Solved: Ultimately, this is what - Page 2

svenkasier · ‎11-15-2014

Hello Everyone,

I am trying to portforward on my Cisco 1941 Router.

The situation:

ISP Router: 192.168.0.1 (WAN IP: x.x.x.x)

- DMZ: 192.168.0.114

Cisco Router: int g0/1 : 20.30.40.1

int g0/0 : 192.168.0.114

I want an IP inside the 20.30.40.* range to listen on port 3389

My routers config is the following:

Building configuration...

Current configuration : 3341 bytes

!

version 15.2

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname S1941C

!

boot-start-marker

boot-end-marker

!

enable secret 4 *****

enable password 7 ****

!

no aaa new-model

!

ip cef

!

ip dhcp excluded-address 20.30.40.75 20.30.40.200

!

ip dhcp pool pool1

network 20.30.40.0 255.255.255.0

domain-name ChesterHOME.local

dns-server 8.8.8.8 1.2.3.4

default-router 20.30.40.1

lease 0 23

!

no ipv6 cef

multilink bundle-name authenticated

!

crypto pki trustpoint TP-self-signed-3125917043

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3125917043

revocation-check none

rsakeypair TP-self-signed-3125917043

!

crypto pki certificate chain TP-self-signed-3125917043

certificate self-signed 01

3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

69666963 6174652D 33313235 39313730 3433301E 170D3134 31303237 31363538

33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31323539

31373034 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

8100A49C A7F0DCF6 5A08F59B 2F7879B3 94775E42 3666A648 1ADE8252 DE34B1E5

C8F1FFD0 54DA870A 890280C1 DBE7C0B5 1D0D2D73 FFA15207 BC498DAB D74AE032

665C0161 36866E44 26BA9807 FC12A04E 1E2D4F35 840BC08F 6CA38F52 9B00EE8E

B66EB4E5 CEB90937 35D68A46 B238B751 7749FD11 AD250E7D ADF76D89 A3E4CB87

A1610203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

551D2304 18301680 14DC1BA0 D4986172 D3892A02 865CB2EC 686C2943 02301D06

03551D0E 04160414 DC1BA0D4 986172D3 892A0286 5CB2EC68 6C294302 300D0609

2A864886 F70D0101 05050003 81810077 8168C141 C1B743D9 7F3FE88A 4714738E

DC12700C 5D60D613 38A6D99C 72DCA45A CE7BD1A7 BA46A7C5 EE424BA7 CAB72E1F

EDE6FEF9 FA376AD7 54B9C003 DEEE327D 768F2735 A724CF90 CBB054BD 318270A0

892D231C E88A71EB 93F93889 F7A575B3 F6F7FD13 5A95EAEE 1B40F8DC CB7B6243

1B5B7B48 CB6EF5C9 6798BD28 31CD4E

quit

license udi pid CISCO1941/K9 sn *****

!

username Chester privilege 15 secret 4 ********

!

interface Embedded-Service-Engine0/0

no ip address

shutdown

!

interface GigabitEthernet0/0

ip address dhcp

ip nat outside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

ip address 20.30.40.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

duplex auto

speed auto

no mop enabled

!

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

!

ip nat inside source list 100 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 192.168.0.1

!

access-list 100 permit ip 20.30.40.0 0.0.0.255 any

!

control-plane

!

banner motd c ** c

!

line con 0

line aux 0

line 2

no activation-character

no exec

transport preferred none

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

privilege level 15

login local

transport input telnet ssh

!

scheduler allocate 20000 1000

!

end

Is anyone able to help me?

Thanks in advance

ghostinthenet · ‎11-16-2014

Just to be clear, you're testing your inbound port forwarding from a machine that's physically on the 192.168.0.0/24 network, correct?

svenkasier · ‎11-16-2014

No, I am trying to connect from an other network. Like the neighbors, work area, the office,

Thanks

ghostinthenet · ‎11-16-2014

Let's keep it simple for starters and try connecting directly from the 192.168.0.0/24 network. If that works, the configuration on the Cisco is good.

Given that you're using a 192.168.0.0/24 address on your WAN interface, I suspect that both your upstream router and your Cisco are doing NAT. If so, you will need to do port forwarding on the upstream router.

svenkasier · ‎11-16-2014

Hello,

Sorry for my bad knowledge..

