Port Forwarding Twice?
(Also posted in Airport discussions)
I have previously used port forwarding via an AEn to access my Mac Pro while away. I have now installed a Mac mini Server and continue to use the Mac Pro as a client. Port forwarding now directs all incoming requests to the server for e-mail, file sharing, and web services, which I wish to continue. However, I'd also like to continue to access the other box, where I have telephony software installed requiring access to a phone jack (and the Mac mini is in a closet...). Is there a way to to access both the Mac mini Server and the Mac Pro? Thanks.
C.
Hi Charles
Here's how I do it.
First I do not "Port Forward" to my server. I use NAT which sends all default traffic to the server.
I use Port Forwarding to route to other machines.
The internal IP of my server is 10.0.1.253, and I believe that is the default NAT setting on a AE
If you went to www.mydomain.com you would hit my Xserver's web services
If you went to www.mydomain.com:81 you would be directed to the web services on my MacPro.
In Port Mapping I used port 81 as the Public Port, the internal IP of my MacPro of 10.0.1.200, and of course use a private port of 80.
As an example, for one machine I use Public Port 547 for AFP, 5901 for VNC, and 27 for FTP.
Well known" TCP and UDP ports used by Apple software products
Similar Messages
-
New Customer Experience with Port Forwarding
OK, so my OpenReach Modem and HomeHub 3 were installed last week and all seemed OK at first.
A bit of background:
I'm a seasoned IT guy and have a nice network set up at home that caters for my needs (most of the time).
Without going into too much detail, I have my own DHCP/DNS server and I run a Webserver for personal use.
I have Virgin Broadband - which work most of the time.
I've also just had BT Infinity installed so I should always have Internet access no matter which ISP is having issues.
I was hoping to be able to access my webserver externally from either my BT or Virgin. I didn't think this would be an issue.
It still all works fine through my Virgin connection. I use dynamic DNS (no-ip.org) to get to my server.
On the Virgin Superhub - I have DHCP switched off and all my machines (except one at the moment) get the Virgin router assigned as the Internet gateway (via my own DHCP server).
My test machine gets a the BT HomeHub 3 assigned as the Internet gateway (also from my own DHCP server) and I have switched off DHCP on Home Hub.
Before I move onto my issue, I have to say that the above network setup works flawlessly.
The Virgin Router is on 192.168.0.1, The Home Hub is on 192.168.0.2. (subnet 255.255.255.0)
They are on the same network but because DHCP it switched off on both routers - everything is happy.
I can access my Server from the Internet via my no-ip.org address and it all works great.
The issue:
I thought it would be relatively simple to configure the BT Home Hub 3 to access my server from the Internet.
Hmmm. Port Forwarding seems to be the issue. It just doesn't work reliably enough. Sometimes it works, then sometime it stops working. Right now it's not working.
At first I though it was just me, not configuring it correctly. But no.
Then I started reading this forum and found there are reports of issues with port forwarding going back a year.
I don't know if that a good or bad thing - an issue running that long must be on the verge of getting fixed right?
Or any issue running that long without resolution probably has no simple resolution or just isn't a priority (for BT) maybe.
My Question:
(and I think I already know the answer)
Has anyone got a sure fire way of configuring the HomeHub3 so the port forwarding works?
Or should I just throw in the towel now and buy a Dual Wan Router?
One last note:
This morning my Infinity Broadband Speed dropped from
38Mb down/6Mb Up (measured several times yesterday)
to
0.7Mb down/0.3Mb Up (yes those decimal points are in the right place)
And I haven't got a clue why.
I power cycled the HomeHub and it returned to normal. Does this happen to other people?
Cheers
Graeme.
GraemeBullitt wrote:
the port on your network is defined by lan ip address and port number eg 192.168.1.10:80
you cannot forward this outbound port twice
There is no "port on my network" A port is associated with a IP address not a network.
My webserver listens an port 80 - requests from the Internet for http are port forwarded by the router (either BT Homehub or Virgin Superhub) to port 80 at address 192.168.0.5 (in my case).
