ploughingon
Technical User
Hi
We've got an 1841 Router, that amongst other things, we use as an ssl vpn gateway.
Currently it works ok forwarding 3389 with no problem , but i was asked to get it to forward some other applications. I've added in the relevant details and it looks ok to me, but I guess i must have missed something as its not forwarding the new ports (22, 2002 , 21800)
any ideas what i've missed. All I've done so far is created the host entries for Hush and smtp and added the following lines.
port-forward list HushSFTP local-port 60089 remote-server Hush remote-port 22
port-forward list HushCTi local-port 60091 remote-server Hush remote-port 2002
port-forward list HushVNC local-port 60090 remote-server Hush remote-port 21800
port-forward list smtptest local-port 60101 remote-server smtp remote-port 25
Comments appreciated, thank you for your time.
router#show running
Building configuration...
Current configuration : 11436 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$Uoqv$7bJj4ndFgiDGdCF4qirnx1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name XXXXXXXXXX
ip host router.XXXXXXXXXX XXX.XXX.XXX.XXX
ip host ra-01.XXXXXXXXXX 172.16.7.154
ip host Hush 172.16.7.95
ip host smtp 172.16.7.225
ip name-server 172.16.6.181
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect https
ip inspect name autosec_inspect isakmp
ip inspect name autosec_inspect ipsec-msft
ip ips notify SDEE
ip ips name XXXXXIPS
login block-for 3 attempts 3 within 10
!
!
webvpn enable gateway-addr XXX.XXX.XXX.XXX
!
webvpn
title "XXXXXXXXXXXX"
text-color black
idle-timeout 600
ssl encryption 3des-sha1
ssl trustpoint local
login-message "WARNING! UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have exp
licit permission to access this device."
port-forward list RDP local-port 60001 remote-server RA-01 remote-port 3389
port-forward list HushSFTP local-port 60089 remote-server Hush remote-port 22
port-forward list HushCTi local-port 60091 remote-server Hush remote-port 2002
port-forward list HushVNC local-port 60090 remote-server Hush remote-port 21800
port-forward list smtptest local-port 60101 remote-server smtp remote-port 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint local
enrollment selfsigned
serial-number
subject-name CN=router.XXXXXXXXXX
revocation-check crl
rsakeypair router.XXXXXXXXXX 1024 1024
!
!
crypto pki certificate chain local
certificate self-signed 01
Cert removed
quit
username XXXX secret XXXXX
!
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key hsbxhsbx999 address XXX.XXX.XXX.XXX
crypto isakmp key j4hd01sgWE0p address XXX.XXX.XXX.XXX.4
crypto isakmp key j4hd01sgWE0p addressXXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set XXXXX esp-3des esp-sha-hmac
!
crypto map XXXXX 10 ipsec-isakmp
set peerXXX.XXX.XXX.XXX
set transform-set XXXXX
match address production
crypto map XXXXX 20 ipsec-isakmp
set peer XXX.XXX.XXX.XXX.4
set transform-set XXXXX
match address staging
crypto map XXXXX 30 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set XXXXX
match address XXXX
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.240
ip access-group autosec_firewall_acl in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect in
ip ips XXXXXIPS in
speed 10
full-duplex
no mop enabled
crypto map XXXXX
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 172.16.6.181 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 172.16.0.0 255.255.0.0 172.16.7.252
!
!
no ip http server
ip http access-class 99
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended autosec_firewall_acl
remark SDM_ACL Category=17
permit udp host XXX.XXX.XXX.XXX.4 host XXX.XXX.XXX.XXX eq isakmp
permit udp hostXXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq isakmp
permit esp hostXXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
permit esp host XXX.XXX.XXX.XXX.4 host XXX.XXX.XXX.XXX
permit udp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq isakmp
permit esp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
permit tcp any host XXX.XXX.XXX.XXX eq 443
deny ip any any log
ip access-list extended inside
ip access-list extended XXXX
permit tcp host 172.16.6.132 host 192.168.26.10 eq 1433
permit tcp host 172.16.6.132 host 192.168.26.10 eq 1434
permit tcp host 172.16.6.132 host 192.168.26.10
ip access-list extended production
permit ip host 172.16.7.213 host XXXXXXXXXX
permit ip host 172.16.7.213 host XXXXXXXXXX
permit ip host 172.16.7.213 host XXXXXXXXXX
ip access-list extended staging
permit ip host 172.16.7.213 host XXXXXXXXXX
permit ip host 172.16.7.213 host XXXXXXXXXX
!
