Port forwarding on 2800 series.

ChrisUK (Level 1)

Hi, I have a 2800 series router running IOS 12.4; connected to it is a 3560 switch with a couple of servers attached. I can reach the server over the 10.0.2.x addresses but not by the single public-facing IP address.

I am having trouble with port forwarding to the servers.

I have set up overloading on fa0/0 and an access list; this gets my appliances internet access, but I can't seem to get access to the servers when I port forward.

Here is the relevant configuration section. What am I doing wrong?


interface FastEthernet0/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/3/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 10
 ppp authentication chap callin
 ppp chap hostname ******
 ppp chap password 0 *******
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.33 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.33 443 interface Dialer1 443
!
access-list 10 permit 10.0.2.0 0.0.0.255
dialer-list 10 protocol ip permit
!
!
!

 

 

1 Accepted Solution

Hello,

that was a typo indeed:

--> ip tcp adjust-mass 1452

should be:

--> ip tcp adjust-mss 1452

23 Replies

ChrisUK (Level 1)

I figured out that port forwarding is working as expected.

But it has led me to the discovery that I know nothing about ACLs. Well, I didn't; I now know enough to be dangerous.

So, I still have a problem. I have created an extended ACL; this has permitted access to the server on two ports, which is great, but only from the WAN. I didn't think to check on a device outside of the network until 10 minutes ago.

This is where I'm at now; any help would be appreciated in resolving this issue.

interface FastEthernet0/0
 no ip address
 ip access-group WEBSITES in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 10
 ppp authentication chap callin
 ppp chap hostname ***
 ppp chap password 7 ***
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.17 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.17 443 interface Dialer1 443
!
ip access-list extended INSIDEOUT
 permit tcp any any established
ip access-list extended WEBSITES
 permit tcp any host 10.0.2.17 eq www
 permit tcp any host 10.0.2.17 eq 443
!
access-list 10 permit 10.0.2.0 0.0.0.255

I have tried replacing list 10 in the overload with the INSIDEOUT ACL; no joy there, it just blocked my internet.

Hello,

what are you trying to accomplish, allow access to the server on just these two ports? Try the changes to the access list below:

ip access-list extended WEBSITES
 permit tcp any host 10.0.2.17 eq www
 permit tcp any host 10.0.2.17 eq 443
--> deny ip any host 10.0.2.17
--> permit ip any any
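As an added illustration (not part of the thread and not Cisco's code), the block below parses the WEBSITES list as first posted and as amended by the two suggested lines, then evaluates a few constructed packets against each under IOS first-match semantics, so the difference between the implicit deny at the end of every ACL and the explicit deny plus trailing permit ip any any is visible. It assumes only the any/host address forms and the eq, range and established keywords that appear in this thread.

```python
# Added example (not from the thread): a small evaluator for IOS-style extended
# ACL lines, to show first-match order and the implicit deny at the end.
import ipaddress

PORTS = {"www": 80, "smtp": 25}  # IOS port keywords used in such lists
def _port(t): return PORTS.get(t) or int(t)

def _addr(tok):
    # Consume 'any' or 'host X'; return (network, remaining tokens).
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    if tok[0] == "host":
        return ipaddress.ip_network(tok[1] + "/32"), tok[2:]
    raise ValueError(f"unsupported address spec: {tok[0]}")

def parse_acl(text):
    """Parse the permit/deny lines of an 'ip access-list extended' block."""
    entries = []
    for line in text.splitlines():
        tok = line.replace("-->", "").split()  # tolerate the thread's markers
        if tok and tok[0] in ("permit", "deny"):
            src, rest = _addr(tok[2:])
            dst, rest = _addr(rest)
            lo, hi = 0, 65535                      # no port clause: any port
            if rest and rest[0] == "eq":
                lo = hi = _port(rest[1])
            elif rest and rest[0] == "range":
                lo, hi = _port(rest[1]), _port(rest[2])
            entries.append((tok[0], tok[1], src, dst, lo, hi, "established" in rest))
    return entries

def evaluate(acl, proto, src, dst, dport=0, established=False):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet, lo, hi, est in acl:
        if (p in ("ip", proto) and s in snet and d in dnet
                and lo <= dport <= hi and (established or not est)):
            return action
    return "deny"

# The WEBSITES list as first posted, then with the two suggested lines added.
ORIGINAL = """ip access-list extended WEBSITES
 permit tcp any host 10.0.2.17 eq www
 permit tcp any host 10.0.2.17 eq 443
"""
FIXED = ORIGINAL + "--> deny ip any host 10.0.2.17\n--> permit ip any any\n"

# Constructed samples (203.0.113.9 is a documentation address): HTTPS to the
# server, SSH to the server, return traffic for a LAN PC's outbound session.
SAMPLES = [("tcp", "203.0.113.9", "10.0.2.17", 443, False),
           ("tcp", "203.0.113.9", "10.0.2.17", 22, False),
           ("tcp", "203.0.113.9", "10.0.2.50", 51000, True)]

def verdicts(text):
    acl = parse_acl(text)  # one verdict per sample packet under this ACL text
    return [evaluate(acl, *pkt) for pkt in SAMPLES]
```

Under the original list the LAN PC's return traffic is dropped by the implicit deny; the amended list denies only the non-web traffic aimed at the server and lets everything else through.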

Thank you for the response. Yes, that's one part of it and I will implement those.

My problem at the moment is that when I use the website's FQDN, either I'm blocked at the router getting to the server or the server is prevented from responding; I don't know which, or how to find out.

If I try to manage the website by its LAN IP address I get all sorts of error messages (SSL cert not valid for the IP address, only for the FQDN), so I need to fix the ACL.

I have a computer connected to the same LAN that cannot connect to the server by its FQDN. DNS is resolved.

It seems that there is something in the ACL blocking me from connecting to it at all; a review of the server's access logs shows no sign of my attempting to connect, so it must be that the ACL is blocking the outbound connection to a local server?

I'm somewhat confused.

Hello,

you can actually specify the FQDN in the access list. You need to have:

ip domain-lookup
ip name-server 8.8.8.8

enabled.

Try and add the below (marked in bold) to the access list:

ip access-list extended WEBSITES
permit tcp any host 10.0.2.17 eq www
permit tcp any host 10.0.2.17 eq 443
permit ip any host host.domain.com
--> deny ip any host 10.0.2.17
--> permit ip any any

Hello,
What is your end goal here? Do you wish only traffic initiated from your internal LAN to be allowed back into your network, apart from externally initiated traffic towards your internal web server?

If so, below is an example of a basic reflective access-list that would accomplish this.
It would allow any LAN traffic leaving the WAN interface and then create a reflective access-list called ACL so the return traffic can be evaluated before being allowed in. The exception to this would be any externally initiated web server traffic, which would not be evaluated.


ip access-list extended Lan_traffic
 permit ip any any reflect ACL
!
ip access-list extended Wan_websrv_traffic
 permit tcp any any range www 443
 evaluate ACL
!
interface x/x
 description WAN Interface
 ip access-group Lan_traffic out
 ip access-group Wan_websrv_traffic in


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your response, Paul.

When you put it in those terms, yes, that is exactly what I am looking for. I guess this puts the servers into a sort of DMZ?

I can live with that. The hosts all have their own software firewalls and I will get a hardware appliance later down the road.

I am reworking my topology right now to break it up into VLANs.

Update: I've mocked up the topology as I can achieve it right now.

[Topology diagram: Servers, office and wifi VLANs]

So this will be router-on-a-stick: router interface fa0/1.x, with fa0/0 being the WAN interface.

I will attempt your suggestion. One further step though: as the servers will be accepting ALL IP protocols, I would want to prevent them from accessing other VLANs unless initiated on said VLANs, as a safeguard.

Hello

@ChrisUK wrote:

I am reworking my topology right now to break it up into VLANs.

[Topology diagram: Servers, office and wifi VLANs]

So this will be router-on-a-stick: router interface fa0/1.x, with fa0/0 being the WAN interface.

One further step though: as the servers will be accepting ALL IP protocols, I would want to prevent them from accessing other VLANs unless initiated on said VLANs, as a safeguard.

Okay, when you do this part you also have additional options: you could put the server VLAN in its own VRF subnet so it would be excluded from the VLANs, or you could apply a routed access-list on the server VLAN to only allow initiated TCP established traffic and specific UDP traffic to respond.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I am working on it shortly. I have a small wired requirement with a larger wireless device pool, pretty standard I assume.

I've added a diagram to my last post to visualise where I am headed with this.

I've just done the VLANs and router configs in a text file.

Router 2801:

int fa0/1
 ip nat inside
 no shut

int fa0/1.2
 encapsulation dot1Q 2
 ip address 10.0.2.1 255.255.255.0

int fa0/1.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0

int fa0/1.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.0

int fa0/1.30
 encapsulation dot1Q 30
 ip address 10.0.30.1 255.255.255.0

int fa0/1.48
 encapsulation dot1Q 48
 ip address 10.0.48.1 255.255.255.0

int fa0/1.99
 encapsulation dot1Q 99 native
 ip address 10.0.99.1 255.255.255.0

interface FastEthernet0/0
 description WAN Interface
 no ip address
 ip access-group LAN_Traffic out
 ip access-group WAN_Websrv in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10

interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 10
 ppp authentication chap callin
 ppp chap hostname 
 ppp chap password 7 
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept

ip access-list extended LAN_Traffic
 permit tcp any any reflect ACL

ip access-list extended WAN_Websrv
 permit tcp any any range www 443
 evaluate ACL

line con 0
 logging synchronous
line aux 0
line vty 0 4
 privilege level 15
 password 7 
 logging synchronous
 login
line vty 5 15
 privilege level 15
 password 7 
 logging synchronous
 login
end

Switch: 3560 L3

vlan 2
 name servers

vlan 10
 name office

vlan 20
 name wifi

vlan 48
 name mgmt

vlan 99
 name native

int vlan 48
 ip address 10.0.48.1 255.255.255.0
 exit

ip default-gateway 10.0.0.1

int fa0/1
 switchport mode trunk
 switchport trunk allowed vlan 1,2,10,20,30,48
 switchport trunk native vlan 99

int fa0/2
 switchport mode access
 switchport access vlan 2
int fa0/3
 switchport mode access
 switchport access vlan 2
int fa0/4
 switchport mode access
 switchport access vlan 2
int fa0/5
 switchport mode access
 switchport access vlan 2
int fa0/6
 switchport mode access
 switchport access vlan 2
int fa0/7
 switchport mode access
 switchport access vlan 2
int fa0/8
 switchport mode access
 switchport access vlan 2
int fa0/9
 switchport mode access
 switchport access vlan 2
int fa0/10
 switchport mode access
 switchport access vlan 10
int fa0/11
 switchport mode access
 switchport access vlan 10
int fa0/12
 switchport mode access
 switchport access vlan 10
int fa0/13
 switchport mode access
 switchport access vlan 10
int fa0/14
 switchport mode access
 switchport access vlan 10
int fa0/15
 switchport mode access
 switchport access vlan 10
int fa0/16
 switchport mode access
 switchport access vlan 10
int fa0/17
 switchport mode access
 switchport access vlan 10
int fa0/18
 switchport mode access
 switchport access vlan 10
int fa0/19
 switchport mode access
 switchport access vlan 10
int fa0/20
 switchport mode access
 switchport access vlan 20
int fa0/21
 switchport mode access
 switchport access vlan 20
int fa0/22
 switchport mode access
 switchport access vlan 20
int fa0/23
 switchport mode access
 switchport access vlan 20
int fa0/24
 switchport mode access
 switchport access vlan 20
int fa0/25
 switchport mode access
 switchport access vlan 20
int fa0/26
 switchport mode access
 switchport access vlan 20
int fa0/27
 switchport mode access
 switchport access vlan 20
int fa0/28
 switchport mode access
 switchport access vlan 20
int fa0/29
 switchport mode access
 switchport access vlan 20

int fa0/48
 switchport mode access
 switchport access vlan 48

end

As you can see, I've included your ACLs.

My previous post is full of errors; I wanted to edit it to just snip that away, but no such luck, too late I guess. Anyway, after a lot of silly corrections these two files ran through clean.

I got the VLANs set up and DHCP working. However, I was unable to connect to the internet. It took me a while to realise a rookie mistake: I forgot to no shut fa0/0 on the router.

Still, after turning the interface on, I'm still not getting internet with the attached files, so I have reverted my changes while I get this figured out.

I've included the network map again so it's all here in this reply.

Hello,

make the changes/additions marked in bold to your configuration. I would remove the reflexive access list as well, just to see if you can establish basic Internet connectivity first:

ip dhcp excluded-address 10.0.1.1 10.0.1.2
!
ip dhcp pool vlan1
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.2.1 10.0.2.2
ip dhcp pool vlan2
network 10.0.2.0 255.255.255.0
default-router 10.0.2.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.10.1 10.0.10.2
!
ip dhcp pool vlan10
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 8.8.8.8 8.8.4.4
lease 30
!
ip dhcp excluded-address 10.0.20.1 10.0.20.2
!
ip dhcp pool vlan20
network 10.0.20.0 255.255.255.0
default-router 10.0.20.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.30.1 10.0.30.2
!
ip dhcp pool vlan30
network 10.0.30.0 255.255.255.0
default-router 10.0.30.1
dns-server 8.8.8.8 8.8.4.4
!
ip dhcp excluded-address 10.0.48.1 10.0.48.2
!
ip dhcp pool vlan48
network 10.0.48.0 255.255.255.0
default-router 10.0.48.1
dns-server 8.8.8.8 8.8.4.4

!

int fa0/1
ip nat inside
no shut
!
int fa0/1.1
encapsulation dot1Q 1
ip address 10.0.1.1 255.255.255.0
--> ip nat inside
!
int fa0/1.2
encapsulation dot1Q 2
ip address 10.0.2.1 255.255.255.0
--> ip nat inside
!
int fa0/1.10
encapsulation dot1Q 10
ip address 10.0.10.1 255.255.255.0
--> ip nat inside
!
int fa0/1.20
encapsulation dot1Q 20
ip address 10.0.20.1 255.255.255.0
--> ip nat inside
!
int fa0/1.30
encapsulation dot1Q 30
ip address 10.0.30.1 255.255.255.0
--> ip nat inside
!
int fa0/1.48
encapsulation dot1Q 48
ip address 10.0.48.1 255.255.255.0
--> ip nat inside
!
int fa0/1.99
encapsulation dot1Q 99 native
ip address 10.0.99.1 255.255.255.0
--> ip nat inside
!
interface FastEthernet0/0
description WAN Interface
no ip address
--> no ip access-group LAN_Traffic out
--> no ip access-group WAN_Websrv in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 10
no shut
!
interface Dialer1
ip address negotiated
--> ip nat outside
ip mtu 1492
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 10
--> ip tcp adjust-mass 1452
ppp authentication chap callin
ppp chap hostname snipped
ppp chap password 7 snipped
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!
--> ip nat inside source list 1 int Dialer1 overload
--> ip route 0.0.0.0 0.0.0.0 Dialer 1
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
ip access-list extended LAN_Traffic
permit tcp any any reflect ACL
!
ip access-list extended WAN_Websrv
permit tcp any any range www 443
evaluate ACL
end

 

Okay, looks like things are working on the internet front; I've just dropped the ACLs back into place and I have connectivity. Thank you for your help on those. I presumed that having nat inside on the interface meant it wouldn't be needed on the sub-interfaces, and I totally forgot to overload.

The MTU line didn't work, maybe a typo, mass? I have one with mss.

Hello,

that was a typo indeed:

--> ip tcp adjust-mass 1452

should be:

--> ip tcp adjust-mss 1452

No problem, I figured it might be.

In any case I am back to where I started, after a fashion. I now have VLANs in place, which wasn't how this started; I had intended to move in that direction later, but it's a win for me all the same.

I have internet on the LANs, which is great.

I've also found out that there is nothing blocking me, but I'm having a problem with this section:

ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.3 993 interface Dialer1 993
ip nat inside source static tcp 10.0.2.3 587 interface Dialer1 587
ip nat inside source static tcp 10.0.2.3 25 interface Dialer1 25
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
ip nat inside source static 10.0.2.142 interface Dialer1
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80

 

I can get to the website just fine with this, but the mail ports are routing to the wrong server, and I'm unable to remove the bold line: static router in use.

Well, what do you know, being banned served a purpose.

2020-05-10 12:57:09,849 fail2ban.actions [1459]: NOTICE [dovecot] Ban 10.0.10.3

It's logged my local address, which I am not sure is correct; I am using the FQDN, but it seems I get rerouted before I hit the WAN. I'm getting mail in as expected on the correct server, I can see that in the mail logs, but I can't read them.

This seems to be the same issue I had with the website: getting routed locally.

Hello,

try and remove all other statements related to that IP address first, in this order:

--> no ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
--> no ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80

and then:

--> no ip nat inside source static 10.0.2.142 interface Dialer1
