Can't open ports


vincentw56

IS-IT--Management
Oct 10, 2002
I have a Cisco 804 ISDN router. I am trying to open it up completely. I want it to pass everything through no matter what. For some reason I cannot get it to open up completely. Posted below is the config file. What am I doing wrong? Please be detailed as I have some experience with the IOS but not a lot.

Code:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
!
dial-peer voice 1 pots
 no forward-to-unused-port
 call-waiting
 ring 0
 port 1
 destination-pattern xxxxxxx
!
dial-peer voice 2 pots
 no forward-to-unused-port
 call-waiting
 ring 0
 port 2
 destination-pattern xxxxxxx
!
pots country US
ip subnet-zero
no ip source-route
!
isdn switch-type basic-ni
!
!
process-max-time 200
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 111 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 x
 isdn spid2 x
 isdn incoming-voice modem
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address negotiated
 ip access-group 111 in
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string x class DialClass
 dialer hold-queue 10
 dialer load-threshold 10 either
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname x
 ppp chap password x
 ppp pap sent-username x
 ppp multilink
!
ip nat inside source list 18 interface Dialer1 overload
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
map-class dialer DialClass
 dialer isdn speed 56
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 111 permit ip any any
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq netbios-ss any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end

Thanks,
Vincent

Vincent Wright
Web Developer
NSI Software, Inc.
 
If you don't put any ACLs in then all traffic will be passed. It's a router so it has a "pass all traffic" default setting.

Chris.


**********************
Chris A.C, CCNA, CCSA
**********************
 
Thanks for the reply. I took the access list off both the ethernet and dialer1 interfaces. It still will not open up completely.

What I want is to be able to pass a specific port in and out. One of the ports is tcp 4662. I just want it opened completely so that all information on this port will pass in to IP 192.168.0.2 and pass back out. The outside ip address is dynamic. What do I have to do? If you could post commands, that would help. Thanks.

Vincent Wright
Web Developer
NSI Software, Inc.
 
What you are trying to do is port forwarding.

interface Ethernet0
ip nat inside
!
interface Dialer1
ip nat outside
!
ip nat inside source static tcp 192.168.0.2 4622 interface Dialer 1 4622

This means that any traffic hitting the external interface on port TCP 4622 will be forwarded to 192.168.0.2 on the same port.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
 
Well, that does not work. I had that set up just like that and it still does not work. Below is the current config. As you can see, I have no ACLs and I have set up the port forwarding and it still does not work. Is there something else I am missing? Thanks.

Code:
version 12.0
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
enable secret 5 $1$E6BC$pqas8F1B5pY.dI5SREX.81
!
username Router password 7 00120457550A53565F
!
!
!
!
!
dial-peer voice 1 pots
 no forward-to-unused-port
 call-waiting
 ring 0
 port 1
 destination-pattern 8318679
!
dial-peer voice 2 pots
 no forward-to-unused-port
 call-waiting
 ring 0
 port 2
 destination-pattern 8318689
!
pots country US
ip subnet-zero
no ip source-route
!
ip name-server 207.251.201.10
ip name-server 207.251.201.11
isdn switch-type basic-ni
!
!
process-max-time 200
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 no ip directed-broadcast
 no ip proxy-arp
 ip nat inside
!
interface BRI0
 no ip address
 no ip directed-broadcast
 encapsulation ppp
 dialer pool-member 1
 isdn switch-type basic-ni
 isdn spid1 31783186790101 8318679
 isdn spid2 31783186890101 8318689
 isdn incoming-voice modem
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer1
 description ISP
 ip address negotiated
 no ip directed-broadcast
 no ip proxy-arp
 ip nat outside
 encapsulation ppp
 no ip split-horizon
 dialer remote-name Cisco1
 dialer idle-timeout 300
 dialer string 7223300 class DialClass
 dialer hold-queue 10
 dialer load-threshold 10 either
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname vincentw56@iquest.net
 ppp chap password 7 1516190D032525757A
 ppp pap sent-username vincentw56@iquest.net password 7 1516190D032525757A
 ppp multilink
!
ip nat inside source list 18 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 4662 interface Dialer1 4662
ip nat inside source static udp 192.168.0.2 4672 interface Dialer1 4672
no ip http server
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
map-class dialer DialClass
 dialer isdn speed 56
access-list 18 permit 192.168.0.0 0.0.0.255
access-list 111 permit ip any any
access-list 121 deny   udp any eq netbios-dgm any
access-list 121 deny   udp any eq netbios-ns any
access-list 121 deny   udp any eq netbios-ss any
access-list 121 deny   tcp any eq 137 any
access-list 121 deny   tcp any eq 138 any
access-list 121 deny   tcp any eq 139 any
access-list 121 permit ip any any time-range TIME
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 transport input none
 stopbits 1
line vty 0 4
 exec-timeout 0 0
 login local
!
time-range TIME
 periodic daily 0:00 to 23:59
!
end

Vincent Wright
Web Developer
NSI Software, Inc.
 
The NAT statement is correct, so either that port is being blocked by your upstream provider or your device on that internal IP address is not listening on that port.

Chris.

**********************
Chris A.C, CCNA, CCSA
**********************
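
An added example, not part of the original thread or of anyone's post: a small Python check that reads the NAT-related lines of a running-config like the one posted above and reports what would stop a static port forward from working (no matching entry or a mistyped port, an interface not marked inside/outside, an inbound ACL bound to the outside interface). The function names and the sample text are constructed for illustration.

```python
import re
# Added example; SAMPLE is constructed from the NAT-related lines of the second config in the thread.
SAMPLE = """\
interface Ethernet0
 ip nat inside
interface Dialer1
 ip nat outside
ip nat inside source list 18 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.2 4662 interface Dialer1 4662
ip nat inside source static udp 192.168.0.2 4672 interface Dialer1 4672
"""
STATIC = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+(?: \d+)?) \d+$")

def parse(config):
    """Return (interfaces, forwards) read from running-config text."""
    ifaces, forwards, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1].replace(" ", ""), {"nat": None, "acl_in": None})
        elif raw.startswith(" ") and cur is not None:  # interface sub-command
            if line in ("ip nat inside", "ip nat outside"):
                cur["nat"] = line.split()[-1]
            elif line.startswith("ip access-group ") and line.endswith(" in"):
                cur["acl_in"] = line.split()[2]
        else:
            cur = None  # back at global config level
            if m := STATIC.match(line):
                proto, host, port, ifname = m.groups()
                forwards.append((proto, host, int(port), ifname.replace(" ", "")))
    return ifaces, forwards

def audit(config, wanted):
    """Return findings for each wanted (proto, inside_host, port) forward."""
    ifaces, forwards = parse(config)
    findings = []
    if not any(i["nat"] == "inside" for i in ifaces.values()):
        findings.append("no interface is marked 'ip nat inside'")
    for proto, host, port in wanted:
        hits = [f[3] for f in forwards if f[:3] == (proto, host, port)]
        if not hits:
            findings.append(f"no static NAT entry for {proto} {host}:{port}")
        for ifname in hits:
            iface = ifaces.get(ifname, {"nat": None, "acl_in": None})
            if iface["nat"] != "outside":
                findings.append(f"{ifname} is not marked 'ip nat outside'")
            if iface["acl_in"]:
                findings.append(f"access-list {iface['acl_in']} inbound on {ifname} must permit {proto} {port}")
    return findings
```

An empty result means the configuration side is consistent, which leaves the two causes named in the reply above: filtering upstream, or nothing listening on the inside host.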
 
That is weird because it worked fine with my NetGear router. I "upgraded" to the Cisco because I needed IPSEC for the VPN at work, but it has been nothing but a pain. I wish I had not sold my NetGear. :(

Thanks for your help and I will keep playing with it to see what I can find out.

Vincent Wright
Web Developer
NSI Software, Inc.
 