topic Re: port forwarding from the Internet in Network Security

port forwarding from the Internet

ronshuster — Mon, 11 Mar 2019 13:31:02 GMT

I am trying to grant access from the Internet to one single IP address but have 3 port forwarders, for some reason I cannot open these ports from the Internet, here's what I mean:

here are the acl's to open the ports

access-list outside_incoming extended permit tcp any host 216.a.b.c eq smtp

access-list outside_incoming extended permit tcp any host 216.a.b.c eq https

access-list outside_incoming extended permit tcp any host 216.a.b.c eq www

Here are the static nats:

static (inside,outside) tcp 216.a.b.c www 10.20.4.161 www netmask 255.255.255.255

static (inside,outside) tcp 216.a.b.c https 10.20.4.161 https netmask 255.255.255.255

static (dmz,outside) tcp 216.a.b.c smtp 172.20.0.35 smtp netmask 255.255.255.255

here's the access-group

access-group outside_incoming in interface outside

But when I telnet to port 25, 80, 443 from the Internet on 216.a.b.c I cannot open that port.

Any idea???

Re: port forwarding from the Internet

acomiskey — Wed, 13 Aug 2008 19:17:34 GMT

Is 216.a.b.c your outside interface address? If so then you must use the "interface" keyword in your statics.

static (inside,outside) tcp interface www 10.20.4.161 www netmask 255.255.255.255

static (inside,outside) tcp interface https 10.20.4.161 https netmask 255.255.255.255

static (dmz,outside) tcp interface smtp 172.20.0.35 smtp netmask 255.255.255.255

Re: port forwarding from the Internet

ronshuster — Wed, 13 Aug 2008 19:29:10 GMT

Yes, 216.a.b.c is my public Internet IP address.

In your static nat example, where is the public address? Note that 216.a.b.c is not the PAT'd address and not the outside interface IP address, it is a dedicated address for this port forwarding.

So I don't think putting "interface" will not do the trick. I am pretty confident that the config I have is correct, but for some reason it is not working.

Here's an example online, it's the same as what I have:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

question still remains, why cannot I not open the 3 ports from the Internet.

Note that I can open the ports from the private\internal address so I know the services are running

Re: port forwarding from the Internet

acomiskey — Wed, 13 Aug 2008 19:31:33 GMT

I asked "if 216.a.b.c was your outside interface address". Since it is not, then yes, the interface keyword is not your solution.

Try a show xlate and make sure the translations are there.

Re: port forwarding from the Internet

ronshuster — Thu, 14 Aug 2008 12:50:15 GMT

Still no luck.

I ran a capture on the firewall:

access-list testt permit ip any host tcp 216.a.b.c eq 25

capture rontestt access-list testt interface outside

here is some of the output I am seeing from the capture

show cap rontestt

22: 19:20:17.741462 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535

23: 19:20:18.483266 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535

24: 19:20:18.484121 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948308 win 65300

I am not sure if the output of the capture is saying some outside\Internet IP address was able to open port 25 on 216.a.b.c or simply attempted to open the port. What I do know, when I try to telnet to port 25 from the Internet (or port 80 or 443) I am unable to open the port.

It is worth noting that I can ping 216.a.b.c from the Internet, so it looks like the static NAT is working to some extent, but I am unable to open the three ports.

Is there another way to determining the root cause of this issue in addition to "capture"?

I have posted the config in the first message of this thread. Again, I am followed the same example as here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Any idea why this is not working?