Cisco Support Community


Port Forwarding & Access List Problems

Good morning all,

 

I am trying to set up port forwarding for a web server we have hosted here on IP 192.168.0.250. I have set up access lists and port forwarding configurations, and I cannot seem to access the server from outside the network. I've included my config file below; any help would be greatly appreciated! I've researched a lot lately but I'm still learning. Side note: I've replaced the external IP address with 1.1.1.1.

I've added the bold lines in the config file below in hopes of forwarding port 80 to 192.168.0.250, to no avail. You may notice I don't have access-list 102, which I created, on any interfaces. This is because whenever I add it to FastEthernet0/0, our internal network loses connection to the internet.

 

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname pantera-office
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$JP.D$6Oky5ZhtpOAbNT7fLyosy/
!
aaa new-model
!
!
aaa authentication login default local
!
!
aaa session-id common
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.150
ip dhcp excluded-address 192.168.0.251 192.168.0.254
!
ip dhcp pool private
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 8.8.8.8 8.8.4.4 
   default-router 192.168.0.1 
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip domain name network.local
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4211276024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4211276024
 revocation-check none
 rsakeypair TP-self-signed-4211276024
!
!
crypto pki certificate chain TP-self-signed-4211276024
 certificate self-signed 01
  3082025A 308201C3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 34323131 32373630 3234301E 170D3132 30383232 32303535 
  31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 32313132 
  37363032 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B381 8073BAC2 C322B5F5 F9595F43 E0BE1A27 FED75A75 68DFC6DD 4C062626 
  31BFC71F 2C2EF48C BEC8991F 2FEEA980 EA5BC766 FEBEA679 58F15020 C5D04881 
  1D6DFA74 B49E233A 8D702553 1F748DB5 38FDA3E6 2A5DDB36 0D069EF7 528FEAA4 
  93C5FA11 FBBF9EA8 485DBF88 0E49DF51 F5F9ED11 9CF90FD4 4A4E572C D6BE8A96 
  D61B0203 010001A3 8181307F 300F0603 551D1301 01FF0405 30030101 FF302C06 
  03551D11 04253023 82217061 6E746572 612D6F66 66696365 2E70616E 74657261 
  746F6F6C 732E6C6F 63616C30 1F060355 1D230418 30168014 31F245F1 7E3CECEF 
  41FC9A27 62BD24CE F01819CD 301D0603 551D0E04 16041431 F245F17E 3CECEF41 
  FC9A2762 BD24CEF0 1819CD30 0D06092A 864886F7 0D010104 05000381 8100604D 
  14B9B30B D2CE4AC1 4E09C4B5 E58C9751 11119867 C30C7FDF 7A02BDE0 79EB7944 
  82D93E04 3D674AF7 E27D3B24 D081E689 87AD255F B6431F94 36B0D61D C6F37703 
  E2D0BE60 3117C0EC 71BB919A 2CF77604 F7DCD499 EA3D6DD5 AB3019CA C1521F79 
  D77A2692 DCD84674 202DFC97 D765ECC4 4D0FA1B7 0A00475B FD1B7288 12E8
  quit
!
!
username pantera privilege 15 password 0 XXXX
username aneuron privilege 15 password 0 XXXX
archive
 log config
  hidekeys
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxx address 2.2.2.2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 description Tunnel to 2.2.2.2
 set peer 2.2.2.2
 set transform-set ESP-3DES-SHA 
 match address 100
!
!
!
!
!
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address 2.2.2.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
!
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.254 20 1.1.1.1 20 extendable
ip nat inside source static tcp 192.168.0.254 21 1.1.1.1 21 extendable
ip nat inside source static tcp 192.168.0.252 22 1.1.1.1 22 extendable
ip nat inside source static tcp 192.168.0.252 25 1.1.1.1 25 extendable
ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
ip nat inside source static tcp 192.168.0.252 110 1.1.1.1 110 extendable
ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.252 587 1.1.1.1 587 extendable
ip nat inside source static tcp 192.168.0.252 995 1.1.1.1 995 extendable
ip nat inside source static tcp 192.168.0.252 8080 1.1.1.1 8080 extendable
ip nat inside source static tcp 192.168.0.249 8096 1.1.1.1 8096 extendable
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.0.0 0.0.0.255 10.0.100.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark Web Server ACL
access-list 102 permit tcp any any
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps ds1
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps envmon
snmp-server enable traps flash insertion removal
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps bgp
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ipsla
snmp-server enable traps rf
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end
 
 
Any/all help is greatly appreciated! I'm sorry if I sound like a newbie!
 
-Evan
  • WAN Routing and Switching
1 REPLY

Hello,

 

According to the config you posted, 2.2.2.2 is your WAN IP address and 1.1.1.1 is the next-hop address for your WAN connection. The ip nat configuration for port forwarding should look like:

ip nat inside source static tcp 192.168.0.250 80 2.2.2.2 80

 

If your provider assigns a dynamic IPv4 address to the WAN interface, you can use:

ip nat inside source static tcp 192.168.0.250 80 interface FastEthernet0/0 80

 

Verify the settings with show ip nat translation.

Your access list 102 permits only TCP traffic. If you apply the ACL to an interface, DNS won't work anymore (nor will any other UDP traffic). You might want to use a stateful firewall solution like CBAC or ZBF, combined with an inbound ACL on the WAN interface.

 

Best Regards

Lukasz

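The following is an added worked example of the fix Lukasz describes, written as IOS 12.4 configuration; it is not from the original thread or from either poster. It assumes, from the posted config, that FastEthernet0/0 is the WAN interface with address 2.2.2.2, FastEthernet0/1 is the LAN, 192.168.0.250 is the web server, and 10.0.100.0/24 is the remote VPN subnet from access-list 100. The ACL name WAN_IN, the inspection rule name LAN_OUT and the <VPN-PEER-IP> placeholder are mine; the peer address is not recoverable from the sanitized post.

```cisco
! Added example (not from the thread): corrected port forwarding, CBAC stateful
! inspection and an inbound WAN ACL for the posted configuration.
! Assumptions: Fa0/0 = WAN (2.2.2.2), Fa0/1 = LAN, web server 192.168.0.250,
! remote VPN subnet 10.0.100.0/24 (from access-list 100), peer = <VPN-PEER-IP>.
!
! 1. Static NAT must reference the WAN interface (or its address), not the
!    next hop 1.1.1.1 used in the posted lines. If the router reports the old
!    static entry as in use, run "clear ip nat translation *" first.
no ip nat inside source static tcp 192.168.0.250 80 1.1.1.1 80 extendable
no ip nat inside source static tcp 192.168.0.250 443 1.1.1.1 443 extendable
ip nat inside source static tcp 192.168.0.250 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.0.250 443 interface FastEthernet0/0 443
!
! 2. CBAC: inspect sessions that originate on the LAN so their return traffic
!    (DNS and other UDP replies included) is let back in through the WAN ACL.
!    A plain "permit tcp any any" ACL, as in the posted access-list 102, drops it.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
ip inspect name LAN_OUT icmp
!
! 3. Inbound WAN ACL. Packets arriving on the outside interface are matched
!    against this ACL before NAT, so the web server is listed by its public
!    address, not by 192.168.0.250.
ip access-list extended WAN_IN
 remark published web server (pre-NAT: match the WAN address)
 permit tcp any host 2.2.2.2 eq www
 permit tcp any host 2.2.2.2 eq 443
 remark IPsec control and data plane from the VPN peer (address assumed)
 permit udp host <VPN-PEER-IP> host 2.2.2.2 eq isakmp
 permit udp host <VPN-PEER-IP> host 2.2.2.2 eq non500-isakmp
 permit esp host <VPN-PEER-IP> host 2.2.2.2
 remark decrypted tunnel traffic is checked against the inbound ACL again
 permit ip 10.0.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 remark everything else is dropped and logged; CBAC adds its openings above
 deny ip any any log
!
interface FastEthernet0/1
 ip inspect LAN_OUT in
!
interface FastEthernet0/0
 ip access-group WAN_IN in
!
! Verification:
!   show ip nat translations        static entries for 2.2.2.2:80 and :443
!   show ip inspect sessions        CBAC sessions opened from the LAN
!   show ip access-lists WAN_IN     hit counts on the permit/deny lines
```

The final deny line also keeps the router's own management services, including the SNMP community "public" and the vty lines that the posted config leaves without an access class, unreachable from the WAN; the other static NAT entries in the post (FTP, SSH, mail, 8080, 8096) would each need their own permit line on the 2.2.2.2 address in WAN_IN if they are still meant to be published.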