
871W DMZ port forwarding

Status
Not open for further replies.

kfriday

Technical User
Nov 3, 2008
1
CA
Hi,

I'm trying to set up a DMZ for a SIP server. I have VLAN1 and VLAN2-DMZ on port FE2.
I am unable to get any traffic forwarded to the SIP server from the FastEthernet4 interface. Can someone please look at my config and see what I am missing? Thanks.




Current configuration : 8856 bytes
!
! Last configuration change at 14:01:16 PCTime Mon Nov 3 2008 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname LibreSIP
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
logging console critical
enable secret 5 $1$ZZN.$oZf8YW6Kr9GS389Wa3Spa1
!
no aaa new-model
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.200 10.10.10.254
ip dhcp excluded-address 10.10.20.1 10.10.20.99
ip dhcp excluded-address 10.10.20.201 10.10.20.254
!
ip dhcp pool dpool1
network 10.10.10.0 255.255.255.0
dns-server 205.200.16.69 205.200.16.65
default-router 64.x.xx.xxx
!
ip dhcp pool dpoolVlan2
import all
network 10.10.20.0 255.255.255.0
dns-server 205.200.16.69 205.200.16.65
default-router 10.10.20.2
!
!
ip inspect name dmzinspect tcp
ip inspect name dmzinspect udp
ip tcp synwait-time 10
no ip bootp server
ip domain name LibreSIP.com
ip name-server 205.200.16.69
ip name-server 205.200.16.65
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-2832867886
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2832867886
revocation-check none
rsakeypair TP-self-signed-2832867886
!
!
crypto pki certificate chain TP-self-signed-2832867886
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 32383332 38363738 3836301E 170D3037 30393236 32313337
32385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38333238
36373838 3630819F 300D0609 2A864886 F70D0101 01050003
ADF36C41 00D0BCA3 968837A4 064941FF 3C4B686C 2C10122D E1E068C2 85D8398B
5100A868 60AA6FC2 067501FB AFDA543B DE8B1A6D 00CC78A2 31B18F68 888B6AD6
B6677294 9D71C761 91309B63 CD643EDC 31ECB923 849006C6 F32CED16 EAE5EE02
46790203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 154C6962 72655349 502E4C69 62726553 49502E63 6F6D301F
0603551D 23041830 168014D2 4AACD766 1A63FA4E 59827A8E 4F34CA69 A3BAB530
1D060355 1D0E0416 0414D24A ACD7661A 63FA4E59 827A8E4F 34CA69A3 BAB5300D
06092A86 4886F70D 01010405 00038181 00AA1EEF 7E0B40B3 14F37466 959CA46E
28217E55 CCFDB87F
64F3C51D F9DB38F3 744BF2E2 1959C160 46
quit
!
!
username admin privilege 15 secret 5
!
!
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
description DMZ SIParator
switchport access vlan 2
switchport trunk native vlan 2
!
interface FastEthernet3
switchport access vlan 2
switchport mode trunk
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 64.x.xx.xxx 255.255.255.248
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
ip route-cache flow
shutdown
!
ssid LibreSIP
authentication open
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.10.10.2 255.255.255.0
ip access-group 100 in
ip inspect dmzinspect in
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
description $FW_DMZ$
ip address 10.10.20.2 255.255.255.0
ip access-group 101 in
ip inspect dmzinspect out
ip virtual-reassembly
ip route-cache flow
!
ip route 0.0.0.0 0.0.0.0 64.4.81.212
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static udp 10.10.20.3 5060 interface FastEthernet4 5060
ip nat inside source static udp 10.10.20.3 5061 interface FastEthernet4 5061
ip nat inside source static tcp 10.10.20.3 5061 interface FastEthernet4 5061
ip nat inside source static tcp 10.10.20.3 5060 interface FastEthernet4 5060
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source list 101 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.20.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip 64.4.81.208 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=3
access-list 101 permit ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit tcp any eq 5060 host 64.4.81.211 eq 5060
access-list 102 permit tcp any eq 5061 host 64.4.81.211 eq 5061
access-list 102 permit udp any eq 5061 host 64.4.81.211 eq 5061
access-list 102 permit udp any eq 5060 host 64.4.81.211 eq 5060
access-list 102 remark Media Range
access-list 102 permit udp any range 58024 58099 any range 58024 58099
access-list 102 permit udp host 205.200.16.65 eq domain host 64.4.81.211
access-list 102 permit udp host 205.200.16.69 eq domain host 64.4.81.211
access-list 102 permit icmp any host 64.4.81.211 echo-reply
access-list 102 permit icmp any host 64.4.81.211 time-exceeded
access-list 102 permit icmp any host 64.4.81.211 unreachable
access-list 102 permit tcp any host 10.10.20.3 eq 5060
access-list 102 permit tcp any host 10.10.20.3 eq 5061
access-list 102 permit udp any host 10.10.20.3 eq 5060
access-list 102 permit udp any host 10.10.20.3 eq 5061
access-list 102 deny ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip 10.10.20.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
no cdp run
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
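Added example (not part of the original post, and not Cisco tooling): a small Python audit that parses the NAT and ACL lines from the posted configuration and applies two rules an IOS NAT review starts with. First, every inside host named in an `ip nat inside source static` entry must sit behind an interface that carries `ip nat inside`, and the entry's named interface must carry `ip nat outside`. Second, the inbound ACL on the `ip nat outside` interface is evaluated before IOS translates outside-to-inside packets, so that ACL must match the public address rather than the DMZ host, and a `permit ... any eq 5060 ...` entry also pins the client's source port, which clients sending from ephemeral ports will not satisfy. The embedded excerpt is copied from the post above (the WAN address stays masked as `64.x.xx.xxx`, exactly as posted, and the parser treats it as unknown); run against it, the audit reports that Vlan2, which holds 10.10.20.3, has no `ip nat inside` line, and flags the three ACL 102 entries that pin the source port or name 10.10.20.3 directly.

```python
import ipaddress
import re

# Excerpt copied from the configuration posted above (not constructed),
# trimmed to the lines these checks read. The WAN address is masked in the
# post as 64.x.xx.xxx and is left that way here.
POSTED_CONFIG = """\
interface FastEthernet4
 ip address 64.x.xx.xxx 255.255.255.248
 ip access-group 102 in
 ip nat outside
!
interface Vlan1
 ip address 10.10.10.2 255.255.255.0
 ip access-group 100 in
 ip nat inside
!
interface Vlan2
 ip address 10.10.20.2 255.255.255.0
 ip access-group 101 in
!
ip nat inside source static udp 10.10.20.3 5060 interface FastEthernet4 5060
ip nat inside source static tcp 10.10.20.3 5060 interface FastEthernet4 5060
access-list 102 permit tcp any eq 5060 host 64.4.81.211 eq 5060
access-list 102 permit udp any eq 5060 host 64.4.81.211 eq 5060
access-list 102 permit tcp any host 10.10.20.3 eq 5060
access-list 102 deny ip any any log
"""

STATIC_NAT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)


def parse_interfaces(cfg):
    """Map interface name -> connected subnet, 'ip nat' role and inbound ACL number."""
    interfaces, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"net": None, "nat": None, "acl_in": None}
        elif current is None:
            continue
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            try:
                interfaces[current]["net"] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            except ValueError:
                pass  # masked address (64.x.xx.xxx) in the post: subnet stays unknown
        elif line.startswith("ip nat "):
            interfaces[current]["nat"] = line.split()[2]  # 'inside' or 'outside'
        elif line.startswith("ip access-group "):
            parts = line.split()
            if parts[3] == "in":
                interfaces[current]["acl_in"] = parts[2]
    return interfaces


def parse_static_nat(cfg):
    """Return (proto, inside_ip, inside_port, outside_iface, outside_port) per static entry."""
    entries = []
    for raw in cfg.splitlines():
        m = STATIC_NAT.match(raw.strip())
        if m:
            proto, ip, lport, iface, gport = m.groups()
            entries.append((proto, ipaddress.ip_address(ip), int(lport), iface, int(gport)))
    return entries


def _take_endpoint(tokens):
    """Consume one ACL endpoint ('any', 'host A' or 'A wildcard') and an optional port clause."""
    kind = tokens.pop(0)
    if kind == "any":
        addr = None
    elif kind == "host":
        addr = ipaddress.ip_address(tokens.pop(0))
    else:  # address + wildcard mask; ipaddress accepts a hostmask as the mask
        addr = ipaddress.ip_network(f"{kind}/{tokens.pop(0)}", strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        port = tokens.pop(0)
    elif tokens and tokens[0] == "range":
        tokens.pop(0)
        port = f"{tokens.pop(0)}-{tokens.pop(0)}"
    return addr, port


def parse_acl(cfg, number):
    """Return (action, proto, src, src_port, dst, dst_port) for each entry of a numbered ACL."""
    entries, prefix = [], f"access-list {number} "
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line.startswith(prefix) or line.startswith(prefix + "remark"):
            continue
        tokens = line[len(prefix):].split()
        action, proto = tokens.pop(0), tokens.pop(0)
        src, sport = _take_endpoint(tokens)
        dst, dport = _take_endpoint(tokens)  # trailing 'log' / icmp type is ignored
        entries.append((action, proto, src, sport, dst, dport))
    return entries


def audit(cfg):
    """Return human-readable findings about the static NAT and outside-ACL layout."""
    findings, interfaces = [], parse_interfaces(cfg)

    # Rule 1: the inside host must sit behind an 'ip nat inside' interface, and the
    # entry's named interface must be 'ip nat outside'.
    missing = {}
    for proto, ip, lport, iface, gport in parse_static_nat(cfg):
        homes = [n for n, i in interfaces.items() if i["net"] and ip in i["net"]]
        if not homes:
            findings.append(f"no connected interface holds {ip}; static {proto}/{gport} is unreachable")
        for name in homes:
            if interfaces[name]["nat"] != "inside":
                missing.setdefault(name, []).append(f"{proto}/{gport}->{ip}:{lport}")
        if interfaces.get(iface, {}).get("nat") != "outside":
            findings.append(f"static {proto}/{gport} names {iface}, which is not 'ip nat outside'")
    for name, entries in missing.items():
        findings.append(f"{name} ({interfaces[name]['net']}) has no 'ip nat inside', so static "
                        f"entries {', '.join(entries)} never translate")

    # Rule 2: the inbound ACL on the outside interface runs before inbound NAT, so it must
    # match the public address, and it must not pin the client's source port.
    for name, info in interfaces.items():
        if info["nat"] != "outside" or not info["acl_in"]:
            continue
        for action, proto, src, sport, dst, dport in parse_acl(cfg, info["acl_in"]):
            if action != "permit":
                continue
            if sport is not None:
                findings.append(f"ACL {info['acl_in']} on {name} pins client source port {sport} "
                                f"for {proto}; clients using ephemeral source ports are dropped")
            if isinstance(dst, ipaddress.IPv4Address) and dst.is_private:
                findings.append(f"ACL {info['acl_in']} on {name} permits to private {dst}, but "
                                f"inbound packets still carry the public address when this ACL runs")
    return findings


if __name__ == "__main__":
    for finding in audit(POSTED_CONFIG):
        print("-", finding)
```

The two rules are deliberately independent of the SIP application: the same checks apply to any static port forward on an IOS router with `ip nat inside`/`ip nat outside` roles, and the same audit returns no findings once Vlan2 is marked `ip nat inside` and the ACL 102 entries match only the public address without a source-port clause.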
