3313 Views · 5 Helpful · 17 Replies

Allow access to LAN hosts from outside the LAN

broberto82 (Level 1)

Hi,
I would need some help with a NAT problem.
With some previous help from this community I configured a Cisco ISR 1113-8p, but I cannot allow users from outside my LAN to access some hosts inside my LAN. They're getting a "connection refused" message.
I don't have a static public IP but one dynamically assigned by the ISP. For this reason I have a Dynamic DNS entry (it's working correctly and pointing to my current public IP).
Based on my running-config shown at the end of this post, I basically would like that:
- requests from external users on port 80 are sent to 192.168.178.109:80
- requests from external users on port 81 are sent to 192.168.178.200:81

version 16.10
!
hostname Router
!
boot-start-marker
boot-end-marker
!
ip name-server 8.8.8.8
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 8.8.8.8
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.178.1 255.255.255.0
ip nat inside
!
interface Dialer0
!
interface Dialer1
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip http secure-port 8080
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
ip nat inside source static tcp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static udp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static tcp 192.168.178.109 443 interface Dialer1 443
ip nat inside source static udp 192.168.178.109 443 interface Dialer1 443
ip nat inside source static tcp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 5060 interface Dialer1 5060
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 192.168.178.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end


Thanks in advance to everyone who can help me!

17 Replies

Hello,

what IP address are your external hosts connecting to? Are they actually allowed on the internal servers?

Hi Georg,
they're actually trying to connect to X.Y.W.Z, the address given to them by the Dynamic DNS.
I'm pretty sure the internal servers allow connections, because they're actually reachable from inside the LAN with their private IPs, and I could also connect to them from outside when I had the previous router (Cisco RV134W). This is the reason why I'm wondering about the NAT or ACL configuration on the 1113-8p...

Hello
First of all please remove that address, you don't want to share public addressing of your network on public forums.

Lastly, I have just tried connecting to that address on port 80/81 and it connected, so it looks like your NATting is fine; maybe the DNS entries your people are using are incorrect.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hello,

odd indeed. Try and add the lines marked with "-->" to your dialer interface and configuration, not sure if that makes a difference:


interface Dialer1
--> mtu 1492
ip address negotiated
--> no ip redirects
--> no ip unreachables
--> no ip proxy-arp
ip nat outside
encapsulation ppp
dialer pool 1
--> dialer-group 1
--> ip tcp adjust-mss 1452
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept

!

--> dialer-list 1 protocol ip permit

Hi Georg,
I tried to do what you said but unfortunately the behaviour hasn't changed.
As Paul wrote before, the external interface is reachable and its ports are open. But I don't know why the packets, once they reach the external port, aren't forwarded to the internal device's port...

If you've any other suggestion, I can try!
Thanks in advance!

Hi guys,
I don't know if this could be useful information for you to help me, but this is the result of the
show ip nat translations
command (I masked my actual public IP with XX.YY.WW.ZZ):

Pro Inside global Inside local Outside local Outside global
tcp XX.YY.WW.ZZ:80 192.168.178.109:80 --- ---
udp XX.YY.WW.ZZ:80 192.168.178.109:80 --- ---
tcp XX.YY.WW.ZZ:443 192.168.178.109:443 --- ---
udp XX.YY.WW.ZZ:443 192.168.178.109:443 --- ---
tcp XX.YY.WW.ZZ:81 192.168.178.200:81 --- ---
udp XX.YY.WW.ZZ:81 192.168.178.200:81 --- ---
udp XX.YY.WW.ZZ:5060 192.168.178.200:5060 --- ---
tcp XX.YY.WW.ZZ:10368 192.168.178.13:39480 216.58.208.168:443 216.58.208.168:443
tcp XX.YY.WW.ZZ:10565 192.168.178.4:60925 64.233.167.188:5228 64.233.167.188:5228
tcp XX.YY.WW.ZZ:6363 192.168.178.3:53652 151.99.109.59:443 151.99.109.59:443
tcp XX.YY.WW.ZZ:9863 192.168.178.10:57214 216.58.208.163:443 216.58.208.163:443
tcp XX.YY.WW.ZZ:11046 192.168.178.3:51667 156.54.225.18:80 156.54.225.18:80
tcp XX.YY.WW.ZZ:5675 192.168.178.9:38092 31.13.86.52:443 31.13.86.52:443
tcp XX.YY.WW.ZZ:11121 192.168.178.9:34690 31.13.86.34:443 31.13.86.34:443

I even tried changing the access-list to permit any, but it didn't work...
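As an added example that is not part of this thread, the Python script below audits the port forwards in a running-config like the one posted at the top (the two intended forwards, port 80 to 192.168.178.109 and port 81 to 192.168.178.200) and cross-checks them against the `show ip nat translations` output posted above. The config and translation lines embedded in it are constructed from the thread (public IP masked as XX.YY.WW.ZZ), and the WANTED list and the function names are the example's own, not anything from Cisco IOS. Besides confirming the requested mappings exist and are installed, it reports a PPPoE client sub-interface marked `ip nat inside` (the point later replies raise) and any static entry beyond what was asked for, such as the UDP copies of TCP-only services, since every unneeded forward is exposed attack surface.

```python
import re
from collections import namedtuple

StaticNat = namedtuple("StaticNat", "proto inside_ip inside_port outside_port")

# Constructed sample: the NAT-relevant lines of the posted running-config
# (IOS indents stanza lines with a space; the forum stripped that indent).
SAMPLE_CONFIG = """\
interface Ethernet0/2/0.835
 encapsulation dot1Q 835
 ip nat inside
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source static tcp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static udp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static tcp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 5060 interface Dialer1 5060
ip nat inside source list 1 interface Dialer1 overload
"""

# Constructed sample of `show ip nat translations` (public IP masked as in the post).
SAMPLE_TRANSLATIONS = """\
Pro Inside global      Inside local          Outside local       Outside global
tcp XX.YY.WW.ZZ:80     192.168.178.109:80    ---                 ---
udp XX.YY.WW.ZZ:80     192.168.178.109:80    ---                 ---
tcp XX.YY.WW.ZZ:81     192.168.178.200:81    ---                 ---
tcp XX.YY.WW.ZZ:10368  192.168.178.13:39480  216.58.208.168:443  216.58.208.168:443
"""

# What the poster asked to expose (assumed here): (proto, outside_port, inside_ip, inside_port).
WANTED = [("tcp", 80, "192.168.178.109", 80), ("tcp", 81, "192.168.178.200", 81)]

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)\s*$", re.M)


def parse_static_nat(config):
    """Extract every 'ip nat inside source static <proto> ...' port-forward line."""
    return [StaticNat(m.group(1), m.group(2), int(m.group(3)), int(m.group(4)))
            for m in STATIC_RE.finditer(config)]


def interface_facts(config):
    """Map interface name -> {'nat': 'inside'|'outside'|None, 'pppoe': bool}."""
    facts, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            facts[current] = {"nat": None, "pppoe": False}
        elif line.startswith("!"):
            current = None  # '!' closes the interface stanza
        elif current and line in ("ip nat inside", "ip nat outside"):
            facts[current]["nat"] = line.split()[-1]
        elif current and line.startswith("pppoe-client"):
            facts[current]["pppoe"] = True
    return facts


def parse_translations(output):
    """Static mappings in the translation table as (proto, gport, lip, lport).
    Rows with a real outside peer are dynamic PAT sessions and are skipped."""
    entries = set()
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 5 or parts[3] != "---":
            continue
        gport = int(parts[1].rsplit(":", 1)[1])
        lip, lport = parts[2].rsplit(":", 1)
        entries.add((parts[0], gport, lip, int(lport)))
    return entries


def audit(config, translations, wanted):
    """Return a list of findings; an empty list means the port forwards look right."""
    findings = []
    statics = parse_static_nat(config)
    facts = interface_facts(config)
    if not any(f["nat"] == "outside" for f in facts.values()):
        findings.append("no interface is marked 'ip nat outside'")
    for name, f in facts.items():
        if f["pppoe"] and f["nat"] == "inside":
            findings.append("interface %s runs the PPPoE client but is marked 'ip nat inside'" % name)
    configured = {(s.proto, s.outside_port, s.inside_ip, s.inside_port) for s in statics}
    active = parse_translations(translations)
    for key in wanted:
        if key not in configured:
            findings.append("missing static entry for %s/%d -> %s:%d" % key)
        elif key not in active:
            findings.append("%s/%d -> %s:%d is configured but absent from the translation table" % key)
    for s in statics:  # anything exposed beyond the request widens the attack surface
        key = (s.proto, s.outside_port, s.inside_ip, s.inside_port)
        if key not in set(wanted):
            findings.append("unrequested exposure: %s/%d -> %s:%d" % key)
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, SAMPLE_TRANSLATIONS, WANTED):
        print("-", finding)
```

Run against the constructed sample it reports the PPPoE sub-interface marked inside and the three UDP forwards (80, 81, 5060) that were never requested; the two TCP forwards the poster wanted are both configured and present in the table, which matches the later observation in the thread that the NAT itself was fine.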

Hello

try the following 

make sure your external hosts have the correct DNS entries to resolve the web server PAT inside global IP address

then

interface Ethernet0/2/0.835
ip nat outside

no access-list 1

no ip nat inside source list 1 interface Dialer1 overload

access-list 100 deny ip host 192.168.178.109 any

access-list 100 deny ip host 192.168.178.200 any

access-list 100 permit ip 192.168.178.0 0.0.0.255 any

ip nat inside source list 100 interface Dialer1 overload



Kind Regards
Paul

Hi Paul,
and thank you for your kind reply.
The external hosts are using Google DNS, 8.8.8.8 to be exact, so it seems they're ok but tell me if I can check some more.

I also tried to configure what you suggested, but the scenario hasn't changed... still unable to access from outside. I'm open to any test if you've other solutions!

Thanks in advance!

Hello

Just to confirm these external hosts are indeed external to your local network. What I mean is that they are not internal hosts trying to connect to an internal web server via its public NATted address, correct?

Also, can you access this internal web server internally via its internal IP address or hostname? Do you have a successful connection?



Kind Regards
Paul

Hi Paul,
yes to both your assumptions: the external hosts are completely outside my LAN, they're mobile devices with their own 4G connections. And yes, I can access the two servers through their private IPs / ports.

Hello
Can you remove the static UDP nat statements and then post the config of the router again please.

On an external client perform a DNS lookup and see if the FQDN resolves to your router's public IP address, and try accessing the web server via the public IP address instead

nslookup
>mywebserver.com

 

Do your internal clients access the internet via nat okay?



Kind Regards
Paul

Hi Paul,
the nslookup from the external client shows this (I masked FQDN and public IP address):

Server: n1-43-168-192.mas2.nsw.optusnet.com.au
Address: 192.168.43.1

Non-authoritative answer:
Nome: <FQDN>
Address: X.Y.W.Z

I can confirm I can't access the webservers neither from the FQDN nor the public ip address (ERR_CONNECTION_REFUSED in both cases) and also the hosts of my LAN have no problem accessing the Internet.

 

And this is my actual complete running-config, where I cut off the static nat part (according to your request) and the certificate part (just to keep it shorter):

Building configuration...


Current configuration : 7876 bytes
!
! Last configuration change at 21:32:27 UTC Sat Feb 8 2020
!
version 16.10
service timestamps debug datetime msec
service timestamps log datetime msec
service call-home
platform qfp utilization monitor load 80
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method http
no destination transport-method email
!
ip name-server 192.168.178.1
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 8.8.8.8
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
!
crypto pki trustpoint TP-self-signed-1842956524
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1842956524
revocation-check none
rsakeypair TP-self-signed-1842956524
!
!
crypto pki certificate chain SLA-TrustPoint
<----omitted---->
!
license udi pid C1113-8P sn FCZ2343C2X0
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
!
!
redundancy
mode none
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
no ip address
atm oversubscribe factor 2
no atm enable-ilmi-trap
!
interface Ethernet0/2/0
no ip address
no negotiation auto
!
interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly
!
interface Vlan1
ip address 192.168.178.1 255.255.255.0
ip nat inside
!
interface Dialer0
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname timadsl
ppp chap password 0 timadsl
ppp pap sent-username timadsl password 0 timadsl
ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip http secure-port 8080
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
<----------omitted------------->
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 100 deny ip host 192.168.178.109 any
access-list 100 deny ip host 192.168.178.200 any
access-list 100 permit ip 192.168.178.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
login
!
!
!
!
!
!
end

...just want to say I really appreciate your interest and help, btw!

Hello,

just looking at the last configuration you posted:


interface Ethernet0/2/0.835
encapsulation dot1Q 835
ip nat inside --> change this to 'ip nat outside'
pppoe enable group global
pppoe-client dial-pool-number 1
ip virtual-reassembly


Not sure what difference that makes. In any case, also leave the 'mtu 1492' on the dialer interface...

Hello

Looking at the current configuration, apart from that interface which is still showing an inside NAT domain, I assume you deleted the static UDP NAT statements; if so, then the only thing I can see now is that you are accepting the ISP DNS server for name resolution, however in your DHCP scope you don't have your own router as the DNS server for the DHCP client IP lease.

interface Dialer1
ppp ipcp dns request accept <-------- ISP dns details

ip dhcp pool CASA_POOL
network 192.168.178.0 255.255.255.0
default-router 192.168.178.1
dns-server 8.8.8.8  <------- This should be 192.168.178.1

ip dns server
no ip name-server 192.168.178.1



Kind Regards
Paul