can't access server on specific port behind router from my WAN IP

xpace
Level 1

Hi guys,

This is a strange issue, and even the ISP can't fix it because they don't know what to fix and blame it on my router.

Router 1941, working with no issues except one, but I don't think this is a router issue.

My WAN IP is 103.35.xx.xx, and I can directly access the router on the remote site via Telnet and also the wireless access point behind the router on port 8443 and the CCTV on port 8585. The remote site's WAN IP is 14.200.xx.xx.

I have set the server behind the router to accept SSH connections on ports 6999, 22 and 6185.

Port 6999 is the default, and the others I have added for testing purposes.

Now the issue: I can access the server over SSH from any WAN IP except mine, 103.35.xx.xx.

When I connect via VPN or from any other server that I maintain that is on remote site, I have no issue connecting whatsoever.

A traceroute on port 6999 from my WAN IP ends at the ISP's gateway, whereas a traceroute on port 23 ends at the router.

Can anyone explain what is going on?

The router is not blocking any WAN IPs.

Thank you

17 Replies

Hello
On your host, do you have any software firewall that could be blocking this connection? Is your host reachable from the router?


Kind Regards
Paul

How does the router know whether this traffic is for it or for the server?
You need PAT from any port to port 22 and the server IP.
That way the router knows: if the received port is 22 and the destination is the WAN IP, the traffic is for the router;
if the received port (after PAT -> 22) and the WAN IP match, it forwards it to the server.

xpace
Level 1

Thanks guys, but as I stated, everything works from any location on the internet except my home location.

Even from my home location I can access everything behind the router except SSH to the server.

"You need PAT from any port to port 22 and the server IP." This is configured; otherwise it would not be accessible from other locations.

"On your host, do you have any software firewall that could be blocking this connection? Is your host reachable from the router?" Again, all works from other locations, except my home.

To be clear, everything works even from my home except that one thing: SSH to the server.


I can give you one trick:
SSH to port 22 and check the IP NAT translations. Do you see the local server IP and port 22?

Yep, I can see it:

tcp 14.200.xx.xx:22 10.0.7.130:22 103.35.xx.xx:38498 103.35.xx.xx:38498

Does this mean that the server is blocking me somehow? I can't see how.

cheers

The router does its job and NATs the traffic to the local server IP; that's good.
Now, is there any ACL applied to the router?

Yes, there is ->

ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.254 23 interface GigabitEthernet0/1 23
ip nat inside source static tcp 10.0.7.252 443 interface GigabitEthernet0/1 8443
ip nat inside source static tcp 10.0.7.200 80 interface GigabitEthernet0/1 88
ip nat inside source static tcp 10.0.7.222 8585 interface GigabitEthernet0/1 8585
ip nat inside source static tcp 10.0.7.130 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 10.0.0.2 8585 interface GigabitEthernet0/1 8500
ip nat inside source static tcp 10.0.7.130 6999 interface GigabitEthernet0/1 6999
ip nat inside source static tcp 10.0.7.130 7443 interface GigabitEthernet0/1 7443
ip nat inside source static tcp 10.0.0.23 80 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 10.0.7.130 80 interface GigabitEthernet0/1 80
ip nat inside source static udp 10.0.7.130 5066 interface GigabitEthernet0/1 5066
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.130 1935 interface GigabitEthernet0/1 1935
ip nat inside source static tcp 10.0.7.130 9123 interface GigabitEthernet0/1 9123
ip nat inside source static tcp 10.0.7.130 6185 interface GigabitEthernet0/1 6185
ip nat inside source static tcp 10.0.7.130 8022 interface GigabitEthernet0/1 8022
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 22
ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT
ip route 0.0.0.0 0.0.0.0 14.200.xx.xx
ip route 192.168.2.0 255.255.255.0 10.0.2.45
!
ip access-list extended OUTSIDE
permit tcp any any established
permit udp any host 10.0.7.130 range 16384 32768
permit udp any host 10.0.7.130 range 5060 5090
permit udp any any eq domain
permit tcp any eq www any
permit udp any eq domain any
permit ip any any log-input
ip access-list extended UDP_RTP
permit udp host 10.0.7.130 any range 16384 32768
permit udp host 10.0.7.130 any range 5060 5090
!
access-list 1 permit 130.102.128.23
access-list 1 permit 10.0.0.0 0.0.7.255
access-list 1 permit any
!
route-map BBB_NAT permit 10
match ip address UDP_RTP

show tcp brief all
Do you see the router with a TCP ESTAB session?
Check this point:

ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload

Try this:

ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 222 <<- access the server using 222; this will be NATed to 22 and passed to the server.

xpace
Level 1

Please keep in mind that all of this works from a different WAN IP address!

ip nat inside source static tcp 10.0.7.252 443 interface GigabitEthernet0/1 8443 <<- why do you use 8443 and not 443 directly? Because two or more services share the same port 443.

Same case for 22:

Server(22)-Router(WAN 222)-Internet-Client
The client will access using port 222 and the WAN interface of the router.
The router will NAT 222 to port 22 and from the WAN to the server IP.

My concern here is that the port may be in use by another service.


I think it's very obvious that I'm using different services for the same port, so that's why the 8443 to 443.

"My concern here is that the port may be in use by another service."

As I said many times before, all is working OK from a different WAN IP, so the translations have nothing to do with it.

Hello


@xpace wrote:

I think it's very obvious that I'm using different services for same port, so that's why the 8443 to 443

I have set server behind router to accept SSH connections on port 6999, 22, 6185

ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static tcp 10.0.7.130 6999 interface GigabitEthernet0/1 6999
ip nat inside source static tcp 10.0.7.130 7443 interface GigabitEthernet0/1 7443
ip nat inside source static tcp 10.0.7.130 80 interface GigabitEthernet0/1 80
ip nat inside source static udp 10.0.7.130 5066 interface GigabitEthernet0/1 5066
ip nat inside source static tcp 10.0.7.130 1935 interface GigabitEthernet0/1 1935
ip nat inside source static tcp 10.0.7.130 9123 interface GigabitEthernet0/1 9123
ip nat inside source static tcp 10.0.7.130 6185 interface GigabitEthernet0/1 6185
ip nat inside source static tcp 10.0.7.130 8022 interface GigabitEthernet0/1 8022
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 22
ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT

ip access-list extended OUTSIDE
permit tcp any any established
permit udp any host 10.0.7.130 range 16384 32768
permit udp any host 10.0.7.130 range 5060 5090
permit udp any any eq domain
permit tcp any eq www any
permit udp any eq domain any
permit ip any any log-input

ip access-list extended UDP_RTP
permit udp host 10.0.7.130 any range 16384 32768
permit udp host 10.0.7.130 any range 5060 5090


Your NAT is very convoluted for what you are trying to achieve. You have not only two dynamic PAT statements pertaining to that host that overlap, but also an ACL with an any any ACE that is allowing everything, with logging enabled, which NAT doesn't like!
You say this is working, but it isn't if you cannot obtain a connection from a certain host, and I believe it is down to the way you have your NAT set up.

You should exclude any static PAT statements from the dynamic NAT listing and also remove the logging from the ACL.

Lastly, try removing one of these two statements; they can always be reapplied if you encounter further failure:
ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
ip nat inside source static 10.0.7.130 14.200.xx.xx route-map BBB_NAT
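The following IOS configuration fragment is an added example, not part of the thread and not anything the original poster or the repliers posted. It illustrates the clean-up suggested in the reply above: a single dynamic PAT statement whose ACL classifies only inside source addresses, with the statically forwarded server ports excluded and no log-input keyword. The inside range 10.0.0.0/21 is taken from access-list 1 in the posted config; the ACL name NAT_INSIDE, the choice of which server ports to exclude, and the command ordering are assumptions for illustration.

```cisco
! Added example (not from the thread): replace the two overlapping dynamic
! PAT statements with one, driven by an ACL that matches inside sources only.
! NAT_INSIDE is an assumed name; 10.0.0.0/21 comes from access-list 1 in the post.
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source list OUTSIDE interface GigabitEthernet0/1 overload
!
! A NAT ACL is a classifier for inside-to-outside traffic, not a firewall:
! 'established', DNS and www matches do not belong here, and 'log-input'
! should not be used on an ACL referenced by NAT.
! Deny the ports that already have static PAT entries so the server's
! replies on those ports are never picked up by the dynamic translation.
ip access-list extended NAT_INSIDE
 deny   tcp host 10.0.7.130 eq 22 any
 deny   tcp host 10.0.7.130 eq 6999 any
 deny   tcp host 10.0.7.130 eq 6185 any
 deny   tcp host 10.0.7.130 eq 8022 any
 deny   tcp host 10.0.7.130 eq 443 any
 deny   tcp host 10.0.7.130 eq 80 any
 permit ip 10.0.0.0 0.0.7.255 any
!
ip nat inside source list NAT_INSIDE interface GigabitEthernet0/1 overload
!
! The static port forwards are unchanged, for example:
ip nat inside source static tcp 10.0.7.130 22 interface GigabitEthernet0/1 22
ip nat inside source static tcp 10.0.7.130 6999 interface GigabitEthernet0/1 6999
!
! Verification after a test SSH connection from outside: the static entries
! should be present and the server should not also appear in a dynamic entry
! for the same port.
show ip nat translations
show ip nat statistics
```

If the BBB_NAT route-map static entry is kept for the RTP/SIP traffic, leave it in place; the point of the ACL denies is that the statically translated TCP ports have exactly one translation each, so a reply can no longer match a dynamic overload entry on the same interface.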
