Re: Port forwarding not working on 2900 router - Page 2

hirani89 · ‎02-13-2021

Please find my config below:

hostname R1

boot-start-marker
boot-end-marker

no aaa new-model

ip cef

ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1

ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1

ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce

ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70

ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8

ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40

ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c

ip domain name somedomain
no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO2921/K9 sn FGL1813118M

username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c

redundancy

ip ssh version 2

interface Embedded-Service-Engine0/0
 no ip address
 shutdown

interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp

interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto

ip forward-protocol nd

no ip http server
no ip http secure-server

ip dns server
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255

control-plane

line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh

scheduler allocate 20000 1000

end

I want to forward port 13389 coming through my public ip to 192.168.0.222:3389

Georg Pauwen · ‎02-13-2021

Hello,

what if you just add the static entry, and no dynamic NAT ? So just these two entries ?

--> ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389

--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

Also, when you say it is not forwarding, what are you actually doing, where (and how) are you connecting to ?

hirani89 · ‎02-14-2021

Made no difference. As expected, I lost internet. That's all.

MHM Cisco World · ‎02-14-2021

Static with dynamic need three thing

1- acl

deny traffic which will Static nat

ip access-list extended NAT

deny tcp host 192.168.0.222 eq 3389 any

permit ip 192.168.0.0 0.0.0.255 any

2- Static nat

ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389

3- dynamic nat

ip nat inside source list NAT interface GigabitEthernet0/0 overload

in your config above you config two of three

where is Static NAT?

and again check routing pointing to correct next hop

complete config

hirani89 · ‎02-14-2021

Upon doing some research, nmap will only list a port as open if something is listening on that port. I tried a few online tools such as https://www.yougetsignal.com/tools/open-ports/ and a few mobile apps. These show that the ports are indeed open. And they show closed when I disable port forwarding for that port. I am able to remote desktop via local IP. So I suppose RDP is setup correctly. What might be happening here?

paul driver · ‎02-15-2021

Hello
I think we are going around in circles, you have now reverted back to the config you had origninally?

no ip nat inside source list IoT interface GigabitEthernet0/2 overload
no ip access-list standard IoT
no ip access-list standard NAT
ip access-list extended NAT
deny tcp host 192.168.0.222 any eq 13389
deny udp host 192.168.0.222 any eq 13389
permit ip 192.168.0.0 0.0.0.255 any

Once you have completed this, Do you have reachability to host 192.168.0.222 from the rtr itself.
telnet 192.168.0.222 3389

if that is successful, the next step is to test from the internet from any external internet host
telnet <public ip> 13389

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

hirani89 · ‎02-16-2021

Mostly some good news.

based on the config below, I can access the port from an outside network(internet). But if I am in the same LAN I can not access the port using public IP. And I would really like that.

ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 1.2.3.4 13389 extendable
ip nat inside source static udp 192.168.0.222 3389 1.2.3.4 13389 extendable
ip nat inside source static tcp 192.168.0.22 3389 1.2.3.4 23389 extendable
ip nat inside source static udp 192.168.0.22 3389 1.2.3.4 23389 extendable
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any

(1.2.3.4 is being my public IP)

LikeMyFloydPink · ‎02-16-2021

interface GigabitEthernet0/1.1
encapsulation dot1Q 101

Is the above a typo or is that configuration intentional regarding the VLAN #? Disregard question if intentional.