eXest7
Member
join:2012-10-05
Glendale, AZ

[Config] Cisco 1921 Config.. Please help!!

Thanks in advance for looking in on this! So for the last week I've been studying the Cisco IOS and a million forums, tutorials and the Cisco website, but I just can't get my 1921 to allow port forwarding! I have a very simple network with static IPs and all I want to do is forward a handful of IPs/ports. I have tried every which way that I could find or think of! I'm sure it has to do with the zone based firewall, but I'm a real noob with the CLI. I do have the Configuration Professional v2.6 software, which helps a lot, but not enough! Here's my configuration:
WAN1: Integra T1 from AdTran router with static IP(MPLS, VoIP)
WAN2: Internet: COX Cable connection with static IP
VLan1 is driving a 4 port GigabitEthernet card that I have 2 switches plugged into delivering DHCP to clients
I have 3 servers on the VLan1 side that I want various specific ports forwarded to, because they host websites and DynDNS clients for easily RDPing in. I also need to set up site to site VPNs between the 1921 and my offsite employees' RV042s.
I will list my config file here and hope with all my heart that someone can look at it and help me! Thanks so much!

Building configuration...

Current configuration : 9591 bytes
!
! Last configuration change at 14:08:59 UTC Fri Oct 5 2012 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1921
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$.
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 25
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.99
ip dhcp excluded-address 192.168.2.201 192.168.2.254
!
ip dhcp pool ccp-pool1
network 192.168.2.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.2.1
!
ip dhcp pool static1
host 192.168.2.137 255.255.255.0
client-identifier 0148.5b39.a81d.49
client-name Mike_Thiel
!
ip dhcp pool static2
host 192.168.2.143 255.255.255.0
client-identifier 0174.e50b.9d64.72
client-name Laura_laptop
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1329564060
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1329564060
revocation-check none
rsakeypair TP-self-signed-1329564060
!
!
crypto pki certificate chain TP-self-signed-1329564060
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

quit
license udi pid CISCO1921/K9 sn FTX161582J1
license boot module c1900 technology-package securityk9
!
!
username $$$$$$$ privilege 15 secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$.
!
redundancy
!
!
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any Incoming-Traffic
match access-group name NEW_Incoming
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect incoming-policy
class type inspect Incoming-Traffic
pass
class class-default
drop
policy-map type inspect ccp-permit
class class-default
drop
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security Outside-to-Inside source out-zone destination in-zone
service-policy type inspect incoming-policy
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address 67.138.151.82 255.255.255.248
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$$ETH-WAN$
ip address 68.14.216.186 255.255.255.240
ip nat outside
no ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/0/0
no ip address
!
interface GigabitEthernet0/0/1
no ip address
!
interface GigabitEthernet0/0/2
no ip address
!
interface GigabitEthernet0/0/3
no ip address
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.2.10 20 68.14.216.186 20 extendable
ip nat inside source static tcp 192.168.2.10 21 68.14.216.186 21 extendable
ip nat inside source static tcp 192.168.2.10 80 68.14.216.186 80 extendable
ip nat inside source static tcp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static udp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static tcp 192.168.2.10 3389 68.14.216.186 3389 extendable
ip nat inside source static tcp 192.168.2.163 3391 68.14.216.186 3391 extendable
ip nat inside source static tcp 192.168.2.168 3392 68.14.216.186 3392 extendable
ip nat inside source static tcp 192.168.2.2 8282 68.14.216.186 8282 extendable
ip nat inside source static tcp 192.168.2.168 8585 68.14.216.186 8585 extendable
ip nat inside source static tcp 192.168.2.163 8686 68.14.216.186 8686 extendable
ip route 0.0.0.0 0.0.0.0 192.168.1.0 permanent
ip route 0.0.0.0 0.0.0.0 192.168.3.0 permanent
ip route 0.0.0.0 0.0.0.0 68.14.216.177
!
ip access-list extended NEW_Incoming
remark Outside Port Forwarding
remark CCP_ACL Category=17
permit ip 192.168.2.0 0.0.0.255 any
permit ip host 255.255.255.255 any
permit ip 127.0.0.0 0.255.255.255 any
permit tcp any any eq www
permit tcp any any eq 3389
permit tcp any any eq ftp-data
permit tcp any any eq ftp
permit tcp any any eq 1433
permit udp any any eq 1433
permit tcp any any eq 3391
permit tcp any any eq 3392
permit tcp any any eq 8585
permit tcp any any eq 8686
permit tcp any any eq 8282
deny ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark CCP_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark CCP_ACL Category=1
permit tcp any any eq 22
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet ssh
!
scheduler allocate 20000 1000
end
aryoba
MVM
join:2002-08-22

With dual WAN connectivity where each serves different purposes, you want to start with setting up proper routing. You need to make sure all MPLS and VoIP traffic is going through your T1 while the Internet traffic is going through the Cable. Using static routes, manually create specific routes to go through the T1 and set default gateway to go through the Cable.

In regards to port forwarding with ZBF in place, I never really like the approach since I think ZBF is not mature enough compared to firewall inspection on ASA. You may want to play around with the ZBF setting to have a successful result (which I never had).
HELLFIRE to eXest7
MVM
join:2009-11-25

Good news is you're already port forwarding... right here in your config

ip nat inside source static tcp 192.168.2.10 20 68.14.216.186 20 extendable
ip nat inside source static tcp 192.168.2.10 21 68.14.216.186 21 extendable
ip nat inside source static tcp 192.168.2.10 80 68.14.216.186 80 extendable
ip nat inside source static tcp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static udp 192.168.2.163 1433 68.14.216.186 1433 extendable
ip nat inside source static tcp 192.168.2.10 3389 68.14.216.186 3389 extendable
ip nat inside source static tcp 192.168.2.163 3391 68.14.216.186 3391 extendable
ip nat inside source static tcp 192.168.2.168 3392 68.14.216.186 3392 extendable
ip nat inside source static tcp 192.168.2.2 8282 68.14.216.186 8282 extendable
ip nat inside source static tcp 192.168.2.168 8585 68.14.216.186 8585 extendable
ip nat inside source static tcp 192.168.2.163 8686 68.14.216.186 8686 extendable
 

All you'd have to do is "show ip nat translation" to see if those NATs are showing up or not,
to ensure port forwarding is operating or not.

Bad news is, like aryoba said, I'm seriously wondering about your routing / NAT here, namely

ip nat inside source list 1 interface GigabitEthernet0/1 overload
<SNIP>
ip route 0.0.0.0 0.0.0.0 192.168.1.0 permanent
ip route 0.0.0.0 0.0.0.0 192.168.3.0 permanent
ip route 0.0.0.0 0.0.0.0 68.14.216.177
 

So Gi0/1 / 68.14.216.186 is doing NAT overload for outbound traffic... so where's Gi 0/0
fit in, or it's not supposed to take anything? Second, where is 192.168.1.0, 192.168.3.0
and 68.14.216.177 for all of this? You've just basically told it "for all traffic anywhere,
go to these two (nonexistent?) networks, THEN go out to this third (nonexistent?) IP address."

If you are new to IOS, what I'd recommend is back up the config to the text file, and start
with a bare config -- for now the DHCP config, the Gig0/1 interface, the VLAN1 interface and
the static NATs above. Once you've got that confirmed working, then go adding the rest like
the Gi0/0 interface and firewall config.

One last point, taking a look at your ZBFW config and ACLs, so incoming-policy is the policy-map,
Incoming-Traffic is the class, and NEW_Incoming defines the traffic that can enter... have you
checked if the ACL and the policy is getting any hits or not? Any log messages from the firewall?

Regards
cramer
Premium Member
join:2007-04-10
Raleigh, NC

The 192.168.1.0 and 192.168.3.0 routes will not be in the table *because* they don't exist. The 3rd one is (maybe) correct; 177 is valid for a 240 netmask.
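As an added check of the point HELLFIRE and cramer make about those three default routes (this script is not from the thread, nor a Cisco tool): it parses the interface addresses and the `ip route` lines from a constructed excerpt of the posted config and reports whether each next hop is a usable host address inside a connected subnet, which is the condition IOS needs before it will install a static route.

```python
# Added example, not from the thread: check each static route's next hop against
# the connected subnets, since IOS only installs a static route whose next hop is
# reachable through a connected interface. CONFIG is a constructed config excerpt.
import ipaddress
import re

CONFIG = """\
interface GigabitEthernet0/0
 ip address 67.138.151.82 255.255.255.248
interface GigabitEthernet0/1
 ip address 68.14.216.186 255.255.255.240
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.0 permanent
ip route 0.0.0.0 0.0.0.0 192.168.3.0 permanent
ip route 0.0.0.0 0.0.0.0 68.14.216.177
"""
IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")

def connected_subnets(config):
    """Map interface name -> IPv4Interface for each interface that has an address."""
    subnets, current = {}, None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            current = m.group(1)
        elif (m := ADDR_RE.match(line)) and current:
            subnets[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
    return subnets

def check_routes(config):
    """Return (route, verdict) pairs. A usable next hop is a host address inside
    a connected subnet; a network or broadcast address can never be a neighbour."""
    subnets, results = connected_subnets(config), []
    for line in config.splitlines():
        if not (m := ROUTE_RE.match(line)):
            continue
        dest, mask, nexthop = m.groups()
        hop = ipaddress.IPv4Address(nexthop)
        verdict = "unreachable: no connected interface covers this next hop"
        for name, iface in subnets.items():
            net = iface.network
            if hop in net:
                bad = hop in (net.network_address, net.broadcast_address)
                verdict = (f"invalid: network/broadcast address of {name}" if bad
                           else f"ok via {name} ({net})")
                break
        results.append((f"{dest} {mask} -> {nexthop}", verdict))
    return results
```

Run against the excerpt it flags the 192.168.1.0 and 192.168.3.0 routes as unreachable and accepts 68.14.216.177 via GigabitEthernet0/1, matching what cramer describes; the same check can be pointed at a full `show running-config` dump.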
eXest7
Member

Thank you guys so much for all the help! I think I'm going to take HELLFIRE's advice and start with a bare config. I need the practice anyway! What is the best way to get it back to a bare config?
About the NAT table.. I know it's probably messed up, but I was kind of lost as to how to do it. So Gi0/1 is where I have my cable internet hooked up, which my building uses for its internet and my VPN users use to connect with our network for VoIP and access to our servers; however, we also have an MPLS network that ties our 3 buildings together. The MPLS comes in on Gi0/0. So the routes for 192.168.1.0 and 3.0 are for our 2 other buildings. Currently we have an RV082 at each location and I was just trying to copy the settings from the RV082 and apply them to the Cisco 1921. If any of you have some good pointers on how this should be set up correctly, I would be very appreciative!!
Again, I appreciate all of the help and will post any updates as I work through this!

Mike
HELLFIRE to eXest7
MVM
join:2009-11-25

From the CLI

erase start
reload
 

Start fresh, let us know how it goes, and go from there.

Regards

Da Geek Kid
Member
join:2003-10-11
::1


ol' skool.

wr erase
reload