Cisco Support Community
Port forwarding on a Cisco 881 router not working with access lists?

I need to port forward on a Cisco 881. There are 3 subnets configured (10, 172, 192) and ACLs for NAT, and VLAN ACLs that block certain IPs from within the local network and from the outside network coming in. I'm trying to get ports open for internal IP 192.168.46.200 (ports 22, 554, and 88) and access them from public port 7000.

Here is the config for the Cisco 881. What I have tried for the port forward is a static NAT command...

enable secret pass
 
clock timezone CST -6
clock summer-time CDT recurring
ip cef
 
vlan 10
 name 46-Office
vlan 192
 name 46-Camera
vlan 172
 name 46-Register
 
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.42.1.240 10.42.1.254
 
!
ip dhcp pool 42-data
   network 10.42.1.0 255.255.255.0
   default-router 10.42.1.254
   domain-name xxxxxxxx
   dns-server 208.67.222.222 208.67.220.220
 
   
!
!
no ip domain lookup
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall netshow
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip inspect name Firewall ssh
!
interface FastEthernet0
 description == To LAN Switch ==
 spanning-tree portfast
 switchport mode trunk
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 description == To Camera Switch ==
 switchport access vlan 192
 
!
interface FastEthernet4
 description == Internet Connection ==
 ip address xx.xx.xx.xx 255.255.255.192
 ip access-group Firewall-in in
 no ip proxy-arp
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no shut
 
interface Vlan1
 shutdown
 
interface Vlan10
 description = Store 46 Office LAN =
 ip address 10.46.1.254 255.255.255.0
 ip nat inside
 ip inspect Firewall in
 ip virtual-reassembly
 ip access-group 42-Office in
 
interface Vlan192 <-----where host 192.168.46.200 resides
 description = Store 46 Camera LAN =
 ip address 192.168.46.254 255.255.255.0
 ip nat inside
 ip inspect Firewall in
 ip virtual-reassembly
 ip access-group 46-Cameras in
 ip access-group 46-Cameras-in in
 
interface Vlan172
 description = Store 46 Register LAN =
 ip address 172.16.46.254 255.255.255.0
 ip nat inside
 ip inspect Firewall in
 ip virtual-reassembly
 ip access-group PCI-IN in
 
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx
ip route 0.0.0.0 0.0.0.0 dhcp
!
 
ip access-list extended Firewall-in
 permit udp any eq bootps any eq bootpc
 permit udp any any eq isakmp
 permit esp any any
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit udp any any eq 3074
 permit tcp any any eq 3074
 permit tcp any any eq www
 permit tcp any any eq 88
 permit udp any any eq 88
 permit icmp any any traceroute
 permit tcp any 192.168.46.200 eq 22
 permit tcp any 192.168.46.200 eq 554
 permit tcp any 192.168.46.200 eq 7000
 deny   ip any any
 
ip access-list extended Inside-NAT
 deny   ip 10.46.1.0 0.0.0.255 172.16.46.0 0.0.0.255
 deny   ip 172.16.46.0 0.0.0.255 10.46.1.0 0.0.0.255
 permit ip 10.46.1.0 0.0.0.255 any
 permit ip 172.16.46.0 0.0.0.255 any
 permit ip 192.168.46.0 0.0.0.255 any
 
 
 
ip access-list extended 46-Office <---vlan 10 access group out
 permit ip any any
 permit ip 192.168.46.0 0.0.0.255 10.46.1.0 0.0.0.255
 deny ip any any
 
ip access-list extended 46-Office-in <----vlan 10 access group in
 permit udp any eq bootpc any eq bootps
 permit ip any any
 
ip access-list extended 46-Cameras <---vlan 192 access group out
 permit tcp any any eq 22
 permit tcp any any eq 554
 permit tcp any any eq 7000
 permit ip any any
 deny ip any any
 
ip access-list extended 46-Cameras-in <---vlan 192 access group in
 permit tcp any eq 22 any
 permit tcp any eq 554 any
 permit tcp any eq 7000 any
 permit ip any any
 
ip access-list extended PCI-IN
 permit ip any any
 
ip access-list extended PCI-OUT
 permit ip any any
 
!
!
!
!
route-map NAT permit 10
 match ip address Inside-NAT
 
ip nat inside source static tcp 192.168.46.200 22 interface FastEthernet 4 22
ip nat inside source static tcp 192.168.46.200 554 interface FastEthernet 4 554
ip nat inside source static tcp 192.168.46.200 7000 interface FastEthernet 4 7000
ip nat inside source static tcp 192.68.46.200 80 interface FastEthernet 4 80
ip nat inside source route-map NAT interface FastEthernet4 overload
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 
 login
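A read-only lint for two of the pitfalls visible in the posted config, added here as an example and not part of the original post: IOS keeps only one ip access-group per direction on an interface (Vlan192 has two inbound, so only the last one applies), and an inbound ACL on the ip nat outside interface is evaluated before NAT translates the destination, so an entry naming the inside-local address as destination (as Firewall-in does for 192.168.46.200) can never match. The excerpt it runs over is a constructed cut-down of the poster's config; the parser assumes named extended ACLs and never talks to a device.

```python
import ipaddress
# Constructed excerpt modelled on the post's config, not the poster's full text.
SAMPLE_CONFIG = """\
interface Vlan192
 ip access-group 46-Cameras in
 ip access-group 46-Cameras-in in
interface FastEthernet4
 ip nat outside
 ip access-group Firewall-in in
ip access-list extended Firewall-in
 permit tcp any 192.168.46.200 eq 22
 permit tcp any any eq 88
"""

def acl_destination(ace):
    # Extended ACE layout: action proto source [op port] destination [op port]
    t = ace.split()
    i = 3 if t[2] == "any" else 4            # 'host X' and 'X wildcard' both take two tokens
    if i < len(t) and t[i] in ("eq", "gt", "lt", "neq"):
        i += 2                               # skip a source port qualifier
    if i < len(t) and t[i] == "host":
        i += 1
    return t[i] if i < len(t) else None

def lint_ios(config):
    # Read-only check for two ACL/NAT pitfalls visible in the posted config.
    acls, ifaces, cur, out = {}, {}, None, []
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"groups": [], "outside": False})
        elif line.startswith("ip access-list extended "):
            cur = acls.setdefault(line.split()[3], [])
        elif isinstance(cur, list) and line.split(" ", 1)[0] in ("permit", "deny"):
            cur.append(line)
        elif isinstance(cur, dict) and line == "ip nat outside":
            cur["outside"] = True
        elif isinstance(cur, dict) and line.startswith("ip access-group "):
            cur["groups"].append(tuple(line.split()[2:4]))
    for name, d in ifaces.items():
        for direction in ("in", "out"):
            names = [g for g, dr in d["groups"] if dr == direction]
            if len(names) > 1:  # IOS keeps one access-group per direction; the last one wins
                out.append(f"{name}: several access-groups {direction}; only {names[-1]} is active")
            if names and d["outside"] and direction == "in":
                # Inbound ACL on the NAT outside interface runs before translation: a private
                # (inside-local) destination is never seen, so the ACE must name the public address.
                for ace in acls.get(names[-1], []):
                    dst = acl_destination(ace)
                    if dst and dst[0].isdigit() and ipaddress.ip_address(dst).is_private:
                        out.append(f"{name}: '{ace}' has a private destination; use the public address")
    return out
```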