Problem with nat and port forwarding with Cisco 877W

Hi!! I have just finished my personal configuration, everything works pretty well, but the NAT does not forward any port... so emule or VoIP doesn't work. Can you check my config and tell me what is wrong? I have a Cisco 877W with IOS 12-24.15T6.

My config:

********************************************
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c870-advipservicesk9-mz.124-15.T6.bin
boot-end-marker
!
logging buffered 4096
!
no aaa new-model
clock timezone MET 1
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-36xxxxxxxxx
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-36xxxxxxxxx
 revocation-check none
 rsakeypair TP-self-signed-36xxxxxxx
!
!
crypto pki certificate chain TP-self-signed-36xxxxxxxxx
 certificate self-signed 01 nvram:IOS-Self-Sig#E.cer
dot11 syslog
!
dot11 ssid wifiReti
 vlan 1
 authentication open
 authentication key-management wpa
 guest-mode
 wpa-psk ascii 0 passw
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.12
!
ip dhcp pool sdm-pool1
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 195.186.1.111 195.186.4.111
 lease infinite
!
ip dhcp pool STATIC-1
 host 192.168.1.2 255.255.255.0
 client-identifier 0100.12dc.5c47.6b
 client-name AladinoVoip
!
ip dhcp pool STATIC-2
 host 192.168.1.3 255.255.255.0
 client-identifier 0100.0129.d1a5.83
 client-name Armor
!
ip dhcp pool STATIC-3
 host 192.168.1.4 255.255.255.0
 client-identifier 0100.14bf.62ca.d9
 client-name NSLU2
!
ip dhcp pool STATIC-4
 host 192.168.1.5 255.255.255.0
 client-identifier 0100.1731.c2ee.97
 client-name Amelia
!
ip dhcp pool STATIC-5
 host 192.168.1.6 255.255.255.0
 client-identifier 0108.1073.0dcd.b0
 client-name Vale
!
ip dhcp pool STATIC-6
 host 192.168.1.7 255.255.255.0
 client-identifier 0100.2100.6593.7f
 client-name Maggi
!
ip dhcp pool STATIC-7
 host 192.168.1.8 255.255.255.0
 client-identifier 0100.16fe.7b43.70
 client-name HP-rw6815
!
ip dhcp pool STATIC-8
 host 192.168.1.9 255.255.255.0
 client-identifier 0100.1d0f.b59d.5f
 client-name Crema-wifi
!
ip dhcp pool STATIC-9
 host 192.168.1.11 255.255.255.0
 client-identifier 0100.0c6e.a800.62
 client-name Crema-eth
!
!
ip name-server 195.186.1.111
ip name-server 195.186.4.111
ip inspect log drop-pkt
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ddns update method sdm_ddns1
 HTTP
  add http://xxx: snipped-for-privacy@members.dyndns.org/nic/updatesystem=dyndns&hostname=&myip=
  remove http://xxx: snipped-for-privacy@members.dyndns.org/nic/updatesystem=dyndns&hostname=&myip=
!
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxx privilege 15 password 0 xxxxxxxx
!
!
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode adsl2+
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid ArmorReti
 !
 speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 world-mode dot11d country IT both
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Dialer0
 ip ddns update hostname xxxxxx.gotdns.com
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname snipped-for-privacy@tiscali.it
 ppp chap password 0 xxxxxxxxxx
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.2 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.2 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.3 9 interface Dialer0 9
ip nat inside source static tcp 192.168.1.3 4711 interface Dialer0 4711
ip nat inside source static tcp 192.168.1.3 7395 interface Dialer0 7395
ip nat inside source static udp 192.168.1.3 8457 interface Dialer0 8457
ip nat inside source static udp 192.168.1.3 35238 interface Dialer0 35238
ip nat inside source static tcp 192.168.1.3 35238 interface Dialer0 35238
ip nat inside source static tcp 192.168.1.3 81 interface Dialer0 81
ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.1.3 6346 interface Dialer0 6346
ip nat inside source static udp 192.168.1.3 6346 interface Dialer0 6346
ip nat inside source static tcp 192.168.1.4 4712 interface Dialer0 4712
ip nat inside source static udp 192.168.1.4 5672 interface Dialer0 5672
ip nat inside source static udp 192.168.1.4 4665 interface Dialer0 4665
ip nat inside source static tcp 192.168.1.3 5800 interface Dialer0 5800
ip nat inside source static tcp 192.168.1.3 36433 interface Dialer0 36433
ip nat inside source static tcp 192.168.1.3 6348 interface Dialer0 6348
ip nat inside source static udp 192.168.1.3 6348 interface Dialer0 6348
ip nat inside source static tcp 192.168.1.3 15698 interface Dialer0 15698
ip nat inside source static udp 192.168.1.3 15698 interface Dialer0 15698
ip nat inside source static tcp 192.168.1.3 6347 interface Dialer0 6347
ip nat inside source static udp 192.168.1.3 6347 interface Dialer0 6347
ip nat inside source static tcp 192.168.1.4 5662 interface Dialer0 5662
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 remark Traffico abilitato ad entrare nel router da internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 195.186.1.111 eq domain any
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 permit udp host 195.186.4.111 eq domain any
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark Traffico abilitato ad entrare nel router dalla ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 deny ip any host 192.168.1.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 207.46.197.32
sntp server 192.43.244.18
end

**********************************************************

Thanks ;-)

Reply to
Galerio

Problem partly solved: from the firewall log I saw that the packets were being blocked by "Access-list 101", which contains a few rules to block/allow the traffic that is permitted to enter the router from the internet (various anti-spoofing rules). And having this config:

interface Dialer0
 ip access-group 101 in

which refers to this access list:

access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 remark Traffico abilitato ad entrare nel router da internet
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 permit udp host 195.186.1.111 eq domain any
access-list 101 permit gre any any
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 101 permit udp host 195.186.4.111 eq domain any

internet traffic was being blocked and not redirected to the right port, whereas if I remove the line "ip access-group 101 in" everything works perfectly.

So what do I have to put among the rules of access-list 101 to allow internet traffic to be forwarded to the right port of the right IP without it being blocked, and without giving up the anti-spoofing rules?

Reply to
Galerio

ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900

Presumably this is to facilitate VNC inbound to 192.168.1.3.

You will need to also allow this traffic in access-list 101 otherwise it will not work.

Secondly - an answer you have not asked for :) Unless you are *hosting* a DNS server you do not need

access-list 101 permit udp host 195.186.1.111 eq domain any

interface Dialer0
 ip inspect Firewall out

The Inspect operation will allow the traffic to return without the explicit ACL.

ip inspect name Firewall dns

Also -

access-list 101 deny ip any any log
access-list 101 permit udp host 195.186.4.111 eq domain any

The latter will never be checked.

Reply to
bod43

I don't know if emule is a VoIP service that uses h323, but inspecting h323 traffic may be an issue.

If it is an h323-based service then consider checking if there are adjustable timeout settings in the IOS Firewall inspection of h323.

"ip inspect name Firewall h323" You are inspecting h323 traffic with firewall IOS per command above.

Regards

.com/photos/galerio/

Reply to
jrguent

Ho, emule is a p2p program, not a voip service. Anyway I don't have any h323 inspecting.

Reply to
Galerio

I have tried to add rules to access-list 101 for that traffic, with lines like this:

"access-list 101 permit tcp any host 192.168.0.3 eq 5900"

and I've done the same for every other port I have to open to inbound internet traffic.

But it doesn't work. The only way to get internet traffic to pass to the right port of the right device is to disable access-list 101 entirely by doing this:

interface Dialer0
 no ip access-group 101 in

but this way I lose all basic protections!

This IP is not on my LAN, it is a public internet DNS.

Anyway, thanks for the tips ;-)

Reply to
Galerio

Do you know that the access list is processed sequentially?

That is, if the "deny ip any any" is *before* some permit statement then the permit statement is ignored.

Obviously.

You are allowing it *inbound* from the internet.

My point is that if your DNS access requirement is for DNS clients inside to use the DNS server 195.186.1.111 then the "Inspect" feature will permit the replies to come in. You do not need to create explicit entries in the inbound access-list.

The Inspect feature temporarily opens access for response traffic in replies to requests.

In summary my suggestions are probably correct. This is my day job.

Reply to
bod43

Sorry, it was my bad brain that misunderstands everything this night! I got an important lesson! Thanks :D I'm new to IOS so I'm still learning...

Go to bed now, bye!

Reply to
Galerio

Sorry for that - bit irritated tonight.

if you are adding the ACL entries with access-list 101 ......

then the new lines go at the bottom (after the deny ip any any).

You need to delete the ACL and re-add the whole thing.

no access-l 101 .... ....

Alternatively there is a more recent editor.

sh ip access-list 101   - displays with line numbers

conf t
ip access-l extended 101

no 10 ! remove line 10

15 permit .........

Add new line between 10 and 20.

If in doubt re-test and post config again. Also sh ip access-list might be useful.

If you expand your logging buffer you will be able to see logged access-list packets.

logging buffered 50000
logg buff deb

sh log

Reply to
bod43
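The two points bod43 makes above, that an ACL is evaluated top to bottom with the first match deciding (so a permit placed after "deny ip any any" is dead), and that the "ip access-list extended" editor lets you insert or delete by sequence number, are easy to check with a small model. The following Python is an added example written for this page, not code from the thread or from Cisco: it models only numbered extended ACL matching (protocol, source/destination with "any", "host" or wildcard mask, and "eq" ports), the implicit deny at the end, bottom-append for "access-list 101 ..." and sequence-number insert/remove for the editor. The address 78.12.114.135 is the outside address that appears in the log posted later in the thread; everything else in demo_ordering() is taken from the ACL quoted above.

```python
# Added example (not from the thread): a small model of how IOS evaluates a
# numbered extended ACL. It covers only what the replies above rely on:
# first match wins, an implicit "deny ip any any" sits at the end, lines added
# with "access-list 101 ..." go to the bottom, and the "ip access-list
# extended 101" editor lets you insert or delete by sequence number.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass
class Ace:
    seq: int
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp" or "udp"
    src: str              # "any", "host A.B.C.D" or "A.B.C.D wildcard"
    dst: str
    sport: Optional[int] = None   # "eq <port>" on the source side
    dport: Optional[int] = None   # "eq <port>" on the destination side


def addr_matches(spec: str, addr: str) -> bool:
    """Match one address against an IOS address specifier."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    net, wildcard = spec.split()
    # IOS wildcard masks are host masks; ipaddress accepts "net/hostmask".
    return ip_address(addr) in ip_network(f"{net}/{wildcard}", strict=False)


class Acl:
    def __init__(self) -> None:
        self.aces: List[Ace] = []

    def append(self, *args, **kwargs) -> int:
        """'access-list 101 <ace>' in global config: always goes to the bottom."""
        seq = self.aces[-1].seq + 10 if self.aces else 10
        self.aces.append(Ace(seq, *args, **kwargs))
        return seq

    def insert(self, seq: int, *args, **kwargs) -> None:
        """'<seq> permit ...' inside 'ip access-list extended 101'."""
        if any(a.seq == seq for a in self.aces):
            raise ValueError(f"sequence {seq} already in use")
        self.aces.append(Ace(seq, *args, **kwargs))
        self.aces.sort(key=lambda a: a.seq)

    def remove(self, seq: int) -> None:
        """'no <seq>' inside 'ip access-list extended 101'."""
        self.aces = [a for a in self.aces if a.seq != seq]

    def evaluate(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        """First matching line decides; no match at all means the implicit deny."""
        for ace in self.aces:
            if ace.proto != "ip" and ace.proto != pkt.proto:
                continue
            if not (addr_matches(ace.src, pkt.src) and addr_matches(ace.dst, pkt.dst)):
                continue
            if ace.sport is not None and ace.sport != pkt.sport:
                continue
            if ace.dport is not None and ace.dport != pkt.dport:
                continue
            return ace.action, ace.seq
        return "deny", None


def demo_ordering():
    """Reproduce the ordering problem from the thread and the fix with the editor."""
    acl = Acl()
    acl.append("deny", "ip", "10.0.0.0 0.255.255.255", "any")          # seq 10: anti-spoofing
    acl.append("deny", "ip", "any", "any")                              # seq 20: deny ip any any log
    acl.append("permit", "udp", "host 195.186.4.111", "any", sport=53)  # seq 30: below the deny, dead
    # A DNS reply from 195.186.4.111 to the router's outside address (address from the thread)
    reply = Packet("udp", "195.186.4.111", "78.12.114.135", sport=53, dport=40000)
    before = acl.evaluate(reply)                                        # ("deny", 20)
    # Fix the way bod43 describes: insert above the deny by sequence number, drop the dead line
    acl.insert(15, "permit", "udp", "host 195.186.4.111", "any", sport=53)
    acl.remove(30)
    after = acl.evaluate(reply)                                         # ("permit", 15)
    # The anti-spoofing line still fires first for a packet claiming a 10/8 source
    spoofed = Packet("tcp", "10.1.2.3", "78.12.114.135", sport=1234, dport=80)
    return before, after, acl.evaluate(spoofed)                         # last is ("deny", 10)


if __name__ == "__main__":
    for label, verdict in zip(("before", "after", "spoofed"), demo_ordering()):
        print(label, verdict)
```

The reply is denied at line 20 as long as the permit sits below it; inserting it at sequence 15 makes it match first, and the anti-spoofing denies above it keep working, which is exactly why "no access-list 101" plus a re-add in the right order, or the numbered editor, is the fix rather than appending more lines.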

:-@ No, no, you have no excuses! I'm a noob, that's why I permit myself to contradict a pro like you :oÞ

this is more than a help! Thanks!!!

Reply to
Galerio

Ok, the problem is still here.

my config:

*****************************
interface Dialer0
 ip ddns update hostname xxxxxx.gotdns.com
 ip ddns update sdm_ddns1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxx
 ppp chap zxxx 0 xxxx
**********************************

I have done this:

*****************************
interface Dialer0
 no ip inspect Firewall out
*****************************

but as you can see I still have the line "ip inspect Firewall out" (please, don't laugh!!). Anyway it seems that DNS requests still pass. These are my ip inspect name Firewall lines:

**************************************
ip inspect name Firewall cuseeme
ip inspect name Firewall dns
ip inspect name Firewall ftp
ip inspect name Firewall h323
ip inspect name Firewall https
ip inspect name Firewall icmp
ip inspect name Firewall imap
ip inspect name Firewall pop3
ip inspect name Firewall rcmd
ip inspect name Firewall realaudio
ip inspect name Firewall rtsp
ip inspect name Firewall esmtp
ip inspect name Firewall sqlnet
ip inspect name Firewall streamworks
ip inspect name Firewall tftp
ip inspect name Firewall tcp
ip inspect name Firewall udp
ip inspect name Firewall vdolive
********************************************

Then my NAT and firewall:

***************************************
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static udp 192.168.1.2 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.2 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.1.3 9 interface Dialer0 9
ip nat inside source static tcp 192.168.1.3 4711 interface Dialer0 4711
ip nat inside source static tcp 192.168.1.3 7395 interface Dialer0 7395
ip nat inside source static udp 192.168.1.3 8457 interface Dialer0 8457
ip nat inside source static udp 192.168.1.3 35238 interface Dialer0 35238
ip nat inside source static tcp 192.168.1.3 35238 interface Dialer0 35238
ip nat inside source static tcp 192.168.1.3 81 interface Dialer0 81
ip nat inside source static tcp 192.168.1.3 5900 interface Dialer0 5900
ip nat inside source static tcp 192.168.1.3 6346 interface Dialer0 6346
ip nat inside source static udp 192.168.1.3 6346 interface Dialer0 6346
ip nat inside source static tcp 192.168.1.4 4712 interface Dialer0 4712
ip nat inside source static udp 192.168.1.4 5672 interface Dialer0 5672
ip nat inside source static udp 192.168.1.4 4665 interface Dialer0 4665
ip nat inside source static tcp 192.168.1.3 5800 interface Dialer0 5800
ip nat inside source static tcp 192.168.1.3 36433 interface Dialer0 36433
ip nat inside source static tcp 192.168.1.3 6348 interface Dialer0 6348
ip nat inside source static udp 192.168.1.3 6348 interface Dialer0 6348
ip nat inside source static tcp 192.168.1.3 15698 interface Dialer0 15698
ip nat inside source static udp 192.168.1.3 15698 interface Dialer0 15698
ip nat inside source static tcp 192.168.1.3 6347 interface Dialer0 6347
ip nat inside source static udp 192.168.1.3 6347 interface Dialer0 6347
ip nat inside source static tcp 192.168.1.4 5662 interface Dialer0 5662
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 101 remark **************************************
access-list 101 remark *** ACL port forwarding ***
access-list 101 permit tcp any host 192.168.0.3 eq 4711
access-list 101 permit tcp any host 192.168.0.3 eq 7395
access-list 101 permit tcp any host 192.168.0.3 eq 35238
access-list 101 permit tcp any host 192.168.0.3 eq 81
access-list 101 permit tcp any host 192.168.0.3 eq 5900
access-list 101 permit tcp any host 192.168.0.3 eq 6346
access-list 101 permit tcp any host 192.168.0.3 eq 5800
access-list 101 permit tcp any host 192.168.0.3 eq 36433
access-list 101 permit tcp any host 192.168.0.3 eq 6348
access-list 101 permit tcp any host 192.168.0.3 eq 15698
access-list 101 permit tcp any host 192.168.0.3 eq 6347
access-list 101 permit tcp any host 192.168.0.2 eq 5060
access-list 101 permit udp any host 192.168.0.2 eq 5060
access-list 101 permit tcp any host 192.168.0.4 eq 4712
access-list 101 permit tcp any host 192.168.0.4 eq 5662
access-list 101 permit udp any host 192.168.0.4 eq 5672
access-list 101 permit udp any host 192.168.0.4 eq 4665
access-list 101 permit udp any host 192.168.0.3 eq discard
access-list 101 permit udp any host 192.168.0.3 eq 8457
access-list 101 permit udp any host 192.168.0.3 eq 35238
access-list 101 permit udp any host 192.168.0.3 eq 6346
access-list 101 permit udp any host 192.168.0.3 eq 6348
access-list 101 permit udp any host 192.168.0.3 eq 15698
access-list 101 permit udp any host 192.168.0.3 eq 6347
access-list 101 remark **********************************
access-list 101 remark *** inbound ****
access-list 101 permit tcp host 63.208.196.96 eq www any log
access-list 101 permit udp host 207.46.232.42 eq ntp any
access-list 101 permit udp host 192.43.244.18 eq ntp any
access-list 101 permit gre any any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 198.18.0.0 0.1.255.255 any
access-list 101 deny ip 224.0.0.0 0.15.255.255 any
access-list 101 deny ip any host 255.255.255.255
access-list 101 deny icmp any any echo
access-list 101 deny ip any any log
access-list 102 remark ******************************
access-list 102 remark in from ethernet
access-list 102 permit ip any host 192.168.1.1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any host 255.255.255.255
access-list 102 deny ip any host 192.168.0.255
access-list 102 deny udp any any eq tftp log
access-list 102 deny ip any 0.0.0.0 0.255.255.255 log
access-list 102 deny ip any 10.0.0.0 0.255.255.255 log
access-list 102 deny ip any 127.0.0.0 0.255.255.255 log
access-list 102 deny ip any 169.254.0.0 0.0.255.255 log
access-list 102 deny ip any 172.16.0.0 0.15.255.255 log
access-list 102 deny ip any 192.0.2.0 0.0.0.255 log
access-list 102 deny ip any 192.168.0.0 0.0.255.255 log
access-list 102 deny ip any 198.18.0.0 0.1.255.255 log
access-list 102 deny udp any any eq 135 log
access-list 102 deny tcp any any eq 135 log
access-list 102 deny udp any any eq netbios-ns log
access-list 102 deny udp any any eq netbios-dgm log
access-list 102 deny tcp any any eq 445 log
access-list 102 deny ip any any log
access-list 102 remark ******************************
dialer-list 1 protocol ip permit
no cdp run
**********************************************

Normal traffic still passes (eg: firefox can show websites), but applications that require port forwarding don't work.

here is my log:

*****************************
Mar 6 09:59:26.884: %SEC-6-IPACCESSLOGP: list 101 denied udp 121.233.122.166(37800) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:27.936: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.25.237.238(8560) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:29.252: %SEC-6-IPACCESSLOGP: list 101 denied udp 78.8.53.127(5218) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:30.592: %SEC-6-IPACCESSLOGP: list 101 denied udp 81.44.238.47(10353) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:31.704: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.23.48.117(63077) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:34.184: %SEC-6-IPACCESSLOGP: list 101 denied udp 91.180.222.114(15869) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:35.208: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.5.228.36(16975) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:37.500: %SEC-6-IPACCESSLOGP: list 101 denied udp 80.174.53.168(5467) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:38.656: %SEC-6-IPACCESSLOGP: list 101 denied udp 213.114.111.215(14297) -> 78.12.114.135(54956), 1 packet
Mar 6 09:59:42.844: %SEC-6-IPACCESSLOGP: list 101 denied udp 60.180.50.250(4670) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:46.516: %SEC-6-IPACCESSLOGP: list 101 denied udp 117.192.1.78(17280) -> 78.12.114.135(54956), 1 packet
Mar 6 09:59:48.064: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 99 packets
Mar 6 09:59:49.148: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.14.230.80(52884) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:50.584: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.178.99.149(6393) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:55.944: %SEC-6-IPACCESSLOGP: list 101 denied udp 151.32.66.113(21419) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:56.972: %SEC-6-IPACCESSLOGP: list 101 denied udp 60.216.164.123(8561) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:58.492: %SEC-6-IPACCESSLOGP: list 101 denied udp 222.68.153.208(12082) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:59.620: %SEC-6-IPACCESSLOGP: list 101 denied udp 79.55.60.107(4672) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:01.104: %SEC-6-IPACCESSLOGP: list 101 denied udp 61.134.52.130(62938) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:02.272: %SEC-6-IPACCESSLOGP: list 101 denied udp 87.217.13.229(23460) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:04.184: %SEC-6-IPACCESSLOGP: list 101 denied udp 115.82.114.2(59382) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:06.904: %SEC-6-IPACCESSLOGP: list 101 denied tcp 80.181.42.88(4446) -> 78.12.114.135(7395), 1 packet
Mar 6 10:00:08.780: %SEC-6-IPACCESSLOGP: list 101 denied udp 83.58.153.70(4372) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:10.644: %SEC-6-IPACCESSLOGP: list 101 denied udp 117.28.58.142(7567) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:11.764: %SEC-6-IPACCESSLOGP: list 101 denied udp 86.212.29.73(36246) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:12.988: %SEC-6-IPACCESSLOGP: list 101 denied udp 201.213.155.120(39100) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:14.008: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.25.237.238(8560) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:15.676: %SEC-6-IPACCESSLOGP: list 101 denied udp 77.126.156.239(32547) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:16.728: %SEC-6-IPACCESSLOGP: list 101 denied udp 78.149.203.220(10028) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:18.308: %SEC-6-IPACCESSLOGP: list 101 denied udp 81.53.228.46(4672) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:19.596: %SEC-6-IPACCESSLOGP: list 101 denied udp 151.60.9.93(4672) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:20.768: %SEC-6-IPACCESSLOGP: list 101 denied udp 60.219.12.56(7569) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:22.836: %SEC-6-IPACCESSLOGP: list 101 denied udp 59.39.247.41(4674) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:24.260: %SEC-6-IPACCESSLOGP: list 101 denied udp 124.161.88.228(4815) -> 78.12.114.135(8457), 1 packet
Mar 6 10:00:26.764: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.173.131.120(4678) -> 78.12.114.135(8457), 1 packet
*************************************

And the last thing: I have a line in access-list 101 that is not accepted:

access-list 101 permit udp any host 192.168.0.3 eq discard

but it must be

access-list 101 permit udp any host 192.168.0.3 eq 9

which is for the WakeOnLan function!!!

Ok, that's all

Reply to
Galerio

The solution could be this: in the ACL I have to specify the internet IP address, and not my eth address. So the line:

access-list 101 permit tcp any host 192.168.0.3 eq 4711

becomes

access-list 101 permit tcp any any eq 4711

and this way the NAT port-forwarding should also work together with the access list.

Bye

Reply to
Galerio
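The log Galerio posted already contains the answer he reaches in his last message: every denied packet has the router's outside address (78.12.114.135) as its destination, because the inbound ACL on Dialer0 sees the packet before the static NAT rewrites it to 192.168.1.x, so "permit ... host 192.168.0.3" entries can never match. The Python below is an added example for this page, not code from the thread or from Cisco: it parses %SEC-6-IPACCESSLOGP / %SEC-6-IPACCESSLOGRL lines, groups the denies by protocol and destination port, checks each port against a subset of the posted "ip nat inside source static" entries (taken from the config above; the selection is mine), and produces one "permit <proto> any any eq <port>" line per forwarded port in the form the last post uses. The sample lines are copied from the log in the thread; ports that have no static NAT entry (54956 here) get no permit and stay denied, which is what you want for background noise.

```python
# Added example, not part of the thread: turn the %SEC-6-IPACCESSLOGP lines
# posted above into a per-port summary and check each denied port against
# the router's static NAT entries, so you can see which forwards the inbound
# ACL is blocking and which denies are just background noise.
import re
from typing import Dict, List, Tuple

# Five lines copied from the log posted in the thread.
SAMPLE_LOG = """\
Mar 6 09:59:26.884: %SEC-6-IPACCESSLOGP: list 101 denied udp 121.233.122.166(37800) -> 78.12.114.135(8457), 1 packet
Mar 6 09:59:38.656: %SEC-6-IPACCESSLOGP: list 101 denied udp 213.114.111.215(14297) -> 78.12.114.135(54956), 1 packet
Mar 6 09:59:48.064: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 99 packets
Mar 6 10:00:06.904: %SEC-6-IPACCESSLOGP: list 101 denied tcp 80.181.42.88(4446) -> 78.12.114.135(7395), 1 packet
Mar 6 10:00:14.008: %SEC-6-IPACCESSLOGP: list 101 denied udp 218.25.237.238(8560) -> 78.12.114.135(8457), 1 packet
"""

# Subset of the "ip nat inside source static ..." lines from the posted config:
# (protocol, port on Dialer0) -> inside host.
STATIC_NAT: Dict[Tuple[str, int], str] = {
    ("udp", 8457): "192.168.1.3",
    ("tcp", 7395): "192.168.1.3",
    ("tcp", 5900): "192.168.1.3",
    ("udp", 5060): "192.168.1.2",
}

DENY_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)
MISSED_RE = re.compile(
    r"%SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed (?P<count>\d+) packets"
)


def parse_log(text: str) -> Tuple[List[dict], int]:
    """Return the parsed deny records and how many packets the logger admits it missed."""
    denies: List[dict] = []
    missed = 0
    for line in text.splitlines():
        m = DENY_RE.search(line)
        if m:
            rec = m.groupdict()
            for k in ("sport", "dport", "count"):
                rec[k] = int(rec[k])
            denies.append(rec)
            continue
        m = MISSED_RE.search(line)
        if m:
            missed += int(m.group("count"))
    return denies, missed


def triage(denies: List[dict], nat: Dict[Tuple[str, int], str]) -> Dict[Tuple[str, int], dict]:
    """Group denied packets by (proto, dport) and note which static forward, if any, they hit."""
    summary: Dict[Tuple[str, int], dict] = {}
    for d in denies:
        key = (d["proto"], d["dport"])
        entry = summary.setdefault(
            key, {"packets": 0, "sources": set(), "dst": set(), "forwarded_to": nat.get(key)}
        )
        entry["packets"] += d["count"]
        entry["sources"].add(d["src"])
        entry["dst"].add(d["dst"])          # stays the outside address: ACL runs before NAT
    return summary


def suggested_aces(summary: Dict[Tuple[str, int], dict], acl: str = "101") -> List[str]:
    """One permit per forwarded port, in the form the last post uses (destination 'any',
    since the packet still carries the outside address when the inbound ACL sees it).
    Ports with no static NAT entry get nothing and stay denied."""
    lines = []
    for (proto, dport), entry in sorted(summary.items()):
        if entry["forwarded_to"] is not None:
            lines.append(f"access-list {acl} permit {proto} any any eq {dport}")
    return lines


if __name__ == "__main__":
    denies, missed = parse_log(SAMPLE_LOG)
    summary = triage(denies, STATIC_NAT)
    for (proto, dport), e in sorted(summary.items()):
        target = e["forwarded_to"] or "not forwarded"
        print(f"{proto}/{dport}: {e['packets']} packets from {len(e['sources'])} sources,"
              f" dst {sorted(e['dst'])} -> {target}")
    print("missed by rate limiting:", missed)
    print("\n".join(suggested_aces(summary)))
```

Run against the full log from the post, the udp/8457 bucket dominates and maps to the 192.168.1.3 forward, tcp/7395 maps to the same host, and udp/54956 has no forward at all; the "missed 99 packets" line is a reminder that "log" on a busy deny entry undercounts, which is why bod43 suggests enlarging the logging buffer.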

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.