I am now on a device 192.168.0.227 trying to connect to 20.30.40.53:3389
This does not work. I also can not ping 20.30.40.1 from here.

From my 20.30.40.53 machine I can ping 192.168.0.0 range.

ghostinthenet · ‎11-16-2014

From the 192.168.0.0/24 network, you want to try to connect via RDP to the WAN IPv4 address of the Cisco, which I think was 192.168.0.114, but you'll want to verify that.

Just as a side note, if you're doing port forwarding, you may want to set a static IPv4 address on the WAN interface rather than use DHCP.

svenkasier · ‎11-16-2014

My WAN interface now has the static ip of 192.168.0.114
from the 192.168.0.0/24 network I cannot open a RDP to the wan IPv4 Adress.

What I just want to do is.

Open an RDP session to 20.30.40.53 from an other location outside my country.

As I cannot ping 20.30.40.1/24 range from 192.168.0.0/24, is their an IP route command not given correct?

ghostinthenet · ‎11-16-2014

Alright. Let's go back to basics then.

You have a Cisco 1941 router with a 192.168.0.114/24 WAN address and a 20.30.40.1/24 LAN address.

You have an ISP router (most probably performing NAT) with a public WAN address and a 192.168.0.1 LAN address.

You want to be able to reach the 20.30.40.53 host from the Internet, but are having difficulties due to the complexity of having two NAT routers in the path.

The simple solution to what you're trying to accomplish, assuming no other requirements, is to change the LAN address of the ISP router to 20.30.40.1, do the port forwarding on that router and take the 1941 out of the picture.

For the record. You really should change 20.30.40.0/24 to 10.30.40.0/24. The 20.0.0.0/8 network really shouldn't be used internally.

svenkasier · ‎11-16-2014

Hello,

Thanks for ur work..

Sad enough here in Belgium we cannot change the ranges/ip of our ISP router.

Now I really want to port forward on my cisco 1941..

Do u have any tips/tutorials?

Thanks still...

ghostinthenet · ‎11-16-2014

Does your ISP router allow you to do port forwarding? Also, does it allow you to set static routes? Without that first one, port forwarding on your 1941 won't work because there won't be a way to get the traffic to your router in the first place.

svenkasier · ‎11-16-2014

Our ISP does support portforwarding, also DMZ can be given. For devices that need direct acces to the internet.

It also support static IP routes. Before the Cisco I had a C7 TP Link, everything I portforwarded there was not a problem and got picked up instantly.

Thanks in advance

ghostinthenet · ‎11-16-2014

Okay, let's set your ISP router's DMZ to the Cisco's WAN address and continue from where we were.

svenkasier · ‎11-16-2014

DMZ IP address: 192.168.0.114/24

What now?

ghostinthenet · ‎11-16-2014

Ultimately, this is what needs to happen.

Internet traffic needs to flow to your ISP router, which will "DMZ" forward everything it doesn't have a NAT entry for to 192.168.0.114. It doesn't need any kind of routing for this because 192.168.0.0/24 is directly-connected.

Your Cisco 1921 needs to forward traffic from its WAN interface's 3389/tcp port to 20.30.40.53's 3389/tcp port. It also needs to have a static route to the Internet via 192.168.0.1, which it already has. No other routing needs to be configured because everything else is directly-connected.

Relevant configuration is as follows:

interface GigabitEthernet0/0
 ip address 192.168.0.114 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 20.30.40.1 255.255.255.0
 ip nat inside
!
access-list 100 permit ip 20.30.40.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 20.30.40.53 3389 interface GigabitEthernet0/0 3389
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

The inside machine should use address 20.30.40.53, subnet mask 255.255.255.0 and gateway 20.30.40.1.

It looks like I typoed the 3389/tcp forwarding command earlier in the conversation and had things running off of the wrong interface. It's corrected in the commands above.

That should make everything work.

svenkasier · ‎11-16-2014

Hello Sir,

When I try to enter this command:

ip nat inside source list 100 interface GigabitEthernet0/0 overload

it says: %Dynamic mapping in use, cannot change

What to do now?

ghostinthenet · ‎11-16-2014

This only means that the command is already in the configuration. As long as all of the commands above are present in the configuration when you're done, everything should be fine.

Cisco 1941 Router - Portforwarding