
Cisco 857 port forwarding


pronetIT (IS-IT--Management, GB), Nov 29, 2006
Hi there,
I'm having issues configuring a Cisco 800 series router.

Basically I have followed many guides on adding the port forwards, both via a telnet session and via SDM.

I have added the line

ip nat inside source static tcp 192.168.1.3 3389 interface dialer0 3389

Which should do the job of forwarding port 3389 from the interface dialer0 to port 3389 on the SBSERVER (192.168.1.3)

I have gone through the firewall configuration wizard also, but that fails when getting to the stage of applying the config (usually fails within the first command or two!).

Here is my current configuration without the line above which is not responding to ping or doing any port forwards.

(EDITED OUT USER AND PASS for ADSL)

ROUTER CONFIGURATION

--------------------------------------------------

!This is the running config of the router: 192.168.1.225
!----------------------------------------------------------------------------
!version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name yourdomain.com
!
!
crypto pki trustpoint TP-self-signed-3800918812
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3800918812
revocation-check none
rsakeypair TP-self-signed-3800918812
!
!
crypto pki certificate chain TP-self-signed-3800918812
certificate self-signed 01
! (self-signed certificate hex data omitted)
quit
username admin privilege 15 secret 5 $1$vraO$CKYmiB3X5YZ0l.szH3lW3.
username Services secret 5 $1$5Uei$Y5ohT2kjCUrTNkgWs9Udb0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group RDP_Clients
key *Morse*Watchman**
max-users 3
crypto isakmp profile sdm-ike-profile-1
match identity group RDP_Clients
isakmp authorization list sdm_vpn_group_ml_3
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA2
set isakmp-profile sdm-ike-profile-1
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 192.168.1.225 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
description $FW_OUTSIDE$
ip address 85.189.10.1 255.255.255.252
ip access-group 104 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname ****-****@proweb.broadband
ppp chap password 0 *****
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 3 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static 192.168.0.2 85.189.10.2
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 85.189.10.1 eq non500-isakmp
access-list 101 permit udp any host 85.189.10.1 eq isakmp
access-list 101 permit esp any host 85.189.10.1
access-list 101 permit ahp any host 85.189.10.1
access-list 101 permit icmp any host 85.189.10.1 echo-reply
access-list 101 permit icmp any host 85.189.10.1 time-exceeded
access-list 101 permit icmp any host 85.189.10.1 unreachable
access-list 101 permit tcp any host 85.189.10.1 eq 443
access-list 101 permit tcp any host 85.189.10.1 eq 22
access-list 101 permit tcp any host 85.189.10.1 eq cmd
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip 85.189.10.0 0.0.0.3 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark auto generated by SDM firewall configuration
access-list 104 remark SDM_ACL Category=1
access-list 104 permit udp any host 85.189.10.1 eq non500-isakmp
access-list 104 permit udp any host 85.189.10.1 eq isakmp
access-list 104 permit esp any host 85.189.10.1
access-list 104 permit ahp any host 85.189.10.1
access-list 104 permit tcp any host 85.189.10.2 eq 3389
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 permit icmp any host 85.189.10.1 echo-reply
access-list 104 permit icmp any host 85.189.10.1 time-exceeded
access-list 104 permit icmp any host 85.189.10.1 unreachable
access-list 104 permit tcp any host 85.189.10.1 eq 443
access-list 104 permit tcp any host 85.189.10.1 eq 22
access-list 104 permit tcp any host 85.189.10.1 eq cmd
access-list 104 deny ip 10.0.0.0 0.255.255.255 any
access-list 104 deny ip 172.16.0.0 0.15.255.255 any
access-list 104 deny ip 192.168.0.0 0.0.255.255 any
access-list 104 deny ip 127.0.0.0 0.255.255.255 any
access-list 104 deny ip host 255.255.255.255 any
access-list 104 deny ip host 0.0.0.0 any
access-list 104 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.

Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.

username <myuser> privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want to use.

For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to -----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end

--------------------------------

Kind Regards
Liam Wheldon
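ACL 104 on Dialer0 permits tcp/3389 only to 85.189.10.2, while the added static entry maps port 3389 on the interface address 85.189.10.1; that kind of NAT-versus-ACL mismatch can be checked mechanically before touching the router. The script below is an added example (not the poster's or Cisco's code): it parses a constructed excerpt of the config above (IOS indentation restored), walks the inbound ACL in order for each static NAT target and reports the verdict; the internet source address 203.0.113.5 and the handled subset of numbered-ACL syntax are assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: outside interface, static NATs, inbound ACL 104.
CONFIG = """\
interface Dialer0
 ip address 85.189.10.1 255.255.255.252
 ip access-group 104 in
ip nat inside source static tcp 192.168.1.3 3389 interface Dialer0 3389
ip nat inside source static 192.168.0.2 85.189.10.2
access-list 104 permit tcp any host 85.189.10.2 eq 3389
access-list 104 deny ip 192.168.1.0 0.0.0.255 any
access-list 104 permit tcp any host 85.189.10.1 eq 443
access-list 104 deny ip any any log
"""
NAT_RE = r"^ip nat inside source static (?:(tcp|udp) )?(\S+)(?: (\d+))? (?:interface \S+|(\S+))(?: (\d+))?"
def _addr(tok):  # consume 'any' | 'host X' | 'X wildcard' (contiguous wildcard mask assumed)
    t = tok.pop(0)
    if t in ("any", "host"):
        return ipaddress.IPv4Network("0.0.0.0/0" if t == "any" else tok.pop(0) + "/32")
    host_bits = int(ipaddress.IPv4Address(tok.pop(0))).bit_length()
    return ipaddress.IPv4Network((t, 32 - host_bits), strict=False)
def _port(tok):  # consume optional 'eq <numeric port>'; None means any port
    if tok[:1] == ["eq"]:
        del tok[0]
        return int(tok.pop(0))
def parse_acl(config, number):  # entries in order: (action, proto, src, sport, dst, dport)
    out = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) (\S+) (.*)$", config, re.M):
        tok = m.group(3).split()  # remark lines never match (permit|deny), so they are skipped
        out.append((m.group(1), m.group(2), _addr(tok), _port(tok), _addr(tok), _port(tok)))
    return out

def acl_verdict(entries, proto, src_ip, dst_ip, dport):  # first match wins, then implicit deny
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, p, src, _, dst, dp in entries:
        if p in ("ip", proto) and s in src and d in dst and dp in (None, dport):
            return action
    return "deny"

def check_forwards(config, outside="Dialer0", probe_port=3389, ext_src="203.0.113.5"):
    # Inbound-ACL verdict per static NAT target from a constructed internet source; 1:1 statics probed at probe_port
    block = re.search(rf"^interface {outside}\n((?: .*\n)+)", config, re.M).group(1)
    if_ip = re.search(r"ip address (\S+)", block).group(1)
    acl = parse_acl(config, re.search(r"ip access-group (\d+) in", block).group(1))
    verdicts = {}
    for proto, inside, _, glob, port in re.findall(NAT_RE, config, re.M):
        proto, glob, port = proto or "tcp", glob or if_ip, int(port or probe_port)
        verdicts[f"{proto}/{glob}:{port}->{inside}"] = acl_verdict(acl, proto, ext_src, glob, port)
    return verdicts
```

Run against the excerpt it reports the forward to 85.189.10.1:3389 as denied by the closing "deny ip any any log" entry and only the 85.189.10.2 mapping as permitted.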

Have you tried it with the IP address rather than the interface in the static port translation? Also remember that telnet uses two ports, control and data; are they both mapped?
