topic Jon, in Network Security

Port Forwarding Issues

whoa_i_wasnt_expecting_that — Tue, 12 Mar 2019 07:09:58 GMT

Hello everyone,

I have a cisco 2801 router at home, and i am having the time of my life trying to get some ports forwarded to support some servers. I have tried googling it many times but haven't found anything that will actually work. I keep trying to use the ip nat inside source static statement to forward the ports, but it doesn't seem to make a difference.

In case you are wondering, this is for a Minecraft server which runs on tcp 25565.

Here are the important parts of the config:

(Output Omitted)

interface FastEthernet0/0
description LAN Link
ip address 192.168.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description WAN Link
ip address dhcp
ip access-group InternetACL in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto

(Output Omitted)

ip nat inside source list LANSubnet interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.3 25565 interface FastEthernet0/1 25565

(Output Omitted)

ip access-list standard LANSubnet
permit 192.168.0.0 0.0.0.255
deny any
!
ip access-list extended InternetACL
permit tcp any any established
permit udp any eq domain any
permit udp any eq bootps any
permit udp any range 3478 3479 any
permit icmp any any
permit udp any eq 4380 any
permit gre any any
permit udp any range 4000 4001 any
permit udp any range 5009 5013 any
permit udp any range 27015 27100 any
permit udp any eq 1500 any
permit udp any eq 3101 any
permit udp any eq 28960 any
permit udp any eq 3005 any
permit tcp any eq 25565 any

(Output Omitted)

Everything i have seen online says that this statement is supposed to make it work, but it doesn't seem to make a difference:

ip nat inside source static tcp 192.168.0.3 25565 interface FastEthernet0/1 25565

Also, here's what my show ip nat translations looks like:

Pro Inside global Inside local Outside local Outside global
tcp ***Censored***:25565 192.168.0.3:25565 --- ---

-Huge list of translations after this-

For whatever reason, it's not mapping any external addresses to said ports, even when i try to have someone connect to it.

When i go to canyouseeme.org, it tells me that there is no route to host on that particular port number...

Basically, i'm at a loss here and i don't know what i'm doing wrong.

Any help is appreciated!!!

Thank you

The Nat statement is fine it

Jon Marshall — Tue, 19 Jan 2016 23:49:19 GMT

It is your acl entry.

Change this -

permit tcp any eq 25565 any

to this -

permit tcp any any eq 25565

Jon

Jon,

whoa_i_wasnt_expecting_that — Wed, 20 Jan 2016 00:47:42 GMT

Jon,

I will try this when i get home and let you know the results.

Thanks for the reply!

Jon,

whoa_i_wasnt_expecting_that — Wed, 20 Jan 2016 01:57:48 GMT

Jon,

That fixed it!! Thank you so much!

I hate to bug you too much more, but what is the main difference between those 2 entries?

The entry you originally had

Jon Marshall — Wed, 20 Jan 2016 02:49:43 GMT

The entry you originally had said allow any source IP with a source port of 25565 to any IP address on any port but the source port would be a random source port generated by the client ie. not 25565 so your acl did not allow the traffic and it was blocked.

The entry you replaced it with says allow any source IP using any port to any IP with a destination port of 25565 which works because that is the port your server is using.

Hope that explains it, if not let me know and I'll go into more detail.

Glad you got it working

Jon

Jon,

whoa_i_wasnt_expecting_that — Wed, 20 Jan 2016 03:48:03 GMT

Jon,

Sorry to bug you again, but this should be the last time.

Should i be doing the same thing for the udp ports? I tried changing the acl entries for the udp ports to the same syntax as the tcp entry you gave and it wouldn't let traffic through so i had to change it back. Why would it be different between tcp and udp? Also, would i have to do anything different to forward udp ports, or is it just the same process except for changing tcp to udp?

Sorry to bombard you with these questions, but i really enjoy the help you've given so far. If nothing else, a nudge in the right direction will be more than enough for me.

Thank you so much!!

Don't worry about asking

Jon Marshall — Wed, 20 Jan 2016 13:22:09 GMT

Don't worry about asking questions, that's what these forums are for and you can ask as many questions as you like.

I was a bit rushed last night so I'll give a bit more explanation and apologies if you already know this.

Whether it is TCP or UDP when a client connects to (usually) a server for the vast majority of applications the client generates a random port number. The server port number is a fixed port number because the client needs to know what port to connect on.

That applies to virtually all applications.

The direction you apply your acl is also important because it determines what are the source and destination IPs and port numbers.

In your case you applied it inbound so the source IP and port numbers are the clients on the internet and the destination IP and port numbers were the server which is why you needed to modify the acl entry.

I'm not sure why your UDP entries didn't work so by all means give some more details and we can look at that issue.

If you wanted to port forward UDP ports to an internal server then yes you would do exactly the same ie. a static NAT statement and then an entry in your acl in the format we used.

Feel free to come back with any more queries etc. you have.

Jon

Jon,

whoa_i_wasnt_expecting_that — Wed, 20 Jan 2016 19:40:58 GMT

Jon,

I will test it some more when i get home tonight, but yesterday i tried changing the udp entries in the ACL to be match the syntax of the tcp entries.

Example:

FROM - permit udp any eq 53 any TO - permit udp any any eq 53

I did this with all the udp entries in the InternetACL.

When i brought the connection back up with the updated udp entries, my WAN port (f0/1) wouldn't get a DHCP address from the modem. I changed the bootps entry back to permit any eq bootps any, and then i got an ip address, but left the other entries in the new format.

After trying to get around on the internet for a little bit and not getting anywhere, i ended up changing all the udp entries back to the old format (permit any eq 53 any) and everything was working again. Although when i tried to forward the udp ports it didn't seem to work.

This doesn't make sense to me because the syntax for the ACL entry that works means that it's looking at any source host from a specific port to access and destination host on any port, and from what you told me it should work the same as tcp.

I'm probably typing something wrong somewhere... Like i said though, i will try it out again tonight and see if i run into the same issue.

Thanks again!

Jon,

whoa_i_wasnt_expecting_that — Sat, 23 Jan 2016 20:22:37 GMT

Jon,

Thanks for the help! I was able to get everything working the way i needed thanks to your explanation of the ACL entries and the reminder of how source and destination ports work.

Everything is good now, and hopefully i won't be back with too many more questions.

Thanks again!