Redirect port 80 in a zone to port 8070 in a zone - IPFILTER/IPNAT
I have a non-root user running a web server on 8070 in a zone, and he wants port 80 redirected to 8070 so his URL won't have :8070 in it.
On Linux with iptables, I did:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8070
Works great, all traffic to port 80 is redirected to port 8070.
How can I do the same with IP Filter? I understand IP Filter has to be run in the global zone, not a problem.
DBSanders, I have a similar configuration on my research network.
I wanted all web traffic coming to the bastion host (stargate) to be routed to 443 on my webserver (prometheus);
dmfe0 is the internal adapter, and dmfe1 is the external adapter.
So, my solution looks like this:
stargate:/etc/ipf/ipf.conf:
pass in quick on dmfe1 from any to any port=80 keep state
pass in quick on dmfe1 from any to any port=8080 keep state
pass in quick on dmfe1 from any to any port=443 keep state
pass out quick from prometheus port=443 to any keep state
stargate:/etc/ipf/ipnat.conf:
rdr dmfe1 stargate port 80 -> prometheus port 443 tcp
rdr dmfe1 stargate port 443 -> prometheus port 443 tcp
rdr dmfe1 stargate port 8080 -> prometheus port 443 tcp
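As an added example (not code from the thread, and not IPFilter's own tooling), the following Python script renders the ipnat.conf `rdr` line and the matching ipf.conf `pass in` rule for one redirection, such as the asker's port 80 to 8070 case, and checks a pair of config texts for `rdr` rules whose translated destination port no inbound pass rule admits. It relies on the documented IPFilter order in which inbound packets are translated by ipnat before the ipf rules see them, so the filter must admit the post-translation destination. The interface name, the `webzone` host and the sample configs are assumptions, modelled on the stargate/prometheus rules above.

```python
"""Render and sanity-check IPFilter/IPNAT port redirections (constructed example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RdrRule:
    ifname: str
    vip: str
    vport: int
    target: str
    tport: int
    proto: Optional[str]  # None when the rdr line omits the protocol


@dataclass(frozen=True)
class PassInRule:
    ifname: str
    dst: str   # "any" or a host/network as written in the rule
    port: int


# rdr <if> <vip> port <n> -> <target> port <m> [tcp|udp|tcp/udp]
RDR_RE = re.compile(
    r"^rdr\s+(\S+)\s+(\S+)\s+port\s+(\d+)\s*->\s*(\S+)\s+port\s+(\d+)"
    r"(?:\s+(tcp/udp|tcp|udp))?\s*$"
)
# pass in [quick] on <if> [proto X] from <src> to <dst> port = <n> ...
PASS_IN_RE = re.compile(
    r"^pass\s+in\b.*?\bon\s+(\S+)\b.*?\bto\s+(\S+)\s+port\s*=\s*(\d+)"
)


def _lines(text: str):
    """Yield non-empty config lines with '#' comments stripped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line


def parse_ipnat(text: str) -> List[RdrRule]:
    """Collect rdr rules; other ipnat rule types (map, bimap) are ignored."""
    rules = []
    for line in _lines(text):
        m = RDR_RE.match(line)
        if m:
            rules.append(RdrRule(m[1], m[2], int(m[3]), m[4], int(m[5]), m[6]))
    return rules


def parse_ipf_pass_in(text: str) -> List[PassInRule]:
    """Collect inbound pass rules that match on a destination port."""
    rules = []
    for line in _lines(text):
        m = PASS_IN_RE.match(line)
        if m:
            rules.append(PassInRule(m[1], m[2], int(m[3])))
    return rules


def render_redirect(ifname: str, vip: str, vport: int, target: str, tport: int,
                    proto: str = "tcp") -> Tuple[str, str]:
    """Return the (ipnat.conf, ipf.conf) lines redirecting vip:vport to target:tport."""
    nat = f"rdr {ifname} {vip} port {vport} -> {target} port {tport} {proto}"
    flt = (f"pass in quick on {ifname} proto {proto} from any to {target} "
           f"port = {tport} keep state")
    return nat, flt


def check_redirects(ipnat_text: str, ipf_text: str) -> List[str]:
    """Report rdr rules whose translated destination is admitted by no pass-in
    rule on the same interface (inbound packets are translated, then filtered)."""
    passes = parse_ipf_pass_in(ipf_text)
    findings = []
    for r in parse_ipnat(ipnat_text):
        admitted = any(
            p.ifname == r.ifname and p.port == r.tport and p.dst in ("any", r.target)
            for p in passes
        )
        if not admitted:
            findings.append(
                f"rdr {r.ifname} {r.vip}:{r.vport} -> {r.target}:{r.tport}: "
                f"no 'pass in' rule on {r.ifname} admits destination port {r.tport}"
            )
    return findings


# Constructed sample configs in the shape of the stargate/prometheus rules.
SAMPLE_IPF = """\
pass in quick on dmfe1 from any to any port=80 keep state
pass in quick on dmfe1 from any to any port=8080 keep state
pass in quick on dmfe1 from any to any port=443 keep state
pass out quick from prometheus port=443 to any keep state
"""
SAMPLE_IPNAT = """\
rdr dmfe1 stargate port 80 -> prometheus port 443 tcp
rdr dmfe1 stargate port 443 -> prometheus port 443 tcp
rdr dmfe1 stargate port 8080 -> prometheus port 443 tcp
"""

if __name__ == "__main__":
    print(check_redirects(SAMPLE_IPNAT, SAMPLE_IPF))   # translated port 443 is admitted
    nat, flt = render_redirect("dmfe1", "stargate", 80, "webzone", 8070)  # assumed zone host
    print(nat)
    print(flt)
    # Leaving out the pass rule for the translated port is the common mistake; flag it.
    print(check_redirects(nat, "pass in quick on dmfe1 from any to any port=80 keep state"))
```

The checker deliberately looks for the post-translation port (443 in the thread's case, 8070 in the asker's), not the public-facing port: a `pass in ... port=80` rule alone would not admit a packet that ipnat has already rewritten to port 8070.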
Similar Messages
-
How can I add a redirect port, or RPT port, in Windows 7?
I'm dumbfounded. I know in Windows XP there was an option to add a printer and select the redirection port. Seems in Windows 7, or at least my installation, that option is missing. I need to be able to add a redirect port to setup some
specialized printing we do here in our office. Hope my question makes sense and I hope I have just missed something and it's really just not that it's not possible or I'm screwed!
Also I have tried the "Add New Port Type" options and it asks for a driver which I can't seem to find anywhere. Any help is much appreciated as this has halted my Windows 7 roll out.
Hi,
Do you mean in Windows XP, we can add a new port in File-> Server Properties-> Ports-> Add Ports?
If this is the issue, please see the information below:
====================================
In Windows 7, we have no Server Properties options. But we can also achieve the same goal by using the following two methods:
Method 1: Right click one of the local printers and select Printer Properties. Click Ports-> Add Port…
Method 2: In Control Panel, click Administrative Tool and select Print Management. Then open Print Servers and select the local machine. Then right click Ports and
click Add Ports…
Hope this can have a little help.
Best regards,
Spencer Shi
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
-
I am trying to redirect port 3500 of dialer0 to IP 192.168.1.2 in the LAN with the same port number. I already set up NAT and created ACL rules, but I could not get it working.
Router: Cisco 836
My config:
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
hostname cisco5000
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
ip subnet-zero
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip cef
ip ips po max-events 100
vpdn enable
l2tp-class PTRP-L2TP
authentication
hello 50
password 7 xx
exit
pseudowire-class PTRP-PWC
encapsulation l2tpv2
protocol l2tpv2 PTRP-L2TP
ip local interface Dialer1
exit
no ftp-server write-enable
interface Ethernet0
description == LAN =
ip address 192.168.1.15 255.255.255.0
ip directed-broadcast
no ip proxy-arp
no ip mroute-cache
no keepalive
no cdp enable
exit
interface BRI0
no ip address
no cdp enable
exit
interface ATM0
no ip address
load-interval 30
no atm ilmi-keepalive
dsl operating-mode auto
exit
interface ATM0.1 point-to-point
pvc 0/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
exit
interface FastEthernet1
no ip address
duplex auto
speed auto
exit
interface FastEthernet2
no ip address
duplex auto
speed auto
exit
interface FastEthernet3
no ip address
duplex auto
speed auto
exit
interface FastEthernet4
no ip address
duplex auto
speed auto
exit
interface Virtual-PPP1
description == Tunel L2TP BE-BT1 ==
ip address negotiated
backup delay 30 30
backup interface Virtual-PPP2
no cdp enable
ppp pap sent-username xx
pseudowire xxx.xxx.xxx.xxx pw-class PTRP-PWC
exit
interface Virtual-PPP2
description == Tunel L2TP BE ==
ip address negotiated
no cdp enable
ppp pap sent-username xx
pseudowire xxx.xxx.xxx.xxx 10 pw-class PTRP-PWC
exit
interface Dialer1
description == ADSL ==
ip address negotiated
ip access-group 111 in
no ip unreachables
encapsulation ppp
no ip route-cache cef
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer remote-name xx
dialer idle-timeout 0
dialer-group 1
ppp pap sent-username xx
exit
ip classless
ip route 0.0.0.0 0.0.0.0 Virtual-PPP1 10
ip route 0.0.0.0 0.0.0.0 Virtual-PPP2 100
ip route xxx.xxx.xxx.xxx 255.255.255.255 Dialer1
ip route xxx.xxx.xxx.xxx 255.255.255.255 Dialer1
ip http server
ip http authentication local
ip http secure-server
access-list 7 remark === Remote CONF ===
access-list 7 permit xxx.xxx.xxx.xxx
access-list 7 permit xxx.xxx.xxx.xxx
access-list 111 remark === internet ===
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any time-exceeded
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 permit ip host xxx.xxx.xxx.xxx any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
control-plane
exit
line con 0
no modem enable
transport preferred all
transport output all
stopbits 1
exit
line aux 0
transport preferred all
transport output all
exit
line vty 0 4
access-class 7 in
transport preferred all
transport input all
transport output all
exit
scheduler max-task-time 5000
scheduler interval 500
exit
end
content WEB_80
vip address 10.1.18.11
add service 1
protocol tcp
add service 2
port 80
advanced-balance sticky-srcip
active
In this example the request will come in through port 80, but for it to go out by port 3500 we can add the command port xxxx (where xxxx is the number of the port) in a service. This will allow the CSS to redirect the request to the server on the desired port.
This is just an example to let you see how and where to configure it.
-
I know this is a very basic question but how do you redirect port 80? I have an option to port forward or port trigger.
What I am trying to do is use a program called Remote Administrator. It works locally on my network but as soon as I try to connect from outside the network it fails. I suspect port 80 is the issue and no matter what I do it still comes up as stealth on the GRC site. So, I port forwarded 80 (both TCP & UDP) to my local ip address that I want to connect to and no go.
Am I missing some hidden place in the router config that has redirect...
Thanks in advance
I agree with you but someone misled me to believe that port 80 was the problem. I have port forwarded 4899 to my internal IP and it still does not connect. I have tried using a no-ip program called canyouseemee to verify if the port is open but it appears to be closed. I can connect locally but not over the internet so I assume it's a router/firewall issue.
Any ideas?
-
Hey, I have created a simple HTTP server, so when I type
> curl http://localhost:8080/
it gives me the response:
> Hello World
Now I want the same to happen when I type:
> curl http://localhost:80/
I could do that by changing the port that the HTTP server is listening on, but it would require that I run it as a superuser and I don't want that.
I have tried to use the ipfw command (I have very limited knowledge about it):
> ipfw add 100 fwd 127.0.0.1,8800 tcp from any to any 80 in
it then says:
> 00100 fwd 127.0.0.1,8800 tcp from any to any dst-port 80 in
I look at the list:
> ipfw -d -e -t -a list
it says:
> 00100 1 64 Thu Aug 4 14:47:51 2011 fwd 127.0.0.1,8800 tcp from any to any dst-port 80 in
> 65535 188 33853 Thu Aug 4 14:45:39 2011 allow ip from any to any
But when I try to get a response from my HTTP server:
> curl http://localhost:80/
It says:
> curl: (7) couldn't connect to host
I restart my computer and check the list again:
> ipfw -d -e -t -a list
It says:
> 65535 464 111936 Thu Aug 4 14:48:39 2011 allow ip from any to any
So somehow the rule has been removed.
What can I do to redirect port 80 to 8080?
I should have written
sudo ipfw add 100 fwd 127.0.0.1,8080 tcp from any to me 80
I believe the important difference is the change from any to me in the last part.
And rules applied to ipfw will be reset after restarting.
-
Hello,
Below is my configuration for redirecting http://apps.domain.local to http://apps.domain.local:8080. Please let me know if I am on the right track.
Thanks,
rserver redirect REDIRECT_TO_8080
description SAP BO Redirect RServer from 80 to 8080
webhost-redirection http://%h%p:8080 301
inservice
serverfarm redirect SF_REDIRECT_8080
description SAP BO Redirect RServer from 80 to 8080
rserver REDIRECT_TO_8080
inservice
class-map match-all VIP_SAP_BO_8080
2 match virtual-address 10.1.0.99 tcp eq 8080
class-map match-all VIP_SAP_BO_80
2 match virtual-address 10.1.0.99 tcp eq 80
policy-map type loadbalance first-match PM_REDIRECT_8080
class class-default
serverfarm SF_REDIRECT_8080
policy-map type loadbalance first-match PM_LB_SAP_BO
description Load Balance Policy for SAP Business Objects
class class-default
sticky-serverfarm IP_STICKY_SAP_BO
policy-map multi-match PM_MULTI_MATCH_LB
description Load Balancing Service Policy 1
class VIP_VIP_SAP_BO_80
loadbalance vip inservice
loadbalance policy PM_REDIRECT_8080
loadbalance vip icmp-reply active
class VIP_SAP_BO_8080
loadbalance vip inservice
loadbalance policy PM_LB_SAP_BO
loadbalance vip icmp-reply active
Hello,
I have a similar requirement and I have tried unsuccessfully to achieve it; I would appreciate your help with it. Below is the scenario: the ACE load balances requests received on port 8080, but when the ACE receives the request on port 80, I am unable to redirect it to port 8080. Please let me know the mistake in this configuration, as it doesn't seem to work.
And the configuration is as follows:
access-list permitany line 8 extended permit ip any any
access-list permitany line 9 extended permit icmp any any
access-list permitany line 10 extended permit tcp any any
probe tcp CONTENT-PROBE-SERVERS-8080
port 8080
interval 30
passdetect interval 10
open 1
rserver host CONTENT-SERVER-1
ip address 192.168.3.130
inservice
rserver host CONTENT-SERVER-2
ip address 192.168.3.140
inservice
serverfarm host CONTENT-SERVERS-8080
probe CONTENT-PROBE-SERVERS-8080
rserver CONTENT-SERVER-1 8080
inservice
rserver CONTENT-SERVER-2 8080
inservice
sticky ip-netmask 255.255.255.255 address source STICKY-CONTENT-SERVERS-8080
timeout 120
replicate sticky
serverfarm CONTENT-SERVERS-8080
class-map match-any CMAP-CONTENT-SERVERS-8080
2 match virtual-address 192.168.3.145 tcp eq 8080
class-map match-any CMAP-WEB-SERVERS-80
2 match virtual-address 192.168.3.145 tcp eq www
class-map type management match-any remote_access
2 match protocol xml-https any
3 match protocol icmp any
4 match protocol telnet any
5 match protocol ssh any
6 match protocol http any
7 match protocol https any
8 match protocol snmp any
policy-map type management first-match MANAGEMENT-ACCESS
class remote_access
permit
policy-map type loadbalance first-match PMAP-CONTENT-SERVERS-8080
class class-default
sticky-serverfarm STICKY-CONTENT-SERVERS-8080
policy-map type loadbalance first-match PMAP-WEB-SERVERS-80
class class-default
sticky-serverfarm STICKY-CONTENT-SERVERS-8080
policy-map multi-match NLB-SERVERS
class CMAP-WEB-SERVERS-80
loadbalance vip inservice
loadbalance policy PMAP-WEB-SERVERS-80
loadbalance vip icmp-reply
class CMAP-CONTENT-SERVERS-8080
loadbalance vip inservice
loadbalance policy PMAP-CONTENT-SERVERS-8080
loadbalance vip icmp-reply
nat dynamic 1000 vlan 113
interface vlan 113
description **** CLIENT VLAN ****
bridge-group 1
mac-sticky enable
no icmp-guard
access-group input NONIP
access-group input permitany
access-group output permitany
nat-pool 1000 192.168.3.145 192.168.3.145 netmask 255.255.255.255 pat
service-policy input MANAGEMENT-ACCESS
service-policy input NLB-SERVERS
no shutdown
interface vlan 500
description **** SERVER VLAN ****
bridge-group 1
access-group input NONIP
access-group input permitany
access-group output permitany
service-policy input MANAGEMENT-ACCESS
no shutdown
interface bvi 1
ip address 192.168.3.234 255.255.255.0
alias 192.168.3.236 255.255.255.0
peer ip address 192.168.3.235 255.255.255.0
no shutdown
-
Hello All,
I'm a little confused, and I'm not getting there.
I had this config scheme, and it works fine:
All SSL traffic is terminated in the SSL module and handed back to the content rule as port 80.
It matches the content HTTP-Aplj and sends traffic to service esl0011-7777.
It works fine, with http and https.
Then I tried the following many times, unsuccessfully:
I want http traffic to go just like in the current config, ending on the backend servers on port 7777, but I want the https traffic to be redirected to 4443.
I have done some tries on several parts of the configs, adding new services for port 4443, an ssl-proxy-list, and a new content rule.
I even got this message when I was trying to activate the content SSL-Aplj:
%% Not all content VIP:Port combinations are configured in a ssl-proxy-list for sslAccel type of services
Please give me some ideas to achieve this goal.
The following config is the basic config for the 1st step. The working one.
Best Regards,
Bruno Petrónio
************** SSL-Proxy-List **************
ssl-server 90 vip address 10.1.2.136
ssl-server 90 urlrewrite 1 https:\\10.1.2.136
ssl-server 90 rsacert xxxxcert
ssl-server 90 rsakey xxxxkey
ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 80
************** SERVICE **************
service MODSSL
slot 2
type ssl-accel
keepalive type none
add ssl-proxy-list ssl1
active
service esl0011-7777
ip address 10.1.1.120
port 7777
keepalive type http
keepalive port 7777
keepalive uri "/"
active
************** OWNER **************
owner Test
content HTTP-Aplj
vip address 10.1.2.136
port 80
protocol tcp
add service esl0011-7777
redundancy-l4-stateless
active
content SSL-Aplj
vip address 10.1.2.136
add service MODSSL
application ssl
advanced-balance ssl
protocol tcp
port 443
url "/*"
redundancy-l4-stateless
active
try the following
ssl-server 90 vip address 10.1.2.136
ssl-server 90 urlrewrite 1 10.1.2.136
ssl-server 90 rsacert xxxxcert
ssl-server 90 rsakey xxxxkey
ssl-server 90 cipher rsa-export-with-rc4-40-md5 10.1.2.136 4443
service esl0011-4443
ip address 10.1.1.120
port 4443
keepalive type http
keepalive uri "/"
active
content HTTP-4443
vip address 10.1.2.136
port 4443
protocol tcp
add service esl0011-4443
active
BTW, I also corrected your urlrewrite command as it was incorrect. You need to specify the host. So not http or https in front.
Gilles.
-
How can I redirect a tcp/udp port through a CSS? I have an application running on VLAN2 and it needs to connect to a server running on VLAN3. This application first goes to a vip address in the CSS, and this vip is balancing the service across TCP port 1352 in a Raptor firewall. The log in the Raptor says "Non-transparent call from x.x.x.x" ... Any suggestion?
If you're only doing firewall loadbalancing, the CSS is not going to NAT the traffic or change any port.
Your firewalls should be doing this.
If you also have a VIP defined with services, each service representing a server, you can configure different port for each one of them.
If you still need more help, please give us an example of traffic flow with traffic before and after the CSS and what you expect to see.
Gilles.
-
I am running a local zone on Solaris 10 on a SunFire 480R. I would like to know how to redirect ports 80 and 443 to 8080 and 8443.
Yes, that is how I solved my problem. I gave the username for the application authorization to access the lower ports (<1024) and had the software point to them.
...thanks...
-
DesktopApp auto update URL port redirection.
Hi Everyone,
We are using Filr-1.0.1-HP1 and we are using the port-redirection option to redirect ports 80 & 443 to 8080 & 8443 respectively. However this port-redirection doesn't seem to work for the auto update URL. I would rather not open port 8443 on the firewall. Am I missing some configuration option somewhere?
https://<baseurl>/Desktopapp
invalid URL
https://<baseurl>:8443/Desktopapp
OK
Kind Regards,
Justin Zandbergen
edit: typos
Originally Posted by thsundel
Justin, take a look here: https://forums.novell.com/showthread...67#post2295867
Tomas
Hi Thomas,
Thanks for the advice, I knew that was an option, but I would have preferred to stick it on filr.<customer>.nl/desktopapp instead of something.<customer>.nl/desktopapp. Ah well, it works now. Thanks!
Kind Regards,
Justin Zandbergen
-
Hi.
I have a question about redirecting GPIB port.
I have two applications for controlling one instrument. The problem is that program one wants the instrument to be on GPIB port 14 and the other program wants the instrument to be on GPIB port 2.
So instead of switching the instrument GPIB port all the time, I wonder if there is any better solution, like redirecting port 2 to 14...
Best Regards.
Hello!
I am afraid that I don't fully understand what you are asking for. You have two programs that are controlling the very same instrument through the same GPIB controller, is that correct? What address does MAX say the instrument has? Which programming environment are you in? How do you set up the addresses for the instrument?
Just questions as you see but I would like to get a better understanding of your problem!
Regards,
Jimmie A.
Applications Engineer, National Instruments
Regards,
Jimmie Adolph
Systems Engineer Manager, National Instruments Northern Region
Bring Me The Horizon - Sempiternal
-
Port Forwarding for RDP 3389 is not working
Hi,
I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall, it's just the Cisco. I highlighted in red what I thought I need in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
TAMSATR1#show run
Building configuration...
Current configuration : 11082 bytes
version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname TAMSATR1
boot-start-marker
boot system flash:/c880data-universalk9-mz.152-1.T.bin
boot-end-marker
logging count
logging buffered 16384
enable secret
aaa new-model
aaa authentication login default local
aaa authentication login ipsec-vpn local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization console
aaa authorization exec default local
aaa authorization network groupauthor local
aaa session-id common
memory-size iomem 10
clock timezone CST -6 0
clock summer-time CDT recurring
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-1879941380
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1879941380
revocation-check none
rsakeypair TP-self-signed-1879941380
crypto pki certificate chain TP-self-signed-1879941380
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383739 39343133 3830301E 170D3131 30393136 31393035
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38373939
34313338 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100BD7E 754A0A89 33AFD729 7035E8E1 C29A6806 04A31923 5AE2D53E 9181F76C
ED17D130 FC9B5767 6FD1F58B 87B3A96D FA74E919 8A87376A FF38A712 BD88DB31
88042B9C CCA8F3A6 39DC2448 CD749FC7 08805AF6 D3CDFFCB 1FE8B9A5 5466B2A4
E5DFA69E 636B83E4 3A2C02F9 D806A277 E6379EB8 76186B69 EA94D657 70E25B03
542D0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
ip dhcp excluded-address 10.20.30.1 10.20.30.99
ip dhcp excluded-address 10.20.30.201 10.20.30.254
ip dhcp excluded-address 10.20.30.250
ip dhcp pool tamDHCPpool
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
domain-name domain.com
dns-server 10.20.30.20 8.8.8.8
ip domain name domain.com
ip name-server 10.20.30.20
ip cef
no ipv6 cef
license udi pid CISCO881W-GN-A-K9 sn
crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
ip tftp source-interface Vlan1
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
zone security sslvpn-zone
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp policy 20
encr aes 192
authentication pre-share
group 2
crypto isakmp key password
crypto isakmp client configuration group ipsec-ra
key password
dns 10.20.30.20
domain tamgmt.com
pool sat-ipsec-vpn-pool
netmask 255.255.255.0
crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
crypto ipsec transform-set TSET esp-aes esp-sha-hmac
crypto ipsec profile VTI
set security-association replay window-size 512
set transform-set TSET
crypto dynamic-map dynmap 10
set transform-set ipsec-ra
reverse-route
crypto map clientmap client authentication list ipsec-vpn
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.20.250.1 255.255.255.252
ip nat inside
ip virtual-reassembly in
interface Tunnel0
description To AUS
ip address 192.168.10.1 255.255.255.252
load-interval 30
tunnel source
tunnel mode ipsec ipv4
tunnel destination
tunnel protection ipsec profile VTI
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface FastEthernet4
ip address 1.2.3.4
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat outside
ip virtual-reassembly in
no ip route-cache cef
ip route-cache policy
ip policy route-map IPSEC-RA-ROUTE-MAP
duplex auto
speed auto
crypto map clientmap
interface Virtual-Template1
ip unnumbered Vlan1
zone-member security sslvpn-zone
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
no ip address
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.20.30.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
ip default-gateway 71.41.20.129
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
ip nat inside source static 10.20.30.20 (public ip)
ip route 0.0.0.0 0.0.0.0 public ip
ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
ip access-list extended ACL-POLICY-NAT
deny ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
deny ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
deny ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
permit ip 10.20.30.0 0.0.0.255 any
permit ip 10.20.31.208 0.0.0.15 any
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended INTERNET_IN
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit esp host 24.153. host 66.196
permit udp host 24.153 host 71.41.eq isakmp
permit tcp host 70.123. host 71.41 eq 22
permit tcp host 72.177. host 71.41 eq 22
permit tcp host 70.123. host 71.41. eq 22
permit tcp any host 71..134 eq 443
permit tcp host 70.123. host 71.41 eq 443
permit tcp host 72.177. host 71.41. eq 443
permit udp host 198.82. host 71.41 eq ntp
permit udp any host 71.41. eq isakmp
permit udp any host 71.41eq non500-isakmp
permit tcp host 192.223. host 71.41. eq 4022
permit tcp host 155.199. host 71.41 eq 4022
permit tcp host 155.199. host 71.41. eq 4022
permit udp host 192.223. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit udp host 155.199. host 71.41. eq 4022
permit tcp any host 10.20.30.20 eq 3389
evaluate INTERNET_REFLECTED
deny ip any any
ip access-list extended INTERNET_OUT
permit ip any any reflect INTERNET_REFLECTED timeout 300
ip access-list extended IPSEC-RA-ROUTE-MAP
deny ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
deny ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
deny ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
deny ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
permit ip 10.20.30.208 0.0.0.15 any
deny ip any any
access-list 23 permit 70.123.
access-list 23 permit 10.20.30.0 0.0.0.255
access-list 24 permit 72.177.
no cdp run
route-map IPSEC-RA-ROUTE-MAP permit 10
match ip address IPSEC-RA-ROUTE-MAP
set ip next-hop 10.20.250.2
banner motd ^C
UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
You must have explicit permission to access or configure this device. All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
^C
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
line vty 1 4
access-class 23 in
exec-timeout 5 0
privilege level 15
logging synchronous
transport input telnet ssh
scheduler max-task-time 5000
ntp server 198.82.1.201
webvpn gateway gateway_1
ip address 71.41. port 443
http-redirect port 80
ssl encryption rc4-md5
ssl trustpoint TP-self-signed-1879941380
inservice
webvpn context TAM-SSL-VPN
title "title"
logo file titleist_logo.jpg
secondary-color white
title-color #CCCC66
text-color black
login-message "RESTRICTED ACCESS"
policy group policy_1
functions svc-enabled
svc address-pool "sat-ipsec-vpn-pool"
svc default-domain "domain.com"
svc keep-client-installed
svc split dns "domain.com"
svc split include 10.0.0.0 255.0.0.0
svc split include 192.168.0.0 255.255.0.0
svc split include 172.16.0.0 255.240.0.0
svc dns-server primary 10.20.30.20
svc dns-server secondary 66.196.216.10
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
ssl authenticate verify all
inservice
end
Hi,
I didn't see anything marked with red in the above? (At least when I was reading)
I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public IP NAT IP address which in this case seems to be configured to use your FastEthernet4 interfaces public IP address.
There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
- Jouni
-
This is probably a stupid question but how do I open a port on a Cisco 1811? I have a Cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external IP address and port 5950. People outside the network will be able to open VNC viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal IP address of 10.11.101.10. What commands do I use to do this?
Thanks,
That didn't work. Here is the new running config:
Building configuration...
Current configuration : 12519 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname *Host Name*
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$3R6c$adcoV0cvM5hTzxOoPBByc0
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1097866965
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1097866965
revocation-check none
rsakeypair TP-self-signed-1097866965
crypto pki certificate chain TP-self-signed-1097866965
certificate self-signed 01
30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303937 38363639 3635301E 170D3131 30393039 31383130
32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30393738
36363936 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1C3 0B9F3231 E9911C7A 7A84E566 F4530769 16830F32 4A61F775 12CDDB5C
23227963 5A53E5C5 2C0E8945 640DB32C ACD17F1A 2C52EC96 7C274099 5D4BBD26
6E7C4DA9 32C5162B 0A54D437 64B719B9 36904DDA 7B23FC3C E7763F5E BF651874
1870462E FA0ABE9C 37918D53 2B5B13A7 4FADFC9E 1D8B0B64 141733A7 8DC61C03
80E90203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
551D1104 22302082 1E426F77 5F49736C 616E6453 43414441 2E796F75 72646F6D
61696E2E 636F6D30 1F060355 1D230418 30168014 0AEF8942 249D4EF1 A18B1BA6
389822CB 16CB4922 301D0603 551D0E04 1604140A EF894224 9D4EF1A1 8B1BA638
9822CB16 CB492230 0D06092A 864886F7 0D010104 05000381 81008DC2 DFF3604C
93BE4175 7078AC30 7391F8AF 4A15E116 C53D523E 12F6B5F4 15CA5635 C12576F7
0D5D1A2A F330F781 459F3418 7E82FFBD 2679E17C CDF07A4F A257B599 E7CCC9C6
38617B96 F2E66F0D 6BFBC000 524B377B 969D51BD 48A9BF8F 8C0220D4 BB249435
08688D18 794CAFB3 1F74F2F9 4E0C0245 AEA8E55A 2AE758A0 36CC
quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 10.11.101.1 10.11.101.99
ip dhcp pool ccp-pool1
import all
network 10.11.101.0 255.255.255.0
default-router 10.11.101.1
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
no ipv6 cef
multilink bundle-name authenticated
username *UserName* privilege 15 secret 5 $1$1O79$nIJGrBD9hCpDqheT3mDsC1
username VPNuser secret 5 $1$nPz8$Cni5jyIWv9zlKAU3B5no9.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *Key* address *External VPN IP Address*
crypto isakmp client configuration group VPN_Users
key *Key*
pool *VPN_pool*
acl 102
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to*External VPN IP Address*
set peer *External VPN IP Address*
set transform-set ESP-3DES-SHA
match address 103
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 101
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all VNC_CLASS
match access-group name VNC
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect VNC_POLICY
class type inspect VNC_CLASS
inspect
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect VNC-POLICY
class type inspect VNC_CLASS
inspect
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface FastEthernet9
interface Virtual-Template1
ip unnumbered FastEthernet0
zone-member security sslvpn-zone
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.11.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
ip local pool *VPN_pool* 10.11.101.50 10.11.101.99
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended VNC
permit tcp any host 10.11.101.10 eq 5950
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.101.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host 70.65.185.156
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.11.101.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host *External VPN IP Address* any
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 106 permit ip 10.11.101.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
scheduler interval 500
webvpn gateway gateway_1
ip address *External IP Address* port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1097866965
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179-anyconnect.pkg sequence 1
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 2
webvpn context *VPN_pool*
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "*VPN_pool*"
svc keep-client-installed
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
inservice
end -
Config network web-auth-port 8080
I configured the command config network web-auth-port 8080 in the controller. Now I want to revert it back to the previous settings.
Which command will revert back to the default setting?
Hi,
Just type the command again and put 0 as the redirect port:
config network web-auth-port 0
Save it and reboot the WLC. That will remove the additional port.
Thanks,
Lee -
Help: Port forward in Cisco SOHO 97
Hi there!
I have a Cisco SOHO 97.
The IP is: 10.0.0.1/24
Gw: 0.0.0.0
*Default route via DIALER1
I also have an RV042 configured as a VPN server (PPTP and IPSec).
The IP is: 10.0.0.2/24
I need help configuring the router so I can connect to the VPN server from the OUTSIDE WORLD.
I imagine I need port forwarding from the Cisco SOHO to the RV042.
I hope for possible answers!
Thanks!
Sorry, I found the issue.
The problem was that I wanted to redirect port 443 (https) to a private address.
But by default port 443 is reserved for accessing the ASA via https for management.
I just reserved another port, 888, for https management access, and now I can redirect port 443 normally as I wanted.
Using this command: http server enable 888
Germain
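An offline config lint, added here as an example and not code from either thread or from Cisco. It does two things: lint_ios() flags the legacy or plaintext settings that are visible in the IOS config posted above (Telnet allowed on the VTY lines, cleartext ip http server beside the secure server, 3DES and DH group 2 in the IPsec policy, type-5 MD5 secrets, the static NAT publishing TCP/5950, and the WebVPN port-80 redirect listener), and asa_mgmt_collisions() implements the check behind Germain's answer, where the ASA's HTTPS management listener on 443 takes the same outside port as a port-forward of 443 until the management port is moved (to 888, as in the answer). The config strings in the block are constructed excerpts written for this example, not the full posted configs, and the tag and function names are my own.

```python
"""Line-based lint for Cisco IOS and ASA running-config excerpts.

Added example for this thread, not code from either poster or from Cisco.
lint_ios() flags the legacy or plaintext settings visible in the IOS config
posted above; asa_mgmt_collisions() implements the check behind the answer
in the SOHO 97 thread, where the ASA HTTPS management listener
('http server enable', TCP/443 unless a port is given) claims the same
outside port as a static port-forward of 443.  The config strings are
constructed excerpts, not the full posted configs.
"""
import re

# (tag, pattern, finding).  Patterns run one line at a time with no section
# context, so each one is written to stand alone.
IOS_CHECKS = [
    ("telnet", re.compile(r"^\s*transport input\b.*\btelnet\b"),
     "Telnet accepted on a line; use 'transport input ssh'"),
    ("http-clear", re.compile(r"^ip http server$"),
     "cleartext HTTP management; 'no ip http server', keep the secure-server"),
    ("3des", re.compile(r"^\s*encr 3des$|\besp-3des\b"),
     "3DES in IKE or IPsec; move to AES"),
    ("weak-dh", re.compile(r"^\s*group [12]$"),
     "IKE DH group 1/2 (<= 1024-bit); use group 14 or an ECDH group"),
    ("md5-secret", re.compile(r"\bsecret 5 \$1\$"),
     "type-5 (salted MD5) secret; re-enter with 'algorithm-type scrypt' where supported"),
    ("static-nat", re.compile(r"^ip nat inside source static tcp \S+ \d+ interface \S+ (\d+)$"),
     "TCP port published on the outside interface; confirm a zone-pair permits it on purpose"),
    ("http-redirect", re.compile(r"^\s*http-redirect port \d+$"),
     "WebVPN keeps a plaintext listener open just to redirect"),
]


def lint_ios(config):
    """Return (line_number, tag, finding) triples, in config order."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for tag, pattern, text in IOS_CHECKS:
            if pattern.search(line):
                findings.append((lineno, tag, "%s [%s]" % (text, line.strip())))
    return findings


# ASA forms: 'http server enable [port]', the 8.3+ object NAT
# 'nat (in,out) static interface service tcp REAL MAPPED', and the older
# 'static (in,out) tcp interface MAPPED REAL_IP REAL netmask ...'.
ASA_HTTP = re.compile(r"^http server enable(?: (\d+))?\s*$")
ASA_OBJECT_NAT = re.compile(r"^\s*nat \(\S+,\S+\) static interface service tcp \d+ (\d+)\s*$")
ASA_OLD_STATIC = re.compile(r"^\s*static \(\S+,\S+\) tcp interface (\d+) \S+ \d+\b")


def asa_mgmt_collisions(config):
    """Return [(line_number, port)] for port-forwards whose mapped outside
    port equals the HTTPS management port.  Empty list means no collision."""
    mgmt_port = None
    forwarded = {}  # mapped outside port -> line number of the NAT statement
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = ASA_HTTP.match(line)
        if m:
            mgmt_port = int(m.group(1) or 443)
            continue
        m = ASA_OBJECT_NAT.match(line) or ASA_OLD_STATIC.match(line)
        if m:
            forwarded[int(m.group(1))] = lineno
    if mgmt_port in forwarded:
        return [(forwarded[mgmt_port], mgmt_port)]
    return []


# Constructed excerpt echoing the settings in the IOS config above
# (the hash is a placeholder, not the posted one).
IOS_EXCERPT = """\
username VPNuser secret 5 $1$abcd$0123456789abcdefghijkl
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
ip http server
ip http secure-server
ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950
line vty 0 4
 transport input telnet ssh
webvpn gateway gateway_1
 http-redirect port 80
"""

# Constructed ASA excerpt: management on the default 443 plus a 443 forward.
ASA_BROKEN = """\
http server enable
http 10.0.0.0 255.255.255.0 inside
static (inside,outside) tcp interface 443 10.0.0.2 443 netmask 255.255.255.255
"""
# The fix from the answer: move management HTTPS to 888.
ASA_FIXED = ASA_BROKEN.replace("http server enable", "http server enable 888")

if __name__ == "__main__":
    for lineno, tag, text in lint_ios(IOS_EXCERPT):
        print("IOS line %d [%s]: %s" % (lineno, tag, text))
    for name, cfg in (("broken", ASA_BROKEN), ("fixed", ASA_FIXED)):
        print("ASA %s: collisions %s" % (name, asa_mgmt_collisions(cfg)))
```

Run it against a saved `show running-config` instead of the embedded strings to audit a real box; the per-line patterns deliberately carry no section state, so a match such as `group 2` should be read together with the surrounding lines before acting on it.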