Re: Port Forwarding (access-list) - Page 2

Erik Hennerfors · ‎06-02-2013

I'm having problem adding access to a NAS inside my network and I can't seem to understand why.

ip nat inside source list 1 interface GigabitEthernet0/0 overload

ip nat inside source list 103 interface GigabitEthernet0/0 overload

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 1 permit 10.0.1.0 0.0.0.255

access-list 1 permit 10.0.2.0 0.0.0.255

access-list 1 permit 10.0.3.0 0.0.0.255

access-list 1 permit 10.0.4.0 0.0.0.255

access-list 103 permit tcp any host 10.0.3.3 eq 445

the 103 access-list is the one I can't seem to get working, I'm not quite sure if I got the access-list functionality right but I wan't to forward traffic on the external WAN interface (GigabitEthernet0/0) on port 445 (SMB) to the server that act as a NAS (10.0.3.3).

What is woring with my configuration in the top of this post?

Many regards

Erik

Erik Hennerfors · ‎06-03-2013

I'll try to respond to all tip.

I'm able to telnet the port from the inside (from the nas) but not from the outside (445). The interface GigabitEthernet0/0 is obtaining ip address from a DHCP (ip address dhcp).

I'm able to access the nas from all of my internal subnets by pinging and adding the shares on diferent devices on the diferent subnets.

And the static IP-address configuration on the server looks good. (tripple checked it).

Thanks for al tips.

Sindhu_kumar · ‎06-04-2013

Still you haven’t confirm about the Nat translation asked by Blau

Do you see NAT translation on router when you try to access NAS from internet?

show ip nat translation

Also from router are you able to do telnet.

gimli#telnet 10.0.3.3 445

Also make sure when you’re accessing that sever from outside/Internet use Ip address which is assigned via DHCP .

Erik Hennerfors · ‎06-04-2013

Ah sorry missed that part, I'm able to telnet the server on port 445 from the router:

"

gimli#telnet 10.0.3.3 445

Trying 10.0.3.3, 445 ... Open

"

There seems to be no connection in nat trans, but the remote desktop service can be used (3389).

gimli#sh ip nat tran | include 10.0.3.3

tcp 78.*.*.*:162 10.0.3.3:161 --- ---

tcp 78.*.*.*:445 10.0.3.3:445 --- ---

udp 78.*.*.*:445 10.0.3.3:445 --- ---

tcp 78.*.*.*:3389 10.0.3.3:3389 --- ---

udp 78.*.*.*:64206 10.0.3.3:64206 94.245.121.251:3544 94.245.121.251:3544

blau grana · ‎06-04-2013

Hello Erik,

Can you try telnet port from some internet server and then check nat translation?

server> telnet 78.X.X.X 445

gimli#sh ip nat tran | include 10.0.3.3

Also can you provide routing table of NAS server?

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Erik Hennerfors · ‎06-05-2013

Nothing elese then the nat translations that are there before I make a connection atempt and the atempt times out "

telnet: Unable to connect to remote host: Connection timed out"

gimli#sh ip nat tran | include 10.0.3.3

tcp 78.*.*.*:162 10.0.3.3:161 --- ---

tcp 78.*.*.*:445 10.0.3.3:445 --- ---

udp 78.*.*.*:445 10.0.3.3:445 --- ---

tcp 78.*.*.*:3389 10.0.3.3:3389 --- ---

udp 78.*.*.*:64206 10.0.3.3:64206 94.245.121.251:3544 94.245.121.251:3544

blau grana · ‎06-05-2013

OK, I assume that your WAN port configuration did not change.

interface GigabitEthernet0/0
 ip ddns update hostname *.se
 ip ddns update dyndns
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled

We will create test ACL to verify that packets are received by your router.

ip access-list extended test

permit tcp any host YOUR-CURRENT-PUBLIC-IP eq 445

permit ip any any

int Gi0/0

ip access-group test in

Now can you telnet on port from public server again and verify that packets arrived to your router?

server> telnet 78.X.X.X 445

gimli#sh ip nat tran | include 10.0.3.3
gimli#sh ip access test

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions

Erik Hennerfors · ‎09-13-2013

I've tested all sugested propositions but with no success, I've tried another "cheep" router with success so there have to be something I'm missing in the Cisco 1912 Router.

I can't see any connection from aserver located at another location to the router using "sh ip nat tran | include ".

Anyone with any more ideas?

Erik Hennerfors · ‎09-13-2013

So I called our ISP and they went trough my connection and it seeams that they've been blocking 445 the whole time even tough I called them 5 times allready asking the same questions.

Thanks for all replys and sorry for the mess made by my ISP.

Erkut Oztekin · ‎07-15-2014

hi eric i have the same problem did solutions?