Cisco 881 Port Forwarding Config

Unanswered Question
May 31st, 2012

Hello,

Let me first apologize for my lack of knowledge in IOS and Cisco products; a client of mine recently purchased a Cisco 881 and is trying to achieve simple results.

First he would like two ports forwarded to his internal webserver (80, 5900).

Secondly he wants to set up a VPN solution so he can access his network from home using the Cisco VPN Client.

After much reading I have created a configuration for the device to take care of his first request. I have not attempted the VPN side of the project at all as I want to be sure I am headed in the right direction and I am understanding everything correctly. Below is the current configuration of the device. Is this configuration correct for trying to achieve step 1 of what he would like me to configure?

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2012.05.31 18:16:08 =~=~=~=~=~=~=~=~=~=~=~=
show run
Building configuration...

Current configuration : 8186 bytes
!
! Last configuration change at 17:27:25 PCTime Thu May 31 2012 by cisco
! NVRAM config last updated at 17:27:23 PCTime Thu May 31 2012 by cisco
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname compgallery
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$fpXD$p3Mkcm1fxW7zdPxYczd/h/
!
no aaa new-model
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2031701705
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2031701705
 revocation-check none
 rsakeypair TP-self-signed-2031701705
!
!
crypto pki certificate chain TP-self-signed-2031701705
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303331 37303137 3035301E 170D3132 30353331 32323133
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30333137
  30313730 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CDA4 7793B847 0DAFCE01 8B98A945 11B25D8A 868F98CE C47C92BF C0EE01FF
  CE7544EA 811E3012 4E9D1FD7 A693A292 3B8E40B9 264089A2 87BEC114 A3CBE27F
  853837BB 9DB63E79 029D647E D302A640 BEDB1A2C 61686A40 AA334625 AE44B92B
  7288BE92 532D2D07 BFD83243 184BDE8D 03C3AE50 B18D8902 2076DD13 AEF50493
  B0DF0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 145BC724 3F863D14 26FB30EE 058200DC 97A5DF00
  10301D06 03551D0E 04160414 5BC7243F 863D1426 FB30EE05 8200DC97 A5DF0010
  300D0609 2A864886 F70D0101 04050003 81810004 BEF22A40 C5014A11 D78BAF5B
  94B43844 209C3771 83286FD4 DC68D1D8 4013D4C4 0BCB5B7E 3BF101B3 119D83C1
  20DCEC1E 03B81A02 22ECA604 16C5CADA 13F169BC CFBAFF0A FAAF50A6 8F465E38
  F4A51DC1 7E481C78 8ED599AC 20B507FE C0D10A15 16D60004 EBEB08E8 A7751D8C
  7341D8C1 A9104379 7A473064 A30841FF C4EB9D
            quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 72.240.13.5 72.240.13.7
   default-router 192.168.1.1
!
!
ip cef
no ip bootp server
ip domain name compgallery.com
ip name-server 72.240.13.5
ip name-server 72.240.13.7
ip port-map user-protocol--1 port tcp 5900
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX160285BS
!
!
username compgallery privilege 15 secret 5 $1$SyVp$c0pXe/HXOr7qA6pEjfssB.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 72.240.126.183 255.255.255.128
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.20 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.20 5900 interface FastEthernet4 5900
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 72.240.126.128 0.0.0.127 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.20
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.20
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 no modem enable
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
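Added example, not part of the original post and not Cisco's code: a small Python audit that answers the poster's question mechanically. On an IOS zone-based firewall the out-zone to in-zone policy classifies forwarded traffic on the post-NAT (inside) address and port, which is why CCP generated `permit ip any host 192.168.1.20` for ACLs 101/102 and an `ip port-map` for tcp/5900. The script parses a trimmed copy of the relevant lines of the running-config above (embedded as SAMPLE_CONFIG), cross-checks each `ip nat inside source static` entry against the inspect class-maps, policy-maps and zone-pairs, and flags the two management-plane settings a reviewer would raise (telnet on the vty lines, cleartext `ip http server`). The function names (`audit`, `parse_blocks`, `class_matches`) and the small BUILTIN_PORTMAP table are my own; only three of the many IOS built-in port-map entries are listed.

```python
"""Cross-check IOS static NAT port forwards against the zone-based firewall policy.
Added example for the post above (not Cisco's, not the poster's); it also flags the
management-plane settings a reviewer would raise on this config."""
import re

# Trimmed copy of the relevant lines from the running-config posted above.
SAMPLE_CONFIG = """\
ip port-map user-protocol--1 port tcp 5900
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
ip http server
ip nat inside source static tcp 192.168.1.20 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.20 5900 interface FastEthernet4 5900
access-list 101 permit ip any host 192.168.1.20
access-list 102 permit ip any host 192.168.1.20
line vty 0 4
 transport input telnet ssh
"""
BUILTIN_PORTMAP = {"http": ("tcp", 80), "https": ("tcp", 443), "ssh": ("tcp", 22)}  # IOS built-ins

def parse_blocks(text):
    """Group config text into (top-level line, [indented sub-lines]) pairs; skip '!' and blanks."""
    blocks = []
    for raw in (l for l in text.splitlines() if l.strip() and not l.startswith("!")):
        if raw[0] in " \t" and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def parse_policy(body):
    """Return {class_name: action} for one 'policy-map type inspect' body."""
    actions, current = {}, None
    for line in body:
        if line.startswith("class "):
            current = line.split()[-1]          # 'class type inspect X' / 'class class-default'
        elif current:
            actions[current] = line.split()[0]  # inspect / pass / drop ('drop log' -> drop)
    return actions

def class_matches(spec, proto, ip, port, portmap, acls):
    """True if an inspect class-map selects proto/port to ip (the post-NAT view)."""
    (mode, lines), results = spec, []
    for line in lines:
        if m := re.match(r"match protocol (\S+)$", line):  # port-map name or bare tcp/udp
            results.append(portmap.get(m[1]) == (proto, port) or m[1] == proto)
        elif m := re.match(r"match access-group (\d+)$", line):
            results.append(any(act == "permit" and (rest.endswith(f"host {ip}") or rest.endswith(" any"))
                               for act, _p, rest in acls.get(m[1], [])))
        else:
            results.append(False)  # e.g. 'match class-map': not modelled, count as no match
    return bool(results) and (all(results) if mode == "all" else any(results))

def audit(text):
    """Return {'forwards': [(description, [permitting zone-pair/class, ...])], 'management': [...]}."""
    portmap, classes, policies, pairs, acls, nats, mgmt = dict(BUILTIN_PORTMAP), {}, {}, [], {}, [], []
    for header, body in parse_blocks(text):
        if m := re.match(r"ip port-map (\S+) port (tcp|udp) (\d+)$", header):
            portmap[m[1]] = (m[2], int(m[3]))
        elif m := re.match(r"class-map type inspect match-(all|any) (\S+)$", header):
            classes[m[2]] = (m[1], body)
        elif m := re.match(r"policy-map type inspect (\S+)$", header):
            policies[m[1]] = parse_policy(body)
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)$", header):
            sp = [b for b in body if b.startswith("service-policy type inspect ")]
            pairs.append((m[1], m[2], sp[0].split()[-1] if sp else None))
        elif m := re.match(r"access-list (\d+) (permit|deny) (\S+) (.*)$", header):
            acls.setdefault(m[1], []).append((m[2], m[3], m[4]))
        elif m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$", header):
            nats.append((m[1], m[2], int(m[3]), int(m[4])))
        elif header == "ip http server":
            mgmt.append("ip http server: cleartext HTTP management enabled")
        elif header.startswith("line vty"):
            mgmt += [f"{header}: {b} (cleartext telnet accepted)"
                     for b in body if b.startswith("transport input") and "telnet" in b.split()]
    forwards = []
    for proto, ip, in_port, out_port in nats:
        allowed_by = [f"{src}->{dst} via {pol}/{cls}"
                      for src, dst, pol in pairs if pol in policies
                      for cls, action in policies[pol].items()
                      if action in ("inspect", "pass") and cls in classes
                      and class_matches(classes[cls], proto, ip, in_port, portmap, acls)]
        forwards.append((f"{proto}/{out_port} -> {ip}:{in_port}", allowed_by))
    return {"forwards": forwards, "management": mgmt}

if __name__ == "__main__":
    for fwd, allowed in audit(SAMPLE_CONFIG)["forwards"]:
        print(fwd, "allowed by " + "; ".join(allowed) if allowed else "DROPPED by the firewall")
```

Run against the posted config this reports both forwards as permitted by `sdm-zp-NATOutsideToInside-1`, so step 1 is wired up consistently; delete the `ip port-map` line and the tcp/5900 forward is reported as dropped, which is the usual failure when a CCP-generated forward is edited by hand. The management findings are the caveats a reviewer would add: `transport input telnet ssh` should become `transport input ssh`, and `ip http server` can go once `ip http secure-server` is in use. Separately, forwarding VNC (tcp/5900) to the whole Internet is the part of this design to push back on; restricting ACL 102 to the client's source addresses, or reaching VNC over the VPN planned for step 2 instead of forwarding it, is the safer shape.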
