WRVS4400n port forwarding (SSH access)

vlad1977cisco
Level 1

I have a WRVS4400n and a CentOS server that I need to enable SSH access to from the WAN.

I created a single port forward rule to open port 22 and forward it to the server (whose address is 192.168.41.3).

However ssh connect doesn't happen, the command "ssh user@{external_IP}" times out after 20 seconds.

Wondering why...

If I connect my server directly to modem through outside interface - I have no problems connecting to it. Once it's behind router - no luck.

I even added the same rule for UDP, not sure if it's needed, but it definitely didn't help.

The router is on firmware version 2.0.1.3, version on a bottom is 2.

Any suggestions?

rmanthey
Level 4

Hello Vladyslav,

Can the server ping the internet?

What is the default gateway set to on the CentOS?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Hi Randy Manthey,

Thanks for quick response.

The server has 2 interfaces:

eth0 (outside, WAN) currently down. When it was up it had a static IP, default gateway and mask assigned by ISP. It was plugged into the cable modem at that time, it was accessible.

eth1 (inside, LAN), up, address 192.168.41.3, default gateway 192.168.41.1 (which is above mentioned Cisco router WRVS4400n). It can ping all machines on LAN, including gateway. It is accessible to all machines on LAN and can be pinged by the Cisco router. It CANNOT ping any IP address on WAN (I understand this is because eth0 is down).

Let me know if you need any other info.

Thank you.

Edit: I got home (the router is in one of my offices) and scanned the router with nmap:

nmap -v -sT -PN XXX.YYY.ZZZ.88

Starting Nmap 5.21 ( http://nmap.org ) at 2012-04-24 23:24 EDT

Initiating Parallel DNS resolution of 1 host. at 23:24

Completed Parallel DNS resolution of 1 host. at 23:24, 0.04s elapsed

Initiating Connect Scan at 23:24

Scanning wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88) [1000 ports]

Discovered open port 8080/tcp on XXX.YYY.ZZZ.88

Completed Connect Scan at 23:24, 6.06s elapsed (1000 total ports)

Nmap scan report for wsip-XXX-YYY-ZZZ-88.nn.nn.nnn.net (XXX.YYY.ZZZ.88)

Host is up (0.033s latency).

Not shown: 999 filtered ports

PORT     STATE SERVICE

8080/tcp open  http-proxy

Read data files from: /usr/share/nmap

Nmap done: 1 IP address (1 host up) scanned in 6.14 seconds

Port 8080 is the port for remote router administration.

Vladyslav,

The reason the server is not responding to the port forward is that, if the traffic is unknown to that subnet, it is not being sent to the 41.1 address, it sounds like. If you can't ping any subnet other than the local LAN subnet on the server, you will not be able to communicate with a public IP or even a PC through a VPN tunnel, because the destination IP address is outside the LAN subnet. This was the reason for asking if the server could ping the internet.

Is it possible to remove the default gateway on the eth0 interface, just in case it is causing problems with the route statements on the server?

Is this a Linux server? If so, can you run the route -n command to see what your routing table looks like?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Solved.

I initially set up the interfaces with the system-config-network command, and the configuration was successfully saved. That's what made me believe I had no problems on that side. But I don't believe I restarted networking on the server. So... that was the culprit. /etc/init.d/network restart did the trick.

Thank you, Randy.
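
The return-path check that the route -n question in this thread points at, as an added example that is not part of the original posts: it parses `route -n` output and reports whether the server has a default route through the router that forwards port 22 to it. The function names are hypothetical, the three routing tables are constructed samples (not captured from the poster's server), and 203.0.113.1 is a documentation address standing in for an ISP gateway.

```sh
#!/bin/sh
# Added example, not from the thread: does this host have a default route
# through the router that forwards port 22 to it?

# Constructed `route -n` samples (assumed, not captured from the poster's server).
HDR='Destination     Gateway         Genmask         Flags Metric Ref    Use Iface'
LAN='192.168.41.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1'
# Saved config not yet applied: only the connected LAN route exists.
ROUTES_BEFORE="$HDR
$LAN"
# After `/etc/init.d/network restart`: default route via the router.
ROUTES_AFTER="$HDR
$LAN
0.0.0.0         192.168.41.1    0.0.0.0         UG    0      0        0 eth1"
# Leftover default route on the WAN-facing NIC (203.0.113.1 is a placeholder).
ROUTES_STALE="$HDR
$LAN
0.0.0.0         203.0.113.1     0.0.0.0         UG    0      0        0 eth0"

# Print "gateway iface" for each default route (0.0.0.0/0 with the G flag).
default_routes() {
    awk '$1 == "0.0.0.0" && $3 == "0.0.0.0" && $4 ~ /G/ { print $2, $8 }'
}

# check_return_path GW IFACE: reads `route -n` output on stdin.
# Prints ok, missing, or wrong:<gw>@<iface>; exit status is 0 only for ok.
check_return_path() {
    want="$1 $2"
    found=$(default_routes)
    if [ -z "$found" ]; then
        echo "missing"   # replies to WAN clients have no route; the client times out
        return 1
    fi
    if [ "$found" = "$want" ]; then
        echo "ok"
        return 0
    fi
    # A different or additional default route can send replies the wrong way.
    echo "wrong:$(printf '%s\n' "$found" | head -n 1 | tr ' ' '@')"
    return 2
}

for sample in "$ROUTES_BEFORE" "$ROUTES_AFTER" "$ROUTES_STALE"; do
    printf '%s\n' "$sample" | check_return_path 192.168.41.1 eth1 || true
done
# On the server itself: route -n | check_return_path 192.168.41.1 eth1
```

A result of missing or wrong is consistent with the nmap output above, where port 22 shows as filtered even though the forward rule exists on the router.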