How to get the port mapping to work on SR520

Jun 17th, 2009

I have been using CCA 2.0 and configured the device based on documents (a recurring story) and, well, it won't work... again.


These are the results of 'show tcp brief':

SR520#show tcp brief all
TCB       Local Address               Foreign Address             (state)
84C8EFD4  192.168.75.1.23             172.16.33.10.3227           ESTAB
86479CB0  192.168.75.1.443            172.16.33.10.3078           ESTAB
8647850C  192.168.75.1.443            172.16.33.10.3122           ESTAB
84B08378  192.168.75.1.23             172.16.33.10.3062           ESTAB
83B7FAB8  192.168.75.1.23             172.16.33.10.3041           ESTAB
851D6704  *.443                       *.*                         LISTEN
851D5CF4  *.443                       *.*                         LISTEN
851D56B8  *.80                        *.*                         LISTEN
85419B70  *.80                        *.*                         LISTEN
85DAD264  XXX.XXX.XXX.194.ptr.us.443   *.*                         LISTEN
SR520#

It appears that CCA is not correctly adding the info into the configuration, or is it?

It made these acl entries:

access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.75.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.10.12
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip any host XX.XX.XX.194

It added this for one port but not for the others:

ip port-map user-protocol--1 port tcp 3389

and it added this:

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.12 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720

Yet none of these ports are allowed through the firewall.

Please help me figure this out.

Thanks

Steven DiStefano Mon, 07/13/2009 - 06:30

I think the CCA team knows of some issue with this. In May, I had heard that while configuration of NAT static entry is supported by CCA, there is an issue in that CCA currently does not modify the firewall configuration to allow the statically mapped IP and TCP port to pass through.

I heard we were looking to resolve it in a subsequent CCA release. I will find out when or ask that team to reply.

Steve DiStefano

SE Small Business Sales

U.S. Field Channel

Tomoo Esaka Mon, 07/13/2009 - 09:47

This is resolved in CCA 2.0(1). TCP or UDP ports configured for static NAT mapping should be passed through the firewall.

Rgds,

Tomoo
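
The cross-check from the first post (which static NAT forwards also have a port-map entry and an ACL permit for the inside host), as an added example that is not part of the thread and not CCA's own logic. The function name `audit_forwards` is hypothetical, the sample is built from the lines quoted above, and only those line forms are parsed.

```python
import re

# Constructed sample: the ACL, port-map and static NAT lines quoted in the first post.
CONFIG = """\
access-list 102 permit ip any host 192.168.75.2
access-list 103 permit ip any host 192.168.75.2
access-list 104 permit ip any host 192.168.75.2
access-list 105 permit ip any host 192.168.10.12
ip port-map user-protocol--1 port tcp 3389
ip nat inside source static tcp 192.168.10.12 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.2 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.2 1720 interface FastEthernet4 1720
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
PAM_RE = re.compile(r"^ip port-map (\S+) port (tcp|udp) (\d+)$")
# Only the "permit ip any host <addr>" form seen in the post is recognised.
ACL_RE = re.compile(r"^access-list (\d+) permit ip any host (\S+)$")

def audit_forwards(config):
    """Cross-reference each static NAT forward with port-map and ACL lines."""
    nat, pam, acl_hosts = [], {}, {}
    for line in map(str.strip, config.splitlines()):
        if m := NAT_RE.match(line):
            nat.append((m[1], m[2], int(m[3]), int(m[5])))
        elif m := PAM_RE.match(line):
            pam[(m[2], int(m[3]))] = m[1]
        elif m := ACL_RE.match(line):
            acl_hosts.setdefault(m[2], []).append(int(m[1]))
    report = []
    for proto, host, inside_port, outside_port in nat:
        report.append({
            "forward": f"{proto}/{outside_port} -> {host}:{inside_port}",
            # Assumption: port-map entries are matched on the inside port.
            "port_map": pam.get((proto, inside_port)),
            "acls": acl_hosts.get(host, []),
        })
    return report

if __name__ == "__main__":
    for row in audit_forwards(CONFIG):
        print(row)
```

A forward with no port-map entry is not a fault by itself; it marks the entries to compare against the firewall policy after upgrading CCA.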
