
Port forwarding not working on Cisco 2851

liquidkode (Level 1)

Hi, I have been trying to find an answer around, and tried instructions posted around here, but I still can't make this work. I have the router working with my cable modem, and a server that I want to make public on port 443 and others. So far, there is no way I can accomplish this the same way I used to. Here is my config:

 

dot11 syslog
ip source-route
!
ip cef
!
ip dhcp excluded-address 172.21.0.18
ip dhcp excluded-address 172.21.0.17
ip dhcp excluded-address 172.21.0.19
ip dhcp excluded-address 172.21.0.20
!
ip dhcp pool HOUSE
 network 172.21.0.0 255.255.255.0
 dns-server 75.75.75.75 75.75.76.76
 default-router 172.21.0.1
 lease 7
!
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
voice-card 0
!
crypto pki token default removal timeout 0
!
license udi pid CISCO2851 sn FTX0953C3BE
!
redundancy
!
interface GigabitEthernet0/0
 ip address 172.21.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex full
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address dhcp
 ip access-group 111 in
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed auto
 no cdp enable
!
ip forward-protocol nd
ip http server
no ip http secure-server
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.21.0.18 5900 interface GigabitEthernet0/1 5900
ip nat inside source static tcp 172.21.0.18 5800 interface GigabitEthernet0/1 5800
ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 dhcp
!
logging trap debugging
access-list 101 permit tcp any any
access-list 102 permit ip any any
access-list 111 permit tcp any any eq 443
access-list 111 permit ip any any
access-list 111 permit udp any any eq 443
no cdp run
!
control-plane
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
line aux 0
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
end

 

Here is what sh ip route is listing:

Gateway of last resort is 98.208.224.1 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 98.208.224.1
69.0.0.0/32 is subnetted, 1 subnets
S 69.252.196.203 [254/0] via 98.208.224.1, GigabitEthernet0/1
98.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 98.208.224.0/22 is directly connected, GigabitEthernet0/1
L 98.208.xxx.xxx/32 is directly connected, GigabitEthernet0/1
172.21.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.21.0.0/24 is directly connected, GigabitEthernet0/0
L 172.21.0.1/32 is directly connected, GigabitEthernet0/0

Thank you in advance!

1 Accepted Solution

Paul's five-point checklist reply below (topology, internal reachability, NAT for other LAN clients, server ports, and whether the modem is already doing NAT).

14 Replies

mahditalebi (Level 1)

Which direction of traffic do you have a problem with? Server to Internet, or Internet to Server?

I recommend using an access-list on your G0/0 and G0/1 ports to see if you have traffic on them. In addition, please remove the following line from your configuration as well:

ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1

HTH

Mahdi

 

Internet to Server, I need to open ports for email, web etc. Still no luck
with the configuration I've used before to forward ports.

Hello

Could you try this please:

conf t
no ip source-route
no ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
no access-list 102
! 102 is an extended ACL, so it needs a destination as well as a source
access-list 102 permit ip 172.21.0.0 0.0.0.255 any

interface GigabitEthernet0/1
 no ip access-group 111 in

res
Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
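As an added example that is not part of the thread or of any poster's configuration, here is a hardened version of the NAT, filtering and management parts of the posted config, carrying Paul's fixes through: the NAT ACL is scoped to the LAN instead of "any", ACL 111 is rewritten so that it actually filters (the posted "permit ip any any" made its other two entries meaningless) rather than removed, and the vty lines stop accepting every transport with no password configured. It keeps the posted addressing. The "ip inspect" (CBAC) lines assume an IOS image with the security feature set; the domain name, username, password placeholder and the LAN-only management ACL 10 are assumptions made for this example, not values from the thread.

```cisco
! Added example: hardened NAT / filtering / management for the posted config.
! Not from the thread. Keeps the posted addressing: LAN 172.21.0.0/24 on
! Gi0/0, DHCP-assigned WAN on Gi0/1, OWA server 172.21.0.18.
! Assumptions: "ip inspect" (CBAC) needs an IOS image with the security
! feature set; the domain name, username, password placeholder and the
! management ACL 10 are example values, not from the thread.
!
! Problems in the posted config that this replaces:
!   access-list 102 permit ip any any      NAT matches every source, not just the LAN
!   access-list 111 permit ip any any      the inbound filter permits everything
!   ip route 172.21.0.0 /24 Gi0/1          the LAN is directly connected on Gi0/0
!   line vty 0 4 / login / transport input all   telnet and more, no password set
!
conf t
no ip source-route
no ip route 172.21.0.0 255.255.255.0 GigabitEthernet0/1
! the router's own web server plays no part in the forward; keep it off
no ip http server
!
! PAT for the inside subnet only
no access-list 102
access-list 102 remark PAT source addresses: inside LAN only
access-list 102 permit ip 172.21.0.0 0.0.0.255 any
ip nat inside source list 102 interface GigabitEthernet0/1 overload
!
! Port forwards as posted. 5800/5900 (VNC) stay here only to mirror the
! thread; in practice reach VNC over a VPN rather than from the Internet.
ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 172.21.0.18 5900 interface GigabitEthernet0/1 5900
ip nat inside source static tcp 172.21.0.18 5800 interface GigabitEthernet0/1 5800
!
! Stateful inspection of LAN-initiated sessions leaving Gi0/1: their return
! traffic is admitted dynamically, so no blanket "permit ip any any" inbound
ip inspect name WAN_OUT tcp
ip inspect name WAN_OUT udp
ip inspect name WAN_OUT icmp
!
! Inbound WAN filter: forwarded ports, the router's own DHCP lease traffic,
! and the ICMP needed for path MTU and traceroute. The deny entry's hit
! counter and log messages show whether outside traffic is arriving at all.
no access-list 111
access-list 111 remark inbound on WAN; check hits with "show access-lists 111"
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit tcp any any eq 443
access-list 111 permit tcp any any eq 5900
access-list 111 permit tcp any any eq 5800
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any time-exceeded
access-list 111 deny ip any any log
!
interface GigabitEthernet0/1
 ip access-group 111 in
 ip inspect WAN_OUT out
!
! Management: SSH only, local login, reachable from the LAN only.
! (crypto key generate prompts to overwrite if a key already exists.)
ip domain-name house.example
crypto key generate rsa modulus 2048
ip ssh version 2
username admin privilege 15 secret <strong-password>
access-list 10 remark management sources
access-list 10 permit 172.21.0.0 0.0.0.255
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
end
!
! Verification while a client outside connects to https://<WAN address>/:
!   show access-lists 111        the "eq 443" line's hit count increases
!   show ip nat translations     98.208.x.x:443 -> 172.21.0.18:443 with an outside peer
```

The stateless alternative, if the image has no CBAC, is to replace the "ip inspect" lines with explicit return-traffic entries in ACL 111 ("permit tcp any any established" plus a "permit udp any eq 53 any" for the ISP DNS replies the clients depend on); that is weaker, since it trusts TCP flags rather than session state, but it is still far better than "permit ip any any".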

Hi Paul, I tried removing all that, but it was an attempt to make it work. I am still unable to forward any ports to my server. It used to be a pretty straightforward process with the command ip nat inside source ... etc. I don't know if with the 2851 on IOS 15.1 they added extra layers of security.

Hello

Okay, let's take a breath!

1) Please confirm your topology and connectivity.

2) Can you ping the server internally? I assume you can.

3) Are all other LAN clients getting NATed correctly when exiting the LAN?

4) Are the ports open on the server?

5) Most importantly, is your modem already performing NAT, meaning is your WAN IP address on the router a non-routable (RFC 1918) address?

 

res
Paul



Kind Regards
Paul
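As an added example, not from the thread, the same five checks run from the 2851's own exec prompt, which matters when, as here, nobody on the network side has access to the server. The one check worth adding to the list is a ping sourced from the WAN address: the server can only answer it through its default gateway, so a LAN-sourced ping that proves the server is on the same wire says nothing about whether that gateway is this router, while the WAN-sourced ping should fail exactly when an outside client would. Interface names and addresses are those of the posted config; the command set is standard IOS exec and nothing here is copied from the thread.

```cisco
! Added example, not from the thread: the checklist run from the 2851's own
! exec prompt, so none of it needs access to the server. Interface names
! and addresses are those of the posted config.
!
! 1) Topology: Gi0/1 holds the DHCP-assigned WAN address, Gi0/0 the LAN.
!    The default route must point at the modem side, via Gi0/1.
show ip interface brief
show ip route 0.0.0.0
show dhcp lease
!
! 5) Double NAT: if the Gi0/1 address is in 10/8, 172.16/12, 192.168/16 or
!    100.64/10 (carrier-grade NAT), the modem or the ISP is already
!    translating and the forward must also exist there, or the modem must be
!    bridged. A public address on Gi0/1 rules this out.
!
! 2) Reachability. A ping sourced from the LAN address only proves the
!    server is on the same wire; it answers directly, whatever its gateway
!    is. A ping sourced from the WAN address can only be answered through
!    the server's default gateway, so a reply here shows that gateway is
!    this router. That is exactly the position an outside client is in.
ping 172.21.0.18 source GigabitEthernet0/0
ping 172.21.0.18 source GigabitEthernet0/1
!
! 3) Other LAN hosts being translated: the hit counters should rise while
!    a client browses, and dynamic entries appear in the table.
show ip nat statistics
show ip nat translations
!
! 4) Is the port open on the server? The router can act as a TCP client:
!    "Open" means a service accepted the connection, "Connection refused"
!    means nothing is listening on 443.
telnet 172.21.0.18 443
!
! Then, during one connection attempt from an outside host, watch the
! translation happen (verbose; turn it off again right after):
debug ip nat
undebug all
```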

Hi Paul,

My current topology with that router is as simple as bridged modem --> 2851 router --> unmanaged switch --> clients

 

I can ping the server internally and connect to it using VNC, as well as access its web pages internally. I think it is important to note that if I swap this router for the one that used to be in service (RV082) and configure it, everything works fine. The server receives and sends emails, and users can access OWA through HTTPS.

Clients are not experiencing any problems accessing the internet after configuring NAT. Speed was low (about half of that of the connection supplied by the ISP) but this was fixed by enabling CEF on the router.

Modem was bridged and supplies the Router with IP via DHCP.

Interestingly, when I check open sockets using the command "show control-plane host open-ports", it only shows these ports:

Router# show control-plane host open-ports
Active internet connections (servers and established)
Prot   Local Address   Foreign Address   Service      State
tcp    *:23            *:0               Telnet       LISTEN
tcp    *:80            *:0               HTTP CORE    LISTEN

Thank you for your help!

OK, I finally got it working. It was a server configuration error. I get it: the guy who was configuring the server was doing it remotely, and there was some delay with every key pressed. Bottom line, he had the default gateway of the server configured to .11 instead of the planned .1. I did not have access to the server, so all I could do was ping the server from the router, which would obviously reply because it is on the same subnet.

Thank you for sticking with me through this, it is a real pain when more than one person is working on a project, and none has full access to everything.

This is what "sh ip nat translations" tells me if it helps to identify the problem. Those listed are the 3 ports I am currently trying to forward to server.

Pro Inside global      Inside local       Outside local      Outside global
EDITED -----
tcp 98.208.xxx.xxx:443 172.21.0.18:443    ---                ---
tcp 98.208.xxx.xxx:5800 172.21.0.18:5800  ---                ---
tcp 98.208.xxx.xxx:5900 172.21.0.18:5900  ---                ---

 

Hello

Okay, from what you are saying all is well apart from the port forwarding.

Externally, how are you trying to connect to the internal servers (FQDN or IP address)?

Try connecting again and apply a debug at the same time:

debug ip nat



Kind Regards
Paul

Hello,

 

On a side note, try to configure the static entry with the actual IP address of the outside interface (do a 'show ip interface brief' to find the address; it is probably something like 98.208.224.2):

 

--> no ip nat inside source static tcp 172.21.0.18 443 interface GigabitEthernet0/1 443


ip nat inside source static tcp 172.21.0.18 443 98.208.224.2 443 extendable

 

This is obviously not a permanent solution and just to test if it works that way. Also, make sure that the server itself is not blocking 443...

I just tried that too and nothing. The server was accepting 443 before, and I can still telnet to that port internally and connect to it. I think the problem here is ACLs, but "show ip nat translations" is showing that the port is being mapped.

liquidkode (Level 1)

Following up on this issue. I've tried every possible configuration I've found around Google, and the ones provided to me by users here. So far, no luck opening ports. At this point I am curious if this has anything to do with Cisco IOS Software release 12.4(4)T, Control Plane Protection (CPPr). Routers I had were prior to this version. Any comment would be appreciated.

Hello,

check if there are any crypto keys configured on your router:

show crypto key mypubkey rsa

If so, try and zeroize them.

ahaljara (Cisco Employee)

For this case I think you need to make your router an HTTPS server first with this command:

ip http secure-server

and after that it will work fine.