Px4-300d port forward iptables 50000 - https

Hello. I've searched for similar problems but they weren't exactly the same.
I now need to open an https connection to my px4-300d to share folders with specific users.
I already opened a port forward for the SSH connection, which is working fine.
ssh my.ip -p 50001 gets me to mynas.internal.ip:22
I've created a similar rule on port 50000 to port 443, and it starts to connect. I get the certificate out-of-date error, but then the connection just hangs there on an empty page.
In Wireshark I can't see much more, only that my router/PC starts the TLSv1 session, but right after it sends a [FIN, ACK].
Any ideas please?
Thanks and regards.
Dave

That is not fully true. Once you know the external IP address of your network you can access your device both via https and ftp, e.g. https://<external-ip> or ftp://<user-name>:<user-password>@<external-ip>.
(I have not checked whether this is true when the cloud has never been set up.)
Bearing this in mind, you can configure your router to use your own dyn service with the same port-forwarding rules as with the cloud...
Various PCs / Laptops ( sorry I still really love Dell and Fujitsu ;-))
Supporting Customers ix2s and ix4s -- Love Networking ( not only technically ).
I am not a Lenovo Employee.

Similar Messages

  • Use iptables on DMZ server to port forward

    Hello!
    My ISP has this great idea that we have to go to their site to do port forwarding and change settings on the router/modem, so I was thinking to just set one of my servers as a DMZ and do the port forwarding with iptables on that server.
    The problem is that I can't find out how I can make packets coming in on one port go out to another ip in the LAN.
    Here is my network setup:
    1. Combined router, modem and wireless AP.
    2. Apple AirPort Express connected to the Wifi
    3. switch connected to the AirPort Express with ethernet.
    4. two servers connected to the switch(also with ethernet).
    The two servers have IP addresses 192.168.2.3 and 192.168.2.4, and I have set up 192.168.2.3 as DMZ.
    How do I use iptables to route connections that are coming to 2.3 on a specific port to 2.4?

    hunterthomson wrote:
    Well, I have kind of turned into an arno-iptables-firewall fanboy. I mean really, you can read through the script in /usr/sbin/arno-iptables-firewall  Super well commented and written very well. It covers all your bases.
    You will want to use the updated package listed in the comments.
    http://dl.dropbox.com/u/1367726/arno-ip … all.tar.gz
    You will also want the SystemD Unit file
    https://aur.archlinux.org/packages/syst … -firewall/
    To do NAT and Port-Forwarding... basically just read through the whole firewall.conf and when you hit the bottom you're done.
    But really, you just need to change these things.
    /etc/arno-iptables-firewall/firewall.conf
    Line #41, put your Internet facing interfaces here.
    Line #46, Probably want to set this to '1' because it sounds like the server does get its IP from DHCP... but that is a bad idea because it needs to have the same IP all the time... so maybe leave it disabled '0'
    Line #87, Put your LAN facing interfaces here
    Line #94, Put the LAN network here, So like if your Internet facing network is 192.168.2.0/24 you could make the LAN 192.168.4.0/24
    Line #140, Change this to '1' to enable NAT for your LAN
    Line #162, Change this to '1' to enable Port-Forwarding
    Line #193-195, Here is where you define your port-forwards,
    Example: Forward TCP port 22 to host 192.168.4.55 and TCP port 80 to 192.168.4.66
    --> Line 193, NAT_FORWARD_TCP="22>192.168.4.55 80>192.168.4.66"
    Then open port 22 and 80 on the WAN side so they 'can' be forwarded.
    Line #1170, OPEN_TCP="22 80"
    You should also check out the configs in the plugins directory. This is where you get your money's worth...
    ssh-brute-force-protection.conf
    ids-protection.conf
    traffic-shaper.conf
    ipv6-over-ipv4.conf
    traffic-accounting.conf
    transparent-proxy.conf
    multiroute.conf
    ipsec-vpn.conf
    And More !!!
    Thanks for the answer. But it seems like you missed that the server is only connected to the LAN, never to the internet.
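    The question in this thread (a port arriving at the DMZ host 192.168.2.3 has to be handed on to 192.168.2.4) never got a direct iptables answer. The script below is an added example and is not from the thread or any of its posters; it uses the thread's two addresses, while the interface name eth0, the ports 2222 and 22, and the DRY_RUN helper are assumptions. The part the ISP-router-plus-DMZ setup usually trips over is the last rule: 192.168.2.4's default gateway is the ISP router, not the DMZ host, so without a source rewrite its replies bypass the box that holds the connection state.

```shell
#!/bin/sh
# Added example (not from the thread): forward one TCP port that arrives at the
# DMZ host (192.168.2.3) to a second LAN host (192.168.2.4). Interface name,
# ports and the single-NIC layout are assumptions.
DMZ_HOST=192.168.2.3      # host the ISP router exposes as DMZ
TARGET=192.168.2.4        # LAN host that should really receive the traffic
WAN_PORT=2222             # port arriving at the DMZ host (constructed value)
TARGET_PORT=22            # service port on the target (constructed value)
IFACE=eth0                # the DMZ host's only NIC (assumption)

# Print each command when DRY_RUN=1 (the default), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

forward_rules() {
    # The DMZ host must route packets, not only terminate them.
    run sysctl -w net.ipv4.ip_forward=1

    # 1. Rewrite the destination of new connections arriving on WAN_PORT.
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp --dport "$WAN_PORT" \
        -j DNAT --to-destination "$TARGET:$TARGET_PORT"

    # 2. Let only that forwarded flow through FORWARD, in both directions.
    #    Everything else stays under the chain's default policy.
    run iptables -A FORWARD -i "$IFACE" -o "$IFACE" -p tcp -d "$TARGET" \
        --dport "$TARGET_PORT" -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$IFACE" -o "$IFACE" -p tcp -s "$TARGET" \
        --sport "$TARGET_PORT" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # 3. TARGET's default route points at the ISP router, so its replies would
    #    skip the DMZ host (and its conntrack entry) and the client would hang.
    #    Rewriting the source to the DMZ host keeps both directions on this box;
    #    the price is that TARGET's logs show 192.168.2.3, not the real client.
    run iptables -t nat -A POSTROUTING -o "$IFACE" -p tcp -d "$TARGET" \
        --dport "$TARGET_PORT" -j SNAT --to-source "$DMZ_HOST"
}

# Number of iptables rules the function applies (self-check, always dry).
rule_count() {
    DRY_RUN=1 forward_rules | grep -c '^iptables'
}

forward_rules
```

    Run it as is to review the rules, then `DRY_RUN=0 sh forward.sh` as root to apply them. If you would rather keep the real client address in the target's logs, the alternative to the SNAT rule is to make 192.168.2.3 the default gateway of 192.168.2.4, so its replies naturally pass back through the DMZ host.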

  • Port forwarding in Solaris 8

    Hi,
    I am new to Solaris and am trying to set up a simple port forwarding from port 80 to 8080.
    I know how to do this in Linux:
    iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
    but cannot find a way to do this in Solaris. I have installed SunScreen, but am not sure whether this is the right thing to use.
    This is a simple server in a hosting centre.
    Can anyone help?

    In Solaris you can do port forwarding with ssh. You have to install SSH from the Solaris 2 of 2 CD.
    see man pages of ssh
    Regards

  • NAT port-forwarding and WAN side IP addresses

    I have my Airport Extreme setup to forward port 21 to an FTP server on the LAN side of my network. The AE is connected via DSL to my ISP.
    When a client from the WAN side connects to my server, the server's logs don't list the IP of the client; rather, they say the client connected from my assigned WAN IP. For example (fake IPs):
    Client ----> AE ----> FTP-SERVER
    130.129.12.3 76.99.89.3 10.0.1.2
    Log states client connected
    from IP: 76.99.89.3
    My previous Linksys router, with the same DSL modem and ISP, would report the client as connecting from 130.129.12.3.
    Am I missing something in how I am configuring my AE? Or is this how the AE manages port-forwarding and there's nothing I can do about it?
    I used to use firewall rules to control access to the FTP server, i.e. rules set on the server. This can't be done anymore with the AE operating as it does.

    Seems to me that the NAT translation in the Airport 802.11n is such that it does not use the incoming IP of clients connecting from the WAN side to a computer on the LAN side. The ingoing and outgoing packets reach their respective destinations, it is just that the AE uses some kind of non-standard routing (at least not that I am used to working with).
    This is bad because it prevents the use of some forms of access controls on BSD and Linux servers on the LAN side, TCP Wrappers and iptables for example. This can create obvious security problems when WAN ports are set to forward to such a LAN client. We are already getting hit with robot-like script attacks on our server, this was a problem with our Linksys router, but with the above mentioned tools and scripts we were able to block abusive clients.
    Perhaps Apple can work on resolving this issue in a future firmware release, or at least make it an option... Anyone from Apple out there?
    jmj

  • Port forwarding, NAT, SSH and Transmission.

    A couple of days ago I decided to set up the Transmission daemon, along with automation for my downloads. Recently, however, to put a layer of security around my laptop, I set up a wireless router I had lying around that is now connected with a wire to my laptop. The reason for this is that I have no idea how iptables works yet, and until then I decided this will suffice for the moment. One of the problems though (yes, problems seem to come twenty-fold where my luck is concerned) is that when I rewire my laptop directly to the internet, without the router, NetworkManager or Archlinux doesn't reset the IP address, which for some reason jumps to 192.168.1.122, which it never uses otherwise. I haven't yet tried reinstalling networkmanager, but when I did turn it off, dhcpcd assigned the same address... The problem here being that it shouldn't assign a LAN address; I'm directly connected to the internet. Side note here though: my internet connection is just a plug in the wall; the operators here (I live on a kind of campus) probably only use a network switch to relay the traffic to the socket.
    That's that, my wired network doesn't work directly, only via the wireless router, wired or wireless. Because of this, I have to use port-forwarding for SSH (to test if the port forwarding works), and the Transmission daemon with an RPC port of 9091, which was my intention in the first place. I have no idea if logging into my.ip.address.here:9091 in a browser would work; I just used localhost:9091.
    Now for the results:
    $ nmap -sT xx.xxx.xx.xx
    Starting Nmap 5.21 ( http://nmap.org ) at 2010-06-14 19:42 CEST
    Nmap scan report for xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Host is up (0.038s latency).
    Not shown: 996 closed ports
    PORT STATE SERVICE
    22/tcp filtered ssh
    53/tcp open domain
    80/tcp open http
    9091/tcp filtered unknown
    Here it shows that the ports are actually not closed, but they're not exactly opened either, from what I gathered from the internet.
    SSH shows the true problem:
    $ ssh neal@xxxxxxxx
    ssh: connect to host xxxxxxxx port 22: Connection timed out
    SSH-ing to 192.168.0.102 (my internal ip) works, as does to localhost, same for Transmission webGUI. Before I used port-forwarding ssh would correctly say that it couldn't get traffic from the router.
    My router is a cheap solution to another problem I had, but it should work like any router. It's a Sitecom WL-607. I disabled login authentication for the moment. Also, there is no filtering going on in the firewall. Like I said earlier, I don't get iptables, so that's not being used. The hosts file allows all and denies nothing.
    TL;DR version: I'm using port-forwarding on my Sitecom WL-607, but all ports except http and port 53 are being blocked.
    Is there something I'm missing here?
    Thanks in advance,
    Neal van Veen.

    By default, all routers assign their clients an IP address from their internal pool of addresses. Your wireless router is assigning you that address and then NATs the connection with the WAN side, but even after directly plugging in to the wall socket you still don't get a new IP address; use dhcpcd <mydev> in a terminal to refresh the DHCP lease. If not, then your campus/location/etc. may also be using NAT on their own side.
    As for the ports, iptables doesn't block any traffic by default; it allows everything. If there is filtering, it is from your wireless router.
    On the above ssh and nmap scans, did you use your LAN IP or your public IP?

  • Port Forwarding with Verizon-Branded Action GT704-WG

    I am new to the forums, and I am already overjoyed with the 30 minutes I spent figuring out that the login mechanism does not even work with browsers other than IE7/8.  Lots of fun to start.
    I live in a residential building with the residential High Speed Internet Plan.  I assume this is the case because it is a DSL line and they are not using business grade, or I do not think I would be having these problems.
    I have spent many hours trying to figure out how to port forward with the above-mentioned router/modem/gateway/**bleep** extraordinaire.  I am in IT professionally, and I am tired of feeling **bleep**.  I called Verizon tech, but they were very unhelpful unless I pay for a premium tech service to figure out port forwarding problems.  And yes, I have read the info on port-forward.com numerous times for this device.
    Essentially, I want to forward an arbitrary port, let's say 6336, to a server running Ubuntu 9.10.  I have put this computer in the DMZ using the web interface.  I have also set up a mapping rule to forward 6336 (all three entries pointed to 6336 in the Security/Applications/Forwarding section, following docs on port-forward.com for this specific model AND Verizon's own documentation).  Occasionally, I can see the service is viewable from the likes of canyouseeme.org.  Nonetheless, I cannot access the port: I get a connection refused error when using ssh on this port.  Yes, I correctly configured ssh on the DMZ server/host to respond to the non-standard 6336 port, and I have tried it with the server's firewall system (ufw/iptables, for the curious) enabled and disabled.  It NEVER works.
    Some posts here have indicated I might need a static IP assignment.  That can be done only client-side (meaning the Ubuntu server in the DMZ), if I understand people saying it is not possible to do static assignments from this **bleep** gateway, so I am not sure if that should matter (I wonder what happens with this **bleep** when two computers try to demand the same static IP; dare I guess that he who asks first wins?).  I cannot recall if I have UPnP enabled or disabled as I am at the office right now, but I believe it is off.  Not sure if this matters either.  If I am wrong, I would love if someone could let me know.  I am at a loss and sick of dealing with such a simple problem.  I would really appreciate the help.

    Ok.
    #1 On your computer set up a Static IP.
    This means following the directions at http://www.cyberciti.biz/tips/howto-ubuntu-linux-convert-dhcp-network-configuration-to-static-ip-con...
    #2 The Static IP must be outside of the DHCP range of the router. So, this means your IP has to be above 1 but below 64.
    #3 In the router forward to the IP Address that you setup on the computer.
    OR if the router can give the computer the same IP Address each time, you could do that.

  • RVS4000 not Port forwarding

    I have a new RVS4000 router, which is hosting a Seagate GoFlex Home drive.
    Originally my WRT54G router worked fine.
    I cannot get the UPnP to work.
    I have UPnP enabled.
    I have my GoFlex Home set to automatically configure the router for port forwarding, ports 21, 22, 80, 443, 50000 and 50001.
    So, nothing. I cannot connect to my drives http://my.intricatephotography.com
    Leaving UPnP enabled, I manually port forward my ports to 192.168.1.121 (the LAN IP of the GoFlex hard drive).
    Now all works well.
    I'm noting too that the HipServ site says that ports are forwarded correctly, but it cannot configure the router for UPnP correctly.
    Any suggestions?
    My port forwarding seems to be an up-and-down situation. My customers are getting angry.

    Hi Darrin,
    Intriguing post, I just had to comment, as the application looks interesting.
    I have absolutely no idea how Seagate GoFlex @ home setup software loaded on a PC or Mac can automatically, via UPnP, enable port forwarding of specific ports and destination IP on an RVS4000 router.
    But, you manually port forwarded and "Now all works well" as you said in your posting.
    Once a port is forwarded, it should not be up or down. I can't imagine port forwarding not working well on the RVS4000.
    But, please check the Seagate knowledgebase and Axenta forum to see if others are having trouble with UPnP.
    The problem originates from a feature that hasn't been validated on a Cisco router; there must be better documentation on how to get UPnP working with the GoFlex application.
    Also why not place a warranty call with the Disti partner you purchased the freeagent goFlex @ home.
    Also I welcome input from  anyone within the community who  has seen this issue with goFlex@home application.
    regards Dave

  • Px4-300d copy job setup problem. Firmware version 4.1.108.32627

    Hello. 
    I have a weird problem with copy job setup on my px4-300d (4.1.108.32627). I was able to set up one job, where I take a folder from my NAS and put it on a remote machine. That job ran fine.
    When I go to set up a similar job but for a different folder, I have two possible outcomes:
    1. When I go to choose the remote folder I see it fine and the job is set up fine as well. However, when I run the job it throws an error. And in the log I see that instead of going to the folder I set up, like "\\remoteserver\backupfolder", it's going to "\\remoteserver\u_myremoteserverusername\backupfolder", which is obviously not there.
    2. I can see my remote server, but I don't see my shares on it. I don't get any "Access denied" error or anything; I simply don't see any shares on that particular server. I do see shares on other servers, which use the same credentials. In addition, the job that I was able to set up previously stops working.
    Then when I reboot, the first job (the one set up successfully) may or may not properly run, yet I still cannot set up the second job.
    I did check permissions and all the stuff that you would regularly check (connectivity, ports etc.). Seems to me the script that is being generated from the UI is a bit too smart and is in fact outsmarting the NAS itself.
    I also suspect that the fact that I could set up the first job and not the second is that the second job goes to a subfolder of a shared folder. Or that the shared folder's name starts with an underscore "_" . But these are just my guesses - I cannot verify this yet. 
    Any ideas how to fix this or how to bypass the problem? 
    Thanks. 

    Hello fimine
    I recommend double checking that the remote server's folders that are not being seen by the px4 are in fact shared from that remote machine.  If they are not, copy jobs will have problems accessing the folders.
    I also recommend trying to use the remote machine's IP address for now to see if there is any change in behavior.
    If the issue does not happen when using the IP address, it may be an issue with how your network's DNS is set up.
    LenovoEMC Contact Information is region specific. Please select the correct link then access the Contact Us at the top right:
    US and Canada: https://lenovo-na-en.custhelp.com/
    Latin America and Mexico: https://lenovo-la-es.custhelp.com/
    EU: https://lenovo-eu-en.custhelp.com/
    India/Asia Pacific: https://lenovo-ap-en.custhelp.com/
    http://support.lenovoemc.com/

  • Port Forwarding Question for IP Camera with MI424WR-GEN3

    So just switched to fios from cable and trying to set up port forwarding on this new actiontec router so I can view my IP Camera from outside the house.
    The camera has a static IP address of 192.168.1.200  using port 8080 and I works fine if I type that IP address with the port into the browser inside the network.
    The IP Camera company requires you to port forward port 80 (switched to 8080), 554 and 50000-60000.
    So I set up Portforwarding on the router like this:
    Networked Computer / Device
    192.168.1.200:8080
    Applications & Ports Forwarded
    IPCamera
    TCP 8080 -> 8080
    UDP 8080 -> 8080
    TCP 554 -> 554
    UDP 554 -> 554
    TCP 50000-60000 -> 50000-60000
    UDP 50000-60000 -> 50000-60000
    WAN Connection Type
    All Broadband Devices
    Status
    Active
    Now the problem is when I type my real IP address, 108.XX.XXX.37:8080, from inside the network it pulls up the Fios router login page, and when I pull it up outside the network I get "page not found".  This isn't any different than what I had previously done on my Netgear router, but I must be missing something on this Actiontec one.  Any suggestions?
    Thanks

    Howie411 wrote:
    The IP Camera company requires you to port forward port 80 (switched to 8080), 554 and 50000-60000.
    So I set up Portforwarding on the router like this:
    Networked Computer / Device
    192.168.1.200:8080
    Applications & Ports Forwarded
    IPCamera
    TCP 8080 -> 8080
    UDP 8080 -> 8080
    TCP 554 -> 554
    UDP 554 -> 554
    TCP 50000-60000 -> 50000-60000
    UDP 50000-60000 -> 50000-60000
    WAN Connection Type
    All Broadband Devices
    Status
    Active
    Now the problem is when I type my real IP address, 108.XX.XXX.37:8080, from inside the network it pulls up the Fios router login page, and when I pull it up outside the network I get "page not found".  This isn't any different than what I had previously done on my Netgear router, but I must be missing something on this Actiontec one.  Any suggestions?
    Thanks
    No port on the ip address
    Networked Computer / Device
    192.168.1.200
    should say tcp any on the left side of the arrow in all cases
    TCP any -> 8080
    UDP any -> 8080
    etc

  • Unable to connect to Arch VM through port forward.

    I'm attempting to run Arch as a web server through VMware, everything appears to be working. The guest can connect to everything with some edits through the network editor, I can type my hosts IP in and it'll connect perfectly to the ArchVM.
    So everything seems to be working through my internal network, I just can't port forward the connection so that I can access my server over my internet IP. All my ports seem to be correct and opened like they need to be, I just can't see why I can access it perfectly fine on my internal network just not my external one.
    Could it be an issue with VMware not allowing port forwarding to its internal guests (it doesn't make sense)? Any ideas/stats I can give you guys to help me out?
    Thanks
    ~Compulsed.
    Last edited by Compulsed (2012-01-04 04:20:05)

    Is your router configured to forward the necessary ports to the host ?
    Do you have a firewall/iptables running at the host ?
    if so, try connecting while iptables is stopped

  • Port Forwarding for RDP 3389 is not working

    Hi,
    I am having trouble getting rdp (port 3389) to forward to my server (10.20.30.20).  I have made sure it is not an issue with the server's firewall; it's just the Cisco.  I highlighted in red what I thought I needed in my config to get this to work.  I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
    TAMSATR1#show run
    Building configuration...
    Current configuration : 11082 bytes
    version 15.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname TAMSATR1
    boot-start-marker
    boot system flash:/c880data-universalk9-mz.152-1.T.bin
    boot-end-marker
    logging count
    logging buffered 16384
    enable secret
    aaa new-model
    aaa authentication login default local
    aaa authentication login ipsec-vpn local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1879941380
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879941380
    revocation-check none
    rsakeypair TP-self-signed-1879941380
    crypto pki certificate chain TP-self-signed-1879941380
    certificate self-signed 01
      3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
      32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
      34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
      ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
      88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
      E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
      542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip dhcp excluded-address 10.20.30.250
    ip dhcp pool tamDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    domain-name domain.com
    dns-server 10.20.30.20 8.8.8.8
    ip domain name domain.com
    ip name-server 10.20.30.20
    ip cef
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn
    crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
    ip tftp source-interface Vlan1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
      pass
    zone security sslvpn-zone
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp policy 20
    encr aes 192
    authentication pre-share
    group 2
    crypto isakmp key password
    crypto isakmp client configuration group ipsec-ra
    key password
    dns 10.20.30.20
    domain tamgmt.com
    pool sat-ipsec-vpn-pool
    netmask 255.255.255.0
    crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    crypto ipsec profile VTI
    set security-association replay window-size 512
    set transform-set TSET
    crypto dynamic-map dynmap 10
    set transform-set ipsec-ra
    reverse-route
    crypto map clientmap client authentication list ipsec-vpn
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
    ip address 10.20.250.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    interface Tunnel0
    description To AUS
    ip address 192.168.10.1 255.255.255.252
    load-interval 30
    tunnel source
    tunnel mode ipsec ipv4
    tunnel destination
    tunnel protection ipsec profile VTI
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address 1.2.3.4
    ip access-group INTERNET_IN in
    ip access-group INTERNET_OUT out
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache cef
    ip route-cache policy
    ip policy route-map IPSEC-RA-ROUTE-MAP
    duplex auto
    speed auto
    crypto map clientmap
    interface Virtual-Template1
    ip unnumbered Vlan1
    zone-member security sslvpn-zone
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
    ip default-gateway 71.41.20.129
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
    ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
    ip nat inside source static 10.20.30.20 (public ip)
    ip route 0.0.0.0 0.0.0.0 public ip
    ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
    ip access-list extended ACL-POLICY-NAT
    deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
    deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
    deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
    permit ip 10.20.30.0 0.0.0.255 any
    permit ip 10.20.31.208 0.0.0.15 any
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended INTERNET_IN
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit esp host 24.153. host 66.196
    permit udp host 24.153 host 71.41.eq isakmp
    permit tcp host 70.123. host 71.41 eq 22
    permit tcp host 72.177. host 71.41 eq 22
    permit tcp host 70.123. host 71.41. eq 22
    permit tcp any host 71..134 eq 443
    permit tcp host 70.123. host 71.41 eq 443
    permit tcp host 72.177. host 71.41. eq 443
    permit udp host 198.82. host 71.41 eq ntp
    permit udp any host 71.41. eq isakmp
    permit udp any host 71.41eq non500-isakmp
    permit tcp host 192.223. host 71.41. eq 4022
    permit tcp host 155.199. host 71.41 eq 4022
    permit tcp host 155.199. host 71.41. eq 4022
    permit udp host 192.223. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit tcp any host 10.20.30.20 eq 3389
    evaluate INTERNET_REFLECTED
    deny   ip any any
    ip access-list extended INTERNET_OUT
    permit ip any any reflect INTERNET_REFLECTED timeout 300
    ip access-list extended IPSEC-RA-ROUTE-MAP
    deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
    deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
    permit ip 10.20.30.208 0.0.0.15 any
    deny   ip any any
    access-list 23 permit 70.123.
    access-list 23 permit 10.20.30.0 0.0.0.255
    access-list 24 permit 72.177.
    no cdp run
    route-map IPSEC-RA-ROUTE-MAP permit 10
    match ip address IPSEC-RA-ROUTE-MAP
    set ip next-hop 10.20.250.2
    banner motd ^C
    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
    ^C
    line con 0
    logging synchronous
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0
    access-class 23 in
    privilege level 15
    logging synchronous
    transport input telnet ssh
    line vty 1 4
    access-class 23 in
    exec-timeout 5 0
    privilege level 15
    logging synchronous
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 198.82.1.201
    webvpn gateway gateway_1
    ip address 71.41. port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-1879941380
    inservice
    webvpn context TAM-SSL-VPN
    title "title"
    logo file titleist_logo.jpg
    secondary-color white
    title-color #CCCC66
    text-color black
    login-message "RESTRICTED ACCESS"
    policy group policy_1
       functions svc-enabled
       svc address-pool "sat-ipsec-vpn-pool"
       svc default-domain "domain.com"
       svc keep-client-installed
       svc split dns "domain.com"
       svc split include 10.0.0.0 255.0.0.0
       svc split include 192.168.0.0 255.255.0.0
       svc split include 172.16.0.0 255.240.0.0
       svc dns-server primary 10.20.30.20
       svc dns-server secondary 66.196.216.10
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_1
    gateway gateway_1
    ssl authenticate verify all
    inservice
    end

    Hi,
    I didn't see anything marked with red in the above? (At least when I was reading.)
    I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
    But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
    There also seems to be a Static NAT configured for the same internal host, so I am wondering why the Static PAT (Port Forward) is used?
    - Jouni

  • Unable to enable security and create admin user after reset - px4-300d

    Our px4-300d became inaccessible a few days ago.  I couldn't get to any shares from any machine, and I couldn't get to the admin console.  When I checked the unit, there was no indication that anything was wrong (i.e. the panel didn't show any failure, I didn't get any emails indicating a failure, and there were no lights offering a clue to what was wrong).  However, the unit was completely frozen; the buttons on the front would not scroll through the different information on the panel.
    I attempted to reset the device using the pinhole on the back, but the device wouldn't respond, so I had to power it down using the button on the front.  When I tried to power it back up, it would come on for about one second, then immediately power off.  I pulled all 4 drives out and powered it on again without any drives.  This time it came up completely and I got a message on the panel that drives were missing.  I started putting the drives in one at a time and the device recognized them all and I was able to login to the admin console.  However, all the shares were missing and I received an email that the Storage Pool was degraded.  I rebooted the device from the admin console and when it came back up, it started reconstruction.  After a few hours, it completed, but I still had no shares and couldn't create any new shares.  I also did not see any of my users, including the admin account I was logged in with.  I tried to create a new user, and also tried creating a user I knew existed and neither one worked.  The screen would just flash but nothing would show up.  At this point, I decided to try to reset using the pinhole on the back of the device to reset the admin user so I could just create a new one.  So, now I'm stuck at the 'Enable Security' screen.  Every time I try to create an admin account, it just flashes and returns me to the same 'Enable Security' window.  
    Now what?

    If you are unable to get into it, you will not be able to do the factory reset. You can try booting by removing one disk at a time. If you are still unable to, then tech support should be able to supply you with the imager and try flashing it. I would keep it at 4.0.8 also.

  • ASA 5505 how to create a port forwarding rule

    ASA 5505 IOS ver 9.2.3
    I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
    I tried these commands but they didn't work:
    object network NAS
    host 192.168.2.8
    nat (inside,outside) static interface service tcp 21 1545
    access-list NASFTP-in permit tcp any object NAS eq 1545
    conf t
    int vlan 2
    access-group NASFTP-in permit tcp any object NAS eq 1545
    I really appreciate the help everyone.

    Try this, it worked for me. Here is an example of adding a web server with an IP of 10.10.50.60, naming it with an object called WWW-SERVER and forwarding port 80. The way it works is you need to do three things: you need to "NAT it", "forward it" and allow it in the "ACL".
    object network WWW-SERVER
     host 10.10.50.60
     nat (inside,outside) static interface service tcp 80 80
    !
    object network INSIDE
     nat (inside,outside) dynamic interface
    !
    access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
    access-group Outside_access_in in interface Outside
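    The reply's three pieces (NAT it, forward it, allow it in the ACL) are the right checklist; the detail the original commands miss is that on ASA 8.3 and later the ACL is evaluated against the real (pre-NAT) address and port, so the ACE for the NAS must permit port 21 (ftp), not the mapped 1545, and the ACL only takes effect once it is bound with access-group on the outside interface. (IOS, as in the earlier thread, is the other way round: an inbound ACL on the outside interface sees the public address.) The following is an added example, not code from the thread: a small Python linter that parses a pasted ASA object-NAT port forward and reports exactly those mistakes. The two configs are constructed from the asker's snippet, and the service-name table is a small assumed subset of what ASA accepts.

```python
"""Check an ASA (8.3+) object-NAT port forward for the mistakes that break it:
missing host line, an ACE written against the mapped port instead of the real
one, and an ACL never bound with access-group on the mapped-side interface.
Added example; the configs below are constructed from the thread's snippet."""
import re
from dataclasses import dataclass
from typing import Optional

# Service names ASA accepts in place of numbers (subset; assumption for the example).
PORT_NAMES = {"ftp": 21, "ssh": 22, "smtp": 25, "www": 80, "http": 80, "https": 443}

@dataclass
class NetObject:
    name: str
    host: Optional[str] = None
    nat: Optional[tuple] = None  # (real_ifc, mapped_ifc, proto, real_port, mapped_port)

ADDR = r"(any|host \S+|object \S+|\S+ \S+)"
OBJECT_RE = re.compile(r"^object network (\S+)$")
HOST_RE = re.compile(r"^host (\S+)$")
NAT_RE = re.compile(r"^nat \((\S+),(\S+)\) static interface service (tcp|udp) (\S+) (\S+)$")
ACE_RE = re.compile(rf"^access-list (\S+) (?:extended )?permit (tcp|udp) {ADDR} {ADDR} eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\S+)$")

def port_number(token: str) -> Optional[int]:
    """'ftp' -> 21, '1545' -> 1545; unknown names give None."""
    return int(token) if token.isdigit() else PORT_NAMES.get(token.lower())

def parse_config(text: str):
    """Collect network objects (host + static NAT), ACEs and access-group bindings."""
    objects, aces, groups = {}, [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := OBJECT_RE.match(line):
            current = objects.setdefault(m.group(1), NetObject(m.group(1)))
        elif (m := HOST_RE.match(line)) and current:
            current.host = m.group(1)
        elif (m := NAT_RE.match(line)) and current:
            current.nat = (m.group(1), m.group(2), m.group(3),
                           port_number(m.group(4)), port_number(m.group(5)))
        elif m := ACE_RE.match(line):
            current = None
            aces.append((m.group(1), m.group(2), m.group(4), port_number(m.group(5))))  # acl, proto, dst, port
        elif m := GROUP_RE.match(line):
            current = None
            groups[m.group(1)] = m.group(2)
    return objects, aces, groups

def lint(text: str) -> list:
    """Return findings as strings; an empty list means NAT, ACE and binding line up."""
    objects, aces, groups = parse_config(text)
    findings = []
    for obj in objects.values():
        if obj.nat is None:
            continue
        _real_ifc, mapped_ifc, proto, real_port, mapped_port = obj.nat
        if obj.host is None:
            findings.append(f"{obj.name}: static NAT present but no 'host' line")
        # On 8.3+ the ACL sees the REAL destination: match on object name or real host.
        hits = [a for a in aces if a[1] == proto and a[2] in (f"object {obj.name}", f"host {obj.host}")]
        if not hits:
            findings.append(f"{obj.name}: no ACE permits {proto} to the object's real address")
        for acl, _, _, port in hits:
            if port != real_port:
                why = (" (that is the mapped port; ACLs on ASA 8.3+ match the real, pre-NAT port)"
                       if port == mapped_port else "")
                findings.append(f"{acl}: permits {proto}/{port} to {obj.name} but the NAT real port is {real_port}{why}")
            if groups.get(acl) != mapped_ifc:
                findings.append(f"{acl}: missing 'access-group {acl} in interface {mapped_ifc}'")
    return findings

# Constructed from the asker's snippet: ACE on the mapped port, ACL never applied.
BROKEN_CONFIG = """
object network NAS
 host 192.168.2.8
 nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in permit tcp any object NAS eq 1545
"""
# Same forward with the ACE on the real port and the ACL bound on outside.
FIXED_CONFIG = """
object network NAS
 host 192.168.2.8
 nat (inside,outside) static interface service tcp 21 1545
access-list NASFTP-in extended permit tcp any object NAS eq ftp
access-group NASFTP-in in interface outside
"""

if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "OK")
```

Run it as-is to see the two findings for the asker's version and a clean result for the corrected one; paste your own `show run object`, `show run access-list` and `show run access-group` output into `lint()` to check a real forward. The parser only understands the object-NAT form shown in the thread (static to `interface` with a `service` clause), not manual/twice NAT.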

  • Cisco 5520 ASA Port Forward to Endian Firewall VPN Question

    Hello,
    We have had a VPN operational on our Endian Firewall which uses OpenVPN server on port number 1194.  We recently purchased a Cisco 5520 ASA to put in front of our Endian Firewall and I am still hoping to use our current Endian Firewall VPN server.  So I am thinking the easiest way to make this happen is to port forward all vpn traffic through the ASA to our Endian Firewall to access the VPN.  Anyhow, I am just hoping someone with higher knowledge can let me know if this is the best course of action or if there is another easier or more efficient way of doing this?
    Thanks for your comments in advance I am new to cisco technology,
    Joe        

    Wrong forum; post in "Security - Firewalling". You can move your posting with the Actions panel on the right.

  • ASA 9.2 Port Forward

    Hello,
    I have a problem with a single port forward on a 9.2 ASA (5505). Here is the related config:
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
    access-list DMZ_in extended permit ip any any
    nat (DMZ,outside) source dynamic obj_any interface
    nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
    object network Public_Server
     nat (DMZ,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    When I try to access the server, the console reports an ACL drop. The packet tracer says it was dropped by the implicit deny rule. Can you help me find what the problem could be?
    Thank You!

    Yes, of course I can ping, and also from VPN. The web service also works from VPN and locally. The packet-tracer says the same, the implicit deny catches it:
    packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad2a1718, priority=1, domain=permit, deny=false
            hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=outside, output_ifc=any
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    in   OUTIFIP  255.255.255.255 identity
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad071248, priority=1, domain=nat-per-session, deny=true
            hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=any, output_ifc=any
    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad2a23b8, priority=0, domain=permit, deny=true
            hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=outside, output_ifc=any
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
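    Reading the trace above: it goes ROUTE-LOOKUP to the ASA's own address (identity, egress "NP Identity Ifc"), a per-session NAT phase, and then the implicit deny in ACCESS-LIST; there is no UN-NAT phase, which is the step packet-tracer prints when a static NAT untranslates the destination to the real server. Without that step the outside ACL is evaluated against the interface IP, which `permit tcp any host 10.168.50.5 eq www` cannot match. The following is an added example, not part of the thread: a Python parser that splits packet-tracer output into phases, pulls out the dropping phase, the drop-reason code and the egress interface, and applies that one heuristic (ACL implicit-deny drop with no UN-NAT phase). The sample trace is constructed from the posted output, shortened; the hint text is my own reading, not ASA output.

```python
"""Parse ASA packet-tracer output and point at the phase that dropped the flow.
Added example; SAMPLE_TRACE is constructed (abbreviated) from a posted trace."""
import re

SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
 in  id=0xad2a1718, priority=1, domain=permit, deny=false
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
in   OUTIFIP  255.255.255.255 identity
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 in  id=0xad071248, priority=1, domain=nat-per-session, deny=true
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
 in  id=0xad2a23b8, priority=0, domain=permit, deny=true
Result:
input-interface: outside
input-status: up
output-interface: NP Identity Ifc
output-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_packet_tracer(text):
    """Return (phases, summary): phases are dicts with type/subtype/result/config,
    summary holds the key: value lines after the bare 'Result:' footer."""
    phases, summary = [], {}
    cur, in_config, in_summary = None, False, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"^Phase:\s*(\d+)$", line):
            cur = {"phase": int(m.group(1)), "type": "", "subtype": "", "result": "", "config": []}
            phases.append(cur)
            in_config = in_summary = False
            continue
        if line == "Result:":                      # bare 'Result:' opens the footer
            cur, in_config, in_summary = None, False, True
            continue
        if in_summary:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
        elif cur is not None:
            if line == "Config:":
                in_config = True
            elif line == "Additional Information:":
                in_config = False
            elif in_config:
                cur["config"].append(line)         # the rule/ACE text, e.g. 'Implicit Rule'
            else:
                key, _, value = line.partition(":")
                if key.strip().lower() in ("type", "subtype", "result"):
                    cur[key.strip().lower()] = value.strip()
    return phases, summary

def diagnose(text):
    """Locate the DROP phase and, for an ACL implicit-deny drop, say whether the
    destination was ever untranslated (UN-NAT phase present)."""
    phases, summary = parse_packet_tracer(text)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    untranslated = any(p["type"] == "UN-NAT" for p in phases)
    code = re.match(r"\(([^)]+)\)", summary.get("Drop-reason", ""))
    out = {
        "drop_phase": dropped["phase"] if dropped else None,
        "drop_type": dropped["type"] if dropped else None,
        "drop_config": " ".join(dropped["config"]) if dropped else None,
        "drop_code": code.group(1) if code else None,
        "egress": summary.get("output-interface"),
        "untranslated": untranslated,
        "hint": None,
    }
    if dropped and dropped["type"] == "ACCESS-LIST" and out["drop_config"] == "Implicit Rule":
        out["hint"] = ("no UN-NAT phase: the inbound ACL was checked against the mapped (interface) "
                       "address, so verify the static NAT actually matches this flow"
                       if not untranslated else
                       "destination was untranslated but no ACE matched: the ACE must permit the "
                       "real IP and real port")
    return out

if __name__ == "__main__":
    for k, v in diagnose(SAMPLE_TRACE).items():
        print(f"{k}: {v}")
```

Feed it the full output of `packet-tracer input outside tcp <src> <sport> <mapped-ip> <dport> detail`; the "untranslated" flag is the first thing to look at when the drop is an ACL implicit deny, because it separates "the NAT rule never matched" from "the ACE is written against the wrong address or port".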
