Port Forwarding on Cisco 1941 router

Aug 16, 2008
I have a Cisco 1941 router that works fine and port forwards rdp (3389) to an internal terminal server just fine. Using that as an example, I now need to port forward ssl (443) to another internal server 10.0.0.245. Below is the config file with the lines that I added in bold and italics.

This did not work. Any ideas?
To take it one step further, I would like to have only a certain range of outside addresses to be forwarded to 10.0.0.245, so that in the future I can port forward ssl to a different internal server.

Thanks.
Dale

Current configuration : 8293 bytes
!
! Last configuration change at 21:24:11 UTC Tue Mar 31 2015 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname M******r
!
boot-start-marker
boot-end-marker
!
logging console errors
logging monitor warnings
enable secret 5 $1$d3KK$AuXL0Oa56h3iABHpUC7tV1
enable password cisco123
!
no aaa new-model
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.9
!
ip dhcp pool sdm-pool1
import all
network 10.0.0.0 255.255.255.0
default-router 10.0.0.2
dns-server 10.0.0.1 10.0.0.2
!
!
no ip bootp server
ip domain name mcinnistyner.com
ip name-server 68.109.202.25
ip name-server 68.109.202.30
ip port-map user-RDP port tcp 3389 list 2 description RDP
ip inspect log drop-pkt
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-1820779413
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1820779413
revocation-check none
rsakeypair TP-self-signed-1820779413
!
!
crypto pki certificate chain TP-self-signed-1820779413
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FTX143802EW
!
!
username admin privilege 15 password 0 sysapp
!
redundancy
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
ip address 10.0.0.2 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 70.184.195.226 255.255.255.224
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 10.0.0.254 3389 interface GigabitEthernet0/1 3389
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.0.153 8888 interface GigabitEthernet0/1 8888
ip nat inside source static tcp 10.0.0.245 443 interface GigabitEthernet0/1 443
ip route 0.0.0.0 0.0.0.0 70.184.195.225
!
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.0.254
access-list 3 permit 10.0.0.153
access-list 4 permit 10.0.0.245
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 216.231.108.136 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any host 68.15.170.132 log
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 68.109.202.30 eq domain any
access-list 101 permit udp host 68.109.202.25 eq domain any
access-list 101 permit udp host 216.83.237.238 eq domain host 216.231.108.139
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any host 216.231.108.139 echo-reply
access-list 101 permit icmp any host 216.231.108.139 time-exceeded
access-list 101 permit icmp any host 216.231.108.139 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 105 permit tcp any host 70.184.195.226 eq 3389
dialer-list 1 protocol ip permit
!
 
You have an access list (105) on your outside interface:

access-list 105 permit tcp any host 70.184.195.226 eq 3389

This indicates the only incoming traffic allowed is traffic to TCP port 3389.
Is this router allowing any other traffic other than RDP? By the looks of it, this access-list will block all other incoming traffic other than RDP.

Either remove the access-list from the interface, or add the following command:

access-list 105 permit tcp any host 70.184.195.226 eq 22
 
Sorry, can't edit my post above. The command should be:

access-list 105 permit tcp any host 70.184.195.226 eq 443

(don't know why I was thinking SSH)
 
Thanks for the reply.
Every workstation is able to browse the Internet and retrieve pop3 emails. And I also successfully remote into their servers using Teamviewer, so this means that other traffic is being passed, correct?

I see the "ip access-group 105 in" under the "interface GigabitEthernet0/1" section, so if I understand correctly, that means the "access-list 105 permit tcp any host 70.184.195.226 eq 3389" ACL should permit RDP traffic and an explicit deny should stop other traffic, like you indicated.

I can try adding the "access-list 105 permit tcp any host 70.184.195.226 eq 443" line tomorrow and see.
Thanks,
 
Thanks GM85,
I added access-list 105 permit tcp any host 70.184.195.226 eq 443
and it worked.
Now does anyone know how I can route this port 443 traffic only if it comes from a particular range of outside addresses?
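The reason the forward "did not work" until GM85's line was added, and the answer to the follow-up question about restricting it to a range of outside addresses, both come down to how IOS evaluates access-list 105 on GigabitEthernet0/1: entries are checked top-down, the first match wins, and anything unmatched hits the implicit deny. Because the list is applied inbound on the outside interface it sees the packet before inbound NAT, so the destination it matches is the WAN address 70.184.195.226, not 10.0.0.245. The Python below is an added example (not from the thread or from Cisco) that simulates that evaluation for the subset of numbered extended ACL syntax used in ACL 105; the ACL variants are built from the thread's lines, and 203.0.113.0/24 and 198.51.100.9 are documentation addresses standing in for the unnamed outside range.

```python
import ipaddress

def _addr_spec(tok, i):
    """Consume one IOS address spec at tok[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tok[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if tok[i] == "host":
        return (tok[i + 1], "0.0.0.0"), i + 2
    return (tok[i], tok[i + 1]), i + 2

def _matches(spec, addr):
    """Wildcard-mask compare: a set bit in the wildcard means 'don't care'."""
    net, wild = (int(ipaddress.IPv4Address(x)) for x in spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def parse_acl(config_lines, number):
    """Ordered entries of numbered ACL `number`; remarks are skipped.
    Handles only numeric destination 'eq' ports, as in ACL 105 (no source ports)."""
    entries = []
    for line in config_lines:
        tok = line.split()
        if tok[:2] != ["access-list", str(number)] or tok[2] == "remark":
            continue
        src, i = _addr_spec(tok, 4)
        dst, i = _addr_spec(tok, i)
        dport = int(tok[i + 1]) if i < len(tok) and tok[i] == "eq" else None
        entries.append((tok[2], tok[3], src, dst, dport))
    return entries

def acl_verdict(entries, proto, src, dst, dport=None):
    """Top-down, first match wins; the implicit deny catches everything else."""
    for action, eproto, esrc, edst, edport in entries:
        if (eproto in ("ip", proto) and _matches(esrc, src) and _matches(edst, dst)
                and (edport is None or edport == dport)):
            return action
    return "deny"

# Sample ACLs constructed from the thread. 203.0.113.0/24 and 198.51.100.9 are
# documentation addresses standing in for the poster's unnamed outside range.
WAN = "70.184.195.226"
ORIGINAL = ["access-list 105 permit tcp any host 70.184.195.226 eq 3389"]
FIXED = ORIGINAL + ["access-list 105 permit tcp any host 70.184.195.226 eq 443"]
RESTRICTED = ORIGINAL + [
    "access-list 105 remark SSL only from the partner range",
    "access-list 105 permit tcp 203.0.113.0 0.0.0.255 host 70.184.195.226 eq 443",
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL), ("fixed", FIXED), ("restricted", RESTRICTED)):
        print(name, acl_verdict(parse_acl(acl, 105), "tcp", "198.51.100.9", WAN, 443))
```

The RESTRICTED variant is the source-range form the last post asks about; the same source-restricted shape can be applied to the 3389 entry, which as posted accepts RDP from any Internet address. Remember that a `no access-list 105` removes the whole numbered list, so rebuild it in full (or use a named ACL) when changing entry order.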
 