trying to open port on cisco 1760

Status
Not open for further replies.

kazilian

Programmer
Nov 14, 2003
US
I'm trying to open a port on a Cisco 1760 Access Router, but I am having no luck to this point. I want to allow a port "2000" request on TCP from the outside (Internet) to be forwarded to an internal PC. The relevant portion of the config is below. If more is needed to help me out, please let me know. Thanks in advance.



interface Ethernet0/0
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
!
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 speed 100
 full-duplex
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered Dialer1
 ip dhcp relay information trusted
 peer default ip address pool vpnclients
 ppp encrypt mppe 40 required
 ppp authentication ms-chap
 ppp ipcp dns 192.168.3.2
!
interface Dialer1
 ip address negotiated
 ip access-group 178 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp pap sent-username vze1n7ba password 7 095A540C4E554F47
!
ip local pool pptpclients 192.168.3.128 192.168.3.131
ip local pool ipsecclients 192.168.3.192 192.168.3.195
ip local pool vpnclients 192.168.3.40 192.168.3.49
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
ip access-list extended E0IN
 permit icmp any any
 permit gre any any
 permit tcp any any eq 1723
 permit udp any any eq isakmp
 deny udp any any
 deny tcp any any
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.3.192 0.0.0.3
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.3.192 0.0.0.3
access-list 101 deny ip 192.168.3.0 0.0.0.255 192.168.3.128 0.0.0.3
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 111 permit ip any any
access-list 120 permit tcp 192.168.3.0 0.0.0.255 any eq telnet
access-list 178 permit tcp any host 192.168.3.10 eq 2000
access-list 178 permit tcp any any established
access-list 178 permit udp any eq domain any
dialer-list 1 protocol ip permit

kazilian
Protector of Wazil
 
anyone have any ideas?

kazilian
Protector of Wazil
 
Hi kazilian, I'm not sure that you will be able to do this with your current setup. The problem I see is that the outside IP addresses are assigned by DHCP on your dialer interface.

If you could apply static IP addresses, then you could use a combination of static NAT and Policy based routing, or even static NAT and an ACL. Both would rely on being able to hard code the IP addresses.
 
Thanks routerman, I have one quick follow-up question though... if the dialer interface did have a static IP address, what would the static NAT and ACL lines look like? Thanks.

kazilian
Protector of Wazil
 
"ip nat inside source static tcp 192.168.3.10 2000 4.2.2.2 2000 extendable"

This is assuming the inside address is 192.168.3.10 and outside is 4.2.2.2

What you can attempt for the dynamic Dialer1 is:

"ip nat inside source static tcp 10.0.0.1 2000 interface Dialer1 extendable"

Should work, I believe I have had this setup elsewhere before without a problem.
 
Well, I have tried everything you guys have mentioned, but I am still not able to open this port. I don't know what I'm doing wrong at this point. One thing though, when I enter the command for the "ip nat" using the Dialer1 interface as the outside address, there is no option at the end to enter "extendable". Not sure what is up there. Any help is greatly appreciated. Thanks.

kazilian
Protector of Wazil
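Added example, not part of any post in this thread: IOS checks the inbound access list on a NAT outside interface before it translates the destination, so an entry that names an inside address (as access-list 178 does on Dialer1 with 192.168.3.10) is compared against the still-public destination and does not match forwarded traffic. The Python check below flags such entries; the function names, the indentation-based parsing and the reduced sample config are assumptions of this example, and it handles numbered extended ACLs only.

```python
import ipaddress

# Constructed excerpt, reduced from the configuration posted in this thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
interface Dialer1
 ip access-group 178 in
 ip nat outside
access-list 178 permit tcp any host 192.168.3.10 eq 2000
access-list 178 permit tcp any any established
access-list 178 permit udp any eq domain any
"""

def take_addr(tokens):
    """Consume one ACL address spec; return its address, or None for 'any'."""
    head = tokens.pop(0)
    if head == "any":
        return None
    other = tokens.pop(0) if tokens else None  # 'host' address or wildcard mask
    return other if head == "host" else head

def audit(config):
    """Find inbound ACL entries on NAT-outside interfaces that name an inside address."""
    blocks, current, findings = {}, None, []
    for line in config.splitlines():
        if line.startswith("interface "):
            current = blocks.setdefault(line.split()[1], [])
        elif line.startswith(" ") and current is not None:
            current.append(line.strip())
        else:
            current = None
    inside = [ipaddress.ip_network("/".join(c.split()[2:4]), strict=False)
              for cmds in blocks.values() if "ip nat inside" in cmds
              for c in cmds if c.startswith("ip address ") and c.split()[2][0].isdigit()]
    for name, cmds in blocks.items():
        acls = [c.split()[2] for c in cmds if c.startswith("ip access-group ") and c.endswith(" in")]
        for entry in (config.splitlines() if "ip nat outside" in cmds else []):
            tok = entry.split()
            if tok[:1] != ["access-list"] or len(tok) < 5 or tok[1] not in acls:
                continue
            rest = tok[4:]   # drop 'access-list <number> <action> <protocol>'
            take_addr(rest)  # source address
            if rest and rest[0] in ("eq", "gt", "lt", "neq", "range"):
                del rest[:3 if rest[0] == "range" else 2]  # source port match
            dst = take_addr(rest) if rest else None
            if dst and any(ipaddress.ip_address(dst) in net for net in inside):
                findings.append((name, tok[1], entry))
    return findings
```

Because the Dialer1 address is negotiated, the destination in that entry cannot be a fixed public address; writing it as `any` with `eq 2000` clears the finding.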
 