Opening ports on a Cisco 881 router

guitarman3635

Technical User
May 6, 2011
Hi all, I am looking to test out a simple VoIP software application that runs on Windows; however, in order to access it from another external site there are a number of ports that need to be open, namely TCP/UDP 5060, 5070 and a few more ports. The router also has some zone pair rules already defined.

Can anyone provide assistance on what the config would be to achieve this?

thanks

 
ip nat inside source static {tcp/udp} {inside-ip-address} {port-number} {outside-interface-or-ip-address-to-NAT/PAT-to} {port-number}

Post a config and let's see what the ZBF looks like...

TIMMAY!

 
Hi Timmay,
thanks for your suggestion; however, this is what I already have, and below is a copy of my partial router config that shows the class and policy maps. There has to be something there that needs to be changed, because when I check to see which port is open via an online port checker service it tells me that my ports are always closed. Here is the partial config; do you see something there?

Note: I tried creating a policy map "voip-3cx" following the examples of what was already there, but still no success.
================

class-map type inspect match-any SDM_BOOTPC
 match access-group name SDM_BOOTPC
class-map type inspect match-all voip-3cx
 match access-group name voip-3cx
class-map type inspect match-any SDM_DHCP_CLIENT_PT
 match class-map SDM_BOOTPC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all apache-web
 match access-group name apache-web
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-any ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect voip-3cx
 class type inspect voip-3cx
  pass
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect apache-web
 class type inspect apache-web
  pass
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_DHCP_CLIENT_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security apache-web source out-zone destination in-zone
 service-policy type inspect apache-web
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description INTERNET UNTRUSTED INTERFACE$FW_OUTSIDE$$ES_WAN$
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 190 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.100 80 interface FastEthernet4 8000
ip nat inside source static tcp 10.10.10.105 5060 interface FastEthernet4 5060
ip nat inside source static udp 10.10.10.105 5060 interface FastEthernet4 5060
ip nat inside source static udp 10.10.10.105 5070 interface FastEthernet4 5070
ip nat inside source static tcp 10.10.10.105 5070 interface FastEthernet4 5070
!
 
You have not applied your policy to a zone pair. You already have an inbound zone pair called apache-web and you could call the map there.
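
The check described in the reply above, as an added example that is not part of the thread or anyone's post: a short Python audit that lists which inspect policy-maps in a zone-based firewall config are never bound to a zone-pair, and which policy governs out-zone to in-zone traffic. The function name `audit_zbf` and the sample string are assumptions of this example; the sample is constructed by trimming the config posted above.

```python
import re

# Constructed sample: policy-map and zone-pair lines trimmed from the posted config.
SAMPLE_CONFIG = """\
policy-map type inspect ccp-permit-icmpreply
policy-map type inspect voip-3cx
class type inspect voip-3cx
pass
policy-map type inspect ccp-inspect
policy-map type inspect apache-web
policy-map type inspect ccp-permit
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security apache-web source out-zone destination in-zone
service-policy type inspect apache-web
"""

POLICY = re.compile(r"policy-map type inspect (\S+)$")
PAIR = re.compile(r"zone-pair security (\S+) source (\S+) destination (\S+)$")
BIND = re.compile(r"service-policy type inspect (\S+)$")

def audit_zbf(config):
    """Return ({(source, destination): policy}, [policy-maps bound to no zone-pair])."""
    defined, bound, pair = [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := POLICY.match(line):
            defined.append(m.group(1))
            pair = None
        elif m := PAIR.match(line):
            pair = (m.group(2), m.group(3))       # remember which zone-pair we are inside
        elif (m := BIND.match(line)) and pair:
            bound[pair] = m.group(1)              # policy attached to that zone-pair
        elif line.startswith(("!", "interface ")):
            pair = None                           # left the zone-pair stanza
    return bound, [p for p in defined if p not in bound.values()]

if __name__ == "__main__":
    bound, unbound = audit_zbf(SAMPLE_CONFIG)
    print("policy on out-zone -> in-zone:", bound.get(("out-zone", "in-zone")))
    print("defined but never applied:", unbound)
```

A zone-pair accepts a single service-policy, so the unbound `voip-3cx` class has to be added to the policy-map already attached to the out-zone to in-zone pair rather than attached as a second policy.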
 