Cisco 877 Port 80/443 Forwarding (NAT)

Unanswered Question
Apr 17th, 2010
Hello All,


I will start this question by pointing out that I am by no means a Cisco expert and that this question may seem simple; however, if you don't know the answer (which I don't) then it may not be that simple.


I have a Cisco 877 router connected to my broadband with a static IP address assigned. I have got it working as far as internet access is concerned, and also got it working with port forwarding (NAT) of the SMTP, POP and RDP ports using SDM Express 2.5.


However, when I used the same process to forward ports 80 and 443 (to the Exchange server for webmail) it came up with the Cisco SDM website from the external IP address. After some reading I have changed the ports SDM uses to 8080 and 4443 so as to free up those ports.


I hoped this would let the port forwarding work but alas it has not... can someone please tell me what I need to do to get this working?


Below is the show config of my router:


VINT-GW01# show config
Using 13989 out of 131072 bytes
!
! Last configuration change at 20:51:34 London Sat Apr 17 2010 by Administrator
! NVRAM config last updated at 20:51:37 London Sat Apr 17 2010 by Administrator
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname VINT-GW01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
clock timezone London 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-431638806
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-431638806
revocation-check none
rsakeypair TP-self-signed-431638806
!
!
crypto pki certificate chain TP-self-signed-431638806
certificate self-signed 01 nvram:IOS-Self-Sig#10.cer
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.151 10.10.10.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.10.10.0 255.255.255.0
   domain-name 255.255.255.0
   dns-server 212.104.130.9 212.104.130.65
   default-router 10.10.10.1
!
!
ip port-map user-protocol--2 port tcp 3389
ip port-map user-protocol--3 port tcp 445
ip port-map user-protocol--1 port tcp 47
ip domain name vintnet.com
ip name-server 212.104.130.9
ip name-server 212.104.130.65
!
!
!
username Administrator privilege 15 secret 5 $1$M5g2$1ACLK88Lc6a6bdAWPcCgC0
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-nat-http-4
match access-group 126
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-4
match access-group 127
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-smtp-4
match access-group 125
match protocol smtp
class-map type inspect match-all sdm-nat-user-protocol--1-4
match access-group 123
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-2
match access-group 111
match protocol smtp
class-map type inspect match-all sdm-nat-user-protocol--1-3
match access-group 116
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 108
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 105
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 106
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 109
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-3
match access-group 118
match protocol smtp
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 102
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
match access-group 113
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-2
match access-group 112
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 104
match protocol smtp
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 120
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-3
match access-group 119
match protocol http
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-1
match access-group 101
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-2
match access-group 108
match protocol pptp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-all sdm-nat-pptp-3
match access-group 115
match protocol pptp
class-map type inspect match-all sdm-nat-pptp-4
match access-group 122
match protocol pptp
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-pop3-1
match access-group 107
match protocol pop3
class-map type inspect match-all sdm-nat-pop3-2
match access-group 114
match protocol pop3
class-map type inspect match-all sdm-nat-pop3-3
match access-group 121
match protocol pop3
class-map type inspect match-all sdm-nat-pop3-4
match access-group 128
match protocol pop3
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-https-4
match access-group 124
match protocol https
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-https-3
match access-group 117
match protocol https
match access-group 110
class-map type inspect match-all sdm-nat-https-2
match access-group 110
match protocol https
match access-group 109
class-map type inspect match-all sdm-nat-https-1
match access-group 103
match protocol https
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-pptp-1
  inspect
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-nat-user-protocol--2-1
  inspect
class type inspect sdm-nat-pop3-1
  inspect
class type inspect sdm-nat-pptp-2
  inspect
class type inspect sdm-nat-user-protocol--1-2
  inspect
class type inspect sdm-nat-https-2
  inspect
class type inspect sdm-nat-smtp-2
  inspect
class type inspect sdm-nat-http-2
  inspect
class type inspect sdm-nat-user-protocol--2-2
  inspect
class type inspect sdm-nat-pop3-2
  inspect
class type inspect sdm-nat-pptp-3
  inspect
class type inspect sdm-nat-user-protocol--1-3
  inspect
class type inspect sdm-nat-https-3
  inspect
class type inspect sdm-nat-smtp-3
  inspect
class type inspect sdm-nat-http-3
  inspect
class type inspect sdm-nat-user-protocol--2-3
  inspect
class type inspect sdm-nat-pop3-3
  inspect
class type inspect sdm-nat-pptp-4
  inspect
class type inspect sdm-nat-user-protocol--1-4
  inspect
class type inspect sdm-nat-https-4
  inspect
class type inspect sdm-nat-smtp-4
  inspect
class type inspect sdm-nat-http-4
  inspect
class type inspect sdm-nat-user-protocol--2-4
  inspect
class type inspect sdm-nat-pop3-4
  inspect
class type inspect sdm-nat-user-protocol--3-1
  inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class class-default
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname <<<broadband username>>>
ppp chap password 7 <<<broadband password>>>
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 100
!
ip http server
ip http port 8080
ip http access-class 23
ip http authentication local
ip http secure-server
ip http secure-port 4443
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.10.10.2 1723 interface Dialer0 1723
ip nat inside source static tcp 10.10.10.2 47 interface Dialer0 47
ip nat inside source static tcp 10.10.10.2 25 interface Dialer0 25
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.2 3389 interface Dialer0 3389
ip nat inside source static tcp 10.10.10.2 110 interface Dialer0 110
ip nat inside source static tcp 10.10.10.2 443 interface Dialer0 443
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 10.10.10.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 10.10.10.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.10.10.2
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 10.10.10.2
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 10.10.10.2
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 10.10.10.2
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 10.10.10.2
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 10.10.10.2
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 10.10.10.2
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 10.10.10.2
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 10.10.10.2
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 10.10.10.2
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip any host 10.10.10.2
access-list 114 remark SDM_ACL Category=0
access-list 114 permit ip any host 10.10.10.2
access-list 115 remark SDM_ACL Category=0
access-list 115 permit ip any host 10.10.10.2
access-list 116 remark SDM_ACL Category=0
access-list 116 permit ip any host 10.10.10.2
access-list 117 remark SDM_ACL Category=0
access-list 117 permit ip any host 10.10.10.2
access-list 118 remark SDM_ACL Category=0
access-list 118 permit ip any host 10.10.10.2
access-list 119 remark SDM_ACL Category=0
access-list 119 permit ip any host 10.10.10.2
access-list 120 remark SDM_ACL Category=0
access-list 120 permit ip any host 10.10.10.2
access-list 121 remark SDM_ACL Category=0
access-list 121 permit ip any host 10.10.10.2
access-list 122 remark SDM_ACL Category=0
access-list 122 permit ip any host 10.10.10.2
access-list 123 remark SDM_ACL Category=0
access-list 123 permit ip any host 10.10.10.2
access-list 124 remark SDM_ACL Category=0
access-list 124 permit ip any host 10.10.10.2
access-list 125 remark SDM_ACL Category=0
access-list 125 permit ip any host 10.10.10.2
access-list 126 remark SDM_ACL Category=0
access-list 126 permit ip any host 10.10.10.2
access-list 127 remark SDM_ACL Category=0
access-list 127 permit ip any host 10.10.10.2
access-list 128 remark SDM_ACL Category=0
access-list 128 permit ip any host 10.10.10.2
dialer-list 1 protocol ip permit
no cdp run
!
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to
http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17179869
ntp server 207.46.232.182 source Dialer0 prefer
end

VINT-GW01#
Thanks in advance


Andrew Vint

Jennifer Halim Sat, 04/17/2010 - 15:56
User Badges: Cisco Employee

As far as NAT is concerned, it has been correctly configured.


ZBFW (Zone Based FW) is the one that breaks your connection on ports 80 and 443.


Here is a quick fix:

class-map type inspect match-all sdm-nat-http-1
     no match access-group 105

class-map type inspect match-all sdm-nat-https-1
     no match access-group 103


Recommendation: I would remove all the ZBFW configuration if you are not familiar with it, because currently more than half of your configuration is ZBFW config, with lots of repetition, and some of it is incorrect.


Here is some reading on ZBFW if you are interested:

http://cisco.com/en/US/partner/docs/ios/sec_data_plane/configuration/guide/sec_zone_polcy_firew.html


Hope that helps.
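A small config-audit script, added here as an illustration and not part of the thread or of any Cisco tool, that reads IOS running-config text and reports, for each static tcp port-forward, which class in the outside-to-inside ZBFW policy is meant to inspect it, and flags match-all classes that carry more than one access-group line (the shape seen in sdm-nat-https-2 and sdm-nat-https-3 above). The PAM name-to-port table and the SAMPLE excerpt are constructed assumptions modelled on the posted config.

```python
import re
PAM_PORTS = {"http": 80, "https": 443, "smtp": 25, "pop3": 110, "pptp": 1723}  # IOS built-in PAM names

# Constructed excerpt modelled on the thread's show config, not the full dump.
SAMPLE = """\
ip port-map user-protocol--2 port tcp 3389
class-map type inspect match-all sdm-nat-http-1
 match access-group 105
 match protocol http
class-map type inspect match-all sdm-nat-https-2
 match access-group 110
 match protocol https
 match access-group 109
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
 class type inspect sdm-nat-https-2
ip nat inside source static tcp 10.10.10.2 80 interface Dialer0 80
ip nat inside source static tcp 10.10.10.2 443 interface Dialer0 443
ip nat inside source static tcp 10.10.10.2 3389 interface Dialer0 3389
"""

def parse_ios(cfg):
    """Collect port-maps, inspect class-maps, policy-map class lists and static tcp NAT entries."""
    port_maps, class_maps, policies, forwards, cur = dict(PAM_PORTS), {}, {}, [], None
    for s in (ln.strip() for ln in cfg.splitlines()):
        if m := re.match(r"ip port-map (\S+) port tcp (\d+)$", s):
            port_maps[m[1]] = int(m[2])                       # user-protocol--N -> tcp port
        elif m := re.match(r"class-map type inspect (match-all|match-any) (\S+)$", s):
            cur = class_maps[m[2]] = {"mode": m[1], "matches": []}
        elif m := re.match(r"policy-map type inspect (\S+)$", s):
            cur = policies[m[1]] = []
        elif (m := re.match(r"class type inspect (\S+)$", s)) and isinstance(cur, list):
            cur.append(m[1])                                  # class used by this policy-map
        elif s.startswith("match ") and isinstance(cur, dict):
            cur["matches"].append(s.split())                  # e.g. ['match', 'protocol', 'http']
        elif m := re.match(r"ip nat inside source static tcp \S+ \d+ interface \S+ (\d+)$", s):
            forwards.append(int(m[1]))                        # public (outside) port
    return port_maps, class_maps, policies, forwards

def audit(cfg, policy="sdm-pol-NATOutsideToInside-1"):
    """Return ({public port: inspecting class or None}, [notes on match-all classes with >1 ACL])."""
    port_maps, class_maps, policies, forwards = parse_ios(cfg)
    port_to_class = {}
    for name in policies.get(policy, []):                     # only classes actually applied out->in
        for m in class_maps.get(name, {"matches": []})["matches"]:
            if m[1] == "protocol" and m[2] in port_maps:
                port_to_class[port_maps[m[2]]] = name
    acl_lines = {n: sum(m[1] == "access-group" for m in c["matches"]) for n, c in class_maps.items()}
    findings = [f"{n}: match-all class has {k} access-group lines"
                for n, k in acl_lines.items() if k > 1 and class_maps[n]["mode"] == "match-all"]
    return {port: port_to_class.get(port) for port in forwards}, findings
```

Run `audit(open("running-config.txt").read())` against a full `show config` dump; a forward that maps to `None` has no inspect class on the out-to-in zone-pair, so the firewall, not NAT, is where to look first.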