logging trap debugging
logging facility local2
access-list 99 remark SDM_ACL Category=17
access-list 99 permit 172.16.0.0 0.0.255.255 log
access-list 99 deny any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server location Comms Room
snmp-server contact helpdesk
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^C This device is owned by XXXX. You must have explicit rights to a
ccess it. Any unauthorized access will be logged. ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
session-timeout 5
access-class 99 in
exec-timeout 5 0
privilege level 15
transport input telnet
line vty 5 14
access-class 99 in
privilege level 15
password 7 111D115119411F5B557C7E
login authentication local_auth
transport input ssh
line vty 15
access-class 99 in
privilege level 15
password 7 111D115119411F5B557C7E
login authentication local_auth
transport input ssh
parser view SDM_Firewall
secret 5 $1$YShs$47.MTL1punReI4XWU8xPQ0
commands interface include all ip inspect
commands interface include all ip verify
commands interface include all ip access-group
commands interface include ip
commands interface include description
commands interface include all no ip inspect
commands interface include all no ip verify
commands interface include all no ip access-group
commands interface include no ip
commands interface include no description
commands interface include no
commands configure include end
commands configure include all access-list
commands configure include all ip access-list
commands configure include all interface
commands configure include all policy-map
commands configure include all class-map
commands configure include all crypto
commands configure include all appfw
commands configure include all ip inspect
commands configure include all ip port-map
commands configure include ip cef
commands configure include ip
commands configure include no end
commands configure include all no access-list
commands configure include all no ip access-list
commands configure include all no interface
commands configure include all no policy-map
commands configure include all no class-map
commands configure include all no crypto
commands configure include all no appfw
commands configure include all no ip inspect
commands configure include all no ip port-map
commands configure include no ip cef
commands configure include no ip
commands configure include no
commands exec include all vlan
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include all debug appfw
commands exec include debug
commands exec include all clear
!
!
end
router#
We've got an 1841 Router, that amongst other things, we use as an ssl vpn gateway.
Currently it works ok forwarding 3389 with no problem , but i was asked to get it to forward some other applications. I've added in the relevant details and it looks ok to me, but I guess i must have missed something as its not forwarding the new ports (22, 2002 , 21800)
any ideas what i've missed. All I've done so far is created the host entries for Hush and smtp and added the following lines.
port-forward list HushSFTP local-port 60089 remote-server Hush remote-port 22
port-forward list HushCTi local-port 60091 remote-server Hush remote-port 2002
port-forward list HushVNC local-port 60090 remote-server Hush remote-port 21800
port-forward list smtptest local-port 60101 remote-server smtp remote-port 25
Comments appreciated, thank you for your time.
router#show running
Building configuration...
Current configuration : 11436 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
no logging console
no logging monitor
enable secret 5 $1$Uoqv$7bJj4ndFgiDGdCF4qirnx1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_auth local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip gratuitous-arps
ip cef
!
!
ip tcp synwait-time 10
!
!
no ip bootp server
ip domain name XXXXXXXXXX
ip host router.XXXXXXXXXX XXX.XXX.XXX.XXX
ip host ra-01.XXXXXXXXXX 172.16.7.154
ip host Hush 172.16.7.95
ip host smtp 172.16.7.225
ip name-server 172.16.6.181
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip inspect name autosec_inspect https
ip inspect name autosec_inspect isakmp
ip inspect name autosec_inspect ipsec-msft
ip ips notify SDEE
ip ips name XXXXXIPS
login block-for 3 attempts 3 within 10
!
!
webvpn enable gateway-addr XXX.XXX.XXX.XXX
!
webvpn
title "XXXXXXXXXXXX"
text-color black
idle-timeout 600
ssl encryption 3des-sha1
ssl trustpoint local
login-message "WARNING! UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED. You must have exp
licit permission to access this device."
port-forward list RDP local-port 60001 remote-server RA-01 remote-port 3389
port-forward list HushSFTP local-port 60089 remote-server Hush remote-port 22
port-forward list HushCTi local-port 60091 remote-server Hush remote-port 2002
port-forward list HushVNC local-port 60090 remote-server Hush remote-port 21800
port-forward list smtptest local-port 60101 remote-server smtp remote-port 25
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint local
enrollment selfsigned
serial-number
subject-name CN=router.XXXXXXXXXX
revocation-check crl
rsakeypair router.XXXXXXXXXX 1024 1024
!
!
crypto pki certificate chain local
certificate self-signed 01
Cert removed
quit
username XXXX secret XXXXX
!
!
