[NAT]Ports Filtered on C2503

rbourdin
Level 1

Hello,

We have a C2503 on which I have set NAT rules as follows:

...
ip nat inside source static tcp 192.168.1.51 21 x.x.x.x 21 extendable
ip nat inside source static tcp 192.168.1.51 22 x.x.x.x 22 extendable
ip nat inside source static tcp 192.168.1.51 25 x.x.x.x 25 extendable
...

==> FTP, SSH and SMTP are forwarded to a local server so that it can be reached from the Internet.

But sometimes we cannot initiate an FTP or an SSH connection to it.

I used the "nmap" tool from a Linux machine to test the router ports, and it appears that the FTP and/or SSH ports are filtered.

Only a reboot of the router helps, but even that doesn't work every time, and it is not bearable to do this each time the ports are filtered...

Any help would be appreciated

Thanks

R. B-G

6 Replies

sbondy
Level 1

Do you have a NAT pool set up? Is x.x.x.x in your pool?

If so, another host may be using it. When the problem occurs, try doing:

show ip nat translations

It will show you if the mapping you think you should be getting is what you are actually getting.

averzosa
Level 1

Hi Renaud,

Is it possible for you to post the complete "show run" of your router?

In the meantime, I have a working configuration here in our laboratory, but this one only allows SSH traffic.

Topology:

PIX515E_Firewall---(fa0/1)2621_Router(fa0/0)---Switch---PC

PIX  => Ethernet0 ip address = 192.168.0.2
2621 => Fa0/1 ip address = 192.168.0.1
     => Fa0/0 ip address = 10.199.249.254
PC   => ip address = 10.199.249.113

####
"show run" of 2621 Router

interface FastEthernet0/0
 ip address 10.199.249.254 255.255.255.0
 ip nat outside
 speed auto
 full-duplex
!
interface FastEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 duplex auto
 speed auto
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.0.2 22 10.199.249.254 22 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 10.199.249.1
no ip http server
!
access-list 101 deny tcp host 192.168.0.2 eq 22 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
####

####
"show ip nat translation" of 2621 Router

Pro Inside global      Inside local    Outside local  Outside global
tcp 10.199.249.254:22  192.168.0.2:22  ---            ---
####

Here is how I tested it.

1) The PIX firewall will act as the server (the one that you have on your network), and I configured the PIX to allow SSH sessions.

2) The 2621 router is configured almost the same as your SOHO91 device; the only difference is that I didn't use DHCP, and I assigned an IP address to the outside interface of the 2621 router rather than using "ip address negotiated".

3) Here is the output when I tried connecting to the PIX firewall from my PC, using PuTTY (SSH client software), with an IP address of 10.199.249.113.

login as: ansley
Sent username "ansley"
ansley@10.199.249.254's password:
Type help or '?' for a list of available commands.
pixfirewall>
pixfirewall> en
Password: *****
Invalid password
Password:
pixfirewall# login as: ansley

4) As you can see, I was able to connect successfully to the PIX firewall, whose outside interface has an IP address of 192.168.0.2 and is statically translated to 10.199.249.254.

Please see below the 'show ssh session' on my pix firewall.

pixfirewall# sh ssh session
Session ID  Client IP        Version  Encryption  State  Username
0           10.199.249.113   1.5      3DES        6      ansley

I hope this helps.

Best Regards,

Ansley R. Verzosa

Hi there,

My config looks like Ansley's.

At the moment the SSH port is filtered, and I've checked the "ip nat translations" table. I found this:

tcp x.x.x.x:22 192.168.1.61:139 192.168.245.1:1082 192.168.245.1:1082

It appears that port 22 is in use... but by what exactly? I don't understand clearly, because the IP address 192.168.245.1 is unknown in my company.

x.x.x.x is my public address, and it is in a NAT pool (it is the only IP in it):

ip nat pool test x.x.x.x x.x.x.x prefix-length 30

Should I remove this NAT pool?

Thx,

Renaud

I suspect that your problem is the pool. Here's an example of a problem I had somewhat like this. Notice there are 2 addresses in the pool:

ip nat pool NATPOOL a.b.c.1 a.b.c.2 netmask 255.255.255.0
ip nat inside source list 1 pool NATPOOL overload
ip nat inside source static tcp 10.1.1.1 25 a.b.c.1 23 extendable
access-list 1 permit 10.1.1.0 0.255.255.255

Notice that a.b.c.1 is in the pool AND is also in the static translation statement.

When the router starts, if someone on the inside on a host other than 10.1.1.1 begins a connection, they will be assigned the public address a.b.c.1 - and ALL ports associated with that address. Thus when you try to connect to your host on a.b.c.1:23, it doesn't work. If you clear the translation table, then retry, you might get connected.

The same result will happen with a single address in the pool if you omit the "overload" keyword.

Try adding the "overload" to your pool.

As for removing the pool: you need it if you want outbound traffic to be translated without static entries, for example from other hosts on this network.

Good luck.

Steve

Well, I see the problem... But I've already set the "overload" keyword. Here's my config:

ip nat pool MASQ a.b.c.182 a.b.c.182 prefix-length 30
ip nat inside source list 7 pool MASQ overload
ip nat inside source static tcp 192.168.1.51 21 a.b.c.182 21 extendable
ip nat inside source static tcp 192.168.1.51 22 a.b.c.182 22 extendable
ip nat inside source static tcp 192.168.1.51 25 a.b.c.182 25 extendable
ip nat inside source static tcp 192.168.1.51 80 a.b.c.182 8080 extendable
access-list 7 permit 192.168.1.0 0.0.0.255
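As an added example (not code from this thread or from Cisco), here is a small Python check for the condition Renaud's translation entry shows: it parses the static "ip nat inside source static" rules and a "show ip nat translations" table and flags any static forward whose inside-global port is currently bound to a different inside host. The rule text and the table are constructed sample data, with 203.0.113.182 standing in for a.b.c.182 and the extra rows invented for illustration.

```python
import re

# Constructed sample (not the thread's real router): the static forwards
# from the thread with 203.0.113.182 standing in for a.b.c.182, plus a
# translation table where port 22 is held by a dynamic PAT entry.
STATIC_RULES = """
ip nat inside source static tcp 192.168.1.51 21 203.0.113.182 21 extendable
ip nat inside source static tcp 192.168.1.51 22 203.0.113.182 22 extendable
ip nat inside source static tcp 192.168.1.51 25 203.0.113.182 25 extendable
ip nat inside source static tcp 192.168.1.51 80 203.0.113.182 8080 extendable
"""
NAT_TABLE = """
Pro Inside global      Inside local       Outside local       Outside global
tcp 203.0.113.182:22   192.168.1.61:139   192.168.245.1:1082  192.168.245.1:1082
tcp 203.0.113.182:21   192.168.1.51:21    ---                 ---
tcp 203.0.113.182:25   192.168.1.51:25    ---                 ---
tcp 203.0.113.182:1024 192.168.1.20:51000 198.51.100.7:80     198.51.100.7:80
"""
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
ROW_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)")

def parse_static_rules(config):
    """(proto, inside-global addr, port) -> (inside-local addr, port)."""
    return {(p, ig, int(igp)): (il, int(ilp))
            for p, il, ilp, ig, igp in STATIC_RE.findall(config)}

def parse_translations(output):
    """Rows of 'show ip nat translations'; header and blank lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            p, ig, igp, il, ilp, _ol, og = m.groups()
            rows.append((p, ig, int(igp), il, int(ilp), og))
    return rows

def find_hijacked_ports(rules, rows):
    """Static forwards whose inside-global port is currently bound to some
    other inside host, so inbound connections to that port are dropped."""
    found = []
    for p, ig, igp, il, ilp, og in rows:
        expected = rules.get((p, ig, igp))
        if expected and expected != (il, ilp):
            found.append({"port": (p, ig, igp), "expected": expected,
                          "actual": (il, ilp), "peer": og})
    return found

if __name__ == "__main__":
    print(find_hijacked_ports(parse_static_rules(STATIC_RULES),
                              parse_translations(NAT_TABLE)))
```

Run it against the real outputs of "show run | include ip nat inside source static" and "show ip nat translations" whenever the ports show as filtered; an empty result means the static mappings are intact and the problem lies elsewhere.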

I have a question I did not think to ask earlier.

Is the IP address in your pool the same address you have on the outside interface?

If so, you might try

ip nat inside source list 7 interface Serial0/0 overload

(I'm assuming here the interface outside is Serial 0/0 - change as needed)

Posting as much of your config as you can would help.
