12-03-2017 09:06 PM - edited 03-05-2019 09:35 AM
Hi, I have been trying to find an answer, and I have tried instructions posted around here, but I still can't make this work. I have the router working with my cable modem, and a server which I want to make public on port 443 and others. So far, there is no way I can accomplish this the same way I used to. Here is my config:
ot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 172.21.0.18
ip dhcp excluded-address 172.21.0.17
ip dhcp excluded-address 172.21.0.19
ip dhcp excluded-address 172.21.0.20
!
ip dhcp pool HOUSE
network 172.21.0.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 172.21.0.1
lease 7
!
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
!
password encryption aes
!
!
!
!
!
!
voice-card 0
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2851 sn FTX0953C3BE
!
redundancy
!
!
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0
ip address 172.21.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex full
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address dhcp
ip access-group 111 in
ip nat outside
ip virtual-reassembly in
duplex full
speed auto
no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.21.0.18 5900 interface GigabitEthernet0/1 5900
ip nat inside source static tcp 172.21.0.18 5800 interface GigabitEthernet0/1 5800
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging trap debugging
access-list 101 permit tcp any any
access-list 102 permit ip any any
access-list 111 permit tcp any any eq 443
access-list 111 permit ip any any
access-list 111 permit udp any any eq 443
no cdp run
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
gatekeeper
shutdown
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end
Here is what sh ip route is listing:
Gateway of last resort is 98.208.224.1 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 98.208.224.1
69.0.0.0/32 is subnetted, 1 subnets
S 69.252.196.203 [254/0] via 98.208.224.1, GigabitEthernet0/1
98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 98.208.224.0/22 is directly connected, GigabitEthernet0/1
L 98.208.xxx.xxx/32 is directly connected, GigabitEthernet0/1
172.21.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.21.0.0/24 is directly connected, GigabitEthernet0/0
L 172.21.0.1/32 is directly connected, GigabitEthernet0/0
Thank you in advance!
12-05-2017 12:55 PM
Hello
Okay - let's take a breath!
1) Please confirm your topology and connectivity.
2) Can you ping the server internally - I assume you can?
3) Are all other LAN clients getting NATted correctly when exiting the LAN?
4) Are the ports open on the server?
5) Most importantly - is your modem already performing NAT, meaning is your WAN IP address on the router a non-routable (RFC 1918) address?
res
Paul
12-04-2017 03:40 AM
Which direction of traffic do you have a problem with? Server to Internet or Internet to Server?
I recommend using an access-list on your G0/0 and G0/1 ports to see if you have traffic on them. In addition, please remove the following line from your configuration as well:
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
HTH
Mahdi
12-04-2017 09:41 AM
12-04-2017 04:52 AM - edited 12-04-2017 04:53 AM
Hello
Could you try this please:
conf t
no ip source-route
no ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
no access-list 102
access-list 102 permit ip 172.21.0.0 0.0.0.255
interface GigabitEthernet0/1
no ip access-group 111 in
res
Paul
12-04-2017 09:45 AM
Hi Paul, I tried removing all that, but it was an attempt to make it work. I am still unable to forward any ports to my server. It used to be a pretty straightforward process with the command ip nat inside source ... etc. I don't know if with the 2851 router on IOS 15.1 they added extra layers of security.
12-05-2017 01:48 PM
Hi Paul,
My current topology with that router is as simple as bridged modem --> 2851 Router --> unmanaged switch --> Clients
I can ping the server internally and connect to it using VNC, as well as access its web pages internally. I think it is important to note that if I swap this router for the one that used to be in service (RV082) and configure it, everything works fine. The server receives and sends emails, and users can access OWA through https.
Clients are not experiencing any problems accessing the internet after configuring NAT. Speed was low (about half of that of the connection supplied by the ISP) but this was fixed by enabling CEF on the router.
The modem is bridged and supplies the router with an IP via DHCP.
Interestingly, when I check open sockets using the command "show control-plane host open-ports",
it only shows these ports:
Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot  Local Address  Foreign Address  Service    State
tcp   *:23           *:0              Telnet     LISTEN
tcp   *:80           *:0              HTTP CORE  LISTEN
Thank you for your help!
12-07-2017 04:27 PM
Ok, I finally got it working. It was a server configuration error. I get it, the guy who was configuring the server was doing it remotely, and there was some delay with every key pressed... Bottom line, he had the default gateway of the server configured to .11 instead of the planned .01. I did not have access to the server, so all I could do was ping the server from the router, which would obviously reply because it is on the same subnet.
Thank you for sticking with me through this, it is a real pain when more than one person is working on a project, and none has full access to everything.
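The checklist in Paul's post above and the root cause reported here (a server default gateway pointing at the wrong address, which the router's own ping cannot reveal) can be turned into an offline sanity check. The following Python script is an added example written for this thread, not code from the original posts or from Cisco; the SAMPLE_CONFIG and FIXED_CONFIG strings are constructed excerpts modelled on the posted config, and the server's IP and gateway are passed in by hand because the router config does not contain them.

```python
"""Offline sanity checks for an IOS NAT port-forward setup (added example)."""
import ipaddress
import re

# Constructed excerpt modelled on the config posted in this thread (not the real device).
SAMPLE_CONFIG = """\
ip source-route
interface GigabitEthernet0/0
 ip address 172.21.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address dhcp
 ip access-group 111 in
 ip nat outside
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 102 permit ip any any
"""

# Constructed "after" version applying the thread's suggestions.
FIXED_CONFIG = """\
no ip source-route
interface GigabitEthernet0/0
 ip address 172.21.0.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443
ip route 0.0.0.0 0.0.0.0 dhcp
access-list 102 permit ip 172.21.0.0 0.0.0.255 any
"""

ADDR_RE = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def parse_interfaces(config):
    """Return {name: {'network': IPv4Interface|None, 'nat': str|None, 'acl_in': str|None}}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line[len("interface "):]
            interfaces[current] = {"network": None, "nat": None, "acl_in": None}
        elif line == "!" or not raw.startswith(" "):
            current = None  # left the interface stanza
        elif current:
            m = ADDR_RE.match(line)
            if m:  # "ip address dhcp" leaves network as None
                interfaces[current]["network"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            elif line.startswith("ip nat "):
                interfaces[current]["nat"] = line.split()[2]
            elif line.startswith("ip access-group ") and line.endswith(" in"):
                interfaces[current]["acl_in"] = line.split()[2]
    return interfaces


def find_issues(config, server_ip, server_gateway):
    """Apply the thread's checks; returns a list of human-readable findings (empty = clean)."""
    issues = []
    ifaces = parse_interfaces(config)
    inside = [n for n, i in ifaces.items() if i["nat"] == "inside"]
    outside = [n for n, i in ifaces.items() if i["nat"] == "outside"]
    if not inside or not outside:
        issues.append("NAT needs one 'ip nat inside' and one 'ip nat outside' interface")
    if re.search(r"^ip source-route", config, re.M):
        issues.append("'ip source-route' is enabled; disable it with 'no ip source-route'")
    for name in outside:
        if ifaces[name]["acl_in"]:
            issues.append(f"inbound ACL {ifaces[name]['acl_in']} on outside {name} also filters forwarded ports")
    # A static route for the inside subnet pointing out of the outside interface.
    for m in re.finditer(r"^ip route (\S+) (\S+) (\S+)$", config, re.M):
        dest, mask, nexthop = m.groups()
        if dest == "0.0.0.0":
            continue
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        for name in inside:
            inet = ifaces[name]["network"]
            if inet and net == inet.network and nexthop in outside:
                issues.append(f"static route for inside subnet {net} via outside {nexthop}; remove it")
    # The NAT source ACL should match the inside subnet, not 'any'.
    m = re.search(r"^ip nat inside source list (\S+) ", config, re.M)
    if m:
        for a in re.finditer(rf"^access-list {m.group(1)} permit ip (\S+)", config, re.M):
            if a.group(1) == "any":
                issues.append(f"NAT ACL {m.group(1)} permits source 'any'; restrict it to the inside subnet")
    # Server side: the host must sit on the inside subnet and use the router's inside address as gateway.
    srv, gw = ipaddress.IPv4Address(server_ip), ipaddress.IPv4Address(server_gateway)
    for name in inside:
        inet = ifaces[name]["network"]
        if inet and srv in inet.network and gw != inet.ip:
            issues.append(f"server {srv} uses gateway {gw} but router inside address is {inet.ip}; "
                          "replies never return through NAT")
    return issues


if __name__ == "__main__":
    for finding in find_issues(SAMPLE_CONFIG, "172.21.0.18", "172.21.0.11"):
        print("-", finding)
```

Run against the constructed sample with the mis-set gateway .11 it reports five findings, the last being the gateway mismatch that only a check outside the router could catch; against FIXED_CONFIG with gateway .1 it reports none.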
12-04-2017 10:55 AM
This is what "sh ip nat translations" tells me if it helps to identify the problem. Those listed are the 3 ports I am currently trying to forward to server.
Pro  Inside global         Inside local       Outside local  Outside global
EDITED -----
tcp  98.208.xxx.xxx:443    172.21.0.18:443    ---            ---
tcp  98.208.xxx.xxx:5800   172.21.0.18:5800   ---            ---
tcp  98.208.xxx.xxx:5900   172.21.0.18:5900   ---            ---
12-06-2017 01:11 PM - edited 12-06-2017 01:13 PM
Hello
Okay, from what you are saying all is well apart from the PF.
Externally, how are you trying to connect to the internal servers (FQDN or IP address)?
Try connecting again and apply a debug at the same time:
debug ip nat
12-04-2017 11:08 AM - edited 12-04-2017 11:10 AM
Hello,
on a side note, try to configure the static entry with the actual IP address of the outside interface (do a 'show ip interface brief' to find the address, it is probably something like 98.208.224.2):
--> no ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.21.0.18 443 98.208.224.2 443 extendable
This is obviously not a permanent solution and just to test if it works that way. Also, make sure that the server itself is not blocking 443...
12-04-2017 11:23 AM
I just tried that too and nothing. The server was accepting 443 before and I can still telnet to it internally on that port and connect to it. I think the problem here is ACLs, but the command ip nat translations is showing that the port is being mapped.
12-05-2017 09:11 AM
Following up on this issue. I've tried every possible configuration I've found around Google, and the ones provided to me by users here. So far, no luck opening ports. At this point I am curious if this has anything to do with Cisco IOS Software release 12.4(4)T, Control Plane Protection (CPPr). The routers I had were prior to this version. Any comment would be appreciated.
12-05-2017 10:55 AM
Hello,
check if there are any crypto keys configured on your router:
show crypto key
If so, try and zeroize them.
07-04-2019 02:21 PM
For this case I think you need to make your router an HTTPS server first with this command:
ip http secure-server
and after that it will work fine.