Having issues with port forwarding on my ISR. I have it as my border router in my home network, with PAT to get all the computers inside to talk to the outside. ZBF has been setup and seems to be working properly, but when trying to assign static NAT to access the web server and mail server in my DMZ (lab computers), I just cant get them to work. Port scan shows everything that should be open, is being filtered, but anything going to those ports just times out.
Note that any traffic from the inside is translated properly.
show run below (edited, ofc)
Current configuration : 5507 bytes
!
! Last configuration change at 16:35:21 UTC Fri Oct 12 2018 by x
! NVRAM config last updated at 02:10:04 UTC Fri Oct 12 2018 by x
! NVRAM config last updated at 02:10:04 UTC Fri Oct 12 2018 by x
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Nexus
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxx
!
no aaa new-model
!
no process cpu extended history
no process cpu autoprofile hog
!
no ipv6 cef
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 10.0.0.100
ip dhcp excluded-address 10.0.0.106
ip dhcp excluded-address 192.168.1.2 192.168.1.5
ip dhcp excluded-address 192.168.1.10 192.168.1.11
!
ip dhcp pool LabNet
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.10
!
ip dhcp pool GameNet
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 192.168.1.10
!
!
no ip domain lookup
ip domain name audemed.com
ip port-map user-RDP-ACCESS port tcp 3389
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO2921/K9 sn FGL1647115S
!
!
username xxx
!
redundancy
!
!
!
!
ip ssh version 2
!
class-map type inspect match-any IN-OUT-PROTOCOLS
match protocol tcp
match protocol icmp
match protocol udp
class-map type inspect match-any DMZ-TO-IN-PROTOCOLS
match protocol ssh
match protocol dns
match protocol user-RDP-ACCESS
match protocol ftp
match protocol smtp
match protocol pop3s
match protocol nfs
class-map type inspect match-any DMZ-OUT-PROTOCOLS
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any OUT-TO-DMZ-PROTOCOLS
match protocol ssh
match protocol dns
match protocol ftp
match protocol http
match protocol smtp
match protocol pop3s
match protocol user-RDP-ACCESS
match protocol https
!
!
policy-map type inspect DMZ-OUT-POLICY
class type inspect DMZ-OUT-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect OUT-TO-DMZ-POLICY
class type inspect OUT-TO-DMZ-PROTOCOLS
class class-default
drop
policy-map type inspect DMZ-TO-IN-POLICY
class type inspect DMZ-TO-IN-PROTOCOLS
inspect
class class-default
drop
policy-map type inspect IN-TO-OUT-POLICY
class type inspect IN-OUT-PROTOCOLS
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security DMZ
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security OUT-TO-DMZ source OUTSIDE destination DMZ
service-policy type inspect OUT-TO-DMZ-POLICY
zone-pair security DMZ-TO-IN source DMZ destination INSIDE
service-policy type inspect DMZ-TO-IN-POLICY
zone-pair security IN-TO-DMZ source INSIDE destination DMZ
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security DMZ-TO-OUT source DMZ destination OUTSIDE
service-policy type inspect DMZ-OUT-POLICY
!
!
!
!
!
!
!
interface Port-channel1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security DMZ
hold-queue 150 in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
no cdp enable
!
interface GigabitEthernet0/0
ip dhcp client client-id ascii audemed.com
ip dhcp client lease 100 0 0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/2
ip address 192.168.3.1 255.255.255.0
shutdown
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/0/0
no ip address
duplex auto
speed auto
channel-group 1
no cdp enable
!
interface FastEthernet0/0/1
no ip address
duplex auto
speed auto
channel-group 1
no cdp enable
!
ip default-gateway xx.xx.226.1
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool masternet xx.xx.227.121 xx.xx.227.121 netmask 255.255.254.0
ip nat inside source list 3 pool masternet overload
ip nat inside source static tcp 192.168.1.20 80 xx.xx.227.121 80 extendable
ip nat inside source static tcp 192.168.1.20 81 xx.xx.227.121 81 extendable
ip nat inside source static tcp 192.168.1.20 443 xx.xx.227.121 443 extendable
ip nat inside source static tcp 192.168.1.20 444 xx.xx.227.121 444 extendable
ip nat inside source static tcp 192.168.1.20 3389 xx.xx.227.121 3389 extendable
ip default-network xx.xx.226.0
ip route 0.0.0.0 0.0.0.0 xx.xx.226.1
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 101 permit ip any any
!
no cdp advertise-v2
!
!
!
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
!
scheduler allocate 20000 1000
end
No comments:
Post a Comment