Px4-300d port forward iptables 50000 - https
Hello. I've searched for similar problems but they weren't exactly the same.
I now need to open an https connection to my px4-300d to share folders with specific users.
I already opened a port forward for the SSH connection, which is working fine.
ssh my.ip -p 50001 gets me to mynas.internal.ip:22
I've created a similar rule from port 50000 to port 443, and it starts to connect. I get the certificate out-of-date error, but then the connection just hangs there on an empty page.
In Wireshark I can't see much more, only that my router/PC starts the TLSv1 session, but right after it sends a [FIN, ACK].
Any ideas please?
Thanks and regards.
Dave
That is not fully true. Once you know the external IP address of your network you can access your device both via https and ftp, e.g. https://<external-ip> or ftp://<user-name>:<user-password>@<external-ip>.
(I have not checked if this is true when the cloud has never been set up.)
Bearing this in mind you can configure your router to use your own dyn-service with the same port-forwarding rules as with the cloud.
Similar Messages
-
Use iptables on DMZ server to port forward
Hello!
My ISP has this great idea that we have to go to their site to do port forwarding and change settings on the router/modem, so I was thinking to just set one of my servers as a DMZ and do port forwarding with iptables on that server.
The problem is that I can't find out how I can make packets coming in on one port go out to another ip in the LAN.
Here is my network setup:
1. Combined router, modem and wireless AP.
2. Apple AirPort Express connected to the Wifi
3. switch connected to the AirPort Express with ethernet.
4. two servers connected to the switch (also with ethernet).
The two servers have IP addresses 192.168.2.3 and 192.168.2.4, and I have set up 192.168.2.3 as DMZ.
How do I use iptables to route connections that are coming to 2.3 on a specific port to 2.4?
hunterthomson wrote:
Well, I have kind of turned into an arno-iptables-firewall fanboy. I mean really, you can read through the script in /usr/sbin/arno-iptables-firewall. Super well commented and written very well. It covers all your bases.
You will want to use the updated package listed in the comments.
http://dl.dropbox.com/u/1367726/arno-ip … all.tar.gz
You will also want the SystemD Unit file
https://aur.archlinux.org/packages/syst … -firewall/
To do NAT and Port-Forwarding... basically just read through the whole firewall.conf and when you hit the bottom you're done.
But really, you just need to change these things.
/etc/arno-iptables-firewall/firewall.conf
Line #41, put your Internet facing interfaces here.
Line #46, Probably want to set this to '1' because it sounds like the server does get its IP from DHCP... but that is a bad idea because it needs to have the same IP all the time... so maybe leave it disabled '0'
Line #87, Put your LAN facing interfaces here
Line #94, Put the LAN network here, So like if your Internet facing network is 192.168.2.0/24 you could make the LAN 192.168.4.0/24
Line #140, Change this to '1' to enable NAT for your LAN
Line #162, Change this to '1' to enable Port-Forwarding
Line #193-195, Here is where you define your port-forwards,
Example: Forward TCP port 22 to host 192.168.4.55 and TCP port 80 to 192.168.4.66
--> Line 193, NAT_FORWARD_TCP="22>192.168.4.55 80>192.168.4.66"
Then open port 22 and 80 on the WAN side so they 'can' be forwarded.
Line #1170, OPEN_TCP="22 80"
You should also check out the configs in the plugins directory. This is where you get your money's worth...
ssh-brute-force-protection.conf
ids-protection.conf
traffic-shaper.conf
ipv6-over-ipv4.conf
traffic-accounting.conf
transparent-proxy.conf
multiroute.conf
ipsec-vpn.conf
And More !!!
Thanks for the answer. But it seems like you missed that the server is only connected to the LAN, never to the internet. -
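Added example, not from the thread: the rules the DMZ host in the question above (192.168.2.3) needs to hand one port on to 192.168.2.4 on the same LAN, generated in Python so they can be inspected before being applied. The interface name eth0 and the port numbers are assumptions.

```python
"""Added example, not from the thread: iptables rules for a DMZ host
(192.168.2.3 in the question) that must pass one port on to another server
on the same LAN (192.168.2.4).  Interface name and port numbers are assumed."""
import ipaddress
import subprocess


def _port(value):
    """Validate a TCP/UDP port number."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def dmz_forward_rules(iface, in_port, target_ip, target_port, dmz_ip, proto="tcp"):
    """Return, in order, the commands that make proto/in_port arriving at
    dmz_ip on iface reach target_ip:target_port.  Nothing is executed here."""
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    in_port, target_port = _port(in_port), _port(target_port)
    target, dmz = ipaddress.ip_address(target_ip), ipaddress.ip_address(dmz_ip)
    return [
        # the kernel must be allowed to forward packets at all
        "sysctl -w net.ipv4.ip_forward=1",
        # rewrite the destination before routing: this is the forward itself
        f"iptables -t nat -A PREROUTING -i {iface} -p {proto} -d {dmz} "
        f"--dport {in_port} -j DNAT --to-destination {target}:{target_port}",
        # FORWARD must let the (now DNATed) flow through; limit it to exactly
        # this flow instead of opening the whole chain
        f"iptables -A FORWARD -i {iface} -o {iface} -p {proto} -d {target} "
        f"--dport {target_port} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        # hairpin: client and target are reached over the same interface, so
        # the target's reply would go straight to its default gateway and
        # bypass the DMZ host; the router expects the reply from 192.168.2.3
        # and conntrack here would never see it.  Source-NAT to the DMZ host's
        # own address forces the reply back through it.
        f"iptables -t nat -A POSTROUTING -o {iface} -p {proto} -d {target} "
        f"--dport {target_port} -j SNAT --to-source {dmz}",
    ]


def apply_rules(rules, dry_run=True):
    """Print the rules, or run them (root required) when dry_run is False."""
    for cmd in rules:
        if dry_run:
            print(cmd)
        else:
            subprocess.run(cmd.split(), check=True)


if __name__ == "__main__":
    # constructed sample: external port 2222 -> SSH on the second server
    apply_rules(dmz_forward_rules("eth0", 2222, "192.168.2.4", 22, "192.168.2.3"))
```

The SNAT rule means 192.168.2.4 logs 192.168.2.3 as the client, which is the same loss of the original source address that the Airport Extreme post further down complains about; host-based filtering on the target then has to live on the DMZ host instead.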
Hi,
I am new to Solaris and am trying to set up a simple port forwarding from port 80 to 8080.
I know how to do this in Linux:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
but cannot find a way to do this in Solaris. I have installed SunScreen, but am not sure whether this is the right thing to use.
This is a simple server in a hosting centre.
Can anyone help?
In Solaris you can do port forwarding with ssh. You have to install SSH from Solaris CD 2 of 2.
see man pages of ssh
Regards -
NAT port-forwarding and WAN side IP addresses
I have my Airport Extreme setup to forward port 21 to an FTP server on the LAN side of my network. The AE is connected via DSL to my ISP.
When a client from the WAN side connects to my server, the server's LOGS don't list the IP of the client, rather it says the client connected from my assigned WAN IP. For example (fake ip's):
Client ----> AE ----> FTP-SERVER
130.129.12.3 76.99.89.3 10.0.1.2
Log states client connected
from IP: 76.99.89.3
My previous Linksys router, with the same DSL modem and ISP, would report the client as connecting from 130.129.12.3.
Am I missing something in how I am configuring my AE? Or is this how the AE manages port forwarding and there's nothing I can do about it?
I used to use firewall rules to control access to the FTP server, i.e. rules set on the server. This can't be done anymore with the AE operating as it does.
Seems to me that the NAT translation in the Airport 802.11n is such that it does not use the incoming IP of clients connecting from the WAN side to a computer on the LAN side. The incoming and outgoing packets reach their respective destinations, it is just that the AE uses some kind of non-standard routing (at least not what I am used to working with).
This is bad because it prevents the use of some forms of access controls on BSD and Linux servers on the LAN side, TCP Wrappers and iptables for example. This can create obvious security problems when WAN ports are set to forward to such a LAN client. We are already getting hit with robot-like script attacks on our server, this was a problem with our Linksys router, but with the above mentioned tools and scripts we were able to block abusive clients.
Perhaps Apple can work on resolving this issue in a future firmware release, or at least make it an option... Anyone from Apple out there?
jmj -
Port forwarding, NAT, SSH and Transmission.
A couple of days ago I decided to set up the Transmission daemon, along with automation for my downloads. Recently, however, to put a layer of security around my laptop, I set up a wireless router I had lying around that is now connected with a wire to my laptop. The reason for this is that I have no idea how iptables works yet, and until then I decided this will suffice for the moment. One of the problems though (yes, problems seem to come in twenty-fold where my luck is concerned) is that when I rewire my laptop directly to the internet, without the router, NetworkManager or Archlinux doesn't reset the IP address, which for some reason jumps to 192.168.1.122, which it never uses otherwise. I haven't yet tried reinstalling networkmanager, but when I did turn it off, dhcpcd assigned the same address... The problem here being that it shouldn't assign a LAN address, I'm directly connected to the internet. Sidenote here though; my internet connection is just a plug in the wall, the operators here (I live on a kind of campus) probably only use a network switch to relay the traffic to the socket.
That's that, my wired network doesn't work directly, only via the wireless router, wired or wireless. Because of this, I have to use port forwarding for SSH (to test if the port forwarding works), and for the Transmission daemon with an RPC port of 9091, which was my intention in the first place. I have no idea if logging into my.ip.address.here:9091 in a browser would work, I just used localhost:9091.
Now for the results:
$ nmap -sT xx.xxx.xx.xx
Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-14 19:42 CEST
Nmap scan report for xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Host is up (0.038s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
53/tcp open domain
80/tcp open http
9091/tcp filtered unknown
Here it shows that the ports are actually not closed, but they're not exactly opened either, from what I gathered from the internet.
SSH shows the true problem:
$ ssh neal@xxxxxxxx
ssh: connect to host xxxxxxxx port 22: Connection timed out
SSH-ing to 192.168.0.102 (my internal ip) works, as does to localhost, same for Transmission webGUI. Before I used port-forwarding ssh would correctly say that it couldn't get traffic from the router.
My router is a cheap solution to another problem I had, but it should work like any router. It's a Sitecom WL-607. I disabled login authentication for the moment. Also, there is no filtering going on in the firewall. Like I said earlier, I don't get iptables, so that's not being used. The hosts file allows all and denies nothing.
TLDR version; I'm using port-forwarding on my Sitecom WL-607, but all ports except http and the 53 port are being blocked.
Is there something I'm missing here?
Thanks in advance,
Neal van Veen.
By default, all routers assign their clients an IP address from their internal pool of addresses. Your wireless router is assigning you that address and then NATs the connection with the WAN side, but even after directly plugging in to the wall socket you still don't get a new IP address; use dhcpcd <mydev> in a terminal to refresh the DHCP lease. If not, then your campus/location/etc may also be using NAT on their own side.
As for the ports, iptables doesn't block any traffic by default, it allows everything. If there is filtering, it is from your wireless router.
On the above ssh and nmap scans, did you use your LAN IP or your public IP? -
Port Forwarding with Verizon-Branded Actiontec GT704-WG
I am new to the forums, and I am already overjoyed with the 30 minutes I spent figuring out that the login mechanism does not even work with browsers other than IE7/8. Lots of fun to start.
I live in a residential building with the residential High Speed Internet Plan. I assume this is the case because it is a DSL line and they are not using business grade, or I do not think I would be having these problems.
I have spent many hours trying to figure out how to port forward with the above-mentioned router/modem/gateway/**bleep** extraordinaire. I am in IT professionally, and I am tired of feeling **bleep**. I called Verizon tech, but they were very unhelpful unless I pay for a premium tech service to figure out port forwarding problems. And yes, I have read the info on port-forward.com numerous times for this device.
Essentially, I want to forward an arbitrary port, let's say 6336, to a server running Ubuntu 9.10. I have put this computer in the DMZ using the web interface. I have also set up a mapping rule to forward 6336 (all three entries pointed to 6336 in the Security/Applications/Forwarding section, following docs on port-forward.com for this specific model AND Verizon's own documentation). Occasionally, I can see the service is viewable from the likes of canyouseeme.org. Nonetheless, I cannot access the port: I get a connection refused error when using ssh on this port. Yes, I correctly configured ssh on the DMZ server/host to respond to the non-standard 6336 port, and I have tried it with the server's firewall system (ufw/iptables, for the curious) enabled and disabled. It NEVER works.
Some posts here have indicated I might need a static IP assignment. That can be done only client-side (meaning the Ubuntu server in the DMZ), if I understand people saying it is not possible to do static assignments from this **bleep** gateway, so I am not sure if that should matter (I wonder what happens with this **bleep** when two computers try to demand the same static IP; dare I guess that he who asks first wins?). I cannot recall if I have UPnP enabled or disabled as I am at the office right now, but I believe it is off. Not sure if this matters either. If I am wrong, I would love it if someone could let me know. I am at a loss and sick of dealing with such a simple problem. I would really appreciate the help.
Ok.
#1 On your computer setup a Static IP.
This means following the directions at http://www.cyberciti.biz/tips/howto-ubuntu-linux-convert-dhcp-network-configuration-to-static-ip-con...
#2 The Static IP must be outside of the DHCP range of the router. So, this means your IP has to be above 1 but below 64.
#3 In the router forward to the IP Address that you setup on the computer.
OR if the router can give the computer the same IP Address each time, you could do that.
-
I have a new RVS4000 router, which is hosting a Seagate GoFlex Home drive.
Originally my WRT54G router worked fine.
I cannot get the UPnP to work.
I have UPnP enabled.
I have my GoFlex Home set to automatically configure the router for port forwarding, ports 21, 22, 80, 443, 50000 and 50001.
So, nothing. I cannot connect to my drives http://my.intricatephotography.com
Leaving UPnP enabled, I manually port forward my ports to 192.168.1.121 (the LAN IP of the GoFlex hard drive).
Now all works well.
I'm noting too, that the HipServ site says that ports are forwarded correctly, but it cannot configure the router for UPnP correctly.
Any suggestions?
My port forwarding seems to be an up-and-down situation. My customers are getting angry.
Hi Darrin,
Intriguing post, I just had to comment, as the application looks interesting.
I have absolutely no idea how seagate goFlex @ home setup software loaded on a PC or MAC can automatically via uPnP enable port forwarding specific ports and destination IP on a RVS4000 router.
But, you manually port forwarded and "Now all works well" as you said in your posting.
Once a port is forwarded, it should not be up or down. I can't imagine port forwarding not working well on the RVS4000.
But please check the Seagate knowledgebase and Axentra forum to see if others are having trouble with UPnP.
The problem originates from a feature that hasn't been validated on a Cisco router; there must be better documentation on how to get UPnP working with the GoFlex application.
Also, why not place a warranty call with the Disti partner from whom you purchased the FreeAgent GoFlex @ home.
Also I welcome input from anyone within the community who has seen this issue with goFlex@home application.
regards Dave -
Px4-300d copy job setup problem. Firmware version 4.1.108.32627
Hello.
I have a weird problem with copy job setup on my px4-300d (4.1.108.32627). I was able to set up one job, where I take a folder from my NAS and put it on a remote machine. That job ran fine.
When I go to setup a similar job but for a different folder, I have two possible outcomes:
1. When I go to choose the remote folder I see it fine and the job is set up fine as well. However when I run the job it throws an error. And in the log I see that instead of going to the folder I set up like "\\remoteserver\backupfolder" it's going to "\\remoteserver\u_myremoteserverusername\backupfolder", which is obviously not there.
2. I can see my remote server, but I don't see my shares on it. I don't get an "Access denied" error or anything - I simply don't see any shares on that particular server. I do see shares on other servers, which use the same credentials. In addition the job that I was able to set up previously stops working.
Then when I reboot, the first job (the one setup successfully) may or may not properly run, yet I still cannot set up the second job.
I did check permissions and all the stuff that you would regularly check (connectivity, ports etc). Seems to me the script that is being generated from the UI is a bit too smart and is in fact outsmarting the NAS itself.
I also suspect that the fact that I could set up the first job and not the second is that the second job goes to a subfolder of a shared folder. Or that the shared folder's name starts with an underscore "_" . But these are just my guesses - I cannot verify this yet.
Any ideas how to fix this or how to bypass the problem?
Thanks.
Hello fimine
I recommend double checking that the remote server's folders that are not being seen by the px4 are in fact shared from that remote machine. If they are not, copy jobs will have problems accessing the folders.
I also recommend trying to use the remote machine's IP address for now to see if there is any change in behavior.
If the issue does not happen when using the IP address, it may be an issue with how your network's DNS is set up.
-
Port Forwarding Question for IP Camera with MI424WR-GEN3
So just switched to fios from cable and trying to set up port forwarding on this new actiontec router so I can view my IP Camera from outside the house.
The camera has a static IP address of 192.168.1.200 using port 8080 and it works fine if I type that IP address with the port into the browser inside the network.
The IP camera company requires you to port forward port 80 (switched to 8080), 554 and 50000-60000.
So I set up Portforwarding on the router like this:
Networked Computer / Device
192.168.1.200:8080
Applications & Ports Forwarded
IPCamera
TCP 8080 -> 8080
UDP 8080 -> 8080
TCP 554 -> 554
UDP 554 -> 554
TCP 50000-60000 -> 50000-60000
UDP 50000-60000 -> 50000-60000
WAN Connection Type
All Broadband Devices
Status
Active
Now the problem is when I type my real IP address, 108.XX.XXX.37:8080: from inside the network it pulls up the Fios router login page, and when I pull it up outside the network I get page not found. This isn't any different than what I had previously done on my Netgear router, but I must be missing something on this Actiontec one. Any suggestions?
Thanks
No port on the IP address
Networked Computer / Device
192.168.1.200
should say tcp any on the left side of the arrow in all cases
TCP any -> 8080
UDP any -> 8080
etc -
Unable to connect to Arch VM through port forward.
I'm attempting to run Arch as a web server through VMware, everything appears to be working. The guest can connect to everything with some edits through the network editor, I can type my hosts IP in and it'll connect perfectly to the ArchVM.
So everything seems to be working through my internal network, I just can't port forward the connection so that I can access my server over my internet IP. All my ports seem to be correct and opened like they need to be, I just can't see why I can access it perfectly fine on my internal network just not my external one.
Could it be an issue with VMware not allowing port forwarding to its internal guests (it doesn't make sense)? Any ideas/stats I can give you guys to help me out?
Thanks
~Compulsed.
Last edited by Compulsed (2012-01-04 04:20:05)
Is your router configured to forward the necessary ports to the host?
Do you have a firewall/iptables running at the host ?
if so, try connecting while iptables is stopped -
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall, it's just the Cisco. I highlighted in red what I thought I needed in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni -
Unable to enable security and create admin user after reset - px4-300d
Our px4-300d became inaccessible a few days ago. I couldn't get to any shares from any machine, and I couldn't get to the admin console. When I checked the unit, there was no indication that anything was wrong (ie - the panel didn't show any failure, I didn't get any emails indicating a failure, and there were no lights offering a clue to what was wrong). However the unit was completely frozen...the buttons on the front would not scroll through the different information on the panel.
I attempted to reset the device using the pinhole on the back, but the device wouldn't respond, so I had to power it down using the button on the front. When I tried to power it back up, it would come on for about one second, then immediately power off. I pulled all 4 drives out and powered it on again without any drives. This time it came up completely and I got a message on the panel that drives were missing. I started putting the drives in one at a time and the device recognized them all and I was able to log in to the admin console. However, all the shares were missing and I received an email that the Storage Pool was degraded. I rebooted the device from the admin console and when it came back up, it started reconstruction. After a few hours, it completed, but I still had no shares and couldn't create any new shares. I also did not see any of my users, including the admin account I was logged in with. I tried to create a new user, and also tried creating a user I knew existed, and neither one worked. The screen would just flash but nothing would show up. At this point, I decided to try to reset using the pinhole on the back of the device to reset the admin user so I could just create a new one. So, now I'm stuck at the 'Enable Security' screen. Every time I try to create an admin account, it just flashes and returns me to the same 'Enable Security' window.
Now what?
Solved!
If you are unable to get into it you will not be able to do the factory reset. You can try booting by removing one disk at a time. If you are still unable to then tech support should be able to supply you with the imager and try flashing it. I would keep it at 4.0.8 also.
-
ASA 5505 how to create a port forwarding rule
ASA 5505 IOS ver 9.2.3
I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
I tried these commands but they didn't work:
object network NAS
host 192.168.2.8
nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
conf t
int vlan 2
access-group NASFTP-in permit tcp any object NAS eq 1545
I really appreciate the help everyone.
Try this, it worked for me. Here is an example of adding a webserver with an IP of 10.10.50.60, naming it with an object named www-server and forwarding port 80. The way it works is you need to do three things: you need to "nat it", "forward it" and allow it in the "acl":
object network obj-10.10.50.60-1
host 10.10.50.60
nat (inside,outside) static interface service tcp 80 80
object network INSIDE
nat (inside,outside) dynamic interface
object network WWW-SERVER
nat (inside,outside) static interface service tcp 80 80
access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
access-group Outside_access_in in interface Outside
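The answer above lists three pieces that have to line up for a static PAT "port forward" on an ASA: the network object with its static NAT, an ACL entry, and the access-group that applies that ACL to the outside interface. The following is an added example, not code from this thread or from Cisco, that parses those three pieces out of a config fragment and reports what is missing or inconsistent. It assumes the ASA 8.3+ behaviour that ACLs match the real (untranslated) address and port, and it recognises only the `object network` / `static interface service tcp` and `access-list ... permit tcp any object X eq P` forms used on this page. The BROKEN sample mirrors the question's commands; the FIXED sample is a constructed corrected form.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Service names the ASA CLI accepts in place of numbers (subset, for normalisation).
PORT_NAMES = {"www": "80", "http": "80", "https": "443", "ftp": "21", "ssh": "22"}


def norm_port(port):
    """Map a named service to its number so 'www' and '80' compare equal."""
    return PORT_NAMES.get(port, port)


@dataclass
class StaticPat:
    name: str                          # network object name
    host: Optional[str] = None         # real (inside) address from 'host ...'
    real_port: Optional[str] = None    # first port in 'service tcp REAL MAPPED'
    mapped_port: Optional[str] = None  # second port: what the outside sees


def parse_config(text):
    """Collect network objects with static PAT, ACL entries and access-group bindings."""
    objects, acl_entries, bound = {}, [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"object network (\S+)", line):
            current = objects.setdefault(m.group(1), StaticPat(m.group(1)))
        elif (m := re.fullmatch(r"host (\S+)", line)) and current:
            current.host = m.group(1)
        elif (m := re.fullmatch(r"nat \(\S+,\S+\) static interface service tcp (\S+) (\S+)", line)) and current:
            current.real_port, current.mapped_port = m.groups()
        elif m := re.match(r"access-list (\S+) (?:extended )?permit tcp any object (\S+) eq (\S+)", line):
            acl_entries.append(m.groups())          # (acl name, object, port)
        elif m := re.fullmatch(r"access-group (\S+) in interface (\S+)", line):
            bound[m.group(1)] = m.group(2)
    return objects, acl_entries, bound


def check_forwards(text):
    """Return {object name: [problems]} for every static PAT found in the config."""
    objects, acl_entries, bound = parse_config(text)
    report = {}
    for name, fw in objects.items():
        if fw.real_port is None:
            continue                                  # dynamic NAT or plain object: not a forward
        problems = []
        if fw.host is None:
            problems.append("object has no 'host' address")
        hits = [(acl, port) for acl, obj, port in acl_entries if obj == name]
        if not hits:
            problems.append("no access-list entry permits traffic to this object")
        for acl, port in hits:
            # From ASA 8.3 onward ACLs match the real (untranslated) address and port,
            # so the entry must permit the real port, not the published one.
            if norm_port(port) != norm_port(fw.real_port):
                problems.append(f"access-list {acl} permits port {port}; "
                                f"post-8.3 ACLs must use the real port {fw.real_port}")
            if acl not in bound:
                problems.append(f"access-list {acl} is never applied with "
                                "'access-group ... in interface'")
        report[name] = problems
    return report


# Constructed sample mirroring the question: FTP on 21 published as 1545.
BROKEN = """
object network NAS
 host 192.168.2.8
 nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
access-group NASFTP-in permit tcp any object NAS eq 1545
"""

# Constructed corrected form: ACL on the real port, bound to the outside interface.
FIXED = """
object network NAS
 host 192.168.2.8
 nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in extended permit tcp any object NAS eq 21
access-group NASFTP-in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_forwards(cfg))
```

Run against the BROKEN sample the checker flags two things: the ACL permits the published port 1545 where the real port 21 is needed, and the ACL is never bound with a valid `access-group ... in interface` line. The FIXED sample reports no problems.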
Cisco 5520 ASA Port Forward to Endian Firewall VPN Question
Hello,
We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194. We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server. So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN. Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
Thanks for your comments in advance I am new to cisco technology,
Joe
Wrong forum, post in "Security - Firewalling". You can move your posting with the Actions panel on the right.
-
Hello,
I have a problem with a single port forward with 9.2 ASA (5505). Here is the related config:
access-list outside_access_in extended permit icmp any any
access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
access-list DMZ_in extended permit ip any any
nat (DMZ,outside) source dynamic obj_any interface
nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
object network Public_Server
nat (DMZ,outside) static interface service tcp www www
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
When I try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me find what the problem could be?
Thank You!
Yes, of course, I can ping, and also from VPN. And also the web service works from VPN and locally. The packet-tracer said the same, the implicit deny catches it:
packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a1718, priority=1, domain=permit, deny=false
hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
src mac=0000.0000.0000, mask=0000.0000.0000
dst mac=0000.0000.0000, mask=0100.0000.0000
input_ifc=outside, output_ifc=any
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIFIP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad071248, priority=1, domain=nat-per-session, deny=true
hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=any, output_ifc=any
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0xad2a23b8, priority=0, domain=permit, deny=true
hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
input_ifc=outside, output_ifc=any
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
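Reading a packet-tracer trace by hand is error-prone once it runs to several phases, so here is an added example, not code from this thread or from Cisco, that parses the trace into per-phase records and names the first phase that dropped the flow. The two diagnostic notes it emits are general packet-tracer semantics: a DROP in an ACCESS-LIST phase whose config is "Implicit Rule" means no explicit entry on the input interface matched and the trailing implicit deny applied, and an output interface of "NP Identity Ifc" means the packet resolved to the ASA itself rather than being un-translated to an inside host. The SAMPLE is a constructed, shortened copy of the trace pasted above.

```python
import re


def parse_packet_tracer(text):
    """Split packet-tracer output into per-phase records plus the final summary block."""
    phases, summary = [], {}
    phase, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"Phase:\s*(\d+)", line):
            phase = {"phase": int(m.group(1)), "type": "", "subtype": "",
                     "result": "", "config": [], "info": []}
            phases.append(phase)
            section = None
        elif line == "Result:":                       # bare header starts the summary block
            phase, section = None, "summary"
        elif phase is None:
            if section == "summary" and ":" in line:  # e.g. "Action: drop"
                key, value = line.split(":", 1)
                summary[key.strip()] = value.strip()
        elif line.startswith(("Type:", "Subtype:", "Result:")):
            key, value = line.split(":", 1)
            phase[key.lower()] = value.strip()
            section = None
        elif line == "Config:":
            section = "config"
        elif line == "Additional Information:":
            section = "info"
        elif section:
            phase[section].append(line)
    return phases, summary


def diagnose(text):
    """Name the first dropping phase and add notes a firewall admin would check next."""
    phases, summary = parse_packet_tracer(text)
    drop = next((p for p in phases if p["result"] == "DROP"), None)
    notes = []
    if drop is not None and drop["type"] == "ACCESS-LIST" and "Implicit Rule" in drop["config"]:
        notes.append("no explicit ACL entry on the input interface matched the flow; "
                     "the implicit deny at the end of the ACL dropped it")
    if summary.get("output-interface") == "NP Identity Ifc":
        notes.append("egress resolved to the ASA itself (to-the-box traffic): the destination "
                     "was not un-translated to an inside host, so the static PAT did not match")
    return {
        "action": summary.get("Action"),
        "drop_phase": drop["phase"] if drop else None,
        "drop_type": drop["type"] if drop else None,
        "drop_reason": summary.get("Drop-reason"),
        "notes": notes,
    }


# Constructed, shortened copy of the trace posted in the thread above.
SAMPLE = """\
packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
in id=0xad2a1718, priority=1, domain=permit, deny=false
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in OUTIFIP 255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
in id=0xad071248, priority=1, domain=nat-per-session, deny=true
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0xad2a23b8, priority=0, domain=permit, deny=true
Result:
input-interface: outside
input-status: up
output-interface: NP Identity Ifc
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample the parser reports phase 4 (ACCESS-LIST) as the dropping phase with the "(acl-drop)" reason, and both notes fire: the implicit deny matched, and the packet never left the identity interface.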