Re: Port Forwarding (access-list)

Erik Hennerfors · ‎06-02-2013

I'm having problem adding access to a NAS inside my network and I can't seem to understand why.

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source list 103 interface GigabitEthernet0/0 overload

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 1 permit 10.0.2.0 0.0.0.255

access-list 1 permit 10.0.3.0 0.0.0.255

access-list 1 permit 10.0.4.0 0.0.0.255

access-list 103 permit tcp any host 10.0.3.3 eq 445

the 103 access-list is the one I can't seem to get working, I'm not quite sure if I got the access-list functionality right but I wan't to forward traffic on the external WAN interface (GigabitEthernet0/0) on port 445 (SMB) to the server that act as a NAS (10.0.3.3).

What is woring with my configuration in the top of this post?

Many regards

Erik

blau grana · ‎06-03-2013

Hello,

You need to actually configure port forward on your router.

ip nat inside source static 10.0.3.3 445 interface Gi0/0 445

delete this line and ACL 103, it is not necessary:

no ip nat inside source list 103 interface GigabitEthernet0/0 overload

no access-list 103 permit tcp any host 10.0.3.3 eq 445

Try this, if you have some inbound ACL on Gi0/0 interface, you have add line to permit traffic toward your NAS.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Erik Hennerfors · ‎06-03-2013

Thank you for your reply, I've added:

ip nat inside source static tcp 10.0.3.3 445 interface GigabitEthernet0/0 445

But can't connect, it just times out. I can access the NAS from inside the network but not from the outside.

Any ideas why?

blau grana · ‎06-03-2013

Hello,

Is it possible to upload entire config of your router?

You can erase keys, passwords and substitute public IPs with some other, but be sure that public IPs will be substituted with some other IPs 1:1.

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Erik Hennerfors · ‎06-03-2013

Yes ofcourse, here is the entire config:

http://pastie.org/7999546

cadet alain · ‎06-03-2013

Hi,

Your router config is correct, you should verify the server for firewall or default gw problem.

Regards

Alain

Don't forget to rate helpful posts.

Erik Hennerfors · ‎06-03-2013

Thanks for your time, I'll look into our firewall and see if there is something there

mfurnival · ‎06-03-2013

Erik, one thing I find useful when working on these kind of things it an open port checker (just google "open port checker"). These are websites which will probe your router address to see if the port is reachable from the internet. If you do this and it fails you know there is definitely a firewall issue. You don't say anything about your WAN connectivity but if this a standard DSL type service providers will sometimes block inbound access.

samiraa02 · ‎12-17-2014

You could also have done a Port scan on the networks to determine which ports are open and closed.

Erik Hennerfors · ‎06-03-2013

I can't get this to work, I've added the port used for RDP and that works, but not the SMB. I've tried a portscanner which says that the port was blocket (used http://www.whatsmyip.org/port-scanner/).

I allso disabled the firewall on the server but with no effect.

Any ideas?

blau grana · ‎06-03-2013

Hello,

As Alain wrote, router config looks good, there has to be problem with your NAS.

Your NAS is on subnet 10.0.3.0/24 can you access it from different subnet, or just same subnet. Maybe default gateway is not properly configured.

Also doublecheck if:

- IP/ports are correct, some typo could be in configuration

- do you see NAT translation on router when you try to access NAS from internet #show ip nat translation

- check GW on NAS, try ping some device on different subnet/internet

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Sindhu_kumar · ‎06-03-2013

Configuration shared by you in that I am not seeing any default route towards ISP.

http://pastie.org/7999546

blau grana · ‎06-03-2013

Hello,

I think default route is obtained via DHCP.

interface GigabitEthernet0/0
 ip address dhcp

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Sindhu_kumar · ‎06-03-2013

Thanks Blau.

Form that server 10.0.3.3 are you able to make self telnet on port number 445 ?.

Ravi Singh · ‎06-03-2013

First of all you should use static NAT because with dynamic NAT no one can make connection form outside untill unless Translation table is not created. It is created only when some one inititae the connection from inside. And you also have to check that you are able to telnet on the same port which you are using (i.e. 445) from outside.