05-23-2019 12:08 AM - edited 05-23-2019 12:18 AM
Ok so I'm not new to networking but very new to Cisco. I have a 2811 that I'm trying to forward some ports on. 80 and 443 are what I'm really interested in. I added a few more for troubleshooting purposes.
I have confirmed that port 80 is open on 192.168.2.1, my router is 192.168.2.3 (strange, I know, but I have hard-coded prototypes in my lab that need a server at 2.1).
My ISP is also not blocking my ports, as when I enable HTTP on the router it works fine.
I'm sure I'm missing something stupid. Any help would greatly be appreciated.
Thank you.
My config is as follows.
Router#show run
Building configuration...
Current configuration : 1708 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5
enable password
!
no aaa new-model
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.2.0 192.168.2.100
!
ip dhcp pool r2
network 192.168.2.0 255.255.255.0
default-router 192.168.2.3
dns-server 8.8.8.8 8.8.4.4
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.2.3 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.1 21 interface FastEthernet0/1 21
ip nat inside source static udp 192.168.2.1 53 interface FastEthernet0/1 53
ip nat inside source static tcp 192.168.2.1 53 interface FastEthernet0/1 53
ip nat inside source static tcp 192.168.2.1 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.2.1 80 interface FastEthernet0/1 80
ip nat inside source static tcp 192.168.2.1 995 104.205.140.100 995 extendable
!
access-list 1 permit 192.168.2.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
!
line con 0
password
login
line aux 0
line vty 0 4
password
login
!
scheduler allocate 20000 1000
!
end
05-23-2019 12:59 AM
Hello,
is this the full configuration ? I don't see a default route:
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 dhcp
Also, since your outside interface is getting its IP address via DHCP, you might want to use the 'extendable' keyword on all static entries:
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.1 21 interface FastEthernet0/1 21 extendable
ip nat inside source static udp 192.168.2.1 53 interface FastEthernet0/1 53 extendable
ip nat inside source static tcp 192.168.2.1 53 interface FastEthernet0/1 53 extendable
ip nat inside source static tcp 192.168.2.1 443 interface FastEthernet0/1 443 extendable
ip nat inside source static tcp 192.168.2.1 80 interface FastEthernet0/1 80 extendable
05-23-2019 06:24 AM - edited 05-23-2019 06:25 AM
is this the full configuration ? I don't see a default route? That's what I get from a sh run, and I removed the passwords.
I have updated the default route as directed but have to head to work this morning. I will update forwarding extendable when I have a chance tonight and keep you posted.
Thank you very much for your reply.
Troy
05-23-2019 07:14 PM
Here is what I get when I try to define extendable with my ip nat command.
Router(config)#$tcp 192.168.2.1 21 interface fastEthernet 0/1 21 ?
<cr>
Router(config)#$ce static tcp 192.168.2.1 21 interface fastEthernet 0/1 21 ?
<cr>
Router(config)#$tcp 192.168.2.1 21 interface fastEthernet 0/1 21 extendable
ip nat source static tcp 192.168.2.1 21 interface fastEthernet 0/1 21 extendable ^
% Invalid input detected at '^' marker.
Is this strange, or have I messed it up in some way?
05-23-2019 08:09 PM
So you may have gotten me up and running. But I have a server issue. It seems as if Virtualmin is rejecting the connection now for some reason. I'm sure it has to do with not accepting outside connections on my outside IP? This should be easy-ish to troubleshoot now.
But using the f 0/1 on port forward won't allow the extendable attribute. But specifying the outside IP seems to work now. Like this:
(Missing the first part of the command as PuTTY cuts it off.)
tcp 192.168.2.1 443 162.157.144.135 443 extendable
And yes, my IP changed, as my ISP takes forever to set my new MAC addresses to static via DHCP.
Pro  Inside global         Inside local      Outside local         Outside global
tcp  162.157.144.135:21    192.168.2.1:21    ---                   ---
tcp  162.157.144.135:80    192.168.2.1:80    ---                   ---
tcp  162.157.144.135:443   192.168.2.1:443   205.206.88.215:57221  205.206.88.215:57221
tcp  162.157.144.135:443   192.168.2.1:443   205.206.88.215:57222  205.206.88.215:57222
tcp  162.157.144.135:443   192.168.2.1:443   205.206.88.215:57242  205.206.88.215:57242
tcp  162.157.144.135:443   192.168.2.1:443   205.206.88.215:57575  205.206.88.215:57575
tcp  162.157.144.135:443   192.168.2.1:443   ---                   ---
05-23-2019 09:22 PM
So it was the extendable issue. I can't use it when specifying the interface; I have to use the IP. My server was also blocking the connection as it was from an outside network even though I specified the external IP.
So does extendable make it forward the port even if nothing is listening at that IP and port?
And without extendable it won't open the port unless something is listening?
Thanks for all your help
Troy
05-24-2019 12:23 AM
Hello,
just to recap: what is working now, and what is not ? The 'extendable' keyword indeed only works when you specify an IP address...:(
That said, do you really need all the static entries below:
ip nat inside source static tcp 192.168.2.1 21 interface FastEthernet0/1 21
ip nat inside source static udp 192.168.2.1 53 interface FastEthernet0/1 53
ip nat inside source static tcp 192.168.2.1 53 interface FastEthernet0/1 53
ip nat inside source static tcp 192.168.2.1 443 interface FastEthernet0/1 443
ip nat inside source static tcp 192.168.2.1 80 interface FastEthernet0/1 80
The static entries are typically used to access an internal device, but since you are using DHCP on the external interface, you wouldn't really be sure what IP address you have, since it could change. What if you remove all entries and just use the 'ip nat inside source list 1 interface FastEthernet0/1 overload' statement ? The router doesn't block anything by default...
05-24-2019 01:03 AM
05-24-2019 01:09 AM
Hello,
I guess if you can be sure that the DHCP assigned address doesn't change, you could replace the 'interface' with the actual IP address in the static NAT statements...
That said, I lost track of what is working now and what is not...?
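Editor's added example (not part of any poster's reply): a short Python audit that reads static NAT lines in the form posted in this thread and lists which inside services they expose, flagging the two problems the thread ran into. The sample config is constructed from lines quoted above; the function names are hypothetical.

```python
import re

# Constructed sample, built from static NAT lines quoted in this thread.
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.2.1 21 interface FastEthernet0/1 21
ip nat inside source static udp 192.168.2.1 53 interface FastEthernet0/1 53
ip nat inside source static tcp 192.168.2.1 443 interface FastEthernet0/1 443 extendable
ip nat inside source static tcp 192.168.2.1 995 104.205.140.100 995 extendable
"""

# Matches only the port-forward form: proto, inside ip/port, then either
# "interface <name>" or a literal global IP, the global port, optional keyword.
STATIC_NAT = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<local_ip>\d+\.\d+\.\d+\.\d+) (?P<local_port>\d+) "
    r"(?:interface (?P<iface>\S+)|(?P<global_ip>\d+\.\d+\.\d+\.\d+)) "
    r"(?P<global_port>\d+)(?P<ext> extendable)?\s*$"
)

def audit_static_nat(config_text):
    """Return one dict per static port forward, with review notes."""
    results = []
    for line in config_text.splitlines():
        m = STATIC_NAT.match(line.strip())
        if not m:
            continue  # overload rule and unrelated lines are skipped
        entry = m.groupdict()
        entry["extendable"] = bool(entry.pop("ext"))
        notes = []
        if entry["iface"] and entry["extendable"]:
            notes.append("'extendable' with 'interface' was rejected by IOS in this thread")
        if entry["global_ip"]:
            notes.append("hard-coded global IP: stale if the DHCP lease changes")
        entry["notes"] = notes
        results.append(entry)
    return results

def exposed_services(config_text):
    """Sorted (proto, outside port, inside host:port) reachable from outside."""
    return sorted({(e["proto"], int(e["global_port"]),
                    f'{e["local_ip"]}:{e["local_port"]}')
                   for e in audit_static_nat(config_text)})

if __name__ == "__main__":
    for e in audit_static_nat(SAMPLE_CONFIG):
        where = e["iface"] or e["global_ip"]
        print(f'{e["proto"]}/{e["global_port"]} on {where} -> '
              f'{e["local_ip"]}:{e["local_port"]} {e["notes"]}')
```

Running it against a saved `show run` gives a quick list of every inside port the router publishes, which is the list to compare against what the server is actually meant to serve.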