connections refused for webpage with address of ip:portal by ISR 4431

txu
Level 1

Hi,

 

I have a router (Cisco 4431) that manages a few servers within a client's network: the router gets an IP (172.24.62.135) within the client's network that I can access, and each of the servers gets a portal with NAT translation as shown below:

ip nat inside source static tcp 192.168.2.10 22 172.24.62.135 2210 extendable (Portal22 translation)

ip nat inside source static tcp 192.168.2.10 8080 172.24.62.135 9080 extendable (Portal8080 translation)

192.168.2.10 is one of the servers

 

Also with the Portal22 translation, I can ssh into 192.168.2.10 portal 22 like this

ssh -p 2210 username@172.24.62.135

 

Meanwhile, 192.168.2.10 hosts a webpage via the :8080 portal. If there was no router, the normal web address would look like

192.168.2.10:8080/admin

With the Portal8080 translation above, the web address changes to

172.24.62.135:9080/admin

This used to work a few months ago (something might have been changed since then, but I don't know what/when). Now, 172.24.62.135:9080/admin gets errors like

This site can't be reached, 172.24.62.135 refused to connect.

 

I wonder if you could please help on what went wrong and how to fix it. Most likely the problem is from the router, as another server, 192.168.2.25, is very similar to the 192.168.2.10 server, and both .25 and .10 cannot show the :9080/admin page.

 

THANK YOU FOR YOUR INPUT!

 

The current settings of the router are pasted below (with private info strings changed):

 

ROUTER#wr term

Building configuration...

Current configuration : 7287 bytes

!

! Last configuration change at 15:55:17 UTC Wed Aug 14 2019 by admin

!

version 15.5

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

no platform punt-keepalive disable-kernel-core

!

hostname XXXXXX-YYYY-ROUTER

!

boot-start-marker

boot-end-marker

!

!

vrf definition Mgmt-intf

!

address-family ipv4

exit-address-family

!

address-family ipv6

exit-address-family

!

logging buffered informational

no logging console

enable secret 5 $1$Tzun$Dxxxxxxxxxxxxxxx

!

no aaa new-model

!

!

!

ip name-server 129.176.100.5 129.176.171.5

 

ip domain name yyyyclinic.org

ip dhcp excluded-address 192.168.2.1 192.168.2.200

!

ip dhcp pool YYYY-CLINIC

network 192.168.2.0 255.255.255.0

default-router 192.168.2.1

dns-server 129.176.199.5 127.0.0.1

domain-name yyyyclinic.org

!

!

!

!

!

!

!

!         

!

!

subscriber templating

multilink bundle-name authenticated

!

!

!

!

license udi pid ISR4431/K9 sn FOC21482HQ1

!

spanning-tree extend system-id

!

username admin privilege 15 password 7 14xxxxxxxxxxxxxxxxxxx7B

username username privilege 15 password 7 14xxxxxxxxxxxxxxxxxxx7B

!

redundancy

mode none

!

!

vlan internal allocation policy ascending

!

!

!

!

!

!

interface GigabitEthernet0/0/0

description CONNECTION TO Cisco SG200 SW gig 0/0/0

ip address 172.24.62.135 255.255.254.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

negotiation auto

!

interface GigabitEthernet0/0/1

description LAN ISOLATED NETWORK

ip address 192.168.2.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

negotiation auto

!

interface GigabitEthernet0/0/2

no ip address

negotiation auto

!

interface GigabitEthernet0/0/3

no ip address

negotiation auto

!

interface GigabitEthernet0

vrf forwarding Mgmt-intf

no ip address

shutdown

negotiation auto

!

interface Vlan1

no ip address

shutdown

!

ip nat inside source static tcp 192.168.2.10 22 172.24.62.135 2210 extendable

ip nat inside source static tcp 192.168.2.11 22 172.24.62.135 2211 extendable

ip nat inside source static tcp 192.168.2.12 22 172.24.62.135 2212 extendable

(many lines of nat translation entries)

ip nat inside source static tcp 192.168.2.19 443 172.24.62.135 4439 extendable

ip nat inside source static tcp 192.168.2.10 8080 172.24.62.135 9080 extendable

ip nat inside source static tcp 192.168.2.25 8080 172.24.62.135 8025 extendable

ip nat inside source list XXXXXX-OUTBOUND interface GigabitEthernet0/0/0 overload

ip forward-protocol nd

no ip http server

no ip http secure-server

ip tftp source-interface GigabitEthernet0

ip route 0.0.0.0 0.0.0.0 172.24.62.1

ip ssh time-out 60

ip ssh authentication-retries 5

!         

!         

ip access-list extended XXXXXX-OUTBOUND

permit ip 192.168.2.0 0.0.0.255 any

!         

!         

!         

!         

control-plane

!         

banner exec ^CCC***CAUTION:  You are connected to XXXXXX-YYYY-ROUTER ***^C

banner login ^CCC

Warning: This system is for authorized use only.  Any use of this system without

or in excess of approved authority is subject to prosecution.  All activities on

this system are monitored, recorded and reviewed.  Anyone using this system

is advised that if such monitoring reveals possible evidence of criminal

activity, this information may be provided to law enforcement or other

authorized agencies.

 

^C

!

line con 0

exec-timeout 60 0

stopbits 1

line aux 0

stopbits 1

line vty 0 4

exec-timeout 60 0

password 7 10580xxxxxxxxxxxxxxxxx7

login local

transport input telnet ssh

!

!

end

1 Reply

txu
Level 1

Forgot to mention, one more nat translation

ip nat inside source static tcp 192.168.2.10 80 172.24.62.135 8080 extendable (Portal80 translation)

 

With the Portal80 translation, the webpage of

192.168.2.10:80/stats

is translated into

172.24.62.135:8080/stats

which shows the page well

 

This indicates the 192.168.2.10 server can show the :80 page, but not the :8080 page.
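An added example, not part of the original posts: a small Python check that parses the static NAT lines quoted above into an outside-to-inside table, flags outside ports that are easy to confuse with a different inside port on the same host, and classifies a TCP connect attempt as open, refused or unanswered. The function names and result labels are assumptions of this example; the four configuration lines are copied from the posts.

```python
import re
import socket

# Static NAT lines copied from the posts above.
CONFIG = """\
ip nat inside source static tcp 192.168.2.10 22 172.24.62.135 2210 extendable
ip nat inside source static tcp 192.168.2.10 80 172.24.62.135 8080 extendable
ip nat inside source static tcp 192.168.2.10 8080 172.24.62.135 9080 extendable
ip nat inside source static tcp 192.168.2.25 8080 172.24.62.135 8025 extendable
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)", re.M)


def parse_static_nat(config):
    """Return {(proto, outside_ip, outside_port): (inside_ip, inside_port)}."""
    table = {}
    for proto, in_ip, in_port, out_ip, out_port in NAT_RE.findall(config):
        key = (proto, out_ip, int(out_port))
        if key in table:
            raise ValueError(f"outside {key} mapped twice")
        table[key] = (in_ip, int(in_port))
    return table


def crossed_ports(table):
    """Outside ports whose number is also an inside port of the same host
    but which forward to a different inside port (easy to mix up in tests)."""
    hits = []
    for (_proto, _out_ip, out_port), (in_ip, in_port) in table.items():
        same_host_inside = {p for (ip, p) in table.values() if ip == in_ip}
        if out_port != in_port and out_port in same_host_inside:
            hits.append((out_port, in_ip, in_port))
    return sorted(hits)


def probe(host, port, timeout=2.0):
    """Classify one TCP connect: 'open', 'refused' (a reset came back, so
    something answered and rejected) or 'no-answer' (dropped or unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # timeouts and unreachable errors land here
        return "no-answer"
```

A "refused" result for the outside address means a reset came back, either from the router itself or translated back from the inside server because nothing is listening on the inside port. Running the same `probe` against 192.168.2.10 port 8080 from the inside LAN, and comparing with `show ip nat translations` on the router, separates the two cases.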
