08-11-2022 03:27 PM
Hi guys,
this is a strange issue and even the ISP can't fix it because they don't know what to fix and blame it on my router.
Router 1941, working with no issues except one, but I don't think this is a router issue.
My WAN IP is 103.35.xx.xx and I can directly access the router on the remote site via Telnet and can also access the wireless access point behind the router on port 8443 and the CCTV on port 8585. The remote site's WAN IP is 14.200.xx.xx.
I have set the server behind the router to accept SSH connections on ports 6999, 22, 6185.
Port 6999 is the default and the others I have added for testing purposes.
Now the issue: I can access the server over SSH from any WAN IP except mine, 103.35.xx.xx.
When I connect via VPN or from any other server that I maintain on the remote site, I have no issue connecting whatsoever.
Traceroute on port 6999 from my WAN IP ends at the ISP's gateway, whereas traceroute on port 23 ends at the router.
Can anyone explain what is going on?
The router is not blocking any WAN IPs.
Thank you
08-11-2022 03:51 PM
Hello
From your host, do you have any software firewall that could be negating this connection? Is your host reachable from the rtr?
08-11-2022 04:21 PM
How does the router know whether this traffic is for it or for the server?
You need PAT from any port to port 22 and the server IP;
this makes the router know: if the received port is 22 and it is to the WAN IP, then this is for the router;
if the received port (after PAT -> 22) and WAN IP, then it forwards to the server.
08-11-2022 04:56 PM
Thanks guys, but as I stated, everything works from any location on the internet except my home location.
Even from my home location I can access everything behind the router except the SSH to the server.
"you need PAT from any port to 22 port and Server IP," this is configured, otherwise it would not be accessible from other locations.
"From your host do you have any software firewall that could be negating this connection, is your host reachable from the rtr?" again, all works from other locations, except my home.
To be clear, everything even works from my home except that one thing: the SSH to the server.
08-11-2022 05:06 PM
I can give you one trick:
do SSH with 22 and check the IP NAT translations. Do you see the LOCAL SERVER IP AND PORT 22?
08-11-2022 05:10 PM
Yep, can see it:
tcp 14.200.xx.xx:22 10.0.7.130:22 103.35.xx.xx:38498 103.35.xx.xx:38498
Does this mean that the server is blocking me somehow? I can't see how.
cheers
08-11-2022 05:21 PM
The router does its job and NATs the traffic to the LOCAL SERVER IP, that's good.
Now, is there any ACL applied to the router?
08-11-2022 05:28 PM
Yes, there is ->
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.254 23 interface GigabitEthernet0/1 23
ip nat inside source static tcp 10.0.7.252 443 interface GigabitEthernet0/1 8443
ip nat inside source static tcp 10.0.7.200 80 interface GigabitEthernet0/1 88
ip nat inside source static tcp 10.0.7.222 8585 interface GigabitEthernet0/1 8585
ip nat inside source static tcp 10.0.7.130 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 10.0.0.2 8585 interface GigabitEthernet0/1 8500
ip nat inside source static tcp 10.0.7.130 6999 interface GigabitEthernet0/1 6999
ip nat inside source static tcp 10.0.7.130 7443 interface GigabitEthernet0/1 7443
ip nat inside source static tcp 10.0.0.23 80 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 10.0.7.130 80 interface GigabitEthernet0/1 80
ip nat inside source static udp 10.0.7.130 5066 interface GigabitEthernet0/1 5066
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.130 1935 interface GigabitEthernet0/1 1935
ip nat inside source static tcp 10.0.7.130 9123 interface GigabitEthernet0/1 9123
ip nat inside source static tcp 10.0.7.130 6185 interface GigabitEthernet0/1 6185
ip nat inside source static tcp 10.0.7.130 8022 interface GigabitEthernet0/1 8022
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 22
ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT
ip route 0.0.0.0 0.0.0.0 14.200.xx.xx
ip route 192.168.2.0 255.255.255.0 10.0.2.45
!
ip access-list extended OUTSIDE
permit tcp any any established
permit udp any host 10.0.7.130 range 16384 32768
permit udp any host 10.0.7.130 range 5060 5090
permit udp any any eq domain
permit tcp any eq www any
permit udp any eq domain any
permit ip any any log-input
ip access-list extended UDP_RTP
permit udp host 10.0.7.130 any range 16384 32768
permit udp host 10.0.7.130 any range 5060 5090
!
access-list 1 permit 130.102.128.23
access-list 1 permit 10.0.0.0 0.0.7.255
access-list 1 permit any
!
route-map BBB_NAT permit 10
match ip address UDP_RTP
08-11-2022 06:01 PM - edited 08-11-2022 06:25 PM
show tcp brief all
Do you see the router has a TCP ESTAB?
Check this point.
08-11-2022 06:22 PM
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
08-11-2022 06:25 PM
Try this:
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 222 <<- access the server using 222 and this will NAT to 22 and pass to the server.
08-11-2022 06:23 PM
Please keep in mind that all this works from a different WAN IP address!
08-11-2022 06:34 PM - edited 08-11-2022 06:34 PM
ip nat inside source static tcp 10.0.7.252 443 interface GigabitEthernet0/1 8443 <<- why do you use 8443, not direct 443? Because there are two or more services sharing the same port 443.
Same case for 22:
Server(22)-Router(WAN 222)-Internet-Client
The client will access using 222 and the WAN interface of the router.
The router will NAT 222 to port 22 and from WAN to the server IP.
My concern here is the port may be used by another service.
08-11-2022 07:30 PM
I think it's very obvious that I'm using different services for the same port, so that's why the 8443 to 443.
"my concern here the port may be use by other service."
As I said many times before, all is working OK from different WAN IPs, so the translations have nothing to do with it.
08-12-2022 12:01 AM
Hello
@xpace wrote:
I think it's very obvious that I'm using different services for same port, so that's why the 8443 to 443
I have set server behind router to accept SSH connections on port 6999, 22, 6185
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.130 6999 interface GigabitEthernet0/1 6999
ip nat inside source static tcp 10.0.7.130 7443 interface GigabitEthernet0/1 7443
ip nat inside source static tcp 10.0.7.130 80 interface GigabitEthernet0/1 80
ip nat inside source static udp 10.0.7.130 5066 interface GigabitEthernet0/1 5066
ip nat inside source static tcp 10.0.7.130 1935 interface GigabitEthernet0/1 1935
ip nat inside source static tcp 10.0.7.130 9123 interface GigabitEthernet0/1 9123
ip nat inside source static tcp 10.0.7.130 6185 interface GigabitEthernet0/1 6185
ip nat inside source static tcp 10.0.7.130 8022 interface GigabitEthernet0/1 8022
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 22
ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT
ip access-list extended OUTSIDE
permit tcp any any established
permit udp any host 10.0.7.130 range 16384 32768
permit udp any host 10.0.7.130 range 5060 5090
permit udp any any eq domain
permit tcp any eq www any
permit udp any eq domain any
permit ip any any log-input
ip access-list extended UDP_RTP
permit udp host 10.0.7.130 any range 16384 32768
permit udp host 10.0.7.130 any range 5060 5090
Your NAT is very convoluted for what you are trying to achieve: you have not only two dynamic PAT statements pertaining to that host that overlap, but also an ACL with an any any ACE entry that is allowing everything and has logging enabled, which NAT doesn't like!
You say this is working, but it isn't if you cannot obtain a connection from a certain host, and I believe it's down to the way you have your NAT set up.
You should exclude any static PAT statements from the dynamic NAT listing and also remove the logging from the ACL.
Lastly, try removing one of these two statements; they can always be reapplied if you encounter further failure:
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT
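One way to check a posted IOS config for the two problems raised in the last reply (more than one dynamic overload statement on the same interface, and a NAT ACL with a logging catch-all that also covers hosts already handled by static PAT), as an added example that is not part of the thread: a small Python checker run over a constructed excerpt of the config above. The names `audit_nat` and `is_catch_all` are my own.

```python
import re
# Constructed excerpt modelled on the config posted in this thread (addresses masked as in the post).
SAMPLE_CONFIG = """\
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 22
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip access-list extended OUTSIDE
 permit tcp any any established
 permit ip any any log-input
access-list 1 permit 10.0.0.0 0.0.7.255
access-list 1 permit any
"""

DYN_RE = re.compile(r"^ip nat inside source list (\S+) interface (\S+) overload")
STATIC_RE = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) \d+ interface (\S+) \d+")
EXT_ACL_RE = re.compile(r"^ip access-list extended (\S+)")
STD_ACL_RE = re.compile(r"^access-list (\S+) permit (.+)")

def is_catch_all(ace):  # 'permit ip any any' (extended) or 'any' (standard), log keywords ignored
    return [t for t in ace.split() if t not in ("log", "log-input")] in (["permit", "ip", "any", "any"], ["any"])

def audit_nat(config):
    """Parse IOS NAT and ACL lines; return findings about overlap and logging as a list of strings."""
    dyn_lists, static_hosts, acl_aces = {}, {}, {}  # iface->ACL names, iface->inside hosts, ACL->ACEs
    current = None  # name of the extended ACL whose ACEs are being read
    for raw in config.splitlines():
        line = raw.strip()
        if current and line.startswith(("permit", "deny")):
            acl_aces.setdefault(current, []).append(line)
            continue
        current = None
        if m := DYN_RE.match(line):
            dyn_lists.setdefault(m[2], []).append(m[1])
        elif m := STATIC_RE.match(line):
            static_hosts.setdefault(m[2], set()).add(m[1])
        elif m := EXT_ACL_RE.match(line):
            current = m[1]
        elif m := STD_ACL_RE.match(line):
            acl_aces.setdefault(m[1], []).append(m[2])
    findings = []
    for iface, names in dyn_lists.items():
        if len(names) > 1:
            findings.append(f"{iface}: {len(names)} dynamic overload statements ({', '.join(names)})")
        for name in names:
            aces = acl_aces.get(name, [])
            if any(a.split()[-1] in ("log", "log-input") for a in aces):
                findings.append(f"ACL {name} used for NAT has logging ACEs")
            if any(is_catch_all(a) for a in aces) and static_hosts.get(iface):
                findings.append(f"ACL {name} catch-all also matches static PAT hosts {sorted(static_hosts[iface])}")
    return findings
```

Running `audit_nat(SAMPLE_CONFIG)` reports the doubled overload statements on GigabitEthernet0/1, the `log-input` ACE in OUTSIDE, and that both list 1 and OUTSIDE also match 10.0.7.130, which already has static PAT entries.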