C3925 cannot get port forwarding to work to RDP

Michael Durham
Level 4

I have Googled this quite a bit and from what I have read, my configuration should work. However, I am not able to connect to my server from the Internet.

 

I can RDP to my server across the internal network with no problem, the server is 2003 and has NO firewall.  I moved the port from 3389 to 5959.  I open RDP and enter 192.168.70.200:5959 and can login.

 

When I try from the Internet using my static IP 166.166.16.16:5959 I do not get connected.  I have an un-managed IP/connection from Verizon so they are not blocking any ports.

 

I have a static IP address with Verizon 4G (yes cellular), there is no firewall on the system.  Here are my configs:

 

chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"

!
interface GigabitEthernet0/0.70
description "Data Network"
encapsulation dot1Q 70 native
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!

interface Cellular0/3/0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript
dialer watch-group 1
async mode interactive
pulse-time 0
!

interface Dialer0
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 123456
dialer persistent
dialer-group 1
no cdp enable
!

ip nat inside source static tcp 192.168.70.200 5959 166.166.16.16 5959 extendable

ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 track 10

!

access-list 151 permit ip any any
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit

!

nls resp-timeout 1
cpd cr-id 1
route-map clear-df permit 10
set ip df 0
!

line 0/3/0
script dialer ltescript
modem InOut
no exec
transport input telnet
rxspeed 100000000
txspeed 50000000

!

 

Any ideas?  Any debug commands to run?

6 Replies

Jaderson Pessoa
VIP Alumni

@Michael Durham Hello,

Insert the command in bold below and test again.

 

interface Dialer0
ip address negotiated

ip nat outside
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 123456
dialer persistent
dialer-group 1
no cdp enable

Jaderson Pessoa
*** Rate All Helpful Responses ***

That did NOT fix the issue. I went to https://www.yougetsignal.com/tools/open-ports/ and entered my public IP address and port 80.  It came back as port 80 is OPEN.  Then I tested port 5959 and it comes back as CLOSED.

We do not have a firewall set up and Verizon is not blocking any ports so no idea what is closing the ports.  I also tested port 43, 21, and others, they tested CLOSED too.

Your NAT config is wrong.

ip nat inside source static tcp 192.168.70.200 5959 166.166.16.16 5959 extendable <<< your NAT
ip nat inside source static tcp 192.168.70.200 3389 166.166.16.16 5959 extendable <<< new as it
Jaderson Pessoa
*** Rate All Helpful Responses ***

That is not the solution. As I stated above, I can RDP to my server across the internal network with no problem, the server is 2003 and has NO firewall. I moved the port from 3389 to 5959. I open RDP and enter 192.168.70.200:5959 and can login.

Hello,

 

Is this the full configuration? It looks like either some stuff has been omitted in your output, or some stuff is redundant. Either way, I have marked some lines (in bold) to be removed/changed; try it and see if that makes a difference (it basically strips your config to the bare necessities):

 

chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
!
interface GigabitEthernet0/0.70
description "Data Network"
encapsulation dot1Q 70 native
ip address 192.168.70.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
--> ip route-cache
--> no ip tcp adjust-mss 1300
--> no ip policy route-map clear-df
!
interface Cellular0/3/0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript
--> no dialer watch-group 1
async mode interactive
pulse-time 0
!
--> no interface Dialer0
ip address negotiated
ip mtu 1452
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 123456
dialer persistent
dialer-group 1
no cdp enable
!
ip nat inside source static tcp 192.168.70.200 5959 166.166.16.16 5959 extendable
ip nat inside source list 1 interface Cellular0/3/0 overload
!
--> ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 
!
access-list 1 permit 192.168.70.0
!
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
nls resp-timeout 1
cpd cr-id 1
--> no route-map clear-df permit 10
set ip df 0
!

line 0/3/0
script dialer ltescript
modem InOut
no exec
transport input telnet
rxspeed 100000000
txspeed 50000000

Most of the commands that you are asking me to remove are needed.  We use Verizon cellular 4G as our internet source and those commands are necessary to get Verizon to work.
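
As an added example (not part of any post in this thread, and not Cisco tooling): a small Python check, run over the NAT-relevant lines of the configuration from the original post, that each static port forward has its inside host behind an `ip nat inside` interface and that the default-route interface is `ip nat outside`. The function name `audit_port_forwards` and the trimmed `CONFIG` string are assumptions made for this example.

```python
import ipaddress
import re

# NAT-relevant lines copied from the configuration in the original post.
CONFIG = """\
interface GigabitEthernet0/0.70
ip address 192.168.70.1 255.255.255.0
ip nat inside
!
interface Cellular0/3/0
ip address negotiated
ip nat outside
!
ip nat inside source static tcp 192.168.70.200 5959 166.166.16.16 5959 extendable
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 track 10
"""

def audit_port_forwards(config):
    """Return a list of NAT-role problems for each static port forward (hypothetical helper)."""
    ifaces, current, forwards, egress = {}, None, [], None
    for line in map(str.strip, config.splitlines()):
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], {"nat": None, "net": None})
        elif line == "!":
            current = None  # "!" ends the interface block
        elif current is not None and (m := re.fullmatch(r"ip nat (inside|outside)", line)):
            current["nat"] = m.group(1)
        elif current is not None and (m := re.fullmatch(r"ip address (\d\S+) (\d\S+)", line)):
            current["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := re.match(r"ip nat inside source static (?:tcp|udp) (\S+) (\d+) (\S+) (\d+)", line):
            forwards.append(m.groups())
        elif m := re.match(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            egress = m.group(1)
    findings = []
    # Return traffic leaves via the default route, so that interface must be "outside".
    if ifaces.get(egress, {}).get("nat") != "outside":
        findings.append(f"default-route interface {egress} is not 'ip nat outside'")
    for local_ip, local_port, global_ip, global_port in forwards:
        homes = [n for n, i in ifaces.items()
                 if i["net"] and ipaddress.ip_address(local_ip) in i["net"]]
        if not homes:
            findings.append(f"{local_ip}:{local_port} is not on any connected subnet")
        elif ifaces[homes[0]]["nat"] != "inside":
            findings.append(f"{homes[0]} (toward {local_ip}) is not 'ip nat inside'")
    return findings

if __name__ == "__main__":
    print(audit_port_forwards(CONFIG) or "NAT roles are consistent for every static forward")
```

An empty result means the NAT roles are consistent in the configuration text; it says nothing about what address Cellular0/3/0 actually negotiated, which `show ip interface brief` reports on the router.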