If I am trying to access my webserver from the Internet, I point my browser at the WAN IP address of my router (again it doesn't matter which one - BT or Virgin) and the router port forwards the request to my Webserver. Each router can do this independently.
"you cannot forward this outbound port twice"
As explained above - It's an inbound port not an outbound port.
I appreciate you are trying to be helpful but just telling me something is not possible without explaining why its not possible doesn't really help me.
As I said before, this was working fine, then it stopped working but only when trying to access my webserver via the BT Router. It still works fine from my Virgin Router. I used WireShark and port mirroring on my switch to prove that the Home Hub as stopped port forwarding inbound traffic to my webserver.
This is a problem with port forwarding on the Homehub, not my network setup. Looking at other posts on this forum - I'd suggest I'm not the only one having problems.
To be honest, it's the least of my problems with the HomeHub right now. I'm far more concerned with the fact that twice today I've had to power cycle it because the throughput has dropped from 38Mbit-down/6Mbit-up to <1Mbit-down/<1Mbit-up. It's a known problem, BT are working on it, yet I still am paying full price for a product that should never had made it out of Beta test.
Graeme -
WRTU54G-TM Port Forward issues, DHCP server disabled but still gives out addresses
I've seen other posts about port-forwarding issues. I've had to hard-reset the device twice in 2 months to clear this up.
One issue that I can't figure out at all is that the DHCP server gives out addresses when it is set to disabled. This is a problem because it gives out the public DNS servers, which will not resolve addresses on my LAN. Anyone else seen this?
Anyone had success putting this router behind a better one and still getting the phone SIM to register and work?Have you tried to upgrade the firmware on your Router?
Click Download the latest firmware for your Router and save the Firmware file on your Desktop.
Once you Download the firmware for your Router, Now you need to login to the Router setup page and click on the "Administration" tab and below click on "Firmware Upgrade" and then click on the Browse Button and select the firmware file and click on Upgrade.
Once the firmware is upgraded successfully then you need to Reset your Router and Re-configure all the settings on your Router from scratch. -
RV220W - Port Forwarding - Different Ports
Hey,
I have a RV220W with 1.0.3.5 Firmware installed.
I also have a few servers with services I need to expose to outside the network (RDP and some websites) where the external port is not the same as the LAN port. I could accomplish this with my previous router using port forwarding and it looks like I can do the same here on the RV220W but I can't quite get it to work successfully. I would be grateful for any help / directions.
Thanks.So here is how Port Forwarding is set up on the RV220W with firmware 1.0.3.5
In my example I needed to setup my :6001 to forward to an internal address for remote desktop, 192.168.1.12:3389.
First, as detailed above by Robert, set up the custom service you want the public address to be listening for. In 1.0.3.5 I found this under Firewall > Advanced Settings > Custom Settings. Add a new service speficying the name, protocol, and ports. For my RDP connection It was "RDP", TCP, and the Start Port and End Port set as "6001", the port that was listening publicly.
Next go to Firewall > Port Forwarding and add a port forwarding record. And set the following values.
Action: Always Allow
Service:
Destination IP:
Forward From Port: Same as incoming port
Forward To Port: 3389
Hit save and that should be it. The problem I was running into is I was setting the "Forward From Port" as the port I wanted to have translated, so 6001. This is already specified with the custom service I created, so when setting it twice it wasnt working. -
Cannot save Port Forwarding Settings
I have a Wireless-N Home Router WRT150N (firmware upgraded to v1.01.9 ).
When I try to set Port forwarding, I get the screen "Settings are successful. Continue". When I click Continue, the Port forwarding page comes back with empty fields, like if I did not enter anything. I tried to reset the Router twice. No result.
The same thing happens for Port Range and Single Port forwarding... Impossible to save any settings in there...
Any suggestion welcome...Correction: caching was not the problem.
The problem was that before posting on this forum, I did not enter a existing IP for destination (left the default 192.168.1.0. What got me confused is that the Linksys interface comes up with a message saying that the settings have been successfully updated, even though nothing was done for lack of an existing destination IP, hence the virgin table served back.
I think Linksys should revise the GUY to alert the user when the destination IP is not properly set rather than pretending to have registered a new non functional setting.
