topic Cannot connect to router via public IP address in Routing and SD-WAN

Cannot connect to router via public IP address

Joshua Smick — Tue, 05 Mar 2019 05:17:13 GMT

Forgive me, I'm pretty much brand new to Cisco networking. I've just set up a Cisco 3825 router to practice on, and I cannot connect to the router via my public IP address (http(s), telnet, ssh, etc), and I'm not quite sure as to where I've gone wrong. I'm not having any issues connecting to the router from behind the network, and there are no issues with anything behind the network accessing the internet. Where might I start looking to troublehsoot this issue?

Cannot connect to router via public IP address

cadet alain — Fri, 11 Oct 2013 06:24:46 GMT

Hi,

Can you post your config and tell us from where you are trying to access the router with its public IP.

Regards

Alain

Don't forget to rate helpful posts.

Cannot connect to router via public IP address

Joshua Smick — Fri, 11 Oct 2013 08:02:04 GMT

Hi Alain, I just wiped my original configuration and rebuilt it because I thought I had too many mistakes in the old one. This is what I have now:

version 15.1

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

hostname Router

boot-start-marker

boot-end-marker

enable secret 4 L3yDU5muhsZ/hpwNZQ1owTr51gJKqTKSL0o7ewMUVJs

no aaa new-model

dot11 syslog

ip source-route

ip cef

ip dhcp excluded-address 192.168.1.1

ip dhcp pool TARDIS_CLIENTS

import all

network 192.168.1.0 255.255.255.0

default-router 192.168.1.1

no ipv6 cef

multilink bundle-name authenticated

voice-card 0

crypto pki token default removal timeout 0

crypto pki trustpoint TP-self-signed-2013182566

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2013182566

revocation-check none

rsakeypair TP-self-signed-2013182566

crypto pki certificate chain TP-self-signed-2013182566

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 32303133 31383235 3636301E 170D3133 31303131 30373437

30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30313331

38323536 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100B56B E21BB94D EAF82B97 8DD74544 37CB065C 4167BCE8 07919F9E A40ECB10

52E01F20 0C99DBA6 575488F5 471F5D44 F22008D9 EB8A43A2 04543B98 2DE93479

FCD433D4 99413B0C A46DE6DE 9E7702B7 D3AD3C72 D0C30F65 6461870E B55ADA2A

E8EC6AB5 477F2163 909EC85C 5432C5B6 6C57C95A EF9389AC AF9AE269 0A2A48A1

823D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14B4B90E 6B3A34C7 4BF07C00 53CA4C07 466BFBD5 C3301D06

03551D0E 04160414 B4B90E6B 3A34C74B F07C0053 CA4C0746 6BFBD5C3 300D0609

2A864886 F70D0101 05050003 8181009C 3947D807 D136FE11 E394F131 B9DFCE81

68EE60F4 C53C8D4E 3E6D98E5 A9F64DC4 B6B31D6D DDCC34BD DD732735 77CBBB84

EDA5A708 324CFEB4 2D42374B E0751E80 D526D9AB 662BD3F9 3DF8F952 3BF042E7

6BB3B1EB 30763DFC 010DEC50 13451155 422ADC5D 6A70A370 31DA33F2 1BA5173F

176269F9 39919D01 0D393B55 3815FC

quit

license udi pid CISCO3825 sn FTX1002C11E

username josh privilege 15 secret 4 L3yDU5muhsZ/hpwNZQ1owTr51gJKqTKSL0o7ewMUVJs

redundancy

interface GigabitEthernet0/0

ip address dhcp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

interface GigabitEthernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

media-type rj45

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 101 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

control-plane

mgcp profile default

line con 0

line aux 0

line vty 0 4

privilege level 15

password 7 0023120A0D550A5457711C0F

transport input telnet ssh

transport output telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

transport output telnet ssh

scheduler allocate 20000 1000

end

Thanks,

Josh

Cannot connect to router via public IP address

cadet alain — Fri, 11 Oct 2013 09:27:58 GMT

Hi,

1st do this:

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

ip route 0.0.0.0 0.0.0.0 dhcp

And tell us what is connected out g0/0, I suppose it is an xdsl modem/router, if so you should make a manual reservation on it for the IP address of g0/0 and port forward the necessary services you want to access on the router.

do this on the router to facilitate the reservation on the modem/router:

int g0/0

ip dhcp client client-id interface g0/0

and take note of the MAC of g0/0 interface with do show int g0/0 | i bia

Regards

Alain

Don't forget to rate helpful posts.

Cannot connect to router via public IP address

Richard Burts — Fri, 11 Oct 2013 14:27:35 GMT

I would suggest changing your address translation. Try using something like this and tell us if it makes a difference

ip nat inside source list 1 interface GigabitEthernet0/0 overload

access-list 1 permit ip 192.168.1.0 0.0.0.255

HTH

Rick

Cannot connect to router via public IP address

Joshua Smick — Sat, 12 Oct 2013 03:33:22 GMT

Alain, that absolutely fixed it. Thank you so much! Richard, if Alain's suggestion worked, should I try adding yours as well?

Thanks,

Josh

Cannot connect to router via public IP address

Richard Burts — Sat, 12 Oct 2013 16:44:50 GMT

Josh

I am glad that the suggestion from Alain fixed your problem.

The standard access list that I suggest has the same effect as the extended access list that you were using, since your extended access list was checking only the source address and not the destination address. I still believe that a standard access list is better than an extended access list for your address translation (especially since your extended access list 101 was only checking the source address - and I have seen some situations where extended access lists with permit any destination caused some issues). But if your router is working fine with the extended access list then maybe it is good enough.

HTH

Rick