Cisco 880 port forwarding works but not quite

adamo (Level 1)

Port forwarding works but not quite


I have a Cisco 880 router and this problem:

I want to forward TCP packets from outside to inside to a specific port.

In my configuration it works, but it's strange that it works for the first entry (5959 to 5900 TCP port) and not anymore for the second entry (either TCP 80 to 80, or 8080 to 80, or whatever to 80).

In my despair I entered permit tcp for everyone, but it also does not help for this. But why does the redirection work perfectly for 5959?

I wonder why.


Below is my config:

Current configuration : 4435 bytes
!
! No configuration change since last restart
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone year
service timestamps log datetime msec localtime show-timezone year
service password-encryption
service sequence-numbers
!
hostname cisco880
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 10
logging buffered 5192
!
no aaa new-model
memory-size iomem 10
clock timezone PCTIME 0 0
clock summer-time SUMMER recurring 4 Sun Mar 2:00 4 Sun Oct 3:00
!
crypto pki trustpoint TP-self-signed-1434272116
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1434272116
 revocation-check none
 rsakeypair TP-self-signed-1434272116
!
!
crypto pki certificate chain TP-self-signed-1434272116
 certificate self-signed 01
        quit
no ip source-route
no ip gratuitous-arps
!
!
!
!


!
ip dhcp excluded-address 192.168.20.1 192.168.20.100
!
ip dhcp pool LANPOOL
 import all
 network 192.168.20.0 255.255.255.0
 default-router 192.168.20.1
 dns-server 8.8.8.8 8.8.4.4 1.1.1.1
 domain-name RAYOFSUN
 lease 7
!
!
!
no ip bootp server
no ip domain lookup
ip domain name rayofsun.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1808C4F9
!
!
username root privilege 15 secret 4 gWre1P5/PsdfyiPSU.StEKn.ZvAsfdEmyV18NvrX6
!
!
!
!
!
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface FastEthernet0
 description LAN
 no ip address
!
interface FastEthernet1
 description LAN
 no ip address
!
interface FastEthernet2
 description LAN
 no ip address
!
interface FastEthernet3
 description LAN
 no ip address
!
interface FastEthernet4
 ip address 88.144.222.238 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.20.10 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.20.101 5900 interface FastEthernet4 5959
ip route 0.0.0.0 0.0.0.0 FastEthernet4 88.144.222.237
!
access-list 100 permit tcp any any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any

no cdp run
!
!
control-plane
!
!
!
end

sh ip nat trans | i 80

shows:

tcp 88.144.222.238:80     192.168.20.10:80      87.105.190.136:16056  87.105.190.136:16056
tcp 88.144.222.238:80     192.168.20.10:80      87.105.190.136:16058  87.105.190.136:16058
tcp 88.144.222.238:80     192.168.20.10:80      ---                   ---

So there is an entry for the NAT translation, but if I try to connect from outside I get a timeout.

 

Host 192.168.20.10:80 is accessible without any problem from the local network.

On Windows 10 inside the local network I have:

  TCP    192.168.20.101:53785   192.168.20.10:80       ESTABLISHED     1376
  TCP    192.168.20.101:53786   192.168.20.10:80       ESTABLISHED     1376
  TCP    192.168.20.101:53787   192.168.20.10:80       ESTABLISHED     1376

Where am I making a mistake?

 

Kind regards,

adamo

9 Replies

Hello,

 

delete both static NAT entries and replace them with the statements below:

 

ip nat inside source static tcp 192.168.20.10 80 88.144.222.238 80 extendable
ip nat inside source static tcp 192.168.20.101 5900 88.144.222.238 5959 extendable

OK, I did as you mentioned.

First of all I deleted both old "ip nat inside source static" entries with the specified interface.

Next, following your hints, I configured NAT with the outside local IP address and the "extendable" statement,

and now I have:

interface FastEthernet4
 ip address 88.144.222.238 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 duplex auto
 speed auto
!
interface Vlan1
 description $ETH_LAN$
 ip address 192.168.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
..
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.20.101 5900 88.144.222.238 5959 extendable
ip nat inside source static tcp 192.168.20.10 80 88.144.222.238 8080 extendable
ip route 0.0.0.0 0.0.0.0 FastEthernet4 88.144.222.237
!
access-list 100 permit tcp any any
access-list 101 permit ip 192.168.20.0 0.0.0.255 any
no cdp run
!
..

 

try to connect on port 5959 - works
try to connect on port 8080 - it doesn't

reload

try to connect on port 5959 - works
try to connect on port 8080 - it doesn't

 

 

What?

While I'm getting a timeout on port 8080 trying to reach the webpage, ip nat trans shows:

cisco880#sh ip nat trans
Pro Inside global         Inside local          Outside local         Outside global
tcp 88.144.222.238:8080   192.168.20.10:80      88.145.190.136:50434  88.145.192.136:50434
tcp 88.144.222.238:8080   192.168.20.10:80      88.145.190.136:50435  88.145.192.136:50435
tcp 88.144.222.238:8080   192.168.20.10:80      88.145.190.136:50438  88.145.192.136:50438
tcp 88.144.222.238:8080   192.168.20.10:80      88.145.190.136:50439  88.145.192.136:50439
tcp 88.144.222.238:8080   192.168.20.10:80      ---                   ---
tcp 88.144.222.238:5959   192.168.20.101:5900   88.145.190.136:50080  88.145.192.136:50080
tcp 88.144.222.238:5959   192.168.20.101:5900   ---                   ---

I know nothing
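One thing the translation table above already tells you: the :8080 rows with a real outside peer are dynamic child entries of the static mapping, so inbound SYNs are reaching the router and being translated; a timeout after that points at what happens to the server's reply (its return path through 192.168.20.1, a host firewall) rather than at the NAT statement itself. As an added example that is not from the thread, the script below parses `show ip nat translations` output and summarises live flows per static mapping; the sample rows are constructed in the same layout, with a documentation address standing in for the remote client.

```python
import re

# Constructed sample in the `show ip nat translations` layout seen in this thread;
# inside addresses match the router above, the outside peer 203.0.113.7 is a
# documentation address standing in for a remote client.
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 88.144.222.238:8080   192.168.20.10:80      203.0.113.7:50434     203.0.113.7:50434
tcp 88.144.222.238:8080   192.168.20.10:80      203.0.113.7:50435     203.0.113.7:50435
tcp 88.144.222.238:8080   192.168.20.10:80      ---                   ---
tcp 88.144.222.238:5959   192.168.20.101:5900   203.0.113.7:50080     203.0.113.7:50080
tcp 88.144.222.238:5959   192.168.20.101:5900   ---                   ---
"""

# Exactly five whitespace-separated fields: proto, inside global, inside local,
# outside local, outside global. The header has more fields and does not match.
ROW = re.compile(r"^(\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_translations(text):
    """Return one dict per translation row; '---' in both outside columns marks
    the static mapping itself rather than a live flow."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m or m.group(1) == "Pro":  # skip header and unparseable lines
            continue
        proto, ig, il, ol, og = m.groups()
        rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                     "outside_local": ol, "outside_global": og,
                     "is_static": ol == "---" and og == "---"})
    return rows


def summarise(rows):
    """Per (proto, inside global socket): is a static entry present, how many
    live flows exist, and which remote peers created them."""
    out = {}
    for r in rows:
        key = (r["proto"], r["inside_global"])
        s = out.setdefault(key, {"inside_local": r["inside_local"], "static": False,
                                 "flows": 0, "peers": set()})
        if r["is_static"]:
            s["static"] = True
        else:
            s["flows"] += 1
            s["peers"].add(r["outside_global"].rsplit(":", 1)[0])
    return out


if __name__ == "__main__":
    for key, s in summarise(parse_translations(SAMPLE)).items():
        state = "inbound SYNs are being translated" if s["flows"] else "no inbound flows seen"
        print(f"{key[0]} {key[1]} -> {s['inside_local']}: static={s['static']} "
              f"flows={s['flows']} peers={sorted(s['peers'])}; {state}")
```

A mapping that shows a static row but zero flows after a connection attempt would mean the packets never reached NAT (blocked upstream or by an inbound ACL); flows with no reply still point at the inside host.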

 

Hello,

 

try and change the MTU size on FastEthernet4:

 

interface FastEthernet4
ip address 88.144.222.238 255.255.255.248

ip mtu 1492
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside

ip tcp adjust-mss 1452
ip virtual-reassembly in
ip verify unicast source reachable-via rx allow-default 100
duplex auto
speed auto

Still the same behavior, although after adding mtu and tcp adjust-mss the config file looks like:

interface FastEthernet4
 ip address 88.144.222.238 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast source reachable-via rx allow-default 100
 ip tcp adjust-mss 1452
 duplex auto
 speed auto

 

but I still have:

cisco880#sh int fa4
FastEthernet4 is up, line protocol is up
  Hardware is PQII_PRO_UEC, address is 3c08.f67f.0cb4 (bia 3c08.f67f.0cb4)
  Internet address is 88.144.222.238/29
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:00, output 00:00:00, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 5000 bits/sec, 9 packets/sec
  5 minute output rate 39000 bits/sec, 10 packets/sec
     1635 packets input, 122358 bytes
     Received 49 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected

 

Is that a too-big transmission unit issue, or

is something wrong with my ACL lists?

I'm not certain about this command which I added:

ip verify unicast source reachable-via rx allow-default 100

I wrote this as a "good practice". I theoretically understand it, but..

 

 

Hello,

 

can you access 192.168.20.10 on port 80 locally, that is, from another machine in the 192.168.20.0 subnet ?

Hello,

Change uRPF to loose mode and test again:

 

Int fa0/4

no ip verify unicast source reachable-via rx allow-default 100
ip verify unicast source reachable-via any allow-default 

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I'm sorry to write that, but

ip verify unicast source reachable-via any allow-default

"any" - anyway it does not change anything.

Still the redirect to http 80 times out.
I added a couple of different redirect entries for ip nat inside source static tcp
and for the outside local port:
to 5900 from 5959 extendable, VNC protocol works
to 5900 from 5960 extendable, VNC protocol works
to 5900 from 5961 extendable, VNC protocol works
to 5900 from 8080 extendable, VNC protocol works
to 80 from 8080 extendable, HTTP protocol timeout
to 5900 from 8081 extendable, VNC protocol works

From the local side, of course, an HTTP server over port 80 works like a charm.

So, please forgive me, but where or what should I be looking for?

Is HTTP content treated specially by the router?

Hello,

 

does it work when you reverse the ports:

 

ip nat inside source static tcp 192.168.20.10 8080 88.144.222.238 80 extendable

 

?

Hello


@adamo wrote:

still the redirect to http 80 times out
to 80 from 8080 extendable, http protocol timeout

from the local side of course an http server over port 80 works like a charm

so, please forgive me, but where or what should I be looking for?


So why, if internally you can connect via tcp 80, are you trying to PAT from source 8080 to 80? Have you tried using the same src/dst tcp 80?

Also I suggest, whilst troubleshooting, temporarily removing your uRPF.

 



Kind Regards
Paul