Sunday, April 12, 2015

configuration - Cisco ios config



I'm setting up a cisco 881 (this is my first ios device)



I got everything working the way i want except port forwarding



im trying forward all incoming port 80 traffic to 10.10.10.60 and I don't see that option anywhere in the cisco configuration professional. so i assume ill have to add it command line style



Please also feel free to point out any other issues you feel might cause issues for me.

(password have been altered to protect the innocent)




Using 16191 out of 262136 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

!
hostname MARKONHQ
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 #password was here#
!

aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
!
 --More--         !
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!
crypto pki trustpoint TP-self-signed-3499699271
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3499699271
 revocation-check none
 rsakeypair TP-self-signed-3499699271
!
!
crypto pki certificate chain TP-self-signed-3499699271
 certificate self-signed 01 nvram:IOS-Self-Sig#D.cer

ip source-route
ip dhcp excluded-address 10.10.10.1 10.10.10.74
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server #dns servers were here#
   lease infinite
 --More--         !

!
ip cef
ip domain name markonsolutions.com
ip name-server 
ip name-server 
ip port-map user-protocol--2 port udp 53322
ip port-map user-protocol--3 port udp 80
ip port-map user-protocol--1 port tcp 53322
!
!

parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]

parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com

 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
 --More--         
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com

 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com

 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 --More--          server name csc.yahoo.com

!
!
username admin privilege 15 secret 5 #password was here#

username xxxx privilege 15 secret 5 #password was here#
! 
!
!
archive
 log config
  hidekeys
!
!
!

class-map type inspect match-all sdm-nat-http-4
 match access-group 112
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-4
 match access-group 114
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--2-5
 match access-group 116
 --More--          match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-5

 match access-group 117
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-5
 match access-group 115
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-4
 match access-group 113
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 107

 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--1-3
 match access-group 108
 match protocol user-protocol--1
class-map type inspect imap match-any ccp-app-imap
 match  invalid-command
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 103
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-1

 match access-group 102
 --More--          match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 104
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--2-2
 match access-group 106

 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-2
 match access-group 105
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--3-2
 match access-group 111
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--2-3
 match access-group 110
 match protocol user-protocol--2

class-map type inspect match-all sdm-nat-http-3
 match access-group 109
 match protocol http
class-map type inspect match-any CCP-Voice-permit
 --More--          match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns

 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp

 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
 --More--         class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices

 match  service any 
class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
 match  service any 
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers

 match protocol aol aol-servers
class-map type inspect aol match-any ccp-app-aol-otherservices
 match  service any 
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect pop3 match-any ccp-app-pop3
 match  invalid-command
class-map type inspect msnmsgr match-any ccp-app-msn
 match  service text-chat 
class-map type inspect ymsgr match-any ccp-app-yahoo

 --More--          match  service text-chat 
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect http match-any ccp-app-httpmethods
 match  request method bcopy
 match  request method bdelete

 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties

 match  request method index
 match  request method lock
 match  request method mkcol
 --More--          match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method propfind
 match  request method proppatch

 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev

 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect http match-any ccp-http-blockparam
 --More--          match  request port-misuse im
 match  request port-misuse p2p
 match  request port-misuse tunneling
 match  req-resp protocol-violation

class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect aol match-any ccp-app-aol
 match  service text-chat 
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect http match-any ccp-http-allowparam
 match  request port-misuse tunneling
!
!

policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect 
 class type inspect sdm-nat-http-1
  inspect 
 --More--          class type inspect sdm-nat-user-protocol--2-1

  inspect 
 class type inspect sdm-nat-user-protocol--1-2
  inspect 
 class type inspect sdm-nat-http-2
  inspect 
 class type inspect sdm-nat-user-protocol--2-2
  inspect 
 class type inspect sdm-nat-user-protocol--3-1
  inspect 
 class type inspect sdm-nat-user-protocol--1-3

  inspect 
 class type inspect sdm-nat-http-3
  inspect 
 class type inspect sdm-nat-user-protocol--2-3
  inspect 
 class type inspect sdm-nat-user-protocol--3-2
  inspect 
 class type inspect sdm-nat-http-4
  inspect 
 class type inspect sdm-nat-user-protocol--1-4

  inspect 
 class type inspect sdm-nat-user-protocol--2-4
 --More--           inspect 
 class type inspect sdm-nat-user-protocol--1-5
  inspect 
 class type inspect sdm-nat-user-protocol--2-5
  inspect 
 class type inspect sdm-nat-http-5
  inspect 
 class class-default

