Cisco Port Forwarding Zone Based Firewall Trouble

Harley_3
Mar 12, 2016
I'm having trouble forwarding ports using a Cisco 1811W with Zone Based Firewall.

Interface FastEthernet 1 - Zone OUTSIDE (The Internet)
Interface FastEthernet 0 - Zone DMZ (Raspberry Pi Server - 10.0.0.4)
Switchports/Wifi - Zone INSIDE (The LAN)

Basically I'm trying to forward ports from 10.0.0.4 like so...

ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080

and for now the ACLs are set to...

ip access-list extended ACL_DMZ_TO_OUTSIDE
permit ip any any

ip access-list extended ACL_OUTSIDE_TO_DMZ
permit ip any any

But I can't get in from the Internet. The LAN and the DMZ can both access the Internet and, currently, each other too. Using the local IP 10.0.0.4 (Raspberry Pi) I can SSH (22), RDP (3389) and HTTP (8080), but no luck using the domain name or IP address of interface FastEthernet 1.

Below is most of my config:
************************************
!
! Last configuration change at 18:27:06 AEDT Sat Mar 12 2016 by me
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname My_Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 1048576
logging console critical
enable secret 5 $/
!
aaa new-model
!
!
aaa authentication login local_auth local-case
!
!
aaa session-id common
!
clock timezone AEST 10 0
clock summer-time AEDT recurring 1 Sun Oct 2:00 1 Sun Apr 3:00
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-318598295
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-318598295
revocation-check none
rsakeypair TP-self-signed-318598295
!
!
dot11 syslog
!
dot11 ssid Home
vlan 1
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 7 07
!
no ip source-route
no ip gratuitous-arps
!
!
ip dhcp excluded-address 192.168.100.1 192.168.100.100
!
ip dhcp pool LAN
network 192.168.100.0 255.255.255.0
default-router 192.168.100.2
dns-server 211.29.132.12 198.142.0.51
lease infinite
!
!
!
ip cef
no ip bootp server
ip name-server 198.142.0.51
ip name-server 211.29.132.12
ip ips config location flash:/IPS retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips advanced
retired false
!
ip sdee messages 500
login block-for 60 attempts 3 within 60
login delay 10
login on-failure log
login on-success log
no ipv6 cef
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-any CLASS_MAP_DMZ_TO_OUTSIDE
match access-group name ACL_DMZ_TO_OUTSIDE
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_DMZ
match access-group name ACL_OUTSIDE_TO_DMZ
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_SELF
match access-group name ACL_OUTSIDE_TO_SELF
class-map type inspect match-any CLASS_MAP_INSIDE_TO_OUTSIDE
match access-group name ACL_INSIDE_TO_OUTSIDE
class-map type inspect match-any CLASS_MAP_OUTSIDE_TO_INSIDE
match access-group name ACL_OUTSIDE_TO_INSIDE
class-map type inspect match-any CLASS_MAP_DMZ_TO_INSIDE
match access-group name ACL_DMZ_TO_INSIDE
class-map type inspect match-any CLASS_MAP_INSIDE_TO_DMZ
match access-group name ACL_INSIDE_TO_DMZ
!
!
policy-map type inspect POLICY_MAP_DMZ_TO_INSIDE
class type inspect CLASS_MAP_DMZ_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_INSIDE_TO_DMZ
class type inspect CLASS_MAP_INSIDE_TO_DMZ
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_SELF
class type inspect CLASS_MAP_OUTSIDE_TO_SELF
pass
class class-default
drop
policy-map type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
class type inspect CLASS_MAP_INSIDE_TO_OUTSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
class type inspect CLASS_MAP_OUTSIDE_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_DMZ_TO_OUTSIDE
class type inspect CLASS_MAP_DMZ_TO_OUTSIDE
pass
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
pass
class class-default
drop
!
zone security OUTSIDE
zone security INSIDE
zone security DMZ
zone-pair security ZONE_PAIR_OUTSIDE_TO_SELF source OUTSIDE destination self
service-policy type inspect POLICY_MAP_OUTSIDE_TO_SELF
zone-pair security ZONE_PAIR_INSIDE_TO_OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
zone-pair security ZONE_PAIR_OUTSIDE_TO_INSIDE source OUTSIDE destination INSIDE
service-policy type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
zone-pair security ZONE_PAIR_INSIDE_TO_DMZ source INSIDE destination DMZ
service-policy type inspect POLICY_MAP_INSIDE_TO_DMZ
zone-pair security ZONE_PAIR_DMZ_TO_INSIDE source DMZ destination INSIDE
service-policy type inspect POLICY_MAP_DMZ_TO_INSIDE
zone-pair security ZONE_PAIR_OUTSIDE_TO_DMZ source OUTSIDE destination DMZ
service-policy type inspect POLICY_MAP_OUTSIDE_TO_DMZ
zone-pair security ZONE_PAIR_DMZ_TO_OUTSIDE source DMZ destination OUTSIDE
service-policy type inspect POLICY_MAP_DMZ_TO_OUTSIDE
!
!
!
bridge irb
!
!
!
!
interface Dot11Radio0
description 2.4GHz Band
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
encryption vlan 1 mode ciphers aes-ccm
!
broadcast-key vlan 1 change 30
!
!
ssid Los Cuyes
!
mbssid
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip redirects
no ip unreachables
no ip proxy-arp
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
description 5GHz Band
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
description DMZ
ip address 10.0.0.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
duplex auto
speed auto
!
interface FastEthernet1
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip ips sdm_ips_rule in
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
zone-member security OUTSIDE
duplex auto
speed auto
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
no ip address
!
interface FastEthernet9
no ip address
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly in
bridge-group 1
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface BVI1
ip address 192.168.100.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list NAT interface FastEthernet1 overload
ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 80 interface FastEthernet1 80
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080
ip route 0.0.0.0 0.0.0.0 FastEthernet1
!
ip access-list extended ACL_DMZ_TO_INSIDE
permit ip any any
deny ip any any
ip access-list extended ACL_DMZ_TO_OUTSIDE
permit ip any any
ip access-list extended ACL_INSIDE_TO_DMZ
permit ip any any
deny ip any any
ip access-list extended ACL_INSIDE_TO_OUTSIDE
permit ip any any
ip access-list extended ACL_OUTSIDE_TO_DMZ
permit ip any any
ip access-list extended ACL_OUTSIDE_TO_INSIDE
permit udp any host 192.168.100.55 eq 5060
permit udp any host 192.168.100.55 range 1020 1040
permit udp any host 192.168.100.55 range 16384 16482
ip access-list extended ACL_OUTSIDE_TO_SELF
permit udp any any eq bootpc
permit udp host 150.101.217.196 any eq ntp
ip access-list extended NAT
permit ip 192.168.100.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
deny ip any any
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
no cdp run
!
!
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
banner motd CUnauthorized access strictly prohibited and prosecuted to the full extent of the law
!
line con 0
exec-timeout 5 0
login authentication local_auth
transport output telnet
line 1
exec-timeout 15 0
login authentication local_auth
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
login authentication local_auth
transport output telnet
line vty 0 4
exec-timeout 15 0
privilege level 15
logging synchronous
login authentication local_auth
transport input ssh
!
ntp server 150.101.217.196
end
 
Solution
So I am going to be lazy and not try to figure out the firewall configuration statements. Best bet is to make sure it works before you add any firewall and then slowly add the firewall statements. This will tell you if you need to look at the firewall configuration part or something else.

You will not be able to access the servers using the external IP or the domains from inside your network. You need an even more complex configuration called hairpin NAT to accomplish that, and the firewall rules get even more messy. You need to be testing from an actual device on the outside. Now, you could plug a PC into the "WAN" interface, assign a static IP and simulate it.

Pretty much, when you get stuck on these you use the debug commands to see what is really going on. There are extensive options both for NAT and the inspect firewall part.

Harley_3
Mar 12, 2016
Yeah, I just did a port scan from the outside and the ports that I forwarded are open, thanks.
Using a VPN I can connect with the external IP or domain name; it's all working.

And the final config...

!
policy-map type inspect POLICY_MAP_DMZ_TO_INSIDE
class type inspect CLASS_MAP_DMZ_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_INSIDE_TO_DMZ
class type inspect CLASS_MAP_INSIDE_TO_DMZ
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_DMZ_TO_SELF
class type inspect CLASS_MAP_DMZ_TO_SELF
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_SELF
class type inspect CLASS_MAP_OUTSIDE_TO_SELF
pass
class class-default
drop
policy-map type inspect POLICY_MAP_INSIDE_TO_OUTSIDE
class type inspect CLASS_MAP_INSIDE_TO_OUTSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_INSIDE
class type inspect CLASS_MAP_OUTSIDE_TO_INSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_DMZ_TO_OUTSIDE
class type inspect CLASS_MAP_DMZ_TO_OUTSIDE
inspect
class class-default
drop
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
inspect
class class-default
drop
!

ip access-list extended ACL_DMZ_TO_INSIDE
deny ip any any
ip access-list extended ACL_DMZ_TO_OUTSIDE
permit ip any any
ip access-list extended ACL_DMZ_TO_SELF
deny ip any any
ip access-list extended ACL_INSIDE_TO_DMZ
permit ip any any
ip access-list extended ACL_INSIDE_TO_OUTSIDE
permit ip any any
ip access-list extended ACL_OUTSIDE_TO_DMZ
permit tcp any host 10.0.0.4 eq www
permit tcp any host 10.0.0.4 eq 22
permit tcp any host 10.0.0.4 eq 8080
permit tcp any host 10.0.0.4 eq 3389
ip access-list extended ACL_OUTSIDE_TO_INSIDE
permit udp any host 192.168.100.55 eq 5060
permit udp any host 192.168.100.55 range 1020 1040
permit udp any host 192.168.100.55 range 16384 16482
ip access-list extended ACL_OUTSIDE_TO_SELF
permit udp any any eq bootpc
permit udp host 150.101.217.196 any eq ntp
ip access-list extended NAT
permit ip 192.168.100.0 0.0.0.255 any
permit ip 10.0.0.0 0.0.0.255 any
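The two configurations in this thread differ in exactly the places a reviewer would check on a port-forwarding setup: whether every static NAT forward has a matching permit in the OUTSIDE-to-DMZ ACL, whether that ACL is wider than the forwards it exists to allow (the question's `permit ip any any` versus the per-port `host 10.0.0.4` entries in the final config), and whether the zone-pair policy uses the stateless `pass` action or `inspect`, which tracks the flow and its return traffic. The script below is an added example written for this page, not code from the thread or from Cisco: it parses only the small IOS subset shown above, and the two embedded snippets are constructed condensations of the question's state and of the final config. The function names (`audit`, `acl_permits`, `policy_action`, and the rest) are this example's own. The ACL is checked against the inside address, consistent with the final config matching on `host 10.0.0.4`: for traffic entering the outside interface, NAT has already translated the destination by the time the zone-pair policy classifies it.

```python
# Config audit for the static-NAT + zone-based-firewall pattern in this thread.
# Hypothetical helper, not Cisco software: it parses only the IOS subset used
# above (static port-forward NAT lines, inspect policy-maps, named extended ACLs).
import re

# IOS displays some well-known ports by name; map the ones that appear here.
PORT_NAMES = {"www": 80, "ssh": 22, "telnet": 23, "ntp": 123, "bootpc": 68, "domain": 53}

NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<host>\S+) (?P<port>\d+) "
    r"interface \S+ (?P<ext_port>\d+)$"
)

# Constructed snippets condensed from the thread: the state described in the
# question (pass action, permit ip any any) and the final config (inspect,
# per-port permits to the inside host).
BEFORE_CONFIG = """
ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
 class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
  pass
 class class-default
  drop
ip access-list extended ACL_OUTSIDE_TO_DMZ
 permit ip any any
"""

AFTER_CONFIG = """
ip nat inside source static tcp 10.0.0.4 3389 interface FastEthernet1 3389
ip nat inside source static tcp 10.0.0.4 80 interface FastEthernet1 80
ip nat inside source static tcp 10.0.0.4 22 interface FastEthernet1 22
ip nat inside source static tcp 10.0.0.4 8080 interface FastEthernet1 8080
policy-map type inspect POLICY_MAP_OUTSIDE_TO_DMZ
 class type inspect CLASS_MAP_OUTSIDE_TO_DMZ
  inspect
 class class-default
  drop
ip access-list extended ACL_OUTSIDE_TO_DMZ
 permit tcp any host 10.0.0.4 eq www
 permit tcp any host 10.0.0.4 eq 22
 permit tcp any host 10.0.0.4 eq 8080
 permit tcp any host 10.0.0.4 eq 3389
"""


def port_number(token):
    return int(token) if token.isdigit() else PORT_NAMES[token]


def parse_static_nat(config):
    """[(proto, inside_host, inside_port, outside_port)] for each static port forward."""
    hits = [NAT_RE.match(ln.strip()) for ln in config.splitlines()]
    return [(m["proto"], m["host"], int(m["port"]), int(m["ext_port"])) for m in hits if m]


def _addr(tok, i):
    """Consume one address spec: 'any', 'host X' or 'network wildcard'."""
    if tok[i] == "any":
        return "any", i + 1
    if tok[i] == "host":
        return "host:" + tok[i + 1], i + 2
    return "net:%s/%s" % (tok[i], tok[i + 1]), i + 2


def parse_ace(line):
    """Parse 'permit tcp any host 10.0.0.4 eq www' (destination 'eq'/'range' only)."""
    tok = line.split()
    src, i = _addr(tok, 2)
    dst, i = _addr(tok, i)
    ports = None                                   # None = all ports
    if i < len(tok) and tok[i] == "eq":
        ports = (port_number(tok[i + 1]),) * 2
    elif i < len(tok) and tok[i] == "range":
        ports = (port_number(tok[i + 1]), port_number(tok[i + 2]))
    return {"action": tok[0], "proto": tok[1], "src": src, "dst": dst, "ports": ports}


def parse_acl(config, name):
    """ACEs of one named extended ACL, in order; any other statement ends it."""
    aces, inside = [], False
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("ip access-list extended "):
            inside = line.split()[-1] == name
        elif inside and line.startswith(("permit ", "deny ")):
            aces.append(parse_ace(line))
        elif line:
            inside = False
    return aces


def _matches(ace, proto, host, port):
    """Does the ACE match an Internet-sourced flow to proto/host/port? Source must
    be 'any' (a source-restricted entry does not cover arbitrary clients);
    wildcard-mask destinations are treated as non-matching, the conservative choice."""
    if ace["src"] != "any" or ace["proto"] not in ("ip", proto):
        return False
    if ace["dst"] not in ("any", "host:" + host):
        return False
    return ace["ports"] is None or ace["ports"][0] <= port <= ace["ports"][1]


def acl_permits(aces, proto, host, port):
    """First-match evaluation as IOS does it; no match means the implicit deny."""
    for ace in aces:
        if _matches(ace, proto, host, port):
            return ace["action"] == "permit"
    return False


def policy_action(config, policy_name):
    """Action of the first 'class type inspect' in a policy-map, or None."""
    inside = in_class = False
    for line in (ln.strip() for ln in config.splitlines()):
        if line.startswith("policy-map type inspect "):
            inside, in_class = line.split()[-1] == policy_name, False
        elif inside and line.startswith("class "):
            in_class = line.startswith("class type inspect ")
        elif inside and in_class and line.split(" ")[0] in ("inspect", "pass", "drop"):
            return line.split(" ")[0]
    return None


def audit(config, acl="ACL_OUTSIDE_TO_DMZ", policy="POLICY_MAP_OUTSIDE_TO_DMZ"):
    """Cross-check the port forwards against the OUTSIDE->DMZ zone-pair policy."""
    forwards = parse_static_nat(config)
    aces = parse_acl(config, acl)
    return {
        "forwards": len(forwards),
        # a forward the ACL would not let through from the Internet
        "missing_permits": [(p, h, pt) for p, h, pt, _ in forwards
                            if not acl_permits(aces, p, h, pt)],
        # permits that open every destination or every port
        "overly_broad_aces": sum(1 for a in aces if a["action"] == "permit"
                                 and (a["dst"] == "any" or a["ports"] is None)),
        # 'pass' is stateless; 'inspect' tracks the flow and its return traffic
        "stateless_pass": policy_action(config, policy) == "pass",
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit(cfg))
```

Run against the "before" snippet the audit reports one overly broad entry and a stateless `pass`; against the final config it reports neither, and deleting any one of the four per-port permits makes the corresponding forward show up under `missing_permits`. The parser is deliberately narrow (destination-side `eq`/`range` only, wildcard-mask networks treated as non-matching), so a clean report means the subset it understands is consistent, not that the whole running config has been reviewed.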