Cisco 881 Port forwarding

matthew_shin
Level 1

Hi,

I am trying to set up port forwarding for our DB server.

Forwarding from outside to 172.16.10.100 for port 1433 is required.

We are using a Cisco 881 for TPG EFM and the current running config is below.

Our public IP is x.x.x.x and DB server is 172.16.10.100.

Internet works fine, but port 1433 is not forwarding to the server from outside and I'm not able to access RDP to the server either.

Please correct settings for me.

 

 

hostname router1
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$fTRI$bgFgMkdStoAKC2Xh3cwD01
enable password router1
!
no aaa new-model
memory-size iomem 10
!
 
!
ip dhcp excluded-address 172.16.10.1
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.16.10.100
ip dhcp excluded-address 172.16.10.101
!
ip dhcp pool NET-POOL
 import all
 network 172.16.10.0 255.255.255.0
 default-router 172.16.10.1
 dns-server 203.12.160.36
 lease 9
!
!
!
no ip domain lookup
ip domain name router1.local
ip name-server 203.12.160.35
ip name-server 203.12.160.36
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL1821243Q
!
!
username admin privilege 15 secret 5 2wf23sdas
!
 
!
ip ssh time-out 60
ip ssh rsa keypair-name sshkeys
ip ssh version 2
ip ssh pubkey-chain
  username admin
 
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 description $ETH_LAN$
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer0
 no ip address
 no cdp enable
!
interface Dialer1
 mtu 1492
 ip ddns update DDNS
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1436
 dialer pool 1
 ppp chap hostname xxxxx@pig.tpg.com.au
 ppp chap password 0 xxxxxx
 ppp pap sent-username xxxx@pig.tpg.com.au password 0 xxxxxx
 no cdp enable
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list ACL_NAT_ALLOW interface Dialer1 overload
ip nat inside source static tcp 172.16.10.100 3389 interface Dialer1 3389
ip nat inside source static tcp 172.16.10.100 1433 interface Dialer1 1433
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended ACL_NAT_ALLOW
 permit ip any any
 permit tcp any any eq 1433
 permit tcp any any eq 3389
 permit tcp any any
 permit ip 172.16.10.0 0.0.0.255 any
 permit tcp any any eq www
 permit tcp any host 172.16.10.100 eq 1433
 permit gre any host 172.16.10.100
ip access-list extended ACL_OUTSIDE-to-INSIDE
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any ttl-exceeded
 permit icmp any any unreachable
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any eq telnet
 permit tcp any any eq 3389
 permit tcp any any
 permit udp any any
 permit tcp any any eq 1433
!
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 1 permit 172.16.10.0 0.0.0.255
access-list 1 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 55 permit 203.12.160.5
access-list 55 permit 172.29.0.3
access-list 55 permit 172.29.0.4
access-list 55 permit 172.29.0.10
no cdp run
!
snmp-server community tpgframe RO 55
snmp-server enable traps tty
 
 
 
 
 

Accepted Solutions

ghostinthenet
Level 7

I can't see anything wrong with the NAT forwarding in this configuration. What happens when you try the following from the router's CLI?

telnet 172.16.10.100 1433 /source-interface Dialer1
telnet 172.16.10.100 3389 /source-interface Dialer1
telnet 172.16.10.100 1433
telnet 172.16.10.100 3389

 

 

We've been using the server for many years and the only thing we did was change the router. Port 1433 and 3389 should be open on the server.

Any other ideas?

Part of this was for testing the port and the other was for testing the routing. Were all four commands successful from the router?

It's working now. I don't know why. It didn't work with these settings last night, but now it's working. Thank you very much for your help.

michael o'nan
Level 4
ip nat inside source static tcp 172.16.10.100 1433 interface Dialer1 1433

 

That line of config should port forward a connection coming from Dialer1 on port 1433 to 172.16.10.100. Are you sure the server is listening on port 1433?

 

I haven't checked it, but it had been running OK before we changed the router. We used to have ADSL with a normal ADSL modem and we changed the Internet service to Ethernet, so we changed the router. We are using reservation software for a hotel and the software provider said that port forwarding needs to be configured on the router.

Do you have any idea?
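
An added example, not part of any post in this thread and not Cisco tooling: a small Python audit that lists each static NAT port forward in an IOS running-config together with the inbound ACL bound to its outside interface, and names the ACLs that are defined but never referenced. `SAMPLE_CONFIG` is an excerpt constructed from the configuration in the original post; `audit` and its tuple layout are hypothetical names.

```python
import re

# Constructed excerpt: the lines of the posted running-config that matter here.
SAMPLE_CONFIG = """\
interface Dialer1
 ip nat outside
!
ip nat inside source list ACL_NAT_ALLOW interface Dialer1 overload
ip nat inside source static tcp 172.16.10.100 3389 interface Dialer1 3389
ip nat inside source static tcp 172.16.10.100 1433 interface Dialer1 1433
!
ip access-list extended ACL_NAT_ALLOW
 permit ip any any
ip access-list extended ACL_OUTSIDE-to-INSIDE
 permit tcp any any eq 3389
 permit tcp any any eq 1433
"""

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
ACL_DEF = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
ACL_BIND = re.compile(r"^\s+ip access-group (\S+) in\b")


def audit(config):
    """Return (forwards, unreferenced_acls) for an IOS running-config string."""
    forwards, bound, defined, other_tokens = [], {}, [], set()
    iface = None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
        elif line and not line[0].isspace():
            iface = None  # a new top-level command ends the interface block
        acl = ACL_DEF.match(line)
        if acl:
            defined.append(acl.group(1))
            continue  # the definition line itself is not a reference
        other_tokens.update(line.split())
        bind = ACL_BIND.match(line)
        if bind and iface:
            bound[iface] = bind.group(1)
        nat = STATIC_NAT.match(line)
        if nat:
            proto, host, port, out_if, out_port = nat.groups()
            forwards.append((proto, int(out_port), host, int(port), out_if))
    # Attach the inbound ACL (or None) of the interface each forward listens on.
    report = [f + (bound.get(f[4]),) for f in forwards]
    return report, [name for name in defined if name not in other_tokens]
```

On the posted configuration this reports both forwards (3389 and 1433) with no inbound ACL on Dialer1 and flags ACL_OUTSIDE-to-INSIDE as unreferenced, because no interface carries an `ip access-group` line.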
