05-08-2020 01:01 PM
Hi, I have a 2800 series router running IOS 12.4; connected to it is a 3560 switch with a couple of servers attached to the switch. I can reach the servers over the 10.0.2.x addresses but not by the single public-facing IP address.
I am having trouble with port forwarding to the servers.
I have set up overloading on fa0/0 and an access list; this gets my appliances internet access, but I can't seem to get access to the servers when I port forward.
Here is the relevant configuration section. What am I doing wrong?
interface FastEthernet0/0
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface FastEthernet0/1
ip address 10.0.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Serial0/3/0
no ip address
shutdown
clock rate 2000000
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
ppp authentication chap callin
ppp chap hostname ******
ppp chap password 0 *******
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.33 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.33 443 interface Dialer1 443
!
access-list 10 permit 10.0.2.0 0.0.0.255
dialer-list 10 protocol ip permit
!
05-08-2020 11:32 PM
I figured out that port forwarding is working as expected.
But it has led me to the discovery that I know nothing about ACLs. Well, I didn't; I now know enough to be dangerous.
So, I still have a problem. I have created an extended ACL; this has permitted access to the server on two ports, which is great, but only from the WAN. I didn't think to check on a device outside of the network until 10 minutes ago.
This is where I'm at now; any help would be appreciated in resolving this issue.
interface FastEthernet0/0
no ip address
ip access-group WEBSITES in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 10
!
interface FastEthernet0/1
ip address 10.0.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
no mop enabled
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
ppp authentication chap callin
ppp chap hostname ***
ppp chap password 7 ***
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.17 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.17 443 interface Dialer1 443
!
ip access-list extended INSIDEOUT
permit tcp any any established
ip access-list extended WEBSITES
permit tcp any host 10.0.2.17 eq www
permit tcp any host 10.0.2.17 eq 443
!
access-list 10 permit 10.0.2.0 0.0.0.255
I have tried replacing the 10 list in the overload with the INSIDEOUT ACL; no joy there, it just blocked my internet.
05-08-2020 11:51 PM
Hello,
what are you trying to accomplish, allow access to the server on just these two ports? Try the changes to the access list below:
ip access-list extended WEBSITES
permit tcp any host 10.0.2.17 eq www
permit tcp any host 10.0.2.17 eq 443
--> deny ip any host 10.0.2.17
--> permit ip any any
05-09-2020 12:34 AM
Thank you for the response. Yes, that's one part of it and I will implement those.
My problem at the moment is that when I use the website's FQDN, either I'm blocked at the router getting to the server or the server is prevented from responding; I don't know which or how to find out.
If I try to manage the website by its LAN IP address I get all sorts of error messages, SSL cert not valid for the IP address, only for the FQDN, so I need to fix the ACL.
I have a computer connected in the same LAN that cannot connect to the server by its FQDN. DNS is resolved.
It seems that there is something in the ACL blocking me from connecting to it at all; a review of the server's access logs shows no sign of my attempting to connect, so it must be that the ACL is blocking the outbound connection to a local server?
I'm somewhat confused.
05-09-2020 01:01 AM
Hello,
you can actually specify the FQDN in the access list. You need to have:
ip domain-lookup
ip name-server 8.8.8.8
enabled.
Try and add the below (marked in bold) to the access list:
ip access-list extended WEBSITES
permit tcp any host 10.0.2.17 eq www
permit tcp any host 10.0.2.17 eq 443
permit ip any host host.domain.com
--> deny ip any host 10.0.2.17
--> permit ip any any
05-09-2020 06:12 AM
Hello
What is your end goal here? Do you wish only traffic initiated from your internal LAN to be allowed back into your network, apart from externally initiated traffic towards your internal web server?
If so, below is an example of a basic reflexive access-list that would accomplish this.
It would allow any LAN traffic leaving the WAN interface and then create a reflexive access-list called ACL so the return traffic can be evaluated before being allowed in. The exception to this would be any externally initiated web server traffic, which would not be evaluated.
ip access-list extended Lan_traffic
permit ip any any reflect ACL
ip access-list extended Wan_websrv_traffic
permit tcp any any range www 443
evaluate ACL
!
Int x/x
description WAN Interface
ip access-group Lan_traffic out
ip access-group Wan_websrv_traffic in
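To make the two ACL suggestions in this thread concrete (the WEBSITES list with the appended deny/permit lines, and the reflect/evaluate pair above), here is an added model of how IOS walks an extended ACL: first match wins, and an unmatched packet hits the implicit deny. This is example code written for this page, not anything posted in the thread or shipped by Cisco; the packets and the 203.0.113.5 address are constructed, and the NAT order of operations is deliberately left out.

```python
# Added example, not from the thread: a model of IOS extended-ACL evaluation
# (first match wins, implicit deny at the end) including the reflect/evaluate
# pair. Addresses are taken as the ACL sees them; NAT ordering is ignored here.
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src dst sport dport")

# Entry: (action, proto, src, dst, dports, option). option is None, ("reflect", name)
# or ("evaluate", name); "any" is a wildcard for src, dst and dports.
def evaluate(acl, pkt, reflexive):
    for action, proto, src, dst, dports, opt in acl:
        if opt and opt[0] == "evaluate":
            # Consult the temporary entries a matching 'reflect' entry created.
            if (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport) in reflexive.get(opt[1], set()):
                return "permit"
            continue
        if (proto in ("ip", pkt.proto) and src in ("any", pkt.src)
                and dst in ("any", pkt.dst) and (dports == "any" or pkt.dport in dports)):
            if action == "permit" and opt and opt[0] == "reflect":
                # Record the mirror flow (src/dst and ports swapped) for the reply.
                reflexive.setdefault(opt[1], set()).add(
                    (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

# WEBSITES as first posted, and with the two suggested lines appended.
WEBSITES = [("permit", "tcp", "any", "10.0.2.17", {80}, None),
            ("permit", "tcp", "any", "10.0.2.17", {443}, None)]
WEBSITES_FIXED = WEBSITES + [("deny", "ip", "any", "10.0.2.17", "any", None),
                             ("permit", "ip", "any", "any", "any", None)]
# The reflexive pair: the outbound list records flows, the inbound list evaluates them.
LAN_TRAFFIC = [("permit", "ip", "any", "any", "any", ("reflect", "ACL"))]
WAN_WEBSRV = [("permit", "tcp", "any", "any", {80, 443}, None),
              (None, None, None, None, None, ("evaluate", "ACL"))]

def websites_demo():
    # Constructed packets: (original verdict, corrected verdict) for each.
    pkts = {"web": Pkt("tcp", "203.0.113.5", "10.0.2.17", 40000, 443),
            "ssh": Pkt("tcp", "203.0.113.5", "10.0.2.17", 40001, 22),
            "dns_reply": Pkt("udp", "8.8.8.8", "10.0.10.3", 53, 51000)}
    return {n: (evaluate(WEBSITES, p, {}), evaluate(WEBSITES_FIXED, p, {})) for n, p in pkts.items()}

def reflexive_demo():
    # A LAN-initiated flow gets its reply back in; an unsolicited one is dropped.
    state = {}
    out = evaluate(LAN_TRAFFIC, Pkt("tcp", "10.0.10.3", "203.0.113.5", 51000, 443), state)
    reply = evaluate(WAN_WEBSRV, Pkt("tcp", "203.0.113.5", "10.0.10.3", 443, 51000), state)
    unsolicited = evaluate(WAN_WEBSRV, Pkt("tcp", "203.0.113.5", "10.0.10.3", 40002, 22), state)
    to_websrv = evaluate(WAN_WEBSRV, Pkt("tcp", "203.0.113.5", "10.0.2.17", 40003, 80), state)
    return out, reply, unsolicited, to_websrv
```

The model also shows that the inbound static permit matches ports 80/443 to any destination, not only the web server, which is worth keeping in mind when the list is tightened later.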
05-09-2020 10:40 AM - edited 05-09-2020 02:38 PM
Thank you for your response, Paul.
When you put it in those terms, yes, that is exactly what I am looking for. I guess this puts the servers into a sort of DMZ?
I can live with that. The hosts all have their own software firewalls and I will get a hardware appliance later down the road.
I am reworking my topology right now to break it up into VLANs.
Update: I've mocked up the topology as I can achieve it right now.
Servers
office
wifi
So this will be router on a stick, router interface fa0/1.x with fa0/0 being the WAN interface.
I will attempt your suggestion. One further step though: as the servers will be accepting ALL IP protocols, I would want to prevent them from accessing other VLANs unless initiated on said VLANs as a safeguard.
05-09-2020 01:29 PM
Hello
@ChrisUK wrote:
I am reworking my topology right now to break it up into VLANs.
Servers
office
wifi
So this will be router on a stick, router interface fa0/1.x with fa0/0 being the WAN interface.
One further step though: as the servers will be accepting ALL IP protocols, I would want to prevent them from accessing other VLANs unless initiated on said VLANs as a safeguard.
Okay, when you do this part you also have additional options: you could put the server VLAN in its own VRF so it would be excluded from the other VLANs, or you could apply a routed access-list on the server VLAN to only allow initiated TCP established traffic and specific UDP traffic to respond.
05-09-2020 03:03 PM - edited 05-09-2020 03:30 PM
I am working on it shortly. I have a small wired requirement with a larger wireless device pool, pretty standard I assume.
I've added a diagram to my last post to visualise where I am headed with this.
I've just done the VLAN and router configs in a text file.
Router 2801:
int fa0/1
ip nat inside
no shut
int fa0/1.2
encapsulation dot1Q 2
ip address 10.0.2.1 255.255.255.0
int fa0/1.10
encapsulation dot1Q 10
ip address 10.0.10.1 255.255.255.0
int fa0/1.20
encapsulation dot1Q 20
ip address 10.0.20.1 255.255.255.0
int fa0/1.30
encapsulation dot1Q 30
ip address 10.0.30.1 255.255.255.0
int fa0/1.48
encapsulation dot1Q 48
ip address 10.0.48.1 255.255.255.0
int fa0/1.99
encapsulation dot1Q 99 native
ip address 10.0.99.1 255.255.255.0
interface FastEthernet0/0
description WAN Interface
no ip address
ip access-group LAN_Traffic out
ip access-group WAN_Websrv in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 10
interface Dialer1
ip address negotiated
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
ppp authentication chap callin
ppp chap hostname
ppp chap password 7
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
ip access-list extended LAN_Traffic
permit tcp any any reflect ACL
ip access-list extended WAN_Websrv
permit tcp any any range www 443
evaluate ACL
line con 0
logging synchronous
line aux 0
line vty 0 4
privilege level 15
password 7
logging synchronous
login
line vty 5 15
privilege level 15
password 7
logging synchronous
login
end
Switch: 3560 L3
vlan 2
name servers
vlan 10
name office
vlan 20
name wifi
vlan 48
name mgmt
vlan 99
name native
int vlan 48
ip address 10.0.48.1 255.255.255.0
exit
ip default-gateway 10.0.0.1
int fa0/1
switchport mode trunk
switchport trunk allowed vlan 1,2,10,20,30,48
switchport trunk native vlan 99
int fa0/2
switchport mode access
switcport access vlan 2
int fa0/3
switchport mode access
switcport access vlan 2
int fa0/4
switchport mode access
switcport access vlan 2
int fa0/5
switchport mode access
switcport access vlan 2
int fa0/6
switchport mode access
switcport access vlan 2
int fa0/7
switchport mode access
switcport access vlan 2
int fa0/8
switchport mode access
switcport access vlan 2
int fa0/9
switchport mode access
switcport access vlan 2
int fa0/10
switchport mode access
switcport access vlan 10
int fa0/10
switchport mode access
switcport access vlan 10
int fa0/10
switchport mode access
switcport access vlan 10
int fa0/10
switchport mode access
switcport access vlan 10
int fa0/11
switchport mode access
switcport access vlan 10
int fa0/12
switchport mode access
switcport access vlan 10
int fa0/13
switchport mode access
switcport access vlan 10
int fa0/14
switchport mode access
switcport access vlan 10
int fa0/15
switchport mode access
switcport access vlan 10
int fa0/16
switchport mode access
switcport access vlan 10
int fa0/17
switchport mode access
switcport access vlan 10
int fa0/18
switchport mode access
switcport access vlan 10
int fa0/19
switchport mode access
switcport access vlan 10
int fa0/20
switchport mode access
switchport access vlan 20
int fa0/21
switchport mode access
switchport access vlan 20
int fa0/22
switchport mode access
switchport access vlan 20
int fa0/23
switchport mode access
switchport access vlan 20
int fa0/24
switchport mode access
switchport access vlan 20
int fa0/25
switchport mode access
switchport access vlan 20
int fa0/26
switchport mode access
switchport access vlan 20
int fa0/27
switchport mode access
switchport access vlan 20
int fa0/28
switchport mode access
switchport access vlan 20
int fa0/29
switchport mode access
switchport access vlan 20
int fa0/48
switchport mode access
switchport access vlan 48
end
As you can see, I've included your ACLs.
05-09-2020 09:31 PM - edited 05-09-2020 09:43 PM
My previous post is full of errors. I wanted to edit that to just snip it away but no such luck, too late I guess. Anyway, these two files, after a lot of silly corrections, ran through clean.
I got the VLANs set up and DHCP working. However, I was unable to connect to the internet. It took me a while to realise a rookie mistake: I forgot to no shut fa0/0 in the router.
Still, after turning the interface on, I'm still not getting internet with the attached files, so I have reverted my changes while I get this figured out.
I've included the network map again too so it's all here in this reply.
05-09-2020 11:40 PM
Hello,
make the changes/additions marked in bold to your configuration. I would remove the reflexive access list as well, just to see if you can establish basic Internet connectivity first:
ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool vlan1
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.2.1 10.0.2.2
ip dhcp pool vlan2
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.10.1 10.0.10.2
!
ip dhcp pool vlan10
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 8.8.8.8 8.8.4.4
lease 30
!
ip dhcp excluded-address 10.0.20.1 10.0.20.2
!
ip dhcp pool vlan20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.30.1 10.0.30.2
!
ip dhcp pool vlan30
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.48.1 10.0.48.2
!
ip dhcp pool vlan48
network 10.0.48.0 255.255.255.0
default-router 10.0.48.1
dns-server 8.8.8.8 8.8.4.4
!
int fa0/1
ip nat inside
no shut
!
int fa0/1.1
encapsulation dot1Q 1
ip address 10.0.1.1 255.255.255.0
--> ip nat inside
!
int fa0/1.2
encapsulation dot1Q 2
ip address 10.0.2.1 255.255.255.0
--> ip nat inside
!
int fa0/1.10
encapsulation dot1Q 10
ip address 10.0.10.1 255.255.255.0
--> ip nat inside
!
int fa0/1.20
encapsulation dot1Q 20
ip address 10.0.20.1 255.255.255.0
--> ip nat inside
!
int fa0/1.30
encapsulation dot1Q 30
ip address 10.0.30.1 255.255.255.0
--> ip nat inside
!
int fa0/1.48
encapsulation dot1Q 48
ip address 10.0.48.1 255.255.255.0
--> ip nat inside
!
int fa0/1.99
encapsulation dot1Q 99 native
ip address 10.0.99.1 255.255.255.0
--> ip nat inside
!
interface FastEthernet0/0
description WAN Interface
no ip address
--> no ip access-group LAN_Traffic out
--> no ip access-group WAN_Websrv in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 10
no shut
!
interface Dialer1
ip address negotiated
--> ip nat outside
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
--> ip tcp adjust-mass 1452
ppp authentication chap callin
ppp chap hostname snipped
ppp chap password 7 snipped
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
--> ip nat inside source list 1 int Dialer1 overload
--> ip route 0.0.0.0 0.0.0.0 Dialer 1
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
ip access-list extended LAN_Traffic
permit tcp any any reflect ACL
!
ip access-list extended WAN_Websrv
permit tcp any any range www 443
evaluate ACL
end
05-10-2020 01:54 AM
Okay, looks like things are working on the internet front. I've just dropped the ACLs back into place and I have connectivity. Thank you for your help on those; I presumed that having nat inside on the interface, it wouldn't be needed on the sub-interfaces, and I totally forgot to overload.
The MTU line didn't work, maybe a typo, mass? I have one with mss.
05-10-2020 03:13 AM
Hello,
that was a typo indeed:
--> ip tcp adjust-mass 1452
should be:
--> ip tcp adjust-mss 1452
05-10-2020 04:51 AM - edited 05-10-2020 05:05 AM
No problem, I figured it might be.
In any case, I am back to where I started, to a fashion. I now have VLANs in place, which wasn't how this started; I had intended to move in that direction later, but it's a win for me all the same.
I have internet on the LANs, which is great.
I've also found out that there is nothing blocking me, but I'm having a problem with this section:
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.3 993 interface Dialer1 993
ip nat inside source static tcp 10.0.2.3 587 interface Dialer1 587
ip nat inside source static tcp 10.0.2.3 25 interface Dialer1 25
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
ip nat inside source static 10.0.2.142 interface Dialer1
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
I can get to the website just fine with this, but the mail ports are routing to the wrong server, and I'm unable to remove the bold line: static router in use.
Well, what do you know, being banned served a purpose.
2020-05-10 12:57:09,849 fail2ban.actions [1459]: NOTICE [dovecot] Ban 10.0.10.3
It's logged my local address, which I am not sure is correct. I am using the FQDN, but it seems I get rerouted before I hit the WAN. I'm getting mail in as expected on the correct server, I can see that in the mail logs, but I can't read them.
This seems to be the same issue I had with the website: getting routed locally.
05-10-2020 05:10 AM
Hello,
try and remove all other statements related to that IP address first, in this order:
--> no ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
--> no ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
and then:
--> no ip nat inside source static 10.0.2.142 interface Dialer1