1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Port forwarding on 877W Router over ADSL

Discussion in 'Routing & Switching' started by jonpaulm, Jun 4, 2010.

  1. jonpaulm

    jonpaulm New Member

    1
    0
    1
    Hi,

    I am fairly new to Cisco kit and I have been given a 877W router to setup for our office. I have it working for internet access fine and the wifi is also setup.

    I would like some help on setting up the port forwding on Port 25 and 80 to go to our web/email server.
    The config of the unit is below. i have got some port forwarding info programmed in already but when i do a scan on our public IP i get that the ports are closed. This also is the case if you go to the public IP in IE, which should bring up our website, instead it brings up the router login box.

    IF anyone can spot the problem i would be very happy.

    Kind regards,

    Jon-Paul

    Code:
    Current configuration : 8683 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname <hostname>
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    logging console critical
    enable secret 5 <password>!
    aaa new-model
    !
    !
    aaa group server radius rad_eap
    !
    aaa group server radius rad_mac
    !
    aaa group server radius rad_acct
    !
    aaa group server radius rad_admin
    !
    aaa group server tacacs+ tac_admin
    !
    aaa group server radius rad_pmip
    !
    aaa group server radius dummy
    !
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    !
    !
    aaa session-id common
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    !
    crypto pki trustpoint TP-self-signed-1480278219
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1480278219
     revocation-check none
     rsakeypair TP-self-signed-1480278219
    !
    !
    crypto pki certificate chain TP-self-signed-1480278219
     certificate self-signed 01
      30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31343830 32373832 3139301E 170D3032 30333033 32313339
      30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34383032
      37383231 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B3C7 657B0729 03B9347A 08C02194 FBA42C9E 2EFE1EA7 A6292DD9 B247391D
      3FFBD8F0 3CB02B1B 67C75626 F007E7DA A452BE87 08AAD311 04FF74B9 7E3BCC93
      9A1CB190 E979B3AE 0FC9A802 17417172 481E6B3F F5B6A689 74054BFC 13AAF994
      C8E19820 A30B461B 1DEB9482 D2556C2B 6A8260DF FBDD0199 7EED03DB 261F3AB4
      B4530203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
      551D1104 1F301D82 1B6D6463 726F7574 65722E6D 61636C65 616E6461 74612E63
      6F2E756B 301F0603 551D2304 18301680 1414617D B0C02DB3 2D5EEFAE CDADF1CB
      9D952F82 C3301D06 03551D0E 04160414 14617DB0 C02DB32D 5EEFAECD ADF1CB9D
      952F82C3 300D0609 2A864886 F70D0101 04050003 8181005D 97101839 E5A6C009
      A5610C2B 99263CB4 0097ABE5 99087559 61E14A06 E6B31256 7754D195 5240C841
      9D852C4A EDE6B3DE 56C72E93 F853A629 5BE8B44A 5B374265 E34E3794 72FC0FEE
      9C5899B7 6267DEDF E47585B4 FBAFBE25 14B68DE9 4D376250 949F42E7 56F833A9
      942C40B4 D665A502 6F301362 EFC4EB18 9CB32ABF 5C1CA1
            quit
    dot11 syslog
    !
    dot11 ssid MacleanData
       authentication open
    !
    dot11 ssid macleandata
       authentication open
       guest-mode
       infrastructure-ssid optional
       wpa-psk ascii 7 045A5F0D57264D1A024102
    !
    no ip source-route
    ip cef
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name <domain name>
    !
    !
    !
    username admin privilege 15 secret 5 <password>
    !
    !
    archive
     log config
      hidekeys
    !
    !
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp extended
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    !
    !
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
      inspect
     class class-default
      pass
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
      inspect
     class type inspect ccp-insp-traffic
      inspect
     class class-default
    policy-map type inspect ccp-permit
     class class-default
    !
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    !
    bridge irb
    !
    !
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
     description $FW_OUTSIDE$$ES_WAN$
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Dot11Radio0
     no ip address
     !
     encryption key 1 size 40bit 7 20885CCA6BDE transmit-key
     encryption mode wep mandatory
     !
     ssid macleandata
     !
     speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 b
    asic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
     no ip address
     ip tcp adjust-mss 1452
     bridge-group 1
    !
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname <username>
     ppp chap password 7 <password>
    !
    interface BVI1
     description $ES_LAN$$FW_INSIDE$
     ip address 192.168.16.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1412
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 192.168.16.3 25 interface Dialer0 25
    ip nat inside source static tcp 192.168.16.3 80 interface Dialer0 80
    ip nat inside source static tcp 192.168.16.3 3389 interface Dialer0 3389
    ip nat inside source static tcp 192.168.16.3 1723 interface Dialer0 1723
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.16.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    !
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    !
    control-plane
    !
    bridge 1 protocol ieee
    bridge 1 route ip
    banner exec !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     privilege level 15
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
     
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    Since you are using the zone-based firewall you'll need to do more than just make a nat translation for tcp 25 and 80 to the server. You have two zones defined, in-zone and out-zone, and some policies that control what traffic may pass from one zone to another. Without a policy no traffic can pass between zones. So you'll need to make a policy for traffic to pass from the out-zone to the in-zone.

    So, you'll need a class-map to select the traffic you want to permit, a policy-map to set what you want done to the traffic, and a zone pair to set what zones the policy applies to.

    Here is a good link to configuring zbf:

    http://www.cisco.com/en/US/products...ts_tech_note09186a00808bc994.shtml#stateful-1

    Also, I would suggest tightening access to the router, it is too open, you have telnet, ssh and http all available to anyone on the Internet. At a minimum remove unneeded access protocols and put an access list on the vty lines and http. And be careful when redacting router configs for posting, wireless ssid's and psk's are easy to overlook and accidently leave in the posted config.

    Spice_Weasel
     
    Last edited: Jun 9, 2010
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  3. jushin100

    jushin100 Bit Poster

    15
    0
    2

Share This Page

Loading...