuring each port to forward to the proper host using the E3000 single port forwarding page is the only way to go. It has been 4 days with uPNP turned off on the host (uPNP is still active in the router), and the problem has not occurred as yet. However, sometimes it has taken over a week for the problem to occur. So far things are looking good, and I am starting to believe that this host has been "stealing" port 80 by remapping it in the router via uPNP, albeit for reasons I do not understand.
Because a uPNP device can change the port-to-DestinationIPAddress map in the router, the router really should be able to display the actual port map rather than just displaying the desired configuration. Not being able to see the actual mapping make as much sense as not being able to not see actual DHCP assignments and only being able to see the desired DHCP configuration. With the widespread deployment of uPNP, and considering the programming simplicty needed to display some table entries from the router's memory, this would seem an obvious and easy feature to add to the next firmware release. A log of runtime configuration changes would be appreciated too, so that people can ascertain what device on the LAN caused a router configuration change and record what the changes were. This sure would make troubleshooting a lot easier...

Port forwarding externally but not internally

I've got an AExtremeBS at home and at work. I've been port forwarding http for a while with no problems internally or externally. I've recently configured a new web server which internally is hosted on port 80. I've enabled port forwarding from 8080 to 80 on the AEBS and it works fine externally. However, if I try to browse the site internally using the FQDN:8080 of my AEBS, it does not work.
I can check both external and internal and the external is still working while the internal is not.
Any ideas?
One idea would be to move my internal listener to 8080 and just port forward 8080 to 8080 (I would just redirect 8080 to the internalIP:8080 rather than map 8080 to internal:80).
Thanks,
sid.

You might be onto something....but it's probably not what you think, but then again, I just confused myself again.
To get OD working I had to add my Leopard Server to my DNS settings. The Leopard Server required that it resolves the FQDN of the AEBS to itself (the internal IP address). However, everything else on the network resolves the FQDN to the external IP address.
If I nslookup on my FQDN, from my mac (which has the Leopard Server as it's DNS server) I get the internal IP address of the Leopard Server. However, if I go to another machine inside my network which does not query DNS from the Leopard Server, I get my external IP and when I browse to extneral:8080 it port forwards correctly. So it wasn't the AEBS, it was my particular mac and freaking Leopard Server.
So, it's settled, Leopard Server strikes again. I can't believe that Apple released this POS. I had a much easier time with Ubuntu 6.06 on my old 300 MHz blueberry iMac.

RV042 port forwarding / routing

Hello folks,
I'm having a really hard time tring to set up port forwarding to my LAN. Let me explain a bit of how my enviroment is set up.
RV042 -> MS-TMG (former ISA Server) -> LAN
RV042 WAN IP: Public IP (Does not matter)
RV042 LAN IP: 10.31.11.1
TMG WAN: 10.31.11.2
TMG LAN: 10.3.1.2
I've set up a port forwarding directing port 3002/TCP to 10.31.11.2 (TMGWAN) so that TMG can redirect to my LAN, but when I look at TMG Log, I see that the packages have the destination address of TMG WAN (10.31.11.2).
I don't know why RV042 is changing the destination address of the packages and for the TMG it seens that the packet is coming for him (wich is not true and it's not allowed).
I can't port forward to my lan (10.31.1.x directly bacause of the webinterface does not allow this).
I've also tried DMZ but the behavior is the same.
I've also tried uPnP but the packages are not arriving at TMG...
Here is the route table of RV042
200.XXX
255.255.255.255
186..XXX
40
ppp0
200..XXX
255.255.255.255
186..XXX
40
ppp0
186..XXX
255.255.255.255
40
ppp0
186..XXX
255.255.255.255
45
ipsec1
189.XXX
255.255.255.255
40
ppp0
189.XXX
255.255.255.255
45
ipsec1
10.31.11.0
255.255.255.0
50
ixp0
10.31.3.0
255.255.255.0
186.213.76.1
10
ipsec1
10.31.2.0
255.255.255.0
186.213.76.1
10
ipsec1
10.31.1.0
255.255.255.0
10.31.11.2
2
ixp0
10.31.1.0
255.255.255.0
50
ixp0
default
0.0.0.0
186.XXX
40
ppp0
Does anyone have a clue how can I get this thing working?

Hi Eric, the default state table may be the problem.
Try to make an access rule something like-
Action Deny
Service All
Source interface WAN
Source IP any
Destination IP any
Save
Action Permit
Service RDP
Source interface WAN
Source IP -xx.xx.xx.xx
Destination IP - xx.xx.xx.xx
Save
-Tom
Please mark answered for helpful posts

Port Forwarding (Redirection)

Similar Messages

Maybe you are looking for