New Contributor

I screwed up existing port forwarding by using the wizard and need help.

I was trying to add another server to port forward for remote desktop and it overwrote the existing policy-classes. This is an Adtran 3448 router. I have attached the config. I really need help; nobody can work.


Accepted Solutions
Anonymous
Not applicable

Re: I screwed up existing port forwarding by using the wizard and need help.

First question - do you have a backup config you can roll back to?  In the future, you may want to make a backup before rolling through changes if you are unsure of what to do.

Are you fixing this through CLI?  You need to fix your public policy.  You will need to restore the rules to the policy to make it work.

So these are the ACLs that match traffic to your WAN on a specific port.

ip access-list extended web-acl-13
   remark Remote to Server p:3389
   permit tcp any host WANIP.x.x.x eq 3389 log
!
ip access-list extended web-acl-14
   remark Christie's RDP port 3390
   permit tcp any host WANIP.x.x.x eq 3390 log
!
ip access-list extended web-acl-15
   remark Q's Test PC - SLCSURGERY
   permit tcp any host WANIP.x.x.x eq 3391 log
!
ip access-list extended web-acl-16
   remark 1335 Web Access
   permit tcp any host WANIP.x.x.x eq 8080 log

So those need to be matched in the Public access policy and NAT'd to the correct destination IP address.  I hope you recall which port mapping is for each internal server.

I am also guessing the web-acl-3 (admin) ACL is for the WAN side... although allowing HTTP, SSH, or telnet connections to your router from any IP on the internet is a bad idea.

ip policy-class Public
  allow list web-acl-3 self
  nat destination list web-acl-13 address x.x.x.x (internal server IP1)
  nat destination list web-acl-14 address x.x.x.x (internal server IP2)
  nat destination list web-acl-15 address x.x.x.x (internal server IP3)
  nat destination list web-acl-16 address x.x.x.x (internal server IP4)

If you are also port translating the inbound connection, you need to put that in the nat destination rule as well.

example:   nat destination list web-acl-14 address 192.168.10.10 port 3389

This will translate traffic to WAN address 209.63.139.18 connecting to port 3390 to internal address 192.168.10.10 port 3389.

That's the best I can suggest at the moment without knowing more about how this was set up prior.  You can always save a copy of the running config locally to another filename through the CLI, or back it up to a PC/server, or just copy the text config out of the CLI to a notepad file.

creston
New Contributor

Re: I screwed up existing port forwarding by using the wizard and need help.

Thanks I will use this to try and get it up and going.  They only have one server so the IP should be the same for all.

creston
New Contributor

Re: I screwed up existing port forwarding by using the wizard and need help.

I can't get to other computers across the VPN either.  I can ping any IP on the 192.168.1.x network from the router itself but not from a computer on the 10.10.10.x network.

Anonymous
Not applicable

Re: I screwed up existing port forwarding by using the wizard and need help.

Right, sorry, I overlooked that.

You need rules in the public and private policies for VPN traffic as well.

Here are the ACL rules matching traffic.

ip access-list extended VPN-10-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
!
ip access-list extended VPN1-10-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255

So you want them to be matched on the LAN so the traffic doesn't get NAT'd, and matched on the WAN so it is allowed in from the tunnel.

ip policy-class Private
  allow list VPN-10-vpn-selectors stateless
  allow list VPN1-10-vpn-selectors stateless
  allow list self self
  nat source list wizard-ics interface eth 0/1 overload
!
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  allow reverse list VPN1-10-vpn-selectors stateless
  allow list web-acl-3 self
  nat destination list web-acl-13 address x.x.x.x (internal server IP1)
  nat destination list web-acl-14 address x.x.x.x (internal server IP2)
  nat destination list web-acl-15 address x.x.x.x (internal server IP3)
  nat destination list web-acl-16 address x.x.x.x (internal server IP4)


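An added check that ties the port-forwarding reply and the VPN reply together (example code, not Adtran's and not posted by anyone in this thread): it parses the ACL and policy-class snippets above, resolves each nat destination rule to a WAN-port to internal address:port mapping (defaulting to the ACL's port when no port translation is given, as the reply describes), and reports VPN selectors that are allowed reverse in Public without a matching stateless allow in Private, which is exactly what the final post had to put back. CONFIG is constructed from the thread's snippets, with 192.168.10.10 and 209.63.139.18 taken from the example line in the accepted answer.

```python
# Added example (not Adtran's code): sanity-check the ACL/policy-class layout from
# this thread. CONFIG is constructed from the snippets; 192.168.10.10 is a placeholder.
import re

CONFIG = """\
ip access-list extended web-acl-13
   permit tcp any host 209.63.139.18 eq 3389 log
ip access-list extended web-acl-14
   permit tcp any host 209.63.139.18 eq 3390 log
ip access-list extended VPN-10-vpn-selectors
  permit ip 10.10.10.0 0.0.0.255 172.16.1.0 0.0.0.255
ip policy-class Private
  allow list self self
ip policy-class Public
  allow reverse list VPN-10-vpn-selectors stateless
  nat destination list web-acl-13 address 192.168.10.10
  nat destination list web-acl-14 address 192.168.10.10 port 3389
"""

def parse(text):
    # Returns ({acl: [entries]}, {policy: [entries]}) with whitespace normalised.
    acls, policies, cur = {}, {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:3] == ["ip", "access-list", "extended"]:
            cur = acls.setdefault(words[3], [])
        elif words[:2] == ["ip", "policy-class"]:
            cur = policies.setdefault(words[2], [])
        elif words and cur is not None:
            cur.append(" ".join(words))
    return acls, policies

def nat_mappings(acls, policies):
    """WAN port -> 'addr:port' for each nat destination rule in Public."""
    out = {}
    for entry in policies.get("Public", []):
        m = re.match(r"nat destination list (\S+) address (\S+)(?: port (\d+))?$", entry)
        if not m:
            continue
        acl, addr, port = m.groups()
        wan = re.search(r"\beq (\d+)", " ".join(acls.get(acl, [])))
        if wan is None:  # ACL wiped by the wizard, or no 'eq <port>' in it
            out[acl] = "ERROR: ACL missing or has no port match"
        else:  # no 'port' keyword means the internal port equals the WAN port
            out[int(wan.group(1))] = f"{addr}:{port or wan.group(1)}"
    return out

def vpn_selector_gaps(policies):
    # Selectors allowed reverse in Public but missing a stateless allow in Private.
    private = set(policies.get("Private", []))
    return [e.split()[3] for e in policies.get("Public", [])
            if e.startswith("allow reverse list ") and e.endswith(" stateless")
            and f"allow list {e.split()[3]} stateless" not in private]
```

Running it against the constructed CONFIG reports the single VPN selector that Private is missing, and shows both forwards landing on 192.168.10.10:3389 while the WAN ports stay 3389 and 3390.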
creston
New Contributor

Re: I screwed up existing port forwarding by using the wizard and need help.

Never mind, I just had to add the access list for the VPN back into the Private policy.  Everything is up, thank you.