RTMP Server fw rules

CombinedEffort
Level 1

Hi All,

I'm hosting a Flash Media Server on tcp port 1935, but my Cisco 857 seems to be refusing to forward packets from the external interface to the internal server. I swapped out the 857 for a Speedtouch ST510 and it forwarded the packets fine.

The rule I have on the 857 is :

ip nat inside source static tcp 192.168.0.2 1935 interface Dialer0 1935

which I assume is sufficient? Any handy debug statements to help me figure out why packets are being dropped?

Cheers,

Rich.

Accepted Solution

Richard,

Seems like

access-list 1 is tied to the nat overload

access-list 103 looks like it is applied IN on the outside

access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any
access-list 103 permit tcp any any eq 1935  -----------> (the "deny ip any any" above this line will not permit this line)

The permit that you added, is below the deny so this flow is getting denied.

You need to remove the deny, add this line and then add the explicit deny or insert the permit for port 1935 above
the deny.

You can do the following

config t
ip access-list ext 103
1 permit tcp any any eq 1935

issue a sh access-list 103 and note down the sequence number for the last line after the "deny ip any any"
and you can remove that

conf t
ip access-list ext 103
no

-KS

6 Replies

Jennifer Halim
Cisco Employee

I assume you already have "ip nat inside" on your internal interface, and "ip nat outside" on Dialer0 interface?

What about ACL, do you have any configured on the Dialer0 interface?

Thank for taking the time to reply.

I have the following configured:


interface Vlan1
ip nat inside


interface Dialer0
ip nat outside


ip nat inside source static tcp 192.168.0.2 25 interface Dialer0 25
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80
ip nat inside source static tcp 192.168.0.2 110 interface Dialer0 110
ip nat inside source static tcp 192.168.0.2 993 interface Dialer0 993
ip nat inside source static tcp 192.168.0.2 443 interface Dialer0 443
ip nat inside source static tcp 192.168.0.2 1935 interface Dialer0 1935
ip nat inside source static tcp 192.168.0.2 6881 interface Dialer0 6881
ip nat inside source static udp 192.168.0.2 4444 interface Dialer0 4444


access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 remark auto generated by Cisco SDM Express firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by Cisco SDM Express firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq 993
access-list 103 permit tcp any any eq pop3
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq smtp
access-list 103 deny   ip 192.168.0.0 0.0.0.255 any
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any
access-list 103 permit tcp any any eq 1935
dialer-list 1 protocol ip permit
no cdp run

The 'first' lot of fw rules (ports 80,25,??) were configured via SDM Express (I'm learning, alright!) and I hoped by merely adding

ip nat inside source static tcp 192.168.0.2 1935 interface Dialer0 1935
access-list 103 permit tcp any any eq 1935

I would allow 1935 through - maybe there is more to it than that... Also, I did this:

cisco#debug ip packet detail
IP packet debugging is on (detailed)
cisco#
000170: *Mar 19 01:17:45.918: IP: s=82.132.248.155 (Dialer0), d=62.49.68.200, len 52, access denied
000171: *Mar 19 01:17:45.918:     TCP src=44766, dst=1935, seq=568284441, ack=0, win=49640 SYN
000172: *Mar 19 01:17:46.370: IP: s=194.159.169.245 (Dialer0), d=224.0.0.5, len 76, access denied, proto=89
000173: *Mar 19 01:17:49.299: IP: s=82.132.248.155 (Dialer0), d=62.49.68.200, len 52, access denied
000174: *Mar 19 01:17:49.299:     TCP src=44766, dst=1935, seq=568284441, ack=0, win=49640 SYN

82.132.248.155 is my client and 62.49.68.200 is my server - you can see an access denied message in the above log - is there any way of getting *what* rule caused that?

TIA

Rich.

Richard

Can you post router config as it is unclear which acls are applied to which interfaces ?

Jon

Thanks all - working now.

I should've realised fw rules were applied sequentially, like in good 'ole ipchains / iptables.

I had to remove the offending 1935 rule before I was able to add it again with a lower sequence number, but that's to be expected.

I just need to remember to do a copy running-config startup-config...

Cheers,

Rich.

The permit statement for port 1935 should be above the deny any any statement, as the access-list is processed from top to bottom.

Here is what you can add:

ip access-list extended 103

      1 permit tcp any any eq 1935

Hope that helps.
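As an added illustration (not code from the thread or from Cisco), the following Python model evaluates access-list 103 the way IOS does, top to bottom with the first match deciding, using the ACL exactly as Rich posted it and the SYN from his debug output (82.132.248.155 to 62.49.68.200 port 1935). It answers his "which rule caused that?" question by returning the matching entry, and then replays the accepted fix: insert the permit at sequence 1 and remove the unreachable permit that sat below "deny ip any any". Sequence numbers 10, 20, 30 ... follow IOS's default numbering of a numbered ACL's lines and are an assumption of the model, as is the simplified grammar (no source ports, no `range`/`established`).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# access-list 103 as posted in the thread, remarks dropped. IOS numbers the
# lines 10, 20, 30 ... in the order they were entered (assumed here).
ACL_103_AS_POSTED = """
permit tcp any any eq 443
permit tcp any any eq 993
permit tcp any any eq pop3
permit tcp any any eq www
permit tcp any any eq smtp
deny   ip 192.168.0.0 0.0.0.255 any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
deny   ip any any
permit tcp any any eq 1935
"""
NAMED_PORTS = {"pop3": 110, "www": 80, "smtp": 25}  # IOS keywords used in the posted ACL

@dataclass
class Ace:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp", "udp" or "icmp"
    src: Tuple[int, int]      # (network, fixed-bit mask): wildcard bits already cleared
    dst: Tuple[int, int]
    dport: Optional[int]      # destination port from "eq <port>", if present
    icmp_type: Optional[str]  # e.g. "echo-reply", if present
    text: str

def _parse_addr(tok: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tok[i] == "any":
        return (0, 0), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0xFFFFFFFF), i + 2
    addr = int(ipaddress.IPv4Address(tok[i]))
    fixed = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # wildcard 0-bits must match
    return (addr & fixed, fixed), i + 2

def parse_acl(text: str, start_seq: int = 10, step: int = 10) -> List[Ace]:
    """Parse the subset of extended-ACL syntax that appears in the thread."""
    aces, seq = [], start_seq
    for raw in text.strip().splitlines():
        tok = raw.split()
        src, i = _parse_addr(tok, 2)
        dst, i = _parse_addr(tok, i)
        dport = icmp_type = None
        if i < len(tok):
            if tok[i] == "eq":
                dport = NAMED_PORTS.get(tok[i + 1]) or int(tok[i + 1])
            elif tok[1] == "icmp":
                icmp_type = tok[i]
        aces.append(Ace(seq, tok[0], tok[1], src, dst, dport, icmp_type, " ".join(tok)))
        seq += step
    return aces

def _addr_match(spec: Tuple[int, int], ip: str) -> bool:
    net, fixed = spec
    return (int(ipaddress.IPv4Address(ip)) & fixed) == net

def evaluate(aces, proto, src, dst, dport=None, icmp_type=None):
    """Walk the list top to bottom; the FIRST matching entry decides, as IOS does.
    Returns (verdict, matching Ace) so you can see which line caused a drop."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(ace.src, src) and _addr_match(ace.dst, dst)):
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        if ace.icmp_type is not None and ace.icmp_type != icmp_type:
            continue
        return ace.action, ace
    return "deny", None  # the implicit deny at the end of every IOS ACL

def insert(aces: List[Ace], seq: int, line: str) -> List[Ace]:
    """Mimic '<seq> permit ...' under 'ip access-list extended 103': the entry
    lands at its sequence number, not at the bottom."""
    if any(a.seq == seq for a in aces):
        raise ValueError(f"sequence {seq} already in use; remove it first")
    return sorted(aces + [parse_acl(line, start_seq=seq)[0]], key=lambda a: a.seq)

def remove(aces: List[Ace], seq: int) -> List[Ace]:
    """Mimic 'no <seq>' under 'ip access-list extended 103'."""
    return [a for a in aces if a.seq != seq]

# The SYN from the debug output in the thread (inbound on Dialer0, seen before NAT).
CLIENT, SERVER_PUBLIC = "82.132.248.155", "62.49.68.200"

def demo():
    acl = parse_acl(ACL_103_AS_POSTED)
    before = evaluate(acl, "tcp", CLIENT, SERVER_PUBLIC, dport=1935)
    fixed = remove(insert(acl, 1, "permit tcp any any eq 1935"), 170)  # the accepted fix
    after = evaluate(fixed, "tcp", CLIENT, SERVER_PUBLIC, dport=1935)
    return (before[0], before[1].seq), (after[0], after[1].seq)

if __name__ == "__main__":
    (v1, s1), (v2, s2) = demo()
    print(f"as posted: {v1} by seq {s1}; with the permit at seq 1: {v2} by seq {s2}")
```

Run as is, it reports the SYN denied by the "deny ip any any" line (seq 160 in this numbering) and permitted by seq 1 after the fix. On the real router the equivalent checks are `show access-lists 103`, whose per-line match counters climb on the entry that is catching the traffic, and the `log` keyword on an individual entry. One thing the model makes visible: a permit at sequence 1 sits above the anti-spoofing denies for 10/8, 172.16/12, 192.168/16 and friends, so a packet claiming a private source address reaches port 1935; that is consistent with how SDM placed the other service permits (443, 993, pop3, www, smtp are above those denies too), but if you would rather the spoof checks run first, insert the permit just above "deny ip any any" instead (seq 155 in this numbering).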
