Port forwarding on 877W Router over ADSL

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Hi,

I am fairly new to Cisco kit and I have been given a 877W router to setup for our office. I have it working for internet access fine and the wifi is also setup.

I would like some help on setting up the port forwding on Port 25 and 80 to go to our web/email server.
The config of the unit is below. i have got some port forwarding info programmed in already but when i do a scan on our public IP i get that the ports are closed. This also is the case if you go to the public IP in IE, which should bring up our website, instead it brings up the router login box.

IF anyone can spot the problem i would be very happy.

Kind regards,

Jon-Paul

Code:

Current configuration : 8683 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <hostname>
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 <password>!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods start-stop group rad_acct
!
!
aaa session-id common
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1480278219
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1480278219
 revocation-check none
 rsakeypair TP-self-signed-1480278219
!
!
crypto pki certificate chain TP-self-signed-1480278219
 certificate self-signed 01
  30820253 308201BC A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31343830 32373832 3139301E 170D3032 30333033 32313339
  30325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 34383032
  37383231 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B3C7 657B0729 03B9347A 08C02194 FBA42C9E 2EFE1EA7 A6292DD9 B247391D
  3FFBD8F0 3CB02B1B 67C75626 F007E7DA A452BE87 08AAD311 04FF74B9 7E3BCC93
  9A1CB190 E979B3AE 0FC9A802 17417172 481E6B3F F5B6A689 74054BFC 13AAF994
  C8E19820 A30B461B 1DEB9482 D2556C2B 6A8260DF FBDD0199 7EED03DB 261F3AB4
  B4530203 010001A3 7B307930 0F060355 1D130101 FF040530 030101FF 30260603
  551D1104 1F301D82 1B6D6463 726F7574 65722E6D 61636C65 616E6461 74612E63
  6F2E756B 301F0603 551D2304 18301680 1414617D B0C02DB3 2D5EEFAE CDADF1CB
  9D952F82 C3301D06 03551D0E 04160414 14617DB0 C02DB32D 5EEFAECD ADF1CB9D
  952F82C3 300D0609 2A864886 F70D0101 04050003 8181005D 97101839 E5A6C009
  A5610C2B 99263CB4 0097ABE5 99087559 61E14A06 E6B31256 7754D195 5240C841
  9D852C4A EDE6B3DE 56C72E93 F853A629 5BE8B44A 5B374265 E34E3794 72FC0FEE
  9C5899B7 6267DEDF E47585B4 FBAFBE25 14B68DE9 4D376250 949F42E7 56F833A9
  942C40B4 D665A502 6F301362 EFC4EB18 9CB32ABF 5C1CA1
        quit
dot11 syslog
!
dot11 ssid MacleanData
   authentication open
!
dot11 ssid macleandata
   authentication open
   guest-mode
   infrastructure-ssid optional
   wpa-psk ascii 7 045A5F0D57264D1A024102
!
no ip source-route
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name <domain name>
!
!
!
username admin privilege 15 secret 5 <password>
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
bridge irb
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $FW_OUTSIDE$$ES_WAN$
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption key 1 size 40bit 7 20885CCA6BDE transmit-key
 encryption mode wep mandatory
 !
 ssid macleandata
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 b
asic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname <username>
 ppp chap password 7 <password>
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.16.3 25 interface Dialer0 25
ip nat inside source static tcp 192.168.16.3 80 interface Dialer0 80
ip nat inside source static tcp 192.168.16.3 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.16.3 1723 interface Dialer0 1723
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec !
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

 

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

Since you are using the zone-based firewall you'll need to do more than just make a nat translation for tcp 25 and 80 to the server. You have two zones defined, in-zone and out-zone, and some policies that control what traffic may pass from one zone to another. Without a policy no traffic can pass between zones. So you'll need to make a policy for traffic to pass from the out-zone to the in-zone.

So, you'll need a class-map to select the traffic you want to permit, a policy-map to set what you want done to the traffic, and a zone pair to set what zones the policy applies to.

Here is a good link to configuring zbf:

http://www.cisco.com/en/US/products...ts_tech_note09186a00808bc994.shtml#stateful-1

Also, I would suggest tightening access to the router, it is too open, you have telnet, ssh and http all available to anyone on the Internet. At a minimum remove unneeded access protocols and put an access list on the vty lines and http. And be careful when redacting router configs for posting, wireless ssid's and psk's are easy to overlook and accidently leave in the posted config.

Spice_Weasel

 

I have a slightly similar (should be more simple) problem here:-
http://www.certforums.com/forums/routing-switching/47141-cisco-877-port-forwarding-nat-not-working.html#post402905

If anyone feels like saving my life please help