How to get the port mapping to work on SR520

Jun 17th, 2009

I have been using CCA 2.0 and configured the device based on documents (a recurring story) and, well, it won't work... again.


These are the results of 'show tcp brief':

SR520#show tcp brief all
TCB       Local Address               Foreign Address             (state)
84C8EFD4              ESTAB
86479CB0             ESTAB
8647850C             ESTAB
84B08378              ESTAB
83B7FAB8              ESTAB
851D6704  *.443                       *.*                         LISTEN
851D5CF4  *.443                       *.*                         LISTEN
851D56B8  *.80                        *.*                         LISTEN
85419B70  *.80                        *.*                         LISTEN
85DAD264   *.*                         LISTEN

It appears that CCA is not correctly adding the info into the configuration, or is it?

It made these acl entries:

access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host
access-list 106 remark SDM_ACL Category=128
access-list 106 permit ip any host XX.XX.XX.194

It added this for one port but not for the others:

ip port-map user-protocol--1 port tcp 3389

and it added this:

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 3389 interface FastEthernet4 3389
ip nat inside source static tcp 5060 interface FastEthernet4 5060
ip nat inside source static udp 5060 interface FastEthernet4 5060
ip nat inside source static tcp 1720 interface FastEthernet4 1720

Yet none of these ports are allowed through the firewall.

Please help me figure this out.


Steven DiStefano Mon, 07/13/2009 - 06:30

I think the CCA team knows of some issue with this.  In May, I had heard that while configuration of NAT static entry is supported by CCA there is an issue in that CCA currently does not modify the firewall configuration to allow the statically mapped IP and TCP port to pass through.

I heard we were looking to resolve this in a subsequent CCA release. I will find out when or ask that team to reply....

Steve DiStefano

SE Small Business Sales

U.S. Field Channel
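
Added example, not part of the thread and not Cisco tooling: a Python check that lists the static NAT forwards in a saved running-config that have no explicit `ip port-map` line, the mismatch the question describes. The inside address 192.168.75.10 and the sample config are constructed; a missing port-map line is only an indicator, because the firewall policy itself is not shown in the thread.

```python
import re

# Constructed sample modelled on the lines quoted in the question.
# The inside address 192.168.75.10 is an assumption; the thread omits it.
SAMPLE_CONFIG = """\
ip port-map user-protocol--1 port tcp 3389
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.75.10 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.75.10 5060 interface FastEthernet4 5060
ip nat inside source static udp 192.168.75.10 5060 interface FastEthernet4 5060
ip nat inside source static tcp 192.168.75.10 1720 interface FastEthernet4 1720
"""

# Static port forward: proto, optional inside address, inside port,
# outside interface, outside port.
NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (?:(\S+) )?(\d+) interface (\S+) (\d+)\s*$"
)
# Explicit port-to-application mapping: name, proto, port.
PORTMAP_RE = re.compile(r"^ip port-map (\S+) port (tcp|udp) (\d+)\b")


def unmapped_forwards(config_text):
    """Return (proto, inside_port) for each static NAT forward that has
    no explicit 'ip port-map' line for the same protocol and port.

    Assumption: the port-map is written for the inside (local) port;
    in the thread the inside and outside ports are identical.
    """
    forwards, mapped = [], set()
    for raw in config_text.splitlines():
        line = raw.strip()
        nat = NAT_RE.match(line)
        if nat:
            forwards.append((nat.group(1), int(nat.group(3))))
            continue
        pmap = PORTMAP_RE.match(line)
        if pmap:
            mapped.add((pmap.group(2), int(pmap.group(3))))
    return [fwd for fwd in forwards if fwd not in mapped]


if __name__ == "__main__":
    for proto, port in unmapped_forwards(SAMPLE_CONFIG):
        print(f"static NAT forward {proto}/{port} has no ip port-map entry")
```
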

Tomoo Esaka Mon, 07/13/2009 - 09:47
User Badges:
  • Cisco Employee

This is resolved in CCA 2.0(1). TCP or UDP ports configured for static NAT mapping should be passed through the firewall.



Steven DiStefano Mon, 07/13/2009 - 09:57

MOST excellent news!!!!   2.0(1) is NOW available as well!!!!!  Since last week....