Message Edited by lou_boumian on 01-12-2008 10:15 PM -
Port Forwarding on MI424WR Rev.C
Hi. I've been trying so hard to port forward onto my internet router. I have done so properly, shut off my fire wall, shut off my laptop, shut off the router for a minute, etc. It still says the ports are unopened with my PFPortChecker.
You can see so here http://gyazo.com/f13e6326bebf0a81fda08517bc99366a
I called the Expert Verizon twice. They told me to keep putting the same port in over and over. Still hasn't worked.
I don't know what I'm doing wrong.
I've done it exactly like this but with my computer as the device http://gyazo.com/05226a68948c0251d3bda97da1e91f82
Does anyone have any idea?Avasia wrote:
Hi. I've been trying so hard to port forward onto my internet router. I have done so properly, shut off my fire wall, shut off my laptop, shut off the router for a minute, etc. It still says the ports are unopened with my PFPortChecker.
You can see so here http://gyazo.com/f13e6326bebf0a81fda08517bc99366a
I called the Expert Verizon twice. They told me to keep putting the same port in over and over. Still hasn't worked.
I don't know what I'm doing wrong.
I've done it exactly like this but with my computer as the device http://gyazo.com/05226a68948c0251d3bda97da1e91f82
Does anyone have any idea?
You have it backwards
On the router.
It should say source port ANY destination port 27015 and you need to specify a target ip address
You do not need to shut off firewall -
ActionTec MI424WR / Port Forwarding
I consider myself pretty tech savvy. I've configured plenty of Cisco PIX routers so I have some experience. But for the life of me, I can't get ANY port forwarding working. I have an ActionTec MI424-WR Rev D router with firmware 4.0.16.1.56.0.10.11.6. I've read the manual, I've configured port forwarding. But no matter what port I choose, it never shows as open. I've called ActionTec twice and they walked me through the steps, which were identical to what I did, and no matter what, the ports are not forwarding. They appear to be blocked somewhere.
I do not have a second router. The FIOS comes into the ActionTec router and then two of my computers are connected as part of a network. I am trying to set up a SSH tunnel to one of my home computers. I've tried the standard port 22, and a bunch of non-standard ports. I've even tried to get RDP working on 3389 and no joy. The port forwarding is setup, I've tried medium and low security on the firewall. From other computers on the network, I can telnet to port 22 using both ip address and dns name and I get my OpenSSH screen. But it's not availble from outside. I have tried it with Windows firewall (XP) both on with exceptions and off. Still no joy.
I have read that people all over are doing this, but it isn't working for me. Does anyone have any suggestions on what could be wrong or how to diagnose the problem? Shields Up says my ports are stealthed. CanyouSeeMe.org sometimes says connection denied and sometimes says connection timeout. I don't know what else to try.
Anyone?Okay, problem is partially solved. I installed CopSSH on my other computer, edited the port forwarding to point to the other computer, and it works. I never suspected my own computer was the problem. The question is why? The only firewall on my computer is Windows firewall (XP), which I've created exceptions for and even tried disabling. I still wasn't able to access the port. So something on my machine is blocking ports but I have no idea what. Does anyone have any ideas where to look? I turned off Windows Defender and Symantec AV but that didn't help (and then turned them back on).
TIA for any help -
Hello,
I have a setup where i need users accessing 10.6.17.10:80 or 10.6.17.80:443 to be directed to 10.6.17.10:4443.
10.6.17.10 is a server behind an interface called "application"
requests will be coming from "outside" interface or i want this to work regardless of the source interface (any)
this outside interface is local, i mean source ip addresses will all be private, we're talking within the network.
my configuration is as below:
object network A10-Lync
host 10.6.17.10
nat (Application,any) static A10-Lync service tcp https 4443Hi Murali,
Your answer is very close, but not complete. I'm very familiar with the NAT Rule Order. I didn't think that was the problem. The actual problem is how Object NATs and Twice NATs are implemented. I didn't realize once a Twice NAT (manual nat) is matched no other rules are checked. Here is the information at this Link under How source and destination NAT is implemented. I was under the impression that Twice NAT were processed the same way Object NATs were.
