Port forwarding on 877W Router over ADSL

Discussion in 'Routing & Switching' started by jonpaulm, Jun 4, 2010.

  1. jonpaulm

    jonpaulm New Member


    I am fairly new to Cisco kit and I have been given a 877W router to set up for our office. I have it working for internet access fine and the wifi is also set up.

    I would like some help on setting up the port forwarding on Port 25 and 80 to go to our web/email server.
    The config of the unit is below. I have got some port forwarding info programmed in already, but when I do a scan on our public IP I get that the ports are closed. This also is the case if you go to the public IP in IE, which should bring up our website; instead it brings up the router login box.

    If anyone can spot the problem I would be very happy.

    Kind regards,


    Current configuration : 8683 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname <hostname>
    logging buffered 51200
    logging console critical
    enable secret 5 <password>!
    aaa new-model
    aaa group server radius rad_eap
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization ipmobile default group rad_pmip
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    clock timezone PCTime 0
    clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-1480278219
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1480278219
     revocation-check none
     rsakeypair TP-self-signed-1480278219
    crypto pki certificate chain TP-self-signed-1480278219
     certificate self-signed 01
      30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 31343830 32373832 3139301E 170D3032 30333033 32313339
      30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34383032
      37383231 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100B3C7 657B0729 03B9347A 08C02194 FBA42C9E 2EFE1EA7 A6292DD9 B247391D
      3FFBD8F0 3CB02B1B 67C75626 F007E7DA A452BE87 08AAD311 04FF74B9 7E3BCC93
      9A1CB190 E979B3AE 0FC9A802 17417172 481E6B3F F5B6A689 74054BFC 13AAF994
      C8E19820 A30B461B 1DEB9482 D2556C2B 6A8260DF FBDD0199 7EED03DB 261F3AB4
      B4530203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
      551D1104 1F301D82 1B6D6463 726F7574 65722E6D 61636C65 616E6461 74612E63
      6F2E756B 301F0603 551D2304 18301680 1414617D B0C02DB3 2D5EEFAE CDADF1CB
      9D952F82 C3301D06 03551D0E 04160414 14617DB0 C02DB32D 5EEFAECD ADF1CB9D
      952F82C3 300D0609 2A864886 F70D0101 04050003 8181005D 97101839 E5A6C009
      A5610C2B 99263CB4 0097ABE5 99087559 61E14A06 E6B31256 7754D195 5240C841
      9D852C4A EDE6B3DE 56C72E93 F853A629 5BE8B44A 5B374265 E34E3794 72FC0FEE
      9C5899B7 6267DEDF E47585B4 FBAFBE25 14B68DE9 4D376250 949F42E7 56F833A9
      942C40B4 D665A502 6F301362 EFC4EB18 9CB32ABF 5C1CA1
    dot11 syslog
    dot11 ssid MacleanData
       authentication open
    dot11 ssid macleandata
       authentication open
       infrastructure-ssid optional
       wpa-psk ascii 7 045A5F0D57264D1A024102
    no ip source-route
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name <domain name>
    username admin privilege 15 secret 5 <password>
     log config
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any ccp-cls-insp-traffic
     match protocol cuseeme
     match protocol dns
     match protocol ftp
     match protocol h323
     match protocol https
     match protocol icmp
     match protocol imap
     match protocol pop3
     match protocol netshow
     match protocol shell
     match protocol realmedia
     match protocol rtsp
     match protocol smtp extended
     match protocol sql-net
     match protocol streamworks
     match protocol tftp
     match protocol vdolive
     match protocol tcp
     match protocol udp
    class-map type inspect match-all ccp-insp-traffic
     match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-cls-icmp-access
     match protocol icmp
    class-map type inspect match-all ccp-invalid-src
     match access-group 100
    class-map type inspect match-all ccp-icmp-access
     match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-protocol-http
     match protocol http
    policy-map type inspect ccp-permit-icmpreply
     class type inspect ccp-icmp-access
     class class-default
    policy-map type inspect ccp-inspect
     class type inspect ccp-invalid-src
      drop log
     class type inspect ccp-protocol-http
     class type inspect ccp-insp-traffic
     class class-default
    policy-map type inspect ccp-permit
     class class-default
    zone security out-zone
    zone security in-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
     service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
     service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
     service-policy type inspect ccp-permit
    bridge irb
    interface ATM0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip route-cache flow
     no atm ilmi-keepalive
     dsl operating-mode auto
    interface ATM0.1 point-to-point
     description $FW_OUTSIDE$$ES_WAN$
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface Dot11Radio0
     no ip address
     encryption key 1 size 40bit 7 20885CCA6BDE transmit-key
     encryption mode wep mandatory
     ssid macleandata
     speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
     station-role root
     bridge-group 1
     bridge-group 1 subscriber-loop-control
     bridge-group 1 spanning-disabled
     bridge-group 1 block-unknown-source
     no bridge-group 1 source-learning
     no bridge-group 1 unicast-flooding
    interface Vlan1
     no ip address
     ip tcp adjust-mss 1452
     bridge-group 1
    interface Dialer0
     description $FW_OUTSIDE$
     ip address negotiated
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip virtual-reassembly
     zone-member security out-zone
     encapsulation ppp
     ip route-cache flow
     dialer pool 1
     dialer-group 1
     no cdp enable
     ppp authentication chap callin
     ppp chap hostname <username>
     ppp chap password 7 <password>
    interface BVI1
     description $ES_LAN$$FW_INSIDE$
     ip address
     ip nat inside
     ip virtual-reassembly
     zone-member security in-zone
     ip tcp adjust-mss 1412
    ip forward-protocol nd
    ip route Dialer0
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip nat inside source static tcp 25 interface Dialer0 25
    ip nat inside source static tcp 80 interface Dialer0 80
    ip nat inside source static tcp 3389 interface Dialer0 3389
    ip nat inside source static tcp 1723 interface Dialer0 1723
    logging trap debugging
    access-list 1 remark INSIDE_IF=BVI1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host any
    access-list 100 permit ip any
    dialer-list 1 protocol ip permit
    no cdp run
    radius-server attribute 32 include-in-access-req format %h
    radius-server vsa send accounting
    bridge 1 protocol ieee
    bridge 1 route ip
    banner exec !
    line con 0
     no modem enable
     transport output telnet
    line aux 0
     transport output telnet
    line vty 0 4
     privilege level 15
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
  2. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    Since you are using the zone-based firewall you'll need to do more than just make a NAT translation for TCP 25 and 80 to the server. You have two zones defined, in-zone and out-zone, and some policies that control what traffic may pass from one zone to another. Without a policy no traffic can pass between zones. So you'll need to make a policy for traffic to pass from the out-zone to the in-zone.

    So, you'll need a class-map to select the traffic you want to permit, a policy-map to set what you want done to the traffic, and a zone pair to set what zones the policy applies to.

    Here is a good link to configuring ZBF:


    Also, I would suggest tightening access to the router; it is too open: you have telnet, SSH and HTTP all available to anyone on the Internet. At a minimum, remove unneeded access protocols and put an access list on the vty lines and HTTP. And be careful when redacting router configs for posting; wireless SSIDs and PSKs are easy to overlook and accidentally leave in the posted config.

    Last edited: Jun 9, 2010
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
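The three pieces Spice_Weasel lists (class-map, policy-map, zone-pair for out-zone to in-zone), plus the vty/HTTP access-list hardening from the same reply, written out as an added IOS configuration example. This is not from either poster's config. The zone names out-zone and in-zone, the Dialer0 interface and the ports 25/80 come from the posted config; the server address 192.168.1.10, the LAN range 192.168.1.0/24 and the names INBOUND-SERVER, CM-INBOUND-SERVER, PM-OUT-IN and ZP-OUT-IN are assumed placeholders. One check worth making against the posted config: it applies `ip http access-class 23`, but no access-list 23 is defined anywhere in it, so that line restricts nothing until the ACL exists.

```cisco
! Added example, not from the thread. 192.168.1.10 (server) and
! 192.168.1.0/24 (LAN) are assumed placeholders; replace with the real values.
!
! NAT entries in the same form as the posted config (inside address was
! redacted there). These alone are not enough with ZBF in place.
ip nat inside source static tcp 192.168.1.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
!
! 1. Class-map: select only the inbound traffic to expose. IOS applies the
!    outside-to-inside NAT before inspection, so the ACL names the server's
!    private address, not the public Dialer0 address.
ip access-list extended INBOUND-SERVER
 permit tcp any host 192.168.1.10 eq smtp
 permit tcp any host 192.168.1.10 eq www
!
class-map type inspect match-all CM-INBOUND-SERVER
 match access-group name INBOUND-SERVER
!
! 2. Policy-map: statefully inspect (allow) that class; anything else coming
!    from the Internet toward the LAN falls into class-default and is dropped.
policy-map type inspect PM-OUT-IN
 class type inspect CM-INBOUND-SERVER
  inspect
 class class-default
  drop log
!
! 3. Zone-pair: the posted config has in->out, self->out and out->self pairs
!    but no out->in pair, so inbound traffic to the LAN currently has no path.
zone-pair security ZP-OUT-IN source out-zone destination in-zone
 service-policy type inspect PM-OUT-IN
!
! Management hardening from the reply: define the ACL that the existing
! "ip http access-class 23" already references, apply it to the vty lines,
! keep only HTTPS and SSH for administration.
access-list 23 remark MGMT_FROM_LAN_ONLY
access-list 23 permit 192.168.1.0 0.0.0.255
no ip http server
ip http secure-server
ip http access-class 23
line vty 0 4
 access-class 23 in
 transport input ssh
```

After applying it, `show zone-pair security` should list ZP-OUT-IN with PM-OUT-IN attached, and `show policy-map type inspect zone-pair ZP-OUT-IN` shows the session counters climbing as connections to 25 and 80 are inspected; hits in class-default with `drop log` are the external scans the firewall is now refusing.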
  3. jushin100

    jushin100 Bit Poster
