05-31-2019 08:55 AM - edited 05-31-2019 10:07 AM
I have a 3945 router and I need to get port 6969 open, but when I run a port analyzer on it from my internal network I get the following report:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-05-30 17:28 Eastern Daylight Time
NSE: Loaded 148 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:28
Completed NSE at 17:28, 0.00s elapsed
Initiating NSE at 17:28
Completed NSE at 17:28, 0.00s elapsed
Initiating Ping Scan at 17:28
Scanning 166.168.999.999 [4 ports]
Completed Ping Scan at 17:28, 0.17s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:28
Completed Parallel DNS resolution of 1 host. at 17:28, 0.11s elapsed
Initiating SYN Stealth Scan at 17:28
Scanning 999.sub-166-168-999.myvzw.com (166.168.999.999) [65535 ports]
Discovered open port 80/tcp on 166.168.999.999
Discovered open port 22/tcp on 166.168.999.999
Discovered open port 1720/tcp on 166.168.999.999
Discovered open port 443/tcp on 166.168.999.999
Discovered open port 23/tcp on 166.168.999.999
Discovered open port 9131/tcp on 166.168.999.999
Discovered open port 5061/tcp on 166.168.999.999
Discovered open port 2443/tcp on 166.168.999.999
Discovered open port 4131/tcp on 166.168.999.999
SYN Stealth Scan Timing: About 43.86% done; ETC: 17:29 (0:00:40 remaining)
Discovered open port 2000/tcp on 166.168.999.999
Discovered open port 6131/tcp on 166.168.999.999
Discovered open port 5060/tcp on 166.168.999.999
Discovered open port 2131/tcp on 166.168.999.999
Completed SYN Stealth Scan at 17:30, 104.21s elapsed (65535 total ports)
Initiating Service scan at 17:30
Scanning 13 services on 999.sub-166-168-999.myvzw.com (166.168.999.999)
Completed Service scan at 17:32, 156.28s elapsed (13 services on 1 host)
Initiating OS detection (try #1) against 999.sub-166-168-999.myvzw.com 166.168.999.999)
Initiating Traceroute at 17:32
Completed Traceroute at 17:32, 0.01s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:32
Completed Parallel DNS resolution of 2 hosts. at 17:32, 0.10s elapsed
NSE: Script scanning 166.168.999.999.
Initiating NSE at 17:32
Completed NSE at 17:33, 15.42s elapsed
Initiating NSE at 17:33
Completed NSE at 17:33, 1.02s elapsed
Nmap scan report for 999.sub-166-168-999.myvzw.com (166.168.999.999)
Host is up (0.00038s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh Cisco SSH 1.25 (protocol 1.99)
| ssh-hostkey:
| 1024 1c:a5:0a:...8f:5a (RSA1)
|_ 1024 bf:4...e3:5c:97 (RSA)
|_sshv1: Server supports SSHv1
23/tcp open telnet Cisco IOS telnetd
80/tcp open http Cisco IOS http config
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=level_15 or view_access
|_http-server-header: cisco-IOS
|_http-title: Site doesn't have a title.
443/tcp open ssl/http Cisco IOS http config
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Basic realm=level_15 or view_access
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: cisco-IOS
|_http-title: Site doesn't have a title.
| ssl-cert: Subject: commonName=IOS-Self-Signed-Certificate-3865562159
| Subject Alternative Name: DNS:TDC_CME_Router.local
| Issuer: commonName=IOS-Self-Signed-Certificate-3865562159
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: md5WithRSAEncryption
| Not valid before: 2018-12-20T15:32:42
| Not valid after: 2020-01-01T00:00:00
| MD5: 739b 4... 3ae6
|_SHA-1: f02e 7...d 9a3f
|_ssl-date: 2019-05-30T21:34:51+00:00; +1m53s from scanner time.
1720/tcp open h323q931?
2000/tcp open cisco-sccp?
2131/tcp open telnet Cisco router telnetd
2443/tcp open tcpwrapped
4131/tcp open tcpwrapped
5060/tcp open sip-proxy Cisco SIP Gateway (IOS 15.2.4.M1)
|_sip-methods: INVITE, OPTIONS, BYE, CANCEL, ACK, PRACK, UPDATE, REFER, SUBSCRIBE, NOTIFY, INFO, REGISTER
5061/tcp open tcpwrapped
6131/tcp open tcpwrapped
9131/tcp open tcpwrapped
OS details: Cisco 836, 890, 1751, 1841, 2800, or 2900 router (IOS 12.4 - 15.1), Cisco Aironet 2600-series WAP (IOS 15.2(2))
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=257 (Good luck!)
IP ID Sequence Generation: Randomized
Service Info: OS: IOS; Devices: switch, router; CPE: cpe:/o:cisco:ios
Host script results:
|_clock-skew: mean: 1m52s, deviation: 0s, median: 1m52s
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 0.00 ms 192.168.69.2
2 0.00 ms 999.sub-166-168-999.myvzw.com (166.168.999.999)
NSE: Script Post-scanning.
Initiating NSE at 17:33
Completed NSE at 17:33, 0.00s elapsed
Initiating NSE at 17:33
Completed NSE at 17:33, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 281.84 seconds
Raw packets sent: 69434 (3.057MB) | Rcvd: 65945 (2.642MB)
When I check port 6969 from the internet, it also says the port is closed.
We use Verizon 4G as our internet source and we DO have a static public IP address from them. I called Verizon and they assure me that they are NOT blocking or closing any ports. We do not have a firewall running (yet), nor has any security been configured on the 3945.
Testing ports from the internet:
Port 22 is open
Port 23 is open
Port 80 is open
Port 443 is open
Port 1720 is open
Port 2000 is open
Port 2131 is open
Port 2443 is open
Port 4131 is open
Port 6131 is open
Port 9131 is open
Port 5060 is open
Port 5061 is open
Port 6969 is closed
Below is the config file less the voice stuff:
Current configuration : 37581 bytes
!
! Last configuration change at 11:21:16 DST Fri May 31 2019 by mdurham
! NVRAM config last updated at 15:38:57 DST Tue May 28 2019 by mdurham
! NVRAM config last updated at 15:38:57 DST Tue May 28 2019 by mdurham
version 15.2
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime year
service password-encryption
service internal
service sequence-numbers
!
hostname TDC_CME_Router
!
boot-start-marker
boot-end-marker
!
!
enable secret Cisco
!
no aaa new-model
clock timezone EST -5 0
clock summer-time DST recurring
!
!
crypto pki trustpoint TP-self-signed-331159
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-362159
revocation-check none
rsakeypair TP-self-signed-3318662159
!
!
crypto pki certificate chain TP-self-signed-3318662159
certificate self-signed 01
quit
!
ip traffic-export profile Anveo mode capture
bidirectional
!
!
!
!
!
!
!
ip dhcp smart-relay
ip dhcp relay information option
ip dhcp excluded-address 10.110.0.1 10.110.0.20
ip dhcp excluded-address 192.168.0.1 192.168.0.155
ip dhcp excluded-address 192.168.0.200 192.168.0.254
ip dhcp excluded-address 192.168.69.1 192.168.69.240
ip dhcp excluded-address 192.168.70.1 192.168.70.20
ip dhcp excluded-address 192.168.200.1 192.168.200.240
ip dhcp excluded-address 192.168.50.1 192.168.50.200
!
ip dhcp pool Voice
network 10.110.0.0 255.255.255.0
default-router 10.110.0.1
option 150 ip 10.110.0.1
dns-server 1.1.1.1
lease 0 12
!
ip dhcp pool Users
network 192.168.69.0 255.255.255.0
default-router 192.168.69.1
dns-server 1.1.1.1
option 150 ip 10.110.0.1
lease 0 12
!
ip dhcp pool TempVMware
network 192.168.70.0 255.255.255.0
default-router 192.168.70.1
dns-server 192.168.50.100
lease 0 12
!
ip dhcp pool Wiireless
network 192.168.200.0 255.255.255.0
default-router 192.168.200.1
dns-server 1.1.1.1
option 150 ip 10.110.0.1
lease 0 12
!
ip dhcp pool VMware
network 192.168.50.0 255.255.255.0
default-router 192.168.50.1
dns-server 192.168.50.5
lease 0 12
!
!
!
ip name-server 1.1.1.1
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip inspect WAAS flush-timeout 10
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script ltescript "" "AT!CALL1" TIMEOUT 20 "OK"
password encryption aes
!
!
license udi pid C3900-SPE100/K9 sn FOC1432C
license accept end user agreement
license boot module c3900 technology-package securityk9
license boot module c3900 technology-package uck9
hw-module pvdm 0/0
!
redundancy
notification-timer 60000
!
!
controller Cellular 0/3
!
!
track 10 ip sla 1 reachability
delay down 1 up 1
!
track 20 ip sla 2 reachability
delay down 1 up 1
!
!
!
interface Tunnel1
description mGRE - DMVPN Tunnel for customer remote support
ip address 172.16.0.1 255.255.0.0
no ip redirects
ip nhrp authentication cisco
ip nhrp map multicast dynamic
ip nhrp network-id 999
tunnel source 166.168.999.999
tunnel mode gre multipoint
tunnel protection ipsec profile support
!
interface Embedded-Service-Engine0/0
no ip address
!
interface GigabitEthernet0/0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0/0.2
description Sommer's Network for Dish Network TV
encapsulation dot1Q 2
ip address 192.168.0.253 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/0.50
description "VMWare Server HP DL160 Server 3"
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/0.69
description "Data Network"
encapsulation dot1Q 69 native
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/0.110
description "Voice Network"
encapsulation dot1Q 110
ip address 10.110.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/0.200
description "Wireless - Guest User Network"
encapsulation dot1Q 200
ip address 192.168.200.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
!
interface GigabitEthernet0/1
description "VMWare Server Dell R620 Server 1"
ip address 192.168.51.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1300
ip policy route-map clear-df
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/2
no ip address
no ip route-cache
shutdown
duplex auto
speed auto
!
interface FastEthernet0/0/0
description Connection to Verizon 4G Internet
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly in
shutdown
duplex auto
speed auto
!
interface Integrated-Service-Engine1/0
no ip address
shutdown
no keepalive
!
interface SM2/0
description Unity-Express-Service
ip unnumbered GigabitEthernet0/0.110
ip nat inside
ip virtual-reassembly in
service-module fail-open
service-module ip address 10.110.0.2 255.255.255.0
service-module ip default-gateway 10.110.0.1
!
interface SM2/1
description Internal switch interface connected to Service Module
no ip address
!
interface Cellular0/3/0
ip address negotiated
no ip unreachables
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 30
dialer in-band
dialer idle-timeout 0
dialer string ltescript
dialer watch-group 1
async mode interactive
pulse-time 0
!
interface Vlan1
no ip address
!
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer string 123456
dialer persistent
dialer-group 1
no cdp enable
!
!
router eigrp 1577
network 10.110.0.0 0.0.0.255
network 192.168.0.0
network 192.168.50.0
network 192.168.69.0
network 192.168.200.0
!
no ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:CME_GUI
!
no ip nat service sip udp port 5060
ip nat inside source list 151 interface Cellular0/3/0 overload
ip nat inside source static tcp 192.168.69.223 6969 interface cellular 0/3/0 6969
ip route 0.0.0.0 0.0.0.0 Cellular0/3/0 track 10
ip route 0.0.0.0 0.0.0.0 192.168.0.254 10 track 20
ip route 4.2.2.2 255.255.255.255 Cellular0/3/0
ip route 10.110.0.2 255.255.255.255 SM2/0
!
ip sla auto discovery
ip sla 1
icmp-echo 4.2.2.2 source-interface Cellular0/3/0
threshold 750
timeout 900
frequency 1
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 192.168.0.254 source-ip 192.168.0.253
threshold 750
timeout 900
frequency 1
ip sla schedule 2 life forever start-time now
logging history size 500
access-list 20 remark Networks Allowed onto the Internet
access-list 20 permit 10.110.0.0 0.0.0.255
access-list 20 permit 192.168.0.0 0.0.0.255
access-list 20 permit 192.168.50.0 0.0.0.255
access-list 20 permit 192.168.51.0 0.0.0.255
access-list 20 permit 192.168.69.0 0.0.0.255
access-list 20 permit 192.168.200.0 0.0.0.255
access-list 20 permit 172.16.0.0 0.0.255.255
access-list 100 remark "Block Guest network to everything except the printers, ntp & the Internet
access-list 100 permit udp host 162.210.111.4 eq ntp host 192.168.200.1 eq ntp
access-list 100 permit ip any host 192.168.69.90
access-list 100 permit ip any host 192.168.69.91
access-list 100 permit ip any host 192.168.69.92
access-list 100 permit ip any 192.168.200.0 0.0.0.15
access-list 100 deny ip any 192.168.0.0 0.0.255.255
access-list 100 permit ip any any
access-list 151 permit ip any any
dialer watch-list 1 ip 5.6.7.8 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
dialer-list 1 protocol ip permit
!
nls resp-timeout 1
cpd cr-id 1
route-map clear-df permit 10
set ip df 0
!
!
line con 0
exec-timeout 0 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/3/0
script dialer ltescript
modem InOut
no exec
transport input telnet
rxspeed 100000000
txspeed 50000000
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
line 131
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
exec-timeout 0 0
privilege level 15
password cisco
logging synchronous
login local
terminal-type monitor
transport input telnet ssh
transport output telnet
line vty 5 15
privilege level 15
password cisco
logging synchronous
login local
transport input telnet
transport output telnet
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 2.north-america.pool.ntp.org
ntp server 0.north-america.pool.ntp.org
ntp server 3.north-america.pool.ntp.org
ntp server 103.105.51.156 minpoll 10
ntp server 1.north-america.pool.ntp.org
!
end
06-04-2019 09:45 AM
Thank you Michael.
You now scan 166.168.999.999:3389 from the Internet and it shows open, correct?
Also, when you try to RDP to 166.168.999.999:3389 from the Internet you get the username/password prompt, meaning you are hitting this other server, 192.168.69.61. Port forwarding on the Router is working just fine.
When testing your original Static NAT from the Internet (for host 192.168.69.223 TCP 6969), it should be done while this .223 does not have its tunnel established with PureVPN. The issue is that once 192.168.69.223 is connected to PureVPN, it has probably changed its default gateway from the Cisco Router to the PureVPN tunnel. And since most local processes rely on the default gateway, when you attempt to access that device remotely over the Internet, Static NAT on the Router forwards fine but the Server's replies are sent back out the VPN, not to the Router.
Cheers.
06-05-2019 07:12 AM - edited 06-05-2019 07:18 AM
How are you testing from the Internet?
Scanning 166.168.999.999:3389 (but with your real public IP) from the Internet, using the same website you mentioned before (www.yougetsignal.com/tools/open-ports/), shows the port is open, right?
06-05-2019 07:41 AM
About your 4G connection not working when you upgrade to the IOS 15.7 release: it looks to be due to an incompatibility between this old card and IOS releases 15.6 and 15.7. This 4G card is 1st generation (EHWIC-4G-LTE-V). With this card, you can go up to 15.5 and it should work OK.
2nd generation cards, EHWIC-4G-LTE-VZ (note the 'Z' at the end), should work fine on the 15.6 and 15.7 releases.
06-05-2019 09:10 AM
Thank you for that information. I do not have any versions of the IOS between 15.2 and 15.7, and no support contract to get one. Also, I do not have the VZ version of the card.
Question: if I did have the VZ version, would there be a chance that my internet access speed improves? We are about 1.5 miles from the tower and get 5-11 Mbps download most of the day. Around 6pm it drops, and around 4am it goes up to the 20's. However, my cell phone can get into the 60's at 4am. So, would it be worth getting the VZ version of the card?
06-05-2019 11:22 AM
Having up-to-date firmware (with up-to-date code patches) is usually good; however, other factors like environmental conditions, the number of other customers currently sharing the bandwidth (which usually depends on the time of day, as you mentioned), etc. have to be considered when talking about performance/throughput.
Theoretically both cards can perform up to 100/50 Mbps (Download/Upload); see Table 1 on the links below.
Sincerely, I cannot guarantee you will get a better performance/signal/service if you make the effort to acquire the VZ card.
Going back to the original NAT question, you need to test from the Internet (outside your local network).
NAT on the Router won't translate if you attempt to test 166.168.999.999:6969 or 166.168.999.999:3389 from the internal network.
As a conclusion:
- NAT on the Router is working just fine here.
- That "yougetsignal" tool should show 166.168.999.999:3389 currently open, and if you RDP from the Internet (not from your internal network) you should get the username/password prompt.
- That "yougetsignal" tool should show 166.168.999.999:6969 open once you disconnect your 192.168.69.223 Server from PureVPN, as explained in my earlier post.
Lastly, either NAT configuration approach on the Router is OK to configure port forwarding.
ip nat inside source static tcp 192.168.69.223 6969 interface cellular 0/3/0 6969
ip nat inside source static tcp 192.168.69.61 3389 interface cellular 0/3/0 3389
or
ip nat source static tcp 192.168.69.223 6969 166.168.999.999 6969 extendable
ip nat source static tcp 192.168.69.61 3389 166.168.999.999 3389 extendable
Cheers!
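As an added example (not part of the thread or Cisco's tooling), a small Python audit that pulls every `ip nat inside source static ... interface ...` port forward out of an IOS running-config and checks the two things the answer above relies on: the referenced outside interface actually has `ip nat outside` and is not shutdown, and the inside host sits behind an `ip nat inside` interface. The sample config is constructed from the interface and NAT lines posted in the thread, plus one made-up forward via the shutdown FastEthernet0/0/0 so the failing case is shown; the "hairpin from inside" limitation is outside what a config check can see.

```python
import ipaddress
import re

# Constructed sample: the thread's interface/NAT lines (trimmed) plus one made-up forward
# via FastEthernet0/0/0, which is shutdown in the posted config and must be flagged.
SAMPLE_CONFIG = """\
interface FastEthernet0/0/0
 ip nat outside
 shutdown
!
interface Cellular0/3/0
 ip nat outside
!
interface GigabitEthernet0/0.69
 ip address 192.168.69.1 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.69.223 6969 interface cellular 0/3/0 6969
ip nat inside source static tcp 192.168.69.61 3389 interface cellular 0/3/0 3389
ip nat inside source static tcp 192.168.70.5 8080 interface FastEthernet0/0/0 8080
"""

# Accepts both 'interface Cellular0/3/0' and the spaced form 'interface cellular 0/3/0'.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+(?: \S+)?) (\d+)$", re.M)

def norm(name):
    return name.replace(" ", "").lower()  # IOS shows 'Cellular0/3/0' for 'cellular 0/3/0'

def parse_interfaces(config):
    """Map interface name -> NAT role, admin state and connected network."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":
            cur = None                      # '!' ends the interface block
        elif line.startswith("interface "):
            cur = norm(line.split(None, 1)[1])
            ifaces[cur] = {"outside": False, "inside": False, "shutdown": False, "network": None}
        elif cur is not None:
            m = re.match(r"ip address (\S+) (\S+)$", line)
            if m:                           # 'ip address dhcp' / 'negotiated' have no mask
                ifaces[cur]["network"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            for key, text in (("outside", "ip nat outside"), ("inside", "ip nat inside"),
                              ("shutdown", "shutdown")):
                ifaces[cur][key] |= line == text
    return ifaces

def audit_port_forwards(config):
    """List every static port forward with the reasons (if any) it cannot work."""
    ifaces, findings = parse_interfaces(config), []
    for proto, host, inport, ifname, outport in STATIC_RE.findall(config):
        out, problems = ifaces.get(norm(ifname)), []
        if not (out and out["outside"]):
            problems.append("outside interface missing or lacks 'ip nat outside'")
        if out and out["shutdown"]:
            problems.append("outside interface is shutdown")
        ip = ipaddress.ip_address(host)
        if not any(i["inside"] and i["network"] and ip in i["network"] for i in ifaces.values()):
            problems.append("inside host is not behind an 'ip nat inside' interface")
        findings.append({"proto": proto, "host": host, "inside_port": int(inport),
                         "interface": norm(ifname), "outside_port": int(outport), "problems": problems})
    return findings
```

Run it against a `show running-config` capture to get an inventory of what the router exposes to the Internet; the thread's two forwards come back clean, the constructed 8080 forward is flagged on both checks.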
06-05-2019 09:06 AM
I open RDP and enter 166.168.999.999:6969 on my desktop from inside my network.