WRVS4400N Static Port Forwarding

Hi
I'm trying to get 3CX working and it is detecting that there are issues with the firewall on the router. I think I have narrowed it down to the router, as the problem still exists with Kaspersky and Windows Firewall off. Please see the bottom of this page for the results page from 3CX.
There are descriptions 3CX provide on getting this working for Linksys and Cisco routers.
The Linksys description is fairly straightforward and doesn't make any difference; the Cisco description appears to be a Windows-based utility with some similarities to the WRVS4400N web interface and setting up ACL rules, and replicating as closely as I can what I think should be set doesn't work either.
The link for the Cisco description is http://www.3cx.com/blog/voip-howto/cisco-voip-configuration/
The link for NAT firewall issues on 3CX is http://www.3cx.com/blog/voip-howto/static-port-mappings/
If anyone has any ideas or can point me in the right direction I'd be very grateful.
Kind regards
Mark
Firewall Output
3CX Firewall Checker, v1.0. Copyright (C) 3CX Ltd. All rights reserved.
<11:40:57>: Phase 1, checking servers connection, please wait...
<11:40:57>: Stun Checker service is reachable. Phase 1 check passed.
<11:40:57>: Phase 2a,  Check Port Forwarding to UDP SIP port, please wait...
<11:41:07>: UDP SIP Port is set to 5060. Response received WITH TRANSLATION 5061::5060. Phase 2a check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<11:41:07>: Phase 2b. Check Port Forwarding to TCP SIP port, please wait...
<11:41:08>: TCP SIP Port is set to 5060. Response received WITH TRANSLATION 5061::5060. Phase 2b check passed with WARNINGS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<11:41:08>: Phase 3. Check Port Forwarding to TCP Tunnel port, please wait...
<11:41:08>: TCP TUNNEL Port is set to 5090. Response received correctly with no translation. Phase 3 check passed.
<11:41:08>: Phase 4. Check Port Forwarding to RTP external port range, please wait...
<11:43:23>: UDP RTP Port 9000. Response received correctly with no translation. Phase 4-01 check passed.
<11:43:23>: UDP RTP Port 9001. Response received correctly with no translation. Phase 4-02 check passed.
<11:43:23>: UDP RTP Port 9002. Response received correctly with no translation. Phase 4-03 check passed.
<11:43:23>: UDP RTP Port 9003. Response received correctly with no translation. Phase 4-04 check passed.
<11:43:23>: UDP RTP Port 9004. Response received correctly with no translation. Phase 4-05 check passed.
<11:43:23>: UDP RTP Port 9005. NO RESPONSE received. Phase 4-06 check failed with ERRORS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<11:43:23>: UDP RTP Port 9006. Response received correctly with no translation. Phase 4-07 check passed.
<11:43:23>: UDP RTP Port 9007. Response received correctly with no translation. Phase 4-08 check passed.
<11:43:23>: UDP RTP Port 9008. Response received correctly with no translation. Phase 4-09 check passed.
<11:43:23>: UDP RTP Port 9009. Response received correctly with no translation. Phase 4-10 check passed.
<11:43:23>: UDP RTP Port 9010. Response received correctly with no translation. Phase 4-11 check passed.
<11:43:23>: UDP RTP Port 9011. Response received correctly with no translation. Phase 4-12 check passed.
<11:43:23>: UDP RTP Port 9012. Response received correctly with no translation. Phase 4-13 check passed.
<11:43:23>: UDP RTP Port 9013. Response received correctly with no translation. Phase 4-14 check passed.
<11:43:23>: UDP RTP Port 9014. Response received correctly with no translation. Phase 4-15 check passed.
<11:43:23>: UDP RTP Port 9015. Response received correctly with no translation. Phase 4-16 check passed.
<11:43:23>: UDP RTP Port 9016. Response received correctly with no translation. Phase 4-17 check passed.
<11:43:23>: UDP RTP Port 9017. Response received correctly with no translation. Phase 4-18 check passed.
<11:43:23>: UDP RTP Port 9018. Response received correctly with no translation. Phase 4-19 check passed.
<11:43:23>: UDP RTP Port 9019. Response received correctly with no translation. Phase 4-20 check passed.
<11:43:23>: UDP RTP Port 9020. Response received correctly with no translation. Phase 4-21 check passed.
<11:43:23>: UDP RTP Port 9021. Response received correctly with no translation. Phase 4-22 check passed.
<11:43:23>: UDP RTP Port 9022. Response received correctly with no translation. Phase 4-23 check passed.
<11:43:23>: UDP RTP Port 9023. Response received correctly with no translation. Phase 4-24 check passed.
<11:43:23>: UDP RTP Port 9024. Response received correctly with no translation. Phase 4-25 check passed.
<11:43:23>: UDP RTP Port 9025. Response received correctly with no translation. Phase 4-26 check passed.
<11:43:23>: UDP RTP Port 9026. Response received correctly with no translation. Phase 4-27 check passed.
<11:43:23>: UDP RTP Port 9027. Response received correctly with no translation. Phase 4-28 check passed.
<11:43:23>: UDP RTP Port 9028. Response received correctly with no translation. Phase 4-29 check passed.
<11:43:23>: UDP RTP Port 9029. Response received correctly with no translation. Phase 4-30 check passed.
<11:43:23>: UDP RTP Port 9030. Response received correctly with no translation. Phase 4-31 check passed.
<11:43:23>: UDP RTP Port 9031. Response received correctly with no translation. Phase 4-32 check passed.
<11:43:23>: UDP RTP Port 9032. Response received correctly with no translation. Phase 4-33 check passed.
<11:43:23>: UDP RTP Port 9033. Response received correctly with no translation. Phase 4-34 check passed.
<11:43:23>: UDP RTP Port 9034. Response received correctly with no translation. Phase 4-35 check passed.
<11:43:23>: UDP RTP Port 9035. Response received correctly with no translation. Phase 4-36 check passed.
<11:43:23>: UDP RTP Port 9036. Response received correctly with no translation. Phase 4-37 check passed.
<11:43:23>: UDP RTP Port 9037. Response received correctly with no translation. Phase 4-38 check passed.
<11:43:23>: UDP RTP Port 9038. Response received correctly with no translation. Phase 4-39 check passed.
<11:43:23>: UDP RTP Port 9039. Response received correctly with no translation. Phase 4-40 check passed.
<11:43:23>: UDP RTP Port 9040. Response received correctly with no translation. Phase 4-41 check passed.
<11:43:23>: UDP RTP Port 9041. NO RESPONSE received. Phase 4-42 check failed with ERRORS. Some functionality will be LIMITED. For more information, please visit http://www.3cx.com/blog/docs/firewall-checker/
<11:43:23>: UDP RTP Port 9042. Response received correctly with no translation. Phase 4-43 check passed.
<11:43:23>: UDP RTP Port 9043. Response received correctly with no translation. Phase 4-44 check passed.
<11:43:23>: UDP RTP Port 9044. Response received correctly with no translation. Phase 4-45 check passed.
<11:43:23>: UDP RTP Port 9045. Response received correctly with no translation. Phase 4-46 check passed.
<11:43:23>: UDP RTP Port 9046. Response received correctly with no translation. Phase 4-47 check passed.
<11:43:23>: UDP RTP Port 9047. Response received correctly with no translation. Phase 4-48 check passed.
<11:43:23>: UDP RTP Port 9048. Response received correctly with no translation. Phase 4-49 check passed.
<11:43:23>: UDP RTP Port 9049. Response received correctly with no translation. Phase 4-50 check passed.
Application exit code is 4
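The checker output above reports three verdicts per port: a reply that came back to the same source port ("no translation"), a reply showing the far side saw a different port ("WITH TRANSLATION 5061::5060", the phase 2a/2b warning), or nothing at all ("NO RESPONSE", the RTP 9005 and 9041 failures). The following is an added example, not code from the post or from 3CX, that reproduces that outbound half of the check with a UDP reflector of my own construction (3CX's real checker talks to 3CX's servers with its own protocol). It runs on loopback as written; to test a NAT for real, run the reflector on a host outside the router and pass its address to probe(). It also answers the "how can I test if the router is actually forwarding" question in the port-forwarding-unresponsive thread below.

```python
import os
import socket
import threading

# Reply format (constructed for this example): b"<seen_ip>:<seen_port>|<echoed payload>"
REPLY_SEP = b"|"


def start_reflector(host="127.0.0.1", port=0):
    """Start a UDP reflector in a daemon thread; returns ((ip, port), stop_event).

    The reflector stands in for the far-side server: it answers every datagram with
    the source ip:port it observed plus the original payload, so the sender can see
    what the NAT presented to the outside world.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(0.2)  # wake up regularly so the thread notices stop_event
    stop = threading.Event()

    def serve():
        with sock:
            while not stop.is_set():
                try:
                    data, peer = sock.recvfrom(2048)
                except socket.timeout:
                    continue
                except OSError:
                    break
                reply = f"{peer[0]}:{peer[1]}".encode() + REPLY_SEP + data
                sock.sendto(reply, peer)

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname(), stop


def classify(sent_port, seen_port):
    """Verdict wording mirroring the 3CX checker lines for one probe."""
    if seen_port is None:
        return "NO RESPONSE received"
    if seen_port == sent_port:
        return "Response received correctly with no translation"
    return f"Response received WITH TRANSLATION {seen_port}::{sent_port}"


def probe(reflector_addr, local_port=0, timeout=1.0):
    """Send one probe from local_port (0 = OS picks) and report what came back."""
    token = os.urandom(8).hex().encode()  # lets us ignore unrelated datagrams
    seen_port = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", local_port))
        sent_port = sock.getsockname()[1]
        try:
            sock.sendto(token, reflector_addr)
            while True:
                data, _ = sock.recvfrom(2048)
                seen, _, echoed = data.partition(REPLY_SEP)
                if echoed == token:
                    seen_port = int(seen.rsplit(b":", 1)[1])
                    break
        except OSError:
            # A dropped packet surfaces as a timeout; an ICMP port-unreachable surfaces
            # as ConnectionRefusedError on Linux. Either way nothing usable came back.
            pass
    return {"sent_port": sent_port, "seen_port": seen_port,
            "verdict": classify(sent_port, seen_port)}


def check_range(reflector_addr, local_ports, timeout=1.0):
    """Phase 4-style sweep: one probe per local source port, e.g. range(9000, 9050)."""
    return [probe(reflector_addr, p, timeout) for p in local_ports]


def failed_ports(results):
    """Source ports that got nothing back (like RTP 9005 and 9041 in the output above)."""
    return [r["sent_port"] for r in results if r["seen_port"] is None]


def unused_udp_port():
    """Bind-and-release to find a loopback UDP port with no listener (constructed
    helper so the NO RESPONSE branch can be exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    addr, stop = start_reflector()
    # Against a real NAT you would pass local_port=5060 here to mirror phase 2a.
    print("single probe:", probe(addr)["verdict"])
    print("sweep failures:", failed_ports(check_range(addr, [0] * 10)))
    print("dead target:", probe(("127.0.0.1", unused_udp_port()), timeout=0.5)["verdict"])
    stop.set()
```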

Hi Sir,
I'm sorry if I didn't understand your question, but have you already tried the configuration as attached? Please change the IP to your 3CX IP.
Regards.
Andrey Cassemiro

Similar Messages

  • Port forwarding for PSP and Wii

    I know the Xbox and PS3 set up static port forwarding across the BT Hub using UPnP. Does anyone know if the Play Station Portable or the Wii set up static port forwarding using UPnP in the same way for on line game play?  
    Thanks

    Wii works for me as a straight connection, no need of port forwarding.
    Ray.

  • WRVS4400n port forwarding (SSH access)

    I have a WRVS4400n and a CentOS server that I need to enable a SSH access to from WAN.
    I created a single port forward rule to open port 22 and forward to the server (whose address is 192.168.41.3).
    However, the SSH connection doesn't happen; the command "ssh user@{external_IP}" times out after 20 seconds.
    Wondering why...
    If I connect my server directly to the modem through the outside interface, I have no problems connecting to it. Once it's behind the router, no luck.
    I even added the same rule for UDP, not sure if it's needed, but it definitely didn't help.
    The router is on firmware version 2.0.1.3; the version on the bottom is 2.
    Any suggestions?

    Hi Randy Manthey, Thanks for quick response. The server has 2 interfaces:  eth0 (outside, WAN) currently down. When it was up it had a static IP, default gateway and mask assigned by ISP. It was plugged into the cable modem at that time, it was accessible.  eth1 (inside, LAN), up, address 192.168.41.3, default gateway 192.168.41.1 (which is above mentioned Cisco router WRVS4400n). It can ping all machines on LAN, including gateway. It is accessible to all machines on LAN and can be pinged by the Cisco router. It CANNOT ping any IP address on WAN (I understand this is because eth0 is down).  Let me know if you need any other info. Thank you.
    Edit: I got home (the router is in one of my offices) and scanned the router with nmap:
    nmap -v -sT -PN XXX.YYY.ZZZ.88
    Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 23:24 EDT
    Initiating Parallel DNS resolution of 1 host. at 23:24
    Completed Parallel DNS resolution of 1 host. at 23:24, 0.04s elapsed
    Initiating Connect Scan at 23:24
    Scanning wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88) [1000 ports]
    Discovered open port 8080/tcp on XXX.YYY.ZZZ.88
    Completed Connect Scan at 23:24, 6.06s elapsed (1000 total ports)
    Nmap scan report for wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88)
    Host is up (0.033s latency).
    Not shown: 999 filtered ports
    PORT     STATE SERVICE
    8080/tcp open  http-proxy
    Read data files from: /usr/share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 6.14 seconds
    Port 8080 is the port for remote router administration.

  • Port Forwarding and Static IP addresses

    Netcomm NB1300 router and Airport Express.
    I want to use and old G3 mac running 10.3.9 as a server for HTTP and FTP. The Mac is currently connected via Airport but I can connect it via Ethernet if necessary.
    I understand that I will have to activate Port Forwarding on my Router with Ports 21 and 80 to allow external Internet access to the G3. I will also have to configure DHCP Manually for a Static IP address and probably link up with a Free DNS service to maintain reliable access to the G3.
    I have other computers on the network, two Macs (Ethernet / 10.3.9 & Airport 10.4.11) and two PC's (one with Vista, one with XP / both on Airport). Only one of the extra Macs is connected via ethernet, the rest are connected via Airport.
    Will I have to assign Static IP addresses to all the computers or just the one I want to use as a server?
    And also, can anyone tell me about Port Forwarding via Port 22 to give more security from external observation/attacks? I know nothing about this security measure.
    Thanks in advance.
    Christo.

    Hi--
    Christo wrote:
    I am now assuming I will be able to access the 'server' from an external location. Very optimistic! But I can't test that for a couple of days.
    Ah, but you've given up too soon! You can access your web server from outside your network really easily: you just need to find an external client you can point back to your site. I like to use the W3C validator to do that. It has the happy side effect of also telling you if your web page markup is valid. So you'd point your browser to the validator page:
    http://validator.w3.org/
    I like to choose "More Options" and tell it to show the page source. That way I can also verify that it's seeing the page I want it to see.
    If I disconnect the iBook from Ethernet, can it still be accessible from an external location if it is connected to the Router via Airport, or do I have do so something like Port Forwarding with my Airport Express as well? Note the iBook can still connect to the Internet via Airport.
    It would depend on how your Airport is set up. I think there are a couple of ways to set them up. One is to make the Airport a DHCP server, which would make the wireless network essentially a separate network. In that case, you'd have to forward through the Airport, too.
    My wireless network, though, is set up to bridge, so it's all one network. In that case, all I'd have to do to forward wirelessly to a client would be to set up the forward on the main router.
    Being that persons other than myself will be accessing the iBook via FTP, do I give them the user account password of the Mac, or can I set a password in the Router or something else?
    Also, when accessing the iBook on my local network using Cyberduck, I can see the entire directory of the iBook's user account. Is there a way to limit access to just one folder, such as the Public folder, or a self-designated folder?
    Unfortunately, I don't know anything about setting up FTP. I would suggest that you look into maybe making an account on the iBook specifically for the FTP user and only give out that username and password. You might want to poke around in the Networking and the Web and Unix discussions in the Mac OS X Technologies area. I've seen a number of posts there about setting up FTP, and you might be able to find your answers there.
    charlie

  • Port Forwarding and Printing with Static IP Address

    Hey there -
    I am trying to setup a network printer that can be printed to from anywhere in the world. My organization has 5 static IP addresses given to us by our ISP. Four of those I have on computers, and one of them I have on my Linksys router (WRT54G v.8).
    What I want to do is be able to setup a printer on my router that I can print to from anywhere I have an internet connection. My wireless router's static IP address is 74.172.54.XXX - The address on my network is 192.168.7.1 - I have a printer statically assigned the IP address 192.168.7.2 - and I have a port forwarding for port 70 to forward to 192.168.7.2
    In theory, I would think that now I could print to 74.172.54.XXX:70 and have no problems. But that doesn't seem to be working. Even printing to 192.168.7.1:70 doesn't seem to work either.
    Also, the printer has a web GUI interface that if I type http://192.168.7.1/ into my browser it comes up, so in theory I would think typing http://74.172.54.XXX:70 into my browser it should come up (but it doesn't nor does http://192.168.7.1:70).
    Anybody got any suggestions? I tried to do a search about this, but every Port Forwarding question seemed to deal with gaming (which I have no desire to do). Thanks!
    I will include two screen snapshots of what I am talking about:
    Thanks for any help.

    Is the router setup to accept static connections?
    I have my router set up to accept both, so from 192.168.1.100 to 192.168.1.192 the addresses are static; the other addresses are given by DHCP.
    If you do not define a range and the address your laptop has as a static IP conflicts with the address given by DHCP, you lose ... as in you get no address.
    Set up of that feature may depend on your type of router but usually any decent router will have that capability ... read your manual for specifics about your unit.
    Best of luck.
    R.
    Last edited by ralvez (2009-12-10 00:08:50)

  • WRT610N - Need to Set Static IP for Server and Port Forwarding

    Does anyone know how I can assign a static IP for my Home Media Server in the WRT610N router? I need to do this because of the settings I need to set for the server in the Single Port Forwarding.
    Thanks in advance!

    Never mind. I got it.

  • Trouble with setting Static IP in order to port forward thru 2 routers

    I currently have cable internet connected to one router (Linksys E2000 w/ firmware v1.0.03). That router is connected to another router, a Linksys E3200 w/ firmware v1.0.02. In order to properly forward ports through the E3200, I understand that I need to set up a static IP on that router.
    I've basically followed the steps outlined in this video, but when I enter all the IP addresses for Static IP settings, it won't allow me to access the router's setup page. I try entering the new IP that I've given it (which it tries to direct itself to automatically after I save the settings) and the connection times out. I am able to access the internet otherwise, however. From here I'm forced to do a factory reset on the router and start from square one.
    Anybody have any ideas? I'm getting pretty frustrated and would love to get the ports forwarded so I can get my server properly set up. 

    I apologize, I should have been more specific. I have an ethernet cable connected from a standard port on the E2000 to a standard port on the E3200, which gives it internet access. On a hunch, last night I tried switching the cable to the Internet port on the E3200, but that gave no internet access.
    The two routers are chained because I'm living in a friend's house and he has his own router (the E2000) set up with his own devices. Thus, I have 3 devices of my own connected to the E3200, including a Synology DiskStation NAS, which I would like to forward some ports to. I don't need two LAN subnets; honestly, whatever it takes to forward the ports through the two routers to my NAS would be enough for me.

  • WRVS4400N port forwarding unresponsive

    Router: WRVS4400N
    Firmware: 2.0.2.1
    Background:
    Port forwarding external port 1234 to internal port 123 on a NAS appliance (ip 192.168.1.111)
    Successfully accessed NAS like this:
    https://11.22.33.44:1234/MyShare
    Everything was working perfectly for several weeks
    Last week I changed the subnet to 172.17.888.x
    Problem:
    Everything back to normal on the LAN except that port forwarding to the NAS no longer works.
    Gerfingerpoken:
    I opened another port (1235) and forwarded that to the NAS (in addition to the original port).  No success.
    I tried a port scanner. The port scanner reported that port 1234 was open on the router, but didn't mention 1235.
    I repeated with yet another port.  Same result: only port 1234 is reported open by the port scanner.
    Soft-rebooted the router (from the web interface), same result.
    Hard reset (button) the router, still no change.
    QUESTIONS:
    1.  How can I test if the router is actually forwarding new ports? (software tool?)
    2.  Any thoughts or suggestions?

    Update.
    Port forwarding was working, but the recipient device (NAS) was not accepting connections due to a misconfigured security certificate. It was necessary to regenerate the security certificate on the NAS device and all started working.
    HOWEVER, it would be very nice to know if port forwarding was actually working.  Knowing that would have eliminated half the possibilities and greatly simplified troubleshooting.

  • ?? How to set up Actiontec MI242wr rev F router to accommodate static IP addresses, port forwarding?

    I just got a new Verizon/Actiontec replacement router and I want to configure 4 or 5 static IP addresses beginning at 192.168.1.201  and above.
    At this point, I have changed the DHCP range from 192.168.1.2 - 192.168.1.250, to  192.168.1.2 - 192.168.1.200, so that is now the DHCP pool.  That presumably leaves anything above 192.168.1.200 open for static IP assignments.
    a) So now  how do I create a Static IP reservation for a device? (what router screens should I use? do the device(s) that I want a static IP have to be connected?, etc.)
    b) Once I have the static IP address reserved/configured, how can I make the appropriate port forward rule(s) for the devices?  Specifically, I want to allow SSH connections to each of the static IP addresses/devices.
    (I tried this once but the router complained after I made the first port forwarding rule saying that it was already in use!?!? and I want to avoid this problem again).
    Thanks
    -J

    Thanks for your suggestion. I figured out what to do... I let each device receive an address by DHCP, and then in the router I went to Advanced -> Connections, double clicked on the device to get more details and set the "Static Lease" check box.
    What this does is an address reservation for the device, but it still configures it via DHCP.
    It would be nice if the router manual noted this small detail, that devices can be configured as having a static address 'reservation' that is administered by the DHCP service, OR, one can set a 'static IP address' by ensuring that the device address is outside of the DHCP pool. 

  • WRVS4400N IPS vs port forwarding ?

    Hi,
    I was questioning if there was already some fix for the problem that people can't use port forwarding when disabling IPS.
    Now I have to enable IPS (20 Mbit on a 60 Mbit ISP...) to let port forwarding do its work; sorry, but that's a bit poor for a $200 router...
    I got the v1.1 model with the latest firmware (1.1.13).
    In the 1.1.13 patch notes it is mentioned that it "Resolved an issue that causes Port Forwarded packets to fail to go through the HardwareNAT table when IPS is disabled."
    Is that still what is failing at the moment?

    Only if you can convince the ARD client on the external computer to use a different port. You would need to configure the AEBS so that each external port mapped to a specific computer.
    Yeah, now that makes sense. But, it would seem that ARD is not going to cooperate. At least not that I know. Perhaps I can check with the ARD Forum and find out if it's workable.
    And then, is my understanding of what happens when disabling the NAT/DHCP Server right -- in terms of ARD access and also of the machines behind the AEBS getting their public IP numbers from the cable company (i.e., that AEBS wouldn't interfere with what they can do already, if the AEBS was not there)?
    iBook G4 1.42 GHz & iMac G4 Flat Panel 800 MHz   Mac OS X (10.4.8)  

  • Port Forwarding for RDP 3389 is not working

    Hi,
    I am having trouble getting RDP (port 3389) to forward to my server (10.20.30.20). I have made sure it is not an issue with the server's firewall; it's just the Cisco. I highlighted in red what I thought I needed in my config to get this to work. I have removed the last 2 octets of the public IP info for security. Here is the configuration below:
    TAMSATR1#show run
    Building configuration...
    Current configuration : 11082 bytes
    version 15.2
    no service pad
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    hostname TAMSATR1
    boot-start-marker
    boot system flash:/c880data-universalk9-mz.152-1.T.bin
    boot-end-marker
    logging count
    logging buffered 16384
    enable secret
    aaa new-model
    aaa authentication login default local
    aaa authentication login ipsec-vpn local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization console
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa session-id common
    memory-size iomem 10
    clock timezone CST -6 0
    clock summer-time CDT recurring
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-1879941380
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1879941380
    revocation-check none
    rsakeypair TP-self-signed-1879941380
    crypto pki certificate chain TP-self-signed-1879941380
    certificate self-signed 01
    ip dhcp excluded-address 10.20.30.1 10.20.30.99
    ip dhcp excluded-address 10.20.30.201 10.20.30.254
    ip dhcp excluded-address 10.20.30.250
    ip dhcp pool tamDHCPpool
    import all
    network 10.20.30.0 255.255.255.0
    default-router 10.20.30.1
    domain-name domain.com
    dns-server 10.20.30.20 8.8.8.8
    ip domain name domain.com
    ip name-server 10.20.30.20
    ip cef
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn
    crypto vpn anyconnect flash:/webvpn/anyconnect-dart-win-2.5.3054-k9.pkg sequence 1
    ip tftp source-interface Vlan1
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
      pass
    zone security sslvpn-zone
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp policy 20
    encr aes 192
    authentication pre-share
    group 2
    crypto isakmp key password
    crypto isakmp client configuration group ipsec-ra
    key password
    dns 10.20.30.20
    domain tamgmt.com
    pool sat-ipsec-vpn-pool
    netmask 255.255.255.0
    crypto ipsec transform-set ipsec-ra esp-aes esp-sha-hmac
    crypto ipsec transform-set TSET esp-aes esp-sha-hmac
    crypto ipsec profile VTI
    set security-association replay window-size 512
    set transform-set TSET
    crypto dynamic-map dynmap 10
    set transform-set ipsec-ra
    reverse-route
    crypto map clientmap client authentication list ipsec-vpn
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    interface Loopback0
    ip address 10.20.250.1 255.255.255.252
    ip nat inside
    ip virtual-reassembly in
    interface Tunnel0
    description To AUS
    ip address 192.168.10.1 255.255.255.252
    load-interval 30
    tunnel source
    tunnel mode ipsec ipv4
    tunnel destination
    tunnel protection ipsec profile VTI
    interface FastEthernet0
    no ip address
    interface FastEthernet1
    no ip address
    interface FastEthernet2
    no ip address
    interface FastEthernet3
    no ip address
    interface FastEthernet4
    ip address 1.2.3.4
    ip access-group INTERNET_IN in
    ip access-group INTERNET_OUT out
    ip nat outside
    ip virtual-reassembly in
    no ip route-cache cef
    ip route-cache policy
    ip policy route-map IPSEC-RA-ROUTE-MAP
    duplex auto
    speed auto
    crypto map clientmap
    interface Virtual-Template1
    ip unnumbered Vlan1
    zone-member security sslvpn-zone
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    no ip address
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
    ip address 10.20.30.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip tcp adjust-mss 1452
    ip local pool sat-ipsec-vpn-pool 10.20.30.209 10.20.30.239
    ip default-gateway 71.41.20.129
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip dns server
    ip nat inside source list ACL-POLICY-NAT interface FastEthernet4 overload
    ip nat inside source static tcp 10.20.30.20 3389 interface FastEthernet4 3389
    ip nat inside source static 10.20.30.20 (public ip)
    ip route 0.0.0.0 0.0.0.0 public ip
    ip route 10.20.40.0 255.255.255.0 192.168.10.2 name AUS_LAN
    ip access-list extended ACL-POLICY-NAT
    deny   ip 10.0.0.0 0.255.255.255 10.20.30.208 0.0.0.15
    deny   ip 172.16.0.0 0.15.255.255 10.20.30.208 0.0.0.15
    deny   ip 192.168.0.0 0.0.255.255 10.20.30.208 0.0.0.15
    permit ip 10.20.30.0 0.0.0.255 any
    permit ip 10.20.31.208 0.0.0.15 any
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended INTERNET_IN
    permit icmp any any echo
    permit icmp any any echo-reply
    permit icmp any any unreachable
    permit icmp any any time-exceeded
    permit esp host 24.153. host 66.196
    permit udp host 24.153 host 71.41.eq isakmp
    permit tcp host 70.123. host 71.41 eq 22
    permit tcp host 72.177. host 71.41 eq 22
    permit tcp host 70.123. host 71.41. eq 22
    permit tcp any host 71..134 eq 443
    permit tcp host 70.123. host 71.41 eq 443
    permit tcp host 72.177. host 71.41. eq 443
    permit udp host 198.82. host 71.41 eq ntp
    permit udp any host 71.41. eq isakmp
    permit udp any host 71.41eq non500-isakmp
    permit tcp host 192.223. host 71.41. eq 4022
    permit tcp host 155.199. host 71.41 eq 4022
    permit tcp host 155.199. host 71.41. eq 4022
    permit udp host 192.223. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit udp host 155.199. host 71.41. eq 4022
    permit tcp any host 10.20.30.20 eq 3389
    evaluate INTERNET_REFLECTED
    deny   ip any any
    ip access-list extended INTERNET_OUT
    permit ip any any reflect INTERNET_REFLECTED timeout 300
    ip access-list extended IPSEC-RA-ROUTE-MAP
    deny   ip 10.20.30.208 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.224 0.0.0.15 10.0.0.0 0.255.255.255
    deny   ip 10.20.30.208 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.224 0.0.0.15 172.16.0.0 0.15.255.255
    deny   ip 10.20.30.208 0.0.0.15 192.168.0.0 0.0.255.255
    deny   ip 10.20.30.224 0.0.0.15 192.168.0.0 0.0.255.255
    permit ip 10.20.30.208 0.0.0.15 any
    deny   ip any any
    access-list 23 permit 70.123.
    access-list 23 permit 10.20.30.0 0.0.0.255
    access-list 24 permit 72.177.
    no cdp run
    route-map IPSEC-RA-ROUTE-MAP permit 10
    match ip address IPSEC-RA-ROUTE-MAP
    set ip next-hop 10.20.250.2
    banner motd ^C
    UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.
    You must have explicit permission to access or configure this device.  All activities performed on this device are logged and violations of this policy may result in disciplinary and/or legal action.
    ^C
    line con 0
    logging synchronous
    line aux 0
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0
    access-class 23 in
    privilege level 15
    logging synchronous
    transport input telnet ssh
    line vty 1 4
    access-class 23 in
    exec-timeout 5 0
    privilege level 15
    logging synchronous
    transport input telnet ssh
    scheduler max-task-time 5000
    ntp server 198.82.1.201
    webvpn gateway gateway_1
    ip address 71.41. port 443
    http-redirect port 80
    ssl encryption rc4-md5
    ssl trustpoint TP-self-signed-1879941380
    inservice
    webvpn context TAM-SSL-VPN
    title "title"
    logo file titleist_logo.jpg
    secondary-color white
    title-color #CCCC66
    text-color black
    login-message "RESTRICTED ACCESS"
    policy group policy_1
       functions svc-enabled
       svc address-pool "sat-ipsec-vpn-pool"
       svc default-domain "domain.com"
       svc keep-client-installed
       svc split dns "domain.com"
       svc split include 10.0.0.0 255.0.0.0
       svc split include 192.168.0.0 255.255.0.0
       svc split include 172.16.0.0 255.240.0.0
       svc dns-server primary 10.20.30.20
       svc dns-server secondary 66.196.216.10
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_1
    gateway gateway_1
    ssl authenticate verify all
    inservice
    end

    Hi,
    I didn't see anything marked with red in the above? (At least when I was reading)
    I have not really had to deal with routers at all since we do all access control and NAT with firewalls.
    But to me it seems you have allowed the traffic to the actual IP address of the internal server rather than the public NAT IP address, which in this case seems to be configured to use your FastEthernet4 interface's public IP address.
    There also seems to be a Static NAT configured for the same internal host so I am wondering why the Static PAT (Port Forward) is used?
    - Jouni

  • ASA 5505 how to create a port forwarding rule

    ASA 5505 IOS ver 9.2.3
    I need to create a firewall rule that will allow internal services to be accessed externally, but using port forwarding. For example I'd like to enable access to our NAS via ftp external on port 1545 and then have the ASA forward the request to the NAS internally on port 21.
    I tried these commands but they didn't work:
    object network NAS
    host 192.168.2.8
    nat (inside,outside) static interface service tcp 21 1545
    access-list NASFTP-in permit tcp any object NAS eq 1545
    conf t
    int vlan 2
    access-group NASFTP-in permit tcp any object NAS eq 1545
    I really appreciate the help everyone.

    Try this, it worked for me. Here is an example of adding a webserver with an IP of 10.10.50.60, naming it with an object named WWW-SERVER and forwarding port 80. The way it works is you need to do three things: you need to "nat it", "forward it" and allow it in the "acl".
    object network WWW-SERVER
    host 10.10.50.60
    nat (inside,outside) static interface service tcp 80 80
    object network INSIDE
    subnet 0.0.0.0 0.0.0.0
    nat (inside,outside) dynamic interface
    access-list Outside_access_in extended permit tcp any object WWW-SERVER eq 80
    access-group Outside_access_in in interface Outside

  • ASA 9.2 Port Forward

    Hello,
    I have a problem with a single port forward with 9.2 ASA (5505). Here is the related config:
    access-list outside_access_in extended permit icmp any any
    access-list outside_access_in extended permit tcp any host 10.168.50.5 eq www log
    access-list DMZ_in extended permit ip any any
    nat (DMZ,outside) source dynamic obj_any interface
    nat (DMZ,outside) source static any any destination static VPN_Pool VPN_Pool no-proxy-arp route-lookup
    nat (outside,DMZ) source dynamic any interface destination static Public_Server Public_Server service HTTP HTTP
    object network Public_Server
     nat (DMZ,outside) static interface service tcp www www
    access-group outside_access_in in interface outside
    access-group DMZ_access_in in interface DMZ
    When I try to access the server, the console said ACL drops. The packet tracer said that it dropped in the implicit deny rule. Can you help me what can be the problem?
    Thank You!

    Yes, of course, I can ping, and also from VPN. And also the web service works from VPN, locally. The packet-tracer said the same, the implicit deny catches it:
    packet-tracer input outside tcp 8.8.8.8 http OUTIFIP http det
    Phase: 1
    Type: ACCESS-LIST
    Subtype:
    Result: ALLOW
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad2a1718, priority=1, domain=permit, deny=false
            hits=89868, user_data=0x0, cs_id=0x0, l3_type=0x8
            src mac=0000.0000.0000, mask=0000.0000.0000
            dst mac=0000.0000.0000, mask=0100.0000.0000
            input_ifc=outside, output_ifc=any
    Phase: 2
    Type: ROUTE-LOOKUP
    Subtype: Resolve Egress Interface
    Result: ALLOW
    Config:
    Additional Information:
    in   OUTIFIP  255.255.255.255 identity
    Phase: 3
    Type: NAT
    Subtype: per-session
    Result: ALLOW
    Config:
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad071248, priority=1, domain=nat-per-session, deny=true
            hits=1199, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=any, output_ifc=any
    Phase: 4
    Type: ACCESS-LIST
    Subtype:
    Result: DROP
    Config:
    Implicit Rule
    Additional Information:
     Forward Flow based lookup yields rule:
     in  id=0xad2a23b8, priority=0, domain=permit, deny=true
            hits=883, user_data=0x9, cs_id=0x0, use_real_addr, flags=0x1000, protocol=0
            src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
            dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
            input_ifc=outside, output_ifc=any
    Result:
    input-interface: outside
    input-status: up
    input-line-status: up
    output-interface: NP Identity Ifc
    output-status: up
    output-line-status: up
    Action: drop
    Drop-reason: (acl-drop) Flow is denied by configured rule
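    A small parser for packet-tracer output like the one above, added here as an example (not Cisco's tooling and not code from the thread): it splits the output into phases, reports which phase produced the DROP and the Drop-reason, and checks whether a UN-NAT phase appeared, which is where a matching static NAT (the port forward) shows up on ASA 8.3 and later before the ACL is evaluated. The trace embedded below is constructed to mirror the posted one; the function names are my own.

```python
"""Summarise ASA packet-tracer output and name the phase that dropped the packet.

Constructed example for this thread; not Cisco's tooling and not from any post.
On ASA 8.3 and later a matching static NAT (the port forward) appears as a
UN-NAT phase before the ACL phase, so its absence is itself a finding.
"""
import re

PHASE_RE = re.compile(r"^Phase: (\d+)$")
FIELD_RE = re.compile(r"^(Type|Subtype|Result|Action|Drop-reason): ?(.*)$")


def parse_phases(output):
    """Return (phases, result): per-phase dicts plus the trailing Result block fields."""
    phases, result, current, in_result = [], {}, None, False
    for raw in output.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = {"number": int(m.group(1)), "type": "", "subtype": "", "result": ""}
            phases.append(current)
            continue
        if line == "Result:":  # bare header that starts the final block
            in_result, current = True, None
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if in_result:
            result[key] = value
        elif current is not None and key in current:
            current[key] = value
    return phases, result


def summarize(output):
    """Reduce a trace to the facts a troubleshooter looks at first."""
    phases, result = parse_phases(output)
    dropped = next((p for p in phases if p["result"] == "DROP"), None)
    return {
        "phases": [(p["number"], p["type"], p["result"]) for p in phases],
        "drop_phase": dropped["number"] if dropped else None,
        "drop_type": dropped["type"] if dropped else None,
        "drop_reason": result.get("drop-reason"),
        "un_nat_seen": any(p["type"] == "UN-NAT" for p in phases),
    }


def diagnose(summary):
    """One-line reading of the summary for a port-forward troubleshooting session."""
    if summary["drop_phase"] is None:
        return "allowed: every phase returned ALLOW"
    if summary["drop_type"] == "ACCESS-LIST" and not summary["un_nat_seen"]:
        return ("dropped by ACL before any UN-NAT phase: the inbound static NAT never "
                "matched, so the ACL saw the untranslated destination (the outside IP); "
                "check the object NAT and that the ACL permits the server's real address")
    return f"dropped in phase {summary['drop_phase']} ({summary['drop_type']}): {summary['drop_reason']}"


# Constructed to mirror the trace posted above (per-rule details trimmed).
SAMPLE_TRACE = """\
Phase: 1
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Phase: 2
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Result:
input-interface: outside
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_TRACE)
    for number, kind, res in s["phases"]:
        print(f"phase {number}: {kind:<14} {res}")
    print(diagnose(s))
```

    Read against the trace above: the only NAT phase is the per-session one and no UN-NAT phase precedes the ACL check, so the packet reached the ACL still addressed to the outside interface IP, where a rule that permits only the server's real address cannot match and the implicit deny is what gets hit.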

  • HELP!! asa 5505 8.4(5) problem with port forwarding-smtp

    Hi, I am having a big problem with port forwarding on my ASA. I am trying to forward SMTP through the ASA to my mail server.
    My mail server IP is 10.0.0.2 and my outside interface is 80.80.80.80; the ASA is set up with PPPoE (I get internet access no problem and that seems fine).
    When I run a trace I get "(ACL-Drop) - flow is denied by configured rule".
    Below is my config file, any help would be appreciated.
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.4(5)
    hostname ciscoasa
    domain-name domain.local
    enable password mXa5sNUu4rCZ.t5y encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISPDsl
    ip address 80.80.80.80 255.255.255.255 pppoe setroute
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Server_SMTP
    host 10.0.0.2
    access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network server_SMTP
    nat (inside,outside) static interface service tcp smtp smtp
    nat (inside,outside) after-auto source dynamic any interface
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname [email protected]
    vpdn group ISP ppp authentication chap
    vpdn username [email protected] password *****
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:c5570d7ddffd46c528a76e515e65f366
    : end

    Hi Jennifer,
    I have removed that NAT line as suggested but still no joy.
    Here is my current config:
    Result of the command: "show running-config"
    : Saved
    ASA Version 8.4(5)
    hostname ciscoasa
    domain-name domain.local
    enable password mXa5sNUu4rCZ.t5y encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.0.0.1 255.255.255.0
    interface Vlan2
    nameif outside
    security-level 0
    pppoe client vpdn group ISP
    ip address 80.80.80.80 255.255.255.255 pppoe setroute
    ftp mode passive
    dns server-group DefaultDNS
    domain-name domain.local
    same-security-traffic permit intra-interface
    object network obj_any
    subnet 0.0.0.0 0.0.0.0
    object network Server_Mail
    host 10.0.0.2
    access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
    pager lines 24
    logging asdm informational
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    object network obj_any
    nat (inside,outside) dynamic interface
    object network Server_Mail
    nat (inside,outside) static interface service tcp smtp smtp
    access-group outside_access_in in interface outside
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 10.0.0.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
    telnet timeout 5
    ssh timeout 5
    ssh key-exchange group dh-group1-sha1
    console timeout 0
    vpdn group ISP request dialout pppoe
    vpdn group ISP localname [email protected]
    vpdn group ISP ppp authentication chap
    vpdn username [email protected] password *****
    dhcpd auto_config outside
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
      inspect ip-options
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:f3bd954d1f9499595aab4f9da8c15795
    : end
    also here is the packet trace
    and my acl
    Thanks
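    The two configs above, the 9.2 post's config, and the three-step recipe earlier in this thread (NAT it, forward it, allow it in the ACL) all hinge on names matching exactly. Here is a small lint script I am adding as an example (not Cisco's code and not from any post) that reads a running-config the way the ASA prints it and flags an object that carries a NAT but no host or subnet, an object that is defined but never used, an ACL reference to an object that does not exist, and an access-group bound to an ACL that does not exist. The sample configs inside it are constructed to mirror the first post's Server_SMTP / server_SMTP mismatch, the DMZ_access_in / DMZ_in mismatch from the 9.2 post, and the corrected Server_Mail version; object and ACL names come from the thread, the function names are my own.

```python
"""Lint an ASA running-config for misspelled or dangling references.

Constructed example for this thread; not Cisco's code and not from any post.
The ASA prints each 'object network' once per name, so two spellings of one
name (the thread's Server_SMTP and server_SMTP) are two different objects.
"""
import re

OBJECT_RE = re.compile(r"^object network (\S+)$")
ADDRESS_RE = re.compile(r"^(?:host|subnet|range) .+")
NAT_RE = re.compile(r"^nat \(.+?\) .+")
ACL_RE = re.compile(r"^access-list (\S+) ")
ACL_OBJECT_RE = re.compile(r"\bobject (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface \S+$")


def parse(config):
    """Collect objects (address + object NAT), ACL names, ACL object refs and access-groups."""
    objects, acl_names, acl_object_refs, access_groups = {}, set(), [], []
    current = None  # object whose sub-lines we are reading
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = OBJECT_RE.match(line)
        if m:
            current = objects.setdefault(m.group(1), {"address": None, "nat": None})
            continue
        if current is not None and ADDRESS_RE.match(line):
            current["address"] = line
            continue
        # object NAT never carries 'source'; twice (manual) NAT always does
        if current is not None and NAT_RE.match(line) and " source " not in line:
            current["nat"] = line
            continue
        current = None  # any other top-level line closes the object block
        m = ACL_RE.match(line)
        if m:
            acl_names.add(m.group(1))
            acl_object_refs += [(m.group(1), o) for o in ACL_OBJECT_RE.findall(line)]
            continue
        m = GROUP_RE.match(line)
        if m:
            access_groups.append(m.group(1))
    return objects, acl_names, acl_object_refs, access_groups


def lint(config):
    """Return findings as (kind, name, hint) tuples in config order."""
    objects, acl_names, acl_object_refs, access_groups = parse(config)
    referenced = {obj for _, obj in acl_object_refs}

    def other_case(name):  # same name with different capitalisation
        return ", ".join(n for n in objects if n != name and n.lower() == name.lower())

    findings = []
    for acl, obj in acl_object_refs:
        if obj not in objects:
            findings.append(("undefined-object", obj, other_case(obj)))
    for name, o in objects.items():
        if o["nat"] and not o["address"]:  # a NAT with no address translates nothing
            findings.append(("nat-without-address", name, other_case(name)))
        elif not o["nat"] and name not in referenced:
            findings.append(("unused-object", name, other_case(name)))
    for acl in access_groups:
        if acl not in acl_names:
            findings.append(("missing-acl", acl, ", ".join(sorted(acl_names))))
    return findings


# Constructed to mirror the first posted config plus the DMZ access-group of the 9.2 post.
SAMPLE_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server_SMTP
 host 10.0.0.2
access-list outside_access_in extended permit tcp any object server_SMTP eq smtp
access-list DMZ_in extended permit ip any any
object network obj_any
 nat (inside,outside) dynamic interface
object network server_SMTP
 nat (inside,outside) static interface service tcp smtp smtp
nat (inside,outside) after-auto source dynamic any interface
access-group outside_access_in in interface outside
access-group DMZ_access_in in interface DMZ
"""

# Constructed to mirror the corrected config with one consistently named object.
FIXED_CONFIG = """\
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network Server_Mail
 host 10.0.0.2
access-list outside_access_in extended permit tcp any object Server_Mail eq smtp
object network obj_any
 nat (inside,outside) dynamic interface
object network Server_Mail
 nat (inside,outside) static interface service tcp smtp smtp
access-group outside_access_in in interface outside
"""

if __name__ == "__main__":
    for cfg in (SAMPLE_CONFIG, FIXED_CONFIG):
        for kind, name, hint in lint(cfg) or [("clean", "no findings", "")]:
            print(f"{kind}: {name}" + (f"  (see also: {hint})" if hint else ""))
```

    On the first sample it reports that server_SMTP carries the static NAT but no host, that Server_SMTP holds the host but is never used, and that DMZ_access_in is bound to an interface without any ACL of that name; the corrected Server_Mail sample comes back clean. A NAT attached to an object with no address translates nothing, so inbound SMTP never gets un-translated and the ACL drop in the trace follows.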

  • I am trying to setup port forwarding

    I am trying to set up port forwarding for a MiFi 5510L hotspot. I have made the changes on the hotspot but the hotspot doesn't respond when tested. Can anyone help?

    If you examine the About section of the Jetpack's web-style user interface, you should find that it has a reserved IPv4 address. That means your Jetpack doesn't connect directly to the public internet; your Jetpack is connected to Verizon's private network. Your port forwarding has no effect on Verizon's private network.
    The standard recommendation is:
    Purchase a public facing static IP address from Verizon for a one time fee of $500.
    Use a VPN to go around the issue. 
    Use another ISP that provides a static IP address.
