Cisco 1941 Router - Portforwarding

svenkasier
Level 1
Hello Everyone,

I am trying to port forward on my Cisco 1941 Router.

The situation:

ISP Router: 192.168.0.1 (WAN IP: x.x.x.x)
 - DMZ: 192.168.0.114
Cisco Router: int g0/1 : 20.30.40.1
     int g0/0 : 192.168.0.114

I want an IP inside the 20.30.40.* range to listen on port 3389

My router's config is the following:

Building configuration...
 
Current configuration : 3341 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname S1941C
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 *****
enable password 7 ****
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 20.30.40.75 20.30.40.200
!
ip dhcp pool pool1
 network 20.30.40.0 255.255.255.0
 domain-name ChesterHOME.local
 dns-server 8.8.8.8 1.2.3.4
 default-router 20.30.40.1
 lease 0 23
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3125917043
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3125917043
 revocation-check none
 rsakeypair TP-self-signed-3125917043
!
!
crypto pki certificate chain TP-self-signed-3125917043
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313235 39313730 3433301E 170D3134 31303237 31363538
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31323539
  31373034 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A49C A7F0DCF6 5A08F59B 2F7879B3 94775E42 3666A648 1ADE8252 DE34B1E5
  C8F1FFD0 54DA870A 890280C1 DBE7C0B5 1D0D2D73 FFA15207 BC498DAB D74AE032
  665C0161 36866E44 26BA9807 FC12A04E 1E2D4F35 840BC08F 6CA38F52 9B00EE8E
  B66EB4E5 CEB90937 35D68A46 B238B751 7749FD11 AD250E7D ADF76D89 A3E4CB87
  A1610203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14DC1BA0 D4986172 D3892A02 865CB2EC 686C2943 02301D06
  03551D0E 04160414 DC1BA0D4 986172D3 892A0286 5CB2EC68 6C294302 300D0609
  2A864886 F70D0101 05050003 81810077 8168C141 C1B743D9 7F3FE88A 4714738E
  DC12700C 5D60D613 38A6D99C 72DCA45A CE7BD1A7 BA46A7C5 EE424BA7 CAB72E1F
  EDE6FEF9 FA376AD7 54B9C003 DEEE327D 768F2735 A724CF90 CBB054BD 318270A0
  892D231C E88A71EB 93F93889 F7A575B3 F6F7FD13 5A95EAEE 1B40F8DC CB7B6243
  1B5B7B48 CB6EF5C9 6798BD28 31CD4E
        quit
license udi pid CISCO1941/K9 sn *****
!
!
username Chester privilege 15 secret 4 ********
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 ip address 20.30.40.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
access-list 100 permit ip 20.30.40.0 0.0.0.255 any
!
!
!
control-plane
!
!
banner motd c ** c 
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Is anyone able to help me?

Thanks in advance
Accepted Solutions

Ultimately, this is what needs to happen.

Internet traffic needs to flow to your ISP router, which will "DMZ" forward everything it doesn't have a NAT entry for to 192.168.0.114. It doesn't need any kind of routing for this because 192.168.0.0/24 is directly-connected.

Your Cisco 1921 needs to forward traffic from its WAN interface's 3389/tcp port to 20.30.40.53's 3389/tcp port. It also needs to have a static route to the Internet via 192.168.0.1, which it already has. No other routing needs to be configured because everything else is directly-connected.

Relevant configuration is as follows:

interface GigabitEthernet0/0
 ip address 192.168.0.114 255.255.255.0
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 20.30.40.1 255.255.255.0
 ip nat inside
!
access-list 100 permit ip 20.30.40.0 0.0.0.255 any
!
ip nat inside source list 100 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 20.30.40.53 3389 interface GigabitEthernet0/0 3389
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1

The inside machine should use address 20.30.40.53, subnet mask 255.255.255.0 and gateway 20.30.40.1.

It looks like I typoed the 3389/tcp forwarding command earlier in the conversation and had things running off of the wrong interface. It's corrected in the commands above.

That should make everything work.

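An added example, not part of the thread or of the accepted answer: the accepted configuration, plus the restriction and the checks a practitioner would want before relying on it. Because the ISP router's DMZ rule hands every unsolicited port to the 1941's GigabitEthernet0/0, the original config exposes not only the RDP forward but the router's own HTTP server and the telnet/SSH vty lines to the Internet, so the example limits inbound 3389 to one trusted source and fences the management services to the LAN. Assumptions (not from the page): 203.0.113.10 stands in for the remote site's public address, and the RDP host is 20.30.40.53 as in the accepted answer. Inbound ACLs on a NAT outside interface are evaluated before the destination is translated, so the RDP entry matches the outside (g0/0) address, written as `any` because g0/0 takes its address by DHCP.

```cisco
! Added example (not the thread's own config). Assumed values:
!   203.0.113.10  = public address of the trusted remote site (documentation range, stand-in)
!   20.30.40.53   = RDP host on the LAN, as in the accepted answer
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip access-group OUTSIDE-IN in
!
interface GigabitEthernet0/1
 ip address 20.30.40.1 255.255.255.0
 ip nat inside
!
! Outbound PAT for the LAN, unchanged from the original config
access-list 100 permit ip 20.30.40.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
!
! Static port forward: g0/0's DHCP address tcp/3389 -> 20.30.40.53 tcp/3389
ip nat inside source static tcp 20.30.40.53 3389 interface GigabitEthernet0/0 3389
!
! Inbound ACL on the outside interface. It is checked before NAT rewrites the
! destination, so it sees the g0/0 address ("any", since that address is DHCP-assigned).
! Only the trusted site may reach 3389; other attempts are dropped and logged.
! The final "permit ip any any" keeps return traffic of outbound PAT sessions flowing
! (there is no stateful inspection in this config).
ip access-list extended OUTSIDE-IN
 remark RDP only from the trusted remote site
 permit tcp host 203.0.113.10 any eq 3389
 deny   tcp any any eq 3389 log
 permit ip any any
!
! Management plane: the DMZ rule also forwards 22/23/80/443 to this router,
! so restrict the vty lines and the HTTP server to the LAN and drop telnet.
access-list 10 permit 20.30.40.0 0.0.0.255
ip access-list standard MGMT-HOSTS
 permit 20.30.40.0 0.0.0.255
!
ip http access-class 10
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
!
ip route 0.0.0.0 0.0.0.0 192.168.0.1
!
! Verification, from exec mode after applying the above:
!   show ip nat translations
!     expect a static entry like:  tcp 192.168.0.114:3389  20.30.40.53:3389  ---  ---
!   show access-lists OUTSIDE-IN
!     hit counts on the permit/deny 3389 lines after a connection attempt
!   telnet 20.30.40.53 3389 /source-interface GigabitEthernet0/1
!     "Open" confirms the host answers on 3389 with the LAN gateway as source
```

From a host on 192.168.0.0/24, `telnet 192.168.0.114 3389` then exercises the forward itself without involving the ISP router; if that works but the public address does not, the remaining problem is the ISP's DMZ rule. Two caveats: a Zone-Based Firewall would replace the trailing `permit ip any any` with stateful inspection, and 20.30.40.0/24 is not RFC 1918 space, so any real hosts in that range become unreachable from this LAN.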

That will do it.

I'm glad I could be of help. If you could rate any more helpful comments and mark one or more as correct, I would appreciate it.


Replies

ghostinthenet
Level 7

You should be able to do this with the following command:

ip nat inside source static tcp 20.30.40.x 3389 interface GigabitEthernet0/1 3389

Once this is in place, connections to GigabitEthernet0/1's dynamic IPv4 address on 3389/tcp will forward to 20.30.40.x on 3389/tcp.

Does not work.

So to be clear, what I am trying to do is connect to the 20.30.40.* range from an external connection, in another building on another network, with a standard RDP session.

Thanks in advance

What result do you get when you attempt to connect to the GigabitEthernet0/1 address on 3389/tcp from a machine on the 192.168.0.0/24 network?

Also, can you telnet to 20.30.40.x on 3389/tcp from the router using GigabitEthernet0/1 as the source?

Hello,

I don't know how I can test the connectivity on that exact port :/ 

What I can do is access the router from the 192.168.0.0 range (HTTP only).

Thanks in advance.

From a machine on 192.168.0.0/24:

telnet 192.168.0.a 3389

From the router:

telnet 20.30.40.a 3389 /source GigabitEthernet0/1

Thanks, output:

From the router: Connection timed out. Remote host not responding.

From a machine: does not work either.

So I don't really see the problem.. :/

Looks like it might be a gateway issue on the host or a firewall problem.

Do these work from the router?

telnet 20.30.40.a 3389
ping 20.30.40.a

telnet 20.30.40.a 3389 - ... open
ping 20.30.40.a - works from the 20.30.40.1 router

Still I can't connect via RDP to the machine.

From an external server, of course.

So I think, when I RDP to my ISP's IP (**.*.***.**:3389), it does not route correctly?
This definitely sounds like a gateway problem. Can you check the machine you're forwarding to and make sure it has a correct default gateway and subnet mask? The fact that you can ping from the LAN interface of the router, but not from its WAN interface is telling.

My gateway is 192.168.0.114, right?

When I test via open port, port 3389 is not open..

Thanks in advance!


No. The gateway has to be on the same subnet, so it should be 20.30.40.1.

Tried that, not working...

It's strange, the port isn't open on my WAN IP.

The port is forwarded, but if there's nothing answering at the other end, it won't be open. So the target machine has 20.30.40.x as an IPv4 address, 255.255.255.0 as the subnet mask and 20.30.40.1 as the gateway? Can it successfully connect outbound to the Internet?

Yes as you can see in screenshot attached.

Everything works fine on the host.