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
crypto isakmp key hsbxhsbx999 address XXX.XXX.XXX.XXX
crypto isakmp key j4hd01sgWE0p address XXX.XXX.XXX.XXX.4
crypto isakmp key j4hd01sgWE0p addressXXX.XXX.XXX.XXX
!
!
crypto ipsec transform-set XXXXX esp-3des esp-sha-hmac
!
crypto map XXXXX 10 ipsec-isakmp
set peerXXX.XXX.XXX.XXX
set transform-set XXXXX
match address production
crypto map XXXXX 20 ipsec-isakmp
set peer XXX.XXX.XXX.XXX.4
set transform-set XXXXX
match address staging
crypto map XXXXX 30 ipsec-isakmp
set peer XXX.XXX.XXX.XXX
set transform-set XXXXX
match address XXXX
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$
ip address XXX.XXX.XXX.XXX 255.255.255.240
ip access-group autosec_firewall_acl in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect autosec_inspect in
ip ips XXXXXIPS in
speed 10
full-duplex
no mop enabled
crypto map XXXXX
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 172.16.6.181 255.255.252.0
no ip redirects
no ip unreachables
no ip proxy-arp
speed 100
full-duplex
no mop enabled
!
ip classless
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
ip route 172.16.0.0 255.255.0.0 172.16.7.252
!
!
no ip http server
ip http access-class 99
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
!
ip access-list extended autosec_firewall_acl
remark SDM_ACL Category=17
permit udp host XXX.XXX.XXX.XXX.4 host XXX.XXX.XXX.XXX eq isakmp
permit udp hostXXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq isakmp
permit esp hostXXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
permit esp host XXX.XXX.XXX.XXX.4 host XXX.XXX.XXX.XXX
permit udp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX eq isakmp
permit esp host XXX.XXX.XXX.XXX host XXX.XXX.XXX.XXX
permit tcp any host XXX.XXX.XXX.XXX eq 443
deny ip any any log
ip access-list extended inside
ip access-list extended XXXX
permit tcp host 172.16.6.132 host 192.168.26.10 eq 1433
permit tcp host 172.16.6.132 host 192.168.26.10 eq 1434
permit tcp host 172.16.6.132 host 192.168.26.10
ip access-list extended production
permit ip host 172.16.7.213 host XXXXXXXXXX
permit ip host 172.16.7.213 host XXXXXXXXXX
permit ip host 172.16.7.213 host XXXXXXXXXX
ip access-list extended staging
permit ip host 172.16.7.213 host XXXXXXXXXX
permit ip host 172.16.7.213 host XXXXXXXXXX
!
logging trap debugging
logging facility local2
access-list 99 remark SDM_ACL Category=17
access-list 99 permit 172.16.0.0 0.0.255.255 log
access-list 99 deny any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server location Comms Room
snmp-server contact helpdesk
no cdp run
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
banner login ^C This device is owned by XXXX. You must have explicit rights to a
ccess it. Any unauthorized access will be logged. ^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
session-timeout 5
access-class 99 in
exec-timeout 5 0
privilege level 15
transport input telnet
line vty 5 14
access-class 99 in
privilege level 15
password 7 111D115119411F5B557C7E
login authentication local_auth
transport input ssh
line vty 15
access-class 99 in
privilege level 15
password 7 111D115119411F5B557C7E
login authentication local_auth
transport input ssh
parser view SDM_Firewall
secret 5 $1$YShs$47.MTL1punReI4XWU8xPQ0
commands interface include all ip inspect
commands interface include all ip verify
commands interface include all ip access-group
commands interface include ip
commands interface include description
commands interface include all no ip inspect
commands interface include all no ip verify
commands interface include all no ip access-group
commands interface include no ip
commands interface include no description
commands interface include no
commands configure include end
commands configure include all access-list
commands configure include all ip access-list
commands configure include all interface
commands configure include all policy-map
commands configure include all class-map
commands configure include all crypto
commands configure include all appfw
commands configure include all ip inspect
commands configure include all ip port-map
commands configure include ip cef
commands configure include ip
commands configure include no end
commands configure include all no access-list
commands configure include all no ip access-list
commands configure include all no interface
commands configure include all no policy-map
commands configure include all no class-map
commands configure include all no crypto
commands configure include all no appfw
commands configure include all no ip inspect
commands configure include all no ip port-map
commands configure include no ip cef
commands configure include no ip
commands configure include no
commands exec include all vlan
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include all debug appfw
commands exec include debug
commands exec include all clear
!
!
end
router#