Solved: Issue with External Connection, Destination port unreachable

Jacob_A · ‎06-20-2021

Hello,

I´ve followed the following instructions for setting up MGMT-access directly towards the hosts in my network-simulation https://developer.cisco.com/docs/modeling-labs/#!external-connectivity-for-simulations

External-connector is configured as a bridge and hosts in my lab get´s a DHCP-adress on 192.168.255.x/24 Network but are unreachable from the other VLANs in the same site. I´ve routed 192.168.255.0/24 towards the CML host in the firewall and traffic is allowed.

C:\Users\Jacob Åkerblom>ping 192.168.255.217

Pinging 192.168.255.217 with 32 bytes of data:
Reply from 10.182.3.20: Destination port unreachable.
Reply from 10.182.3.20: Destination port unreachable.
Reply from 10.182.3.20: Destination port unreachable.
Reply from 10.182.3.20: Destination port unreachable.

Ping statistics for 192.168.255.217:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Where 192.168.255.217 is the DHCP-leased address to the Management-interface of a host in the Network-simulation and 10.182.3.20 is the host running CML. From the host in the network simulation I am able to reach the gateway of the CML host with IP 192.168.255.1

Spine-01#show run interfaces management 1
interface Management1
   vrf MGMT
   ip address dhcp
Spine-01#show ip int bri
                                                                        Address 
Interface      IP Address             Status     Protocol         MTU   Owner   
-------------- ---------------------- ---------- ------------ --------- ------- 
Ethernet1      10.0.1.0/31            up         up              9214           
Ethernet2      10.0.1.2/31            up         up              9214           
Ethernet3      10.0.1.4/31            up         up              9214           
Ethernet4      10.0.1.6/31            up         up              9214           
Loopback0      10.0.250.1/32          up         up             65535           
Management1    192.168.255.217/24     up         up              1500           

Spine-01#
Spine-01#show ip route vrf MGMT

VRF: MGMT
Codes: C - connected, S - static, K - kernel, 
       O - OSPF, IA - OSPF inter area, E1 - OSPF external type 1,
       E2 - OSPF external type 2, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type2, B - BGP, B I - iBGP, B E - eBGP,
       R - RIP, I L1 - IS-IS level 1, I L2 - IS-IS level 2,
       O3 - OSPFv3, A B - BGP Aggregate, A O - OSPF Summary,
       NG - Nexthop Group Static Route, V - VXLAN Control Service,
       DH - DHCP client installed default route, M - Martian,
       DP - Dynamic Policy Route, L - VRF Leaked,
       RC - Route Cache Route

Gateway of last resort:
 S        0.0.0.0/0 [1/0] via 192.168.255.1, Management1

 C        192.168.255.0/24 is directly connected, Management1
 
Spine-01#ping vrf MGMT 192.168.255.1
PING 192.168.255.1 (192.168.255.1) 72(100) bytes of data.
80 bytes from 192.168.255.1: icmp_seq=1 ttl=64 time=0.590 ms
80 bytes from 192.168.255.1: icmp_seq=2 ttl=64 time=0.421 ms
80 bytes from 192.168.255.1: icmp_seq=3 ttl=64 time=0.388 ms
80 bytes from 192.168.255.1: icmp_seq=4 ttl=64 time=0.373 ms
80 bytes from 192.168.255.1: icmp_seq=5 ttl=64 time=0.216 ms

--- 192.168.255.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 0.216/0.397/0.590/0.121 ms, ipg/ewma 1.899/0.486 ms
Spine-01#ping vrf MGMT 10.182.3.20
PING 10.182.3.20 (10.182.3.20) 72(100) bytes of data.
80 bytes from 10.182.3.20: icmp_seq=1 ttl=64 time=0.589 ms
80 bytes from 10.182.3.20: icmp_seq=2 ttl=64 time=0.376 ms
80 bytes from 10.182.3.20: icmp_seq=3 ttl=64 time=0.359 ms
80 bytes from 10.182.3.20: icmp_seq=4 ttl=64 time=0.267 ms
80 bytes from 10.182.3.20: icmp_seq=5 ttl=64 time=0.368 ms

--- 10.182.3.20 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 0.267/0.391/0.589/0.109 ms, ipg/ewma 1.766/0.486 ms

Spine-01#ping vrf MGMT 10.182.3.1
PING 10.182.3.1 (10.182.3.1) 72(100) bytes of data.

--- 10.182.3.1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 41ms

Spine-01#

Jacob_A · ‎06-23-2021

Managed to resolve the issue. Our installation of CML came with the firewall enabled by default. By disabling the firewall in the CML Cent-OS host with "sudo systemctl stop firewalld" I was able to login into my devices by the external-connection.

View solution in original post

MHM Cisco World · ‎06-20-2021

outside to host behind the Router "with NAT" and this host get ip from the DHCP?

you need 1:1 NAT if you want to access from outside to host and host must get same ip from dhcp otherwise the 1:1 NAT is not work.

Jacob_A · ‎06-20-2021

Hello!

The connection I am trying to make is from another VLAN in the same site, not from the internet. I have updated the post to clarify this!

Best Regards Jacob

Jacob_A · ‎06-23-2021

Managed to resolve the issue. Our installation of CML came with the firewall enabled by default. By disabling the firewall in the CML Cent-OS host with "sudo systemctl stop firewalld" I was able to login into my devices by the external-connection.