  drop
policy-map type inspect im ccp-action-app-im
 class type inspect aol ccp-app-aol
  log
  allow
 class type inspect msnmsgr ccp-app-msn
  log
  allow
 class type inspect ymsgr ccp-app-yahoo
  log

  allow
 class type inspect aol ccp-app-aol-otherservices
  log
  reset
 class type inspect msnmsgr ccp-app-msn-otherservices
 --More--           log
  reset
 class type inspect ymsgr ccp-app-yahoo-otherservices
  log
  reset

policy-map type inspect http ccp-action-app-http
 class type inspect http ccp-http-blockparam
  log
  reset
 class type inspect http ccp-app-httpmethods
  log
  reset
 class type inspect http ccp-http-allowparam
  log
  allow

policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
 --More--           drop log
 class type inspect ccp-protocol-http

  inspect 
  service-policy http ccp-action-app-http
 class type inspect ccp-protocol-imap
  inspect 
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect 
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-im
  inspect 

  service-policy im ccp-action-app-im
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect CCP-Voice-permit
  inspect 
 class class-default
  pass
policy-map type inspect ccp-permit
 class class-default
  drop

!
 --More--         zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self

 service-policy type inspect ccp-permit
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!

interface FastEthernet3
!
interface FastEthernet4
 --More--          description $ETH-WAN$$ES_WAN$$FW_OUTSIDE$
 ip address #external IP was here# 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto

!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
 --More--         !
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
ip http server

ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat pool websrv 10.10.10.60 10.10.10.60 netmask 255.255.255.0
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 10.10.10.40 53322 interface FastEthernet4 53322
ip nat inside source static udp 10.10.10.40 53322 interface FastEthernet4 53322

ip nat inside source static tcp 10.10.10.60 80 interface FastEthernet4 80
ip nat inside source static tcp #external IP was here# 80 10.10.10.60 80 extendable
!
ip access-list extended web
 remark webservr
 remark CCP_ACL Category=2
 permit ip any host 10.10.10.60
!
access-list 1 remark INSIDE_IF=Vlan1
 --More--         access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.10.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip  0.0.0.31 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.10.40
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.10.10.60

access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 10.10.10.40
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.10.10.40
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.10.10.60
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 10.10.10.40
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 10.10.10.60

access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 10.10.10.40
 --More--         access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 10.10.10.60
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 10.10.10.40
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 10.10.10.60
access-list 112 remark CCP_ACL Category=0
access-list 112 permit ip any host 10.10.10.60

access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip any host 10.10.10.40
access-list 114 remark CCP_ACL Category=0
access-list 114 permit ip any host 10.10.10.40
access-list 115 remark CCP_ACL Category=0
access-list 115 permit ip any host 10.10.10.40
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip any host 10.10.10.40
access-list 117 remark CCP_ACL Category=0
access-list 117 permit ip any host 10.10.10.60

no cdp run

!
!
!
 --More--         !
control-plane
!
banner exec ^C
% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.

It is strongly suggested that you create a new username with a privilege level 

of 15 using the following command.

username  privilege 15 secret 0 

Replace  and  with the username and password you 
want to use.

-----------------------------------------------------------------------
 --More--         ^C
banner login ^C

Any use of the MARKONHQ consents to monitorring and logging by MARKON IT Administrators.  

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  
PUBLICLY-KNOWN CREDENTIALS



IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL 
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.


For more information about Cisco CP please follow the instructions in the 
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp 
-----------------------------------------------------------------------

^C
!
line con 0
 no modem enable
line aux 0
line 2

 --More--          no activation-character
 no exec
 transport preferred none
 transport input all
line vty 0 4
 access-class 23 in
 transport input telnet ssh
!
scheduler max-task-time 5000
end


Answer



I am not quite sure what you want, but if you just want to map port 80 of an external to ip to an internal ip port 80. I think you pretty much have it, but I think you might just need to change:



ip nat inside source static tcp  80 10.10.10.60 80 extendable


to



ip nat inside source static tcp 98.123.123.94 80 10.10.10.60 80 extendable



But besides this, if this is production, once you have it working the way you think you want. You might want to pay a consultant to come in and check your work, it doesn't get much more important than the router.


-

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

linux - How to SSH to ec2 instance in VPC private subnet via NAT server

I have created a VPC in aws with a public subnet and a private subnet. The private subnet does not have direct access to external network. S...