04-01-2020 08:21 AM
I feel this probably has an obvious easy answer, but I'm struggling a bit. PBX is 172.31.213.130
The public IPs are completely public and connected to our ISP.
At a branch office they are setting up a PBX box that we have assigned to a VLAN. But I can't get port forwarding to work.
These are the forwarding rules:
ip nat inside source static udp 172.31.213.130 2727 <public_primary_ip> 2727 extendable
ip nat inside source static udp 172.31.213.130 8181 <public_primary_ip> 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 <public_primary_ip> 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 <public_primary_ip> 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 <public_primary_ip> 35561 extendable
ip nat inside source static 172.31.213.131 <public_secondary_ip>
Interfaces:
interface GigabitEthernet0/1
 description ** First connection to IED Office - Public **$ETH-LAN$$FW_OUTSIDE$
 ip address <public_primary_ip> 255.255.255.248
 ip address <public_secondary_ip> 255.255.255.248 secondary
 ip access-group ACLLine1 in
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security ZoneOutside
 duplex auto
 speed auto
 no mop enabled
 service-policy output QoS
!
interface GigabitEthernet0/0.51
 description PBX_VLAN
 encapsulation dot1Q 51
 ip address 172.31.213.129 255.255.255.248
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security ZoneDMZ
 no cdp enable
!
NOTE: I have tried to completely disable the incoming ACL and Zone based firewall to see if it was something blocking, but no go :(
Now we also have the following configured, is this conflicting?
ip nat inside source route-map NAT_LINE1_ROUTEMAP interface GigabitEthernet0/1 overload
!
route-map NAT_LINE1_ROUTEMAP permit 10
 match ip address LANInside
 match interface GigabitEthernet0/1
!
ip access-list extended LANInside
 deny ip 172.21.13.0 0.0.0.255 172.16.0.0 0.15.255.255
 deny ip 172.21.13.0 0.0.0.255 57.66.8.48 0.0.0.15
 permit ip 172.24.100.0 0.0.0.255 any
 permit ip 172.21.13.0 0.0.0.255 any
04-01-2020 08:26 AM
Hello,
the 'extendable' keyword is needed when you want to translate a private IP address to more than one public IP address. So in your case, the static entries should look like below:
ip nat inside source static udp 172.31.213.130 2727 <public_primary_ip> 2727
ip nat inside source static udp 172.31.213.130 8181 <public_primary_ip> 8181
ip nat inside source static udp 172.31.213.130 9300 <public_primary_ip> 9300
ip nat inside source static udp 172.31.213.130 15060 <public_primary_ip> 35560
ip nat inside source static tcp 172.31.213.130 15061 <public_primary_ip> 35561
ip nat inside source static 172.31.213.131 <public_secondary_ip> extendable
04-01-2020 09:31 AM
Hi,
Most probably you need the PBX to be accessed from the outside, so leave the static NAT statements, they were good (as long as you've properly configured the port bindings). You don't care about the "extendable" keyword, it's there by default, it does not affect you.
To stay on the NAT problem, remove the ingress ACL and the interface zone membership on both interfaces, and try again. While you send traffic matching your NAT statements, look in "show ip nat translations" and do "debug ip nat detailed". This has to work, otherwise post the outputs.
If it does work and stops working with ZBFW, post the complete ZBFW configuration; if using ZBFW, it is not recommended and redundant to have an ingress ACL on any zone member interfaces, so the ACL should be removed anyways.
Regards,
Cristian Matei.
04-01-2020 10:10 AM - edited 04-01-2020 10:11 AM
Thanks :)
So without ACL and without ZBFW, something is happening but ports are still reported as closed when I test from outside. According to the company setting up the PBX there should also be a web interface available at 8181. But I'm having no luck with both firewall and ZBFW off. (I'm using https://www.yougetsignal.com/tools/open-ports/ to test)
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:50632 198.199.98.246:50632
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:50638 198.199.98.246:50638
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:50643 198.199.98.246:50643
tcp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:9300 172.31.213.130:9300 --- ---
udp <public_ip1>:35560 172.31.213.130:15060 --- ---
tcp <public_ip1>:35561 172.31.213.130:15061 --- ---
Pro Inside global Inside local Outside local Outside global
tcp <public_ip2>:23 172.31.213.131:23 79.1.194.79:6413 79.1.194.79:6413
--- <public_ip2> 172.31.213.131 --- ---
08547: Apr 1 17:48:18.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008549: Apr 1 17:48:18.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008550: Apr 1 17:48:18.700 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008552: Apr 1 17:48:18.700 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008599: Apr 1 17:48:20.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008601: Apr 1 17:48:20.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
008789: Apr 1 17:48:37.152 CET: NAT: API parameters passed: src_addr:218.102.109.119, src_port:0 dest_addr:<public_ip1>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008791: Apr 1 17:48:37.152 CET: NAT: API Failed to get Translated-Info from: (src-addr:218.102.109.119, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
With the ACL in place not much happens:
udp <public_ip1>:2727 172.31.213.130:2727 --- ---
tcp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:9300 172.31.213.130:9300 --- ---
udp <public_ip1>:35560 172.31.213.130:15060 --- ---
tcp <public_ip1>:35561 172.31.213.130:15061 --- ---
--- <public_ip2> 172.31.213.131 --- ---
08547: Apr 1 17:48:18.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008549: Apr 1 17:48:18.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008550: Apr 1 17:48:18.700 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008552: Apr 1 17:48:18.700 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008599: Apr 1 17:48:20.696 CET: NAT: API parameters passed: src_addr:198.199.98.246, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008601: Apr 1 17:48:20.696 CET: NAT: API Failed to get Translated-Info from: (src-addr:198.199.98.246, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
008789: Apr 1 17:48:37.152 CET: NAT: API parameters passed: src_addr:218.102.109.119, src_port:0 dest_addr:<public_ip2>, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
008791: Apr 1 17:48:37.152 CET: NAT: API Failed to get Translated-Info from: (src-addr:218.102.109.119, src-port:0) (dest-addr:<public_ip2>, dest-port:0)
With ZBFW on, I get:
udp <public_ip1>:2727 172.31.213.130:2727 --- ---
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:52724 198.199.98.246:52724
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:52729 198.199.98.246:52729
tcp <public_ip1>:8181 172.31.213.130:8181 198.199.98.246:52734 198.199.98.246:52734
tcp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:8181 172.31.213.130:8181 --- ---
udp <public_ip1>:9300 172.31.213.130:9300 --- ---
udp <public_ip1>:35560 172.31.213.130:15060 --- ---
tcp <public_ip1>:35561 172.31.213.130:15061 --- ---
tcp <public_ip2>:1433 172.31.213.131:1433 42.247.5.87:55377 42.247.5.87:55377
--- <public_ip2> 172.31.213.131 --- ---
025140: Apr 1 18:02:51.351 CET: NAT: API parameters passed: src_addr:185.217.0.156, src_port:0 dest_addr:87.198.211 .162, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
025142: Apr 1 18:02:51.351 CET: NAT: API Failed to get Translated-Info from: (src-addr:185.217.0.156, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
025143: Apr 1 18:02:51.355 CET: NAT - SYSTEM PORT for <public_ip1>: allocated port 0, refcount 208, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 208, proto 6
025294: Apr 1 18:02:59.287 CET: NAT: API parameters passed: src_addr:195.54.166.26, src_port:0 dest_addr:87.198.211 .162, dest_port:0, proto:6 if_input:GigabitEthernet0/1 pak:3D5A9808 get_translated:1
025296: Apr 1 18:02:59.287 CET: NAT: API Failed to get Translated-Info from: (src-addr:195.54.166.26, src-port:0) (dest-addr:<public_ip1>, dest-port:0)
025297: Apr 1 18:02:59.287 CET: NAT - SYSTEM PORT for <public_ip1>: allocated port 0, refcount 209, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 209, proto 6
025305: Apr 1 18:02:59.667 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
025331: Apr 1 18:03:00.691 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
025368: Apr 1 18:03:01.715 CET: NAT: expiring <public_ip1> (172.31.213.130) tcp 8181 (8181)
04-01-2020 10:19 AM
Hello,
post the full running configuration...
04-01-2020 10:45 AM
Hi,
Your static PAT statement for port 8181 makes use of UDP, while I see you generating TCP traffic for port 8181, which clearly doesn't match any NAT statements. So make sure the testing matches the configuration.
Also, what you could do is a 1-to-1 static NAT for the PBX and restrict access at the service level (TCP,UDP) via your ZBFW configuration.
Regards,
Cristian Matei.
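The check described in the reply above (does the probe's protocol and port actually match a static PAT entry, and has any outside host ever hit it?) can be done mechanically from the same two artifacts the thread already uses. The following Python script is an added example for this thread, not code from the original posts or from Cisco IOS: it parses `ip nat inside source static ...` statements in the forms used here and a `show ip nat translations` table, reports which entry an inbound probe would match, and lists entries that never appear with an outside peer. The config and table are constructed from the thread's placeholders, with RFC 5737 documentation addresses standing in for the outside hosts; `parse_static_nat`, `matching_rule` and `rules_without_traffic` are names chosen for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Static NAT/PAT statement forms seen in this thread (constructed regex):
#   ip nat inside source static {tcp|udp} LOCAL LPORT GLOBAL GPORT [extendable]
#   ip nat inside source static LOCAL GLOBAL [extendable]
STATIC_RE = re.compile(
    r"^ip nat inside source static"
    r"(?: (?P<proto>tcp|udp))?"
    r" (?P<local>\S+)(?: (?P<lport>\d+))?"
    r" (?P<global>\S+)(?: (?P<gport>\d+))?"
    r"(?: extendable)?$"
)


@dataclass(frozen=True)
class StaticNat:
    proto: Optional[str]            # None means a 1-to-1 static NAT (any proto/port)
    inside_local: str
    inside_local_port: Optional[int]
    inside_global: str
    inside_global_port: Optional[int]


@dataclass(frozen=True)
class Translation:
    proto: str                      # 'tcp', 'udp' or '---' for the bare 1-to-1 row
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


def parse_static_nat(config: str) -> List[StaticNat]:
    """Extract static NAT/PAT entries from running-config text."""
    rules = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        rules.append(StaticNat(
            proto=m.group("proto"),
            inside_local=m.group("local"),
            inside_local_port=int(m.group("lport")) if m.group("lport") else None,
            inside_global=m.group("global"),
            inside_global_port=int(m.group("gport")) if m.group("gport") else None,
        ))
    return rules


def parse_translations(output: str) -> List[Translation]:
    """Parse 'show ip nat translations' rows; the header has more than 5 fields and is skipped."""
    rows = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) == 5:
            rows.append(Translation(*fields))
    return rows


def split_endpoint(endpoint: str):
    """'<ip>:port' -> (ip, port); a bare address or '---' -> (endpoint, None)."""
    if ":" in endpoint:
        ip, _, port = endpoint.rpartition(":")
        return ip, int(port)
    return endpoint, None


def matching_rule(rules: List[StaticNat], proto: str, inside_global: str, port: int) -> Optional[StaticNat]:
    """Entry an inbound probe to inside_global:port/proto would hit.

    A port-specific PAT entry for that protocol is the only thing that can
    translate the probe; a 1-to-1 entry on the same global address covers
    every protocol and port. A TCP probe never matches a UDP-only entry.
    """
    for r in rules:
        if r.inside_global == inside_global and r.proto == proto and r.inside_global_port == port:
            return r
    for r in rules:
        if r.inside_global == inside_global and r.proto is None:
            return r
    return None


def rules_without_traffic(rules: List[StaticNat], translations: List[Translation]) -> List[StaticNat]:
    """Entries whose only table rows show '---' as the outside peer.

    A static entry is always listed; a row with a real outside address
    appears only once a flow has matched it, so entries with no such row
    have not been used during the capture.
    """
    hit = set()
    for t in translations:
        if t.outside_global == "---":
            continue
        ip, port = split_endpoint(t.inside_global)
        hit.add((t.proto, ip, port))
    never = []
    for r in rules:
        if r.proto is None:
            if not any(ip == r.inside_global for (_, ip, _) in hit):
                never.append(r)
        elif (r.proto, r.inside_global, r.inside_global_port) not in hit:
            never.append(r)
    return never


# Constructed sample data: the thread's final entry set and a translation
# table in which only TCP/8181 and the 1-to-1 address have seen outside peers.
SAMPLE_CONFIG = """
ip nat inside source static udp 172.31.213.130 2727 <public_ip1> 2727 extendable
ip nat inside source static tcp 172.31.213.130 8181 <public_ip1> 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 <public_ip1> 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 <public_ip1> 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 <public_ip1> 35561 extendable
ip nat inside source static 172.31.213.131 <public_ip2>
"""

SAMPLE_TABLE = """
Pro Inside global      Inside local         Outside local       Outside global
udp <public_ip1>:2727  172.31.213.130:2727  ---                 ---
tcp <public_ip1>:8181  172.31.213.130:8181  198.51.100.7:50632  198.51.100.7:50632
tcp <public_ip1>:8181  172.31.213.130:8181  ---                 ---
udp <public_ip1>:9300  172.31.213.130:9300  ---                 ---
udp <public_ip1>:35560 172.31.213.130:15060 ---                 ---
tcp <public_ip1>:35561 172.31.213.130:15061 ---                 ---
tcp <public_ip2>:23    172.31.213.131:23    203.0.113.9:6413    203.0.113.9:6413
--- <public_ip2>       172.31.213.131       ---                 ---
"""

if __name__ == "__main__":
    rules = parse_static_nat(SAMPLE_CONFIG)
    for proto, port in (("tcp", 8181), ("udp", 8181), ("tcp", 35561)):
        print(f"probe {proto}/{port} on <public_ip1> ->", matching_rule(rules, proto, "<public_ip1>", port))
    for r in rules_without_traffic(rules, parse_translations(SAMPLE_TABLE)):
        print("never hit:", r.proto, r.inside_global, r.inside_global_port)
```

Run it against the real `show run | include ip nat inside source static` and `show ip nat translations` output and the two questions in the reply above are answered directly: `matching_rule` returns `None` for a probe whose protocol or port has no entry, and `rules_without_traffic` lists the entries nothing from outside has ever reached, which is where to look before suspecting the ACL or ZBFW.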
04-01-2020 11:07 AM - edited 04-01-2020 11:08 AM
Ahh, I had both UDP and TCP, but for testing I removed UDP now.
One-to-one static wouldn't work due to 35560/25561 > 15060/15061. This is what I have now:
ip nat inside source static udp 172.31.213.130 2727 <pubIP1> 2727 extendable
ip nat inside source static tcp 172.31.213.130 8181 <pubIP1> 8181 extendable
ip nat inside source static udp 172.31.213.130 9300 <pubIP1> 9300 extendable
ip nat inside source static udp 172.31.213.130 15060 <pubIP1> 35560 extendable
ip nat inside source static tcp 172.31.213.130 15061 <pubIP1> 35561 extendable
ip nat inside source static 172.31.213.131 <pubIP2>
I will try to post the whole config, but gonna take me some time to redact it :(
04-02-2020 02:41 AM
Ok, found the issue.
We have two ISP interfaces, and it didn't like asymmetric routing. Adjusted our routing and now it works.
Thanks for all the replies.