I Can't Port forwarding with Cisco 1921 to internal web server

jiggaracci (Level 1)

I have a Cisco 1921 router that I cannot get to port forward/allow access to my internal web server. SSH is open, so it appears that the ISP or modem isn't blocking it (I could be wrong). The inside LAN works for getting out to the internet.

Gateway of last resort is 68.119.44.1 to network 0.0.0.0

S*    0.0.0.0/0 [254/0] via 68.119.44.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
      68.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
S        68.114.38.242/32 [254/0] via 68.119.44.1, GigabitEthernet0/1
C        68.119.44.0/22 is directly connected, GigabitEthernet0/1
L        68.119.44.240/32 is directly connected, GigabitEthernet0/1
R     192.168.1.0/24 [120/1] via 10.0.0.2, 00:00:01, GigabitEthernet0/0
crib#
crib#show run
Building configuration...

Current configuration : 1347 bytes
!
! Last configuration change at 01:39:03 UTC Fri Jan 18 2019 by jigga
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname crib
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
!
!
!
!
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
no ip domain lookup
ip domain name xxxxxxxxxx
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn xxxxxxxx
!
!
username grover privilege 15 secret 5 xxxxxxxxxxxx
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 shutdown
 no clock rate 2000000
!
router rip
 version 2
 network 10.0.0.0
 network 68.0.0.0
 no auto-summary
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.21 80 interface GigabitEthernet0/1 80

!
access-list 1 permit 10.0.0.0 0.255.255.255
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
!
scheduler allocate 20000 1000
end
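The routing table and NAT table posted above, read together, already point at the problem: the static entry is present, but its inside-local host 192.168.1.21 sits on 192.168.1.0/24, which this router only reaches via 10.0.0.2 (a RIP-learned route through the downstream Netgear), not on a directly connected subnet. The following Python script is an added example, not code from the thread or from Cisco: it parses trimmed, constructed copies of the posted show run, show ip route and show ip nat translations output (the sample strings, the Route dataclass and the function names are the example's own) and performs the lookup a practitioner would do by hand, namely a longest-prefix match on every static translation's inside-local address, reporting whether the router delivers to that host on-link or must hand the packet to another router, and which NAT role the egress interface carries.

```python
"""Explain why a Cisco IOS static NAT (port-forward) entry is unreachable: parse
'show run', 'show ip route' and 'show ip nat translations', then longest-prefix
match each static entry's inside-local host to see whether the router delivers
to it on a connected subnet or must hand it to another router (a second NAT hop).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: trimmed copies of the output posted in the thread.
RUNNING_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source static tcp 192.168.1.21 80 interface GigabitEthernet0/1 80
"""
SHOW_IP_ROUTE = """\
Gateway of last resort is 68.119.44.1 to network 0.0.0.0
S*    0.0.0.0/0 [254/0] via 68.119.44.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet0/0
L        10.0.0.1/32 is directly connected, GigabitEthernet0/0
S        68.114.38.242/32 [254/0] via 68.119.44.1, GigabitEthernet0/1
C        68.119.44.0/22 is directly connected, GigabitEthernet0/1
R     192.168.1.0/24 [120/1] via 10.0.0.2, 00:00:01, GigabitEthernet0/0
"""
SHOW_IP_NAT = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 68.119.44.240:56106 10.0.0.2:56106    40.122.32.148:443  40.122.32.148:443
tcp 68.119.44.240:80   192.168.1.21:80    ---                ---
"""


@dataclass
class Route:
    code: str                      # IOS source letter: C, L, S, S*, R, ...
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]
    interface: Optional[str]


_ROUTE = re.compile(r"^([A-Z]\*?)\s+(\d+\.\d+\.\d+\.\d+/\d+)")
_NEXT_HOP = re.compile(r"via (\d+\.\d+\.\d+\.\d+)")
_INTERFACE = re.compile(r"(?:connected, |, )([A-Za-z]+\d[\d/.]*)\s*$")


def parse_routes(text):
    """Parse the per-prefix lines of 'show ip route'; summary lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE.match(line)
        if not m:
            continue
        nh, intf = _NEXT_HOP.search(line), _INTERFACE.search(line)
        routes.append(Route(m.group(1), ipaddress.ip_network(m.group(2), strict=False),
                            nh.group(1) if nh else None, intf.group(1) if intf else None))
    return routes


def nat_roles(config):
    """Map interface name -> 'inside' / 'outside' from the interface stanzas."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif line.strip() == "!":
            current = None
        elif current and line.strip() in ("ip nat inside", "ip nat outside"):
            roles[current] = line.split()[-1]
    return roles


def static_entries(nat_text):
    """Static translations are the rows whose two outside columns are both '---'."""
    found = []
    for line in nat_text.splitlines():
        cols = line.split()
        if len(cols) == 5 and cols[3] == cols[4] == "---":
            local_ip, _, local_port = cols[2].partition(":")
            found.append({"proto": cols[0], "inside_global": cols[1],
                          "local_ip": local_ip, "local_port": local_port or None})
    return found


def lookup(routes, ip):
    """Longest-prefix match, ignoring 'L' routes (the router's own addresses)."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if r.code != "L" and addr in r.prefix]
    return max(hits, key=lambda r: r.prefix.prefixlen, default=None)


def diagnose(config, route_text, nat_text):
    """For each static entry, report how this router reaches the inside-local host."""
    roles, routes, report = nat_roles(config), parse_routes(route_text), {}
    for e in static_entries(nat_text):
        key = f"{e['local_ip']}:{e['local_port'] or '*'}"
        r = lookup(routes, e["local_ip"])
        if r is None:
            report[key] = {"status": "unroutable"}
            continue
        info = {"interface": r.interface, "nat_role": roles.get(r.interface)}
        if r.code == "C":
            info["status"] = "on-link"            # router ARPs for the host itself
        else:
            info["status"] = "behind-next-hop"    # another router (possibly NAT) in the path
            info["next_hop"] = r.next_hop
        report[key] = info
    return report


if __name__ == "__main__":
    for host, info in diagnose(RUNNING_CONFIG, SHOW_IP_ROUTE, SHOW_IP_NAT).items():
        print(host, info)
```

Run against the posted output it reports the port-80 entry as behind-next-hop via 10.0.0.2 on GigabitEthernet0/0. A behind-next-hop result means the translation on the 1921 is only half the path: the downstream router must itself route (or, if it is doing its own NAT, forward) TCP/80 to the server, which is the double-NAT situation the rest of the thread circles around; an on-link result would mean only the host's own default gateway and firewall remain to check.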
17 Replies

ga88errus (Level 1)

Please show: sh ip nat trans, with the section about 192.168.1.21 80.


tcp 68.119.44.240:64981 10.0.0.2:64981    23.46.200.165:443  23.46.200.165:443
tcp 68.119.44.240:80   192.168.1.21:80    ---                ---
crib#

Try this:

ip nat inside source static tcp 192.168.1.21 80 interface GigabitEthernet0/1 80 extendable

Still, port 80 is not open.


crib#show ip nat translations
Pro Inside global      Inside local       Outside local      Outside global
udp 68.119.44.240:49399 10.0.0.2:49399    62.248.193.132:51348 62.248.193.132:51348
udp 68.119.44.240:49399 10.0.0.2:49399    176.228.38.95:63342 176.228.38.95:63342
tcp 68.119.44.240:56106 10.0.0.2:56106    40.122.32.148:443  40.122.32.148:443
udp 68.119.44.240:59855 10.0.0.2:59855    74.125.21.190:443  74.125.21.190:443
tcp 68.119.44.240:60353 10.0.0.2:60353    34.212.58.105:443  34.212.58.105:443
tcp 68.119.44.240:80   192.168.1.21:80    ---                ---
crib#

Can you ping the web server from the router?

If not, check the default gateway of the web server.

Jon

Nope

If you cannot ping the server then it is not going to work.

You have a route to the 192.168.1.0/24 network on your firewall, so check your server and see where its default gateway points to.

Jon

It looks like my Netgear N150 logs that someone from 52.202.215.126 was able to get LAN access from remote 52.202.215.126. Looks like they're using AWS, probably a hacker. It's a shame others can get access but I can't, lol.

show route from 192.168.1.21

Looks like the issue is with Charter...

This whole thing is weird. Here is how my setup is: I have Charter Spectrum with a cable modem connected to e1 on the Cisco router, and e0 goes to the Netgear router. On this router, I can't enter any (0.0.0.0 0.0.0.0) route.

When I take the Netgear N150 that was originally behind the Cisco router and connect it directly to the modem, I get an entirely different IP address: from 68.x.x.x to 100.x.x.x. If I connect my laptop directly, I get an entirely new address scheme. If I have the Netgear wifi router plugged directly into the modem, then the port forwarding works, but not with the Cisco router.


As I have said already, if you cannot ping the server from your router then it will not work.

Either get the routing between the routers working or remove one of the routers.

Jon

I connected the modem to the router via a switch, eliminating the other Netgear router. I verified I could ping all 3 devices on the switch: router, server, laptop. All can communicate. I start my server, open the website canyouseeme.com, scan port 80, and it's open. I stop the server, scan again, and port 80 is closed.


So either you need to sort the routing out or just use the Cisco router instead.

Jon
