5 Replies Latest reply on May 17, 2016 2:18 PM by creston

    I screwed up existing port forwarding by using the wizard and need help.

    creston New Member

      I was trying to add another server to port forward for remote desktop, and it overwrote the existing policy-classes. This is an Adtran 3448 router. I have attached the config. I really need help; nobody can work.

        • Re: I screwed up existing port forwarding by using the wizard and need help.
          petersjncv Visitor

          First question - do you have a backup config you can roll back to? In the future, you may want to make a backup before rolling through changes if you are unsure of what to do.

          Are you fixing this through CLI? You need to fix your public policy. You will need to restore the rules to the policy to make it work.

          So these are the ACLs that match traffic to your WAN on a specific port.

          ip access-list extended web-acl-13
             remark Remote to Server p:3389
             permit tcp any  host WANIP.x.x.x eq 3389   log
          !
          ip access-list extended web-acl-14
             remark Christie's RDP port 3390
             permit tcp any  host WANIP.x.x.x eq 3390   log
          !
          ip access-list extended web-acl-15
             remark Q's Test PC - SLCSURGERY
             permit tcp any  host WANIP.x.x.x eq 3391   log
          !
          ip access-list extended web-acl-16
             remark 1335 Web Access
             permit tcp any  host WANIP.x.x.x eq 8080   log

          So those need to be matched in the Public access policy and NAT'd to the correct destination IP address. I hope you recall which port mapping is for each internal server.

          I am also guessing the web-acl-3 (admin) ACL is for the WAN side... although allowing HTTP, SSH, or telnet connections to your router from any IP on the internet is a bad idea.

          ip policy-class Public
            allow list web-acl-3 self
            nat destination list web-acl-13 address x.x.x.x (internal server IP1)
            nat destination list web-acl-14 address x.x.x.x (internal server IP2)
            nat destination list web-acl-15 address x.x.x.x (internal server IP3)
            nat destination list web-acl-16 address x.x.x.x (internal server IP4)

          If you are also port translating the inbound connection, you need to put that in the nat destination rule as well.

          Example: nat destination list web-acl-14 address 192.168.10.10 port 3389

          This will translate traffic to WAN address 209.63.139.18 connecting to port 3390 to internal address 192.168.10.10 port 3389.

          That's the best I can suggest at the moment without knowing more about how this was set up prior. You can always save a copy of the running config locally to another filename through the CLI, or back it up to a PC/server, or just copy the text config out of the CLI to a notepad file.
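The script below is an added example, not part of this thread or any Adtran tool. It parses an AOS-style config (a constructed sample modelled on the snippets quoted above, not the poster's attached file), lists every extended ACL that is defined but no longer referenced by any rule in the Public policy-class, which is exactly what the wizard overwrite leaves behind, and also flags any "allow list ... self" rule whose ACL admits any source on a router management port. The function names and the handful of keywords it recognises are assumptions based only on the config syntax shown in this thread.

```python
import re

# Constructed sample in the style of the Adtran AOS config quoted in the thread
# (not the poster's attached file). web-acl-14 has lost its nat destination rule.
SAMPLE_CONFIG = """\
ip access-list extended web-acl-3
   permit tcp any host 203.0.113.10 eq 22
!
ip access-list extended web-acl-13
   permit tcp any  host 203.0.113.10 eq 3389   log
!
ip access-list extended web-acl-14
   permit tcp any  host 203.0.113.10 eq 3390   log
!
ip policy-class Public
  allow list web-acl-3 self
  nat destination list web-acl-13 address 192.168.10.5 port 3389
"""

def parse_config(text):
    """Return (acls, policies): ACL name -> [(proto, src, dst, port)] from
    'permit ... host X eq N' lines, and policy-class name -> {acl name: rule line}."""
    acls, policies, cur = {}, {}, None
    for line in text.splitlines():
        if line.startswith("ip access-list extended "):
            cur = acls.setdefault(line.split()[-1], [])
        elif line.startswith("ip policy-class "):
            cur = policies.setdefault(line.split()[-1], {})
        elif not line or not line[0].isspace():   # '!' or another top-level stanza
            cur = None
        elif isinstance(cur, list):
            m = re.match(r"\s*permit (\S+) (\S+)\s+host (\S+) eq (\d+)", line)
            if m:
                cur.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
        elif isinstance(cur, dict):
            m = re.match(r"\s*(?:allow|discard|nat destination|nat source) list (\S+)", line)
            if m:
                cur[m.group(1)] = line.strip()
    return acls, policies

def audit(text, policy="Public", mgmt_ports=(22, 23, 80, 443)):
    """Flag ACLs defined but never referenced in the policy (what the wizard overwrite
    left behind) and 'self' rules that admit any source on router management ports."""
    acls, policies = parse_config(text)
    refs = policies.get(policy, {})
    unreferenced = sorted(n for n in acls if n not in refs)
    exposed = [(n, port) for n, rule in refs.items() if rule.endswith(" self")
               for _, src, _, port in acls.get(n, []) if src == "any" and port in mgmt_ports]
    return {"unreferenced": unreferenced, "exposed_mgmt": exposed}

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

Run it against a "show running-config" dump saved to a file; every name under "unreferenced" is an ACL whose nat destination (or allow) rule has to be put back into the policy-class.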