So that was the problem, but what is the solution? That is for Cisco to allow parameters in nat statements. Otherwise we have to create 6 objects and two different nat statements in order to get this working. If they would allow parameters for port numbers, we would only use 3 object (like i have) and two nat statements. The other reason why Cisco needs to allow this, is because how ugly a "working" statement looks.
How to Port Forward to Hosts without a return route:
nat (outside,inside) source dynamic any NATTED_IP_OBJECT destination static interface SERVER1_OBJ service TCP_801_OBJ TCP_80_OBJ
Real. Translated.
Confused?!? You should be... I know what i'm trying to do is a very rare objective. That is get packets to a few hosts that do not have a return route (or default Gateway). But I personally wrote this statement just 2 days ago and it still doesn't look right, but it works. :) And works without translating all source IPs on traffic to hosts that do have a return route (aka NORMAL setup.. haha).
I hope someone finds this helpful. About 40 mins to find a working statement. -
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the servers firewall, its just the cisco. I highlighted in red to what i thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security .Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
endHi,
I didnt see anything marked with red in the above? (Atleast when I was reading)
I have not really had to deal with Routers at all since we all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
ASA 5505 how to create a port forwarding rule
ASA 5505 IOS ver 9.2.3
I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
I tried these commands but they didn't work:
object network NAS
host 192.168.2.8
nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
conf t
int vlan 2
access-group NASFTP-in permit tcp any object NAS eq 1545
I really appreciate the help everyone.try this, it worked for me, here is an example of adding a webserver with a ip of 10.10.50.60 and naming it with a object named www-server and forwarding port 80 , the way it works is you need to do three things, u need to "nat it" "foward it" and allow it in "acl"
object network obj-10.10.50.60-1
host 10.10.50.60
nat (inside,outside) static interface service tcp 80 80
object network INSIDE
nat (inside,outside) dynamic interface
object network WWW-SERVER
nat (inside,outside) static interface service tcp 80 80
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
access-group Outside_access_in in interface Outside -
Cisco 5520 ASA Port Forward to Endian Firewall VPN Question
Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
JoeWrong forum, post in "Secuirity - Firewalling". You can move your posting with the Actions panel on the right.
-
Hello,
i have a problem with a single port forward with 9.2 ASA (5505). Here is the related config.:
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
object network Public_Server
nat (DMZ,outside) static interface service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
When i try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me what can be the problem?
Thank You!Yes, of course, i can ping, and also from VPN. And also the web service works from VPN, local. Tha packet-tracer said the same, the implicit deny catch it.:
packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a1718, priority=1, domain=permit, deny=false
hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIFIP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad071248, priority=1, domain=nat-per-session, deny=true
hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a23b8, priority=0, domain=permit, deny=true
hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule -
HELP!! asa 5505 8.4(5) problem with port forwarding-smtp
Hi I am having a big problem with port forwarding on my asa. I am trying to forward smtp through the asa to my mail server.
my mail server ip is 10.0.0.2 and my outside interface is 80.80.80.80 , the ASA is setup with pppoe (I get internet access no problem and that seems fine)
When I run a trace i get "(ACL-Drop) - flow is deied by configured rule"
below is my config file , any help would be appreciated
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISPDsl
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network server_SMTP
nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
: endHi Jennifer
I have removed that nat line as suggested but still no joy.
here is my current config
Result of the command: "show running-config"
: Saved
ASA Version 8.4(5)
hostname ciscoasa
domain-name domain.local
enable password mXa5sNUu4rCZ.t5y encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
interface Vlan1
nameif inside
security-level 100
ip address 10.0.0.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
pppoe client vpdn group ISP
ip address 80.80.80.80 255.255.255.255 pppoe setroute
ftp mode passive
dns server-group DefaultDNS
domain-name domain.local
same-security-traffic permit intra-interface
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network Server_Mail
host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
object network obj_any
nat (inside,outside) dynamic interface
object network Server_Mail
nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
vpdn group ISP request dialout pppoe
vpdn group ISP localname [email protected]
vpdn group ISP ppp authentication chap
vpdn username [email protected] password *****
dhcpd auto_config outside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
: end
also here is the packet trace
and my acl
Thanks -
I am trying to setup port forwarding
I am trying to setup port forwarding for a mfi 5510l hotspot. I have made the changes on the hotspot but the hotspot doen't respond when tested. Can anyone help?
