Zone based firewall Plex service

Server Version#: 1.21.4.4054
Player Version#:

This is an advanced setup on an ASR router. I’m having issues with Plex saying remote access is available for a few seconds and then not having remote access. I know that remote access works from a former Linksys router with port forwarding. I swapped out my router for a Cisco ASR (overkill, I know) and am working on Zone Based Firewall. I need a look-over to see where I’m messing up in my configuration. Configuration as follows:

class-map type inspect match-all all-private
match access-group name Private
class-map type inspect match-any any-service
match access-group name Services
!
policy-map type inspect pub-priv-pmap
class type inspect any-service
pass
class class-default
drop
policy-map type inspect priv-pub-pmap
class type inspect any-service
pass
class type inspect all-private
inspect
class class-default
drop log
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
service-policy type inspect priv-pub-pmap
zone-pair security pub-priv source public destination private
service-policy type inspect pub-priv-pmap
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
description INTERNET
ip address dhcp
ip nat outside
zone-member security public
negotiation auto
!
interface GigabitEthernet0/0/3
description Private
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip pim sparse-mode
zone-member security private
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.11 255.255.255.0
negotiation auto
!
ip nat inside source static tcp 192.168.1.55 22 interface GigabitEthernet0/0/2 2222
ip nat inside source static udp 192.168.1.55 22 interface GigabitEthernet0/0/2 22
ip nat inside source static udp 192.168.1.20 32400 interface GigabitEthernet0/0/2 32400
ip nat inside source static tcp 192.168.1.20 32400 interface GigabitEthernet0/0/2 32400
ip nat inside source list Private interface GigabitEthernet0/0/2 overload
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
ip access-list extended Private
permit ip 192.168.1.0 0.0.0.255 any log
ip access-list extended Services
permit tcp any host 192.168.1.55 eq 22
permit tcp any host 192.168.1.55 eq 2222
permit tcp any eq 32400 host 192.168.1.20 eq 32400 log
permit udp any eq 32400 host 192.168.1.20 eq 32400 log
ip access-list extended vty
deny ip any any

Also to note, I can still connect to Plex remotely, but through the Plex services, not directly to my own server.

Check the output for:

packet-tracer input outside tcp any 50000 192.168.1.20 32400 det

It has been a few years since I worked with Cisco firewalls, but as far as I remember, the command is correct.
Or you can use ASDM to connect to your firewall (unfortunately it’s Java based).

This will simulate a packet coming from outside, from any host (internet), with a high random port (source port is random), to your plex server (192.168.1.20), protocol tcp, on port 32400.

You will be able to see why it’s not working. Don’t paste the results here, or, if you do post them, make sure you don’t paste your public IP.

Thanks for the assist. Unfortunately there is no ASDM to go with this device. I like the idea, though. I’ve looked at the shodan.io website to do a similar function to the packet-tracer command and have seen that port 32400 is not open, so I know that much is true. As to why, I still haven’t figured that out.

Resolved-ish. Not sure why port forwarding wasn’t working, but this is the new config and it’s working really well.
The major change was that I made a NAT inside statement that forwarded by IP and not by port. Odd that it didn’t work before.

class-map type inspect match-all all-private
match access-group name Private
class-map type inspect match-any any-service
match access-group name Services
!
policy-map type inspect pub-priv-pmap
class type inspect any-service
pass log
class class-default
drop log
policy-map type inspect priv-pub-pmap
class type inspect any-service
pass log
class type inspect all-private
inspect
class class-default
drop log
!
zone security private
zone security public
zone-pair security priv-pub source private destination public
service-policy type inspect priv-pub-pmap
zone-pair security pub-priv source public destination private
service-policy type inspect pub-priv-pmap
!
!
interface GigabitEthernet0/0/0
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/1
no ip address
shutdown
negotiation auto
!
interface GigabitEthernet0/0/2
description INTERNET
ip address dhcp
ip nat outside
zone-member security public
negotiation auto
!
interface GigabitEthernet0/0/3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip pim sparse-mode
zone-member security private
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 192.168.1.11 255.255.255.0
negotiation auto
!
ip nat inside source static 192.168.1.20 interface GigabitEthernet0/0/2
ip nat inside source static tcp 192.168.1.55 22 interface GigabitEthernet0/0/2 2222
ip nat inside source list Private interface GigabitEthernet0/0/2 overload
ip forward-protocol nd
!
no ip http server
ip http authentication local
no ip http secure-server
ip tftp source-interface GigabitEthernet0
!
ip access-list extended Private
permit ip 192.168.1.0 0.0.0.255 any log
ip access-list extended Services
permit tcp any host 192.168.1.20 eq 32400
permit udp any host 192.168.1.20 eq 32400
permit tcp any host 192.168.1.55 eq 22
permit tcp any host 192.168.1.55 eq 2222
ip access-list extended vty
deny ip any any
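The thread never pins down why the first configuration failed, but the two Services ACLs differ in one detail beyond their order: the original Plex entries, `permit tcp any eq 32400 host 192.168.1.20 eq 32400`, match on the client's source port as well as the destination port. A remote Plex client connects from an ephemeral source port, so the any-service class never matched an inbound SYN, class-default dropped it, and the server's "remote access" check could only succeed via Plex's own services. The resolved ACL drops the source-port qualifier. The script below is an added example, not code from anyone in the thread: it models IOS first-match ACL semantics and the pub-priv policy-map's class order for the subset of syntax used on this page, and evaluates a constructed client connection (203.0.113.7, a documentation address, from an ephemeral port) against both ACLs. It assumes, as both configurations do, that the pub-priv zone-pair classifies the packet on its translated inside destination (192.168.1.20:32400). It also makes the practitioner's caveat about the resolved config explicit: `ip nat inside source static 192.168.1.20 interface GigabitEthernet0/0/2` maps every port of that host to the WAN address, so the Services ACL is now the only thing limiting exposure, and a port not listed there (32401 in the demo) must fall through to class-default and be dropped.

```python
"""Model IOS extended-ACL first-match semantics and the thread's pub-priv policy-map.
Added example, not the poster's configuration; CLIENT is a constructed address."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Services ACL from the original (non-working) post, copied from the thread.
ORIGINAL_SERVICES = """
ip access-list extended Services
 permit tcp any host 192.168.1.55 eq 22
 permit tcp any host 192.168.1.55 eq 2222
 permit tcp any eq 32400 host 192.168.1.20 eq 32400 log
 permit udp any eq 32400 host 192.168.1.20 eq 32400 log
"""
# Services ACL from the "Resolved-ish" post.
RESOLVED_SERVICES = """
ip access-list extended Services
 permit tcp any host 192.168.1.20 eq 32400
 permit udp any host 192.168.1.20 eq 32400
 permit tcp any host 192.168.1.55 eq 22
 permit tcp any host 192.168.1.55 eq 2222
"""
CLIENT = "203.0.113.7"        # constructed remote client (RFC 5737 range), not from the thread
PLEX_SERVER = "192.168.1.20"  # inside address: pub-priv classification sees the post-NAT destination
PLEX_PORT = 32400


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    """One access-control entry; a port of None means 'any port'."""
    action: str
    proto: str
    src_net: ipaddress.IPv4Network
    sport: Optional[int]
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens, i):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i]; return (net, next i)."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = ipaddress.IPv4Address((~wildcard) & 0xFFFFFFFF)  # wildcard is the inverted subnet mask
    return ipaddress.ip_network((tok, str(netmask)), strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq P' at tokens[i]; return (port or None, next i)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acl(text):
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue  # 'ip access-list extended ...' header or blank line
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)  # a trailing 'log' keyword is ignored
        aces.append(Ace(tokens[0], tokens[1], src, sport, dst, dport))
    return aces


def ace_matches(ace, pkt):
    return (ace.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ace.src_net
            and ipaddress.ip_address(pkt.dst) in ace.dst_net
            and ace.sport in (None, pkt.sport)
            and ace.dport in (None, pkt.dport))


def acl_verdict(aces, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in aces:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def pub_priv_verdict(services_acl, pkt):
    """pub-priv-pmap: class any-service (match-any Services) -> pass, class-default -> drop."""
    return "pass" if acl_verdict(parse_acl(services_acl), pkt) == "permit" else "drop"


def plex_client_syn(sport, dport=PLEX_PORT):
    """Inbound SYN as the pub-priv zone-pair sees it (destination already translated)."""
    return Packet("tcp", CLIENT, sport, PLEX_SERVER, dport)


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_SERVICES), ("resolved", RESOLVED_SERVICES)):
        for sport in (50000, 32400):
            print(f"{name:8} client sport {sport:5} -> {pub_priv_verdict(acl, plex_client_syn(sport))}")
    # 1:1 static NAT exposes every port of 192.168.1.20; only the ACL keeps an unlisted one out.
    print(f"resolved client -> {PLEX_SERVER}:32401 -> {pub_priv_verdict(RESOLVED_SERVICES, plex_client_syn(50000, 32401))}")
```

Run it as a plain script: the original ACL only passes a client whose source port happens to be 32400, which is why the port never looked open from outside, while the resolved ACL passes any source port to 32400 and still drops 32401. The same parser handles the `Private` ACL's wildcard form (`192.168.1.0 0.0.0.255`), so it can be reused to check the all-private class as well.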