If you examine the About section of the Jetpack’s web style user interface, you should find that it has a reserved IP4 IP address. That means your Jetpack doesn’t connect directly to the public internet, your Jetpack is connected to Verizon’s private network. Your port forwarding has no affect on Verizon’s private network.
The standard recommendation is:
Purchase a public facing static IP address from Verizon for a one time fee of $500.
Use a VPN to go around the issue.
Use another ISP that provides a static IP address. -
Trying to Port Forward Airport Extreme 802.11ac using Airpot Utility 6.3.2
Hello kind experts. I am finally getting around to replacing my old BEFSR81 Cisco Router with an old Time Capsule attached with the Airport Extreme 802.11ac. The BEFSR81 also had 8 ports, so I have 8 hardwired locations throughout the house. I have a couple of IP cameras for which it was easy to port forward on the Cisco (just click on the port range forwarding tab, type the start/end ranges (which are identical) and the assigned IP address). Everything has been working well for years. Here's what I wish to do with the new setup: Cable Modem -> Airport Extreme -> Dumb gigaport switch with the hardwires connected to it.
When I go to Airport Utility (6.3.2) -> Network Tab -> Port Settings -> "+", the following comes up:
Firewall Entry Type (Defaulted to IPv4 Port Mapping)
Description (5 pull down choices)
Public UDP Ports : _________
Public TCP Ports: __________
Private IP Address (I take it that is where I enter the IP address for each camera, e.g. 192.168.1.xxx)?
Private UDP Ports: __________
Private TCP Ports: __________
I am obviously not a technophile, especially when it comes to networking, but was able to create my old setup.
Any advice on whether or not my configuration is appropriate and what exactly I need to put in the port fields would be greatly appreciated!
Thanks in advance!To successfully access an IP camera on the local network from the Internet, the following basics need to be taken care of:
Install the camera(s) and verify that you can access them from the local network.
Configure port mapping/forwarding on your router. Typically, IP cameras require at least two ports: 1) A web port for administering the camera; Usually TCP port 80, and 2) A streaming port to broadcast the camera video feed; Usually UDP port 9000. Note: You should check with your camera's documentation for the exact ports required.
If the camera is attached to a computer, you will need to configure the computer's firewall to open the same ports as in step 2 above.
Verify that your modem is in bridge mode, i.e., if the modem provides NAT & DHCP services, turn them off.
Test your network. Use CheckIP to determine your router's current WAN-side (public) IP address. Then, from a remote location (not from a computer on the local network), use the DynDNS Open Port Tool to verify that the required ports are open. Success is an "Open" response from the Tool.
Check out the following AirPort User tip for configuring port mapping on an AirPort base station.
Maybe you are looking for
-
every time i log in firefox 7 other tab's open up and when a try to open a tab sometime it will crash or it frees. == Crash ID(s) == no code
-
Redirect [SWF] and [Unload SWF] trace?
Hi all! I was wondering if there is a way to redirect or disable [SWF] and [Unload SWF] based messages when working with external SWFS. Ideally I would like to redirect trace statements, but I doubt that's possible. Thanks!
-
Hi, masters, I have configured for 1/2 day absence , defined a counting rule, assigned a rounding rule, defined a valuation rule. while maintaining the master data system records the half day absence as 4 hrs but it is not converting the same to days
-
I have purchased LR5; Downloaded trial from Adobe; S/N came from Amazon. I subscribed to CC today. LR5 does not show as installed. Can someone tell me how to have my CC subscription be aware of LR5? Thanks.
-
I had erased my HDD on my new Mac MD318
Hi all, I just bought a Macbook Pro late 2011. In my job demand, I have to Install bootcamp for Mac OS Lion and Windows 7 64bit. But after I finished installation Windows 7 and shrink Windows HDD to 2 volumes (In this time, in Windows 7, I saw 4 Part