Port Forwarding on 881 doesn't work

Hello. I'm not into Cisco at all, but fate has decided that I ought to make some changes in my Cisco 881 router. I need to forward several ports to allow users to connect through a VPN tunnel to a WinServer2019 which is behind NAT.

My public IP is x.x.171.5, the router's local IP is 192.168.11.5 and the destination local server IP is 192.168.11.3.

So I guess I needed to forward UDP 500 and UDP 4500 from x.x.171.5 to 192.168.11.3.

I've read a whole lot of manuals, managed to connect to the router via PuTTY, and made some changes according to the docs (like "ip nat inside source static udp 192.168.11.3 500 x.x.171.5 500 extendable").

Now, if I execute the command "show ip nat translation", I can see the changes I made:

udp x.x.171.5:500 192.168.11.3:500 --- ---
udp x.x.171.5:4500 192.168.11.3:4500 --- ---


BUT the ports are still closed and I'm unable to connect to the local server from the outside net. What do I do?

Thanks.

Accepted Solution

balaji.bandi (Hall of Fame)

Syntax looks OK.

Other information required:

1. Can you post the full configuration?

2. Check whether any other ACL is stopping the traffic.

3. Is the server listening on those ports?

4. Can you test locally: telnet serverip 500 and 4500?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


6 Replies


Not sure about ACL rules. The firewall is temporarily down, but telnet ServerIp 500 says connection error. Hm...


Here is the config:

cisco881#show run
Building configuration...

Current configuration : 3540 bytes
!
! Last configuration change at 15:00:43 UTC Wed Sep 9 2020 by admin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$zzTw$YYGpi7ieLw12hFlCy0
!
aaa new-model
!
!
aaa authentication login default local
!
!
!
!
!
aaa session-id common
ppp packet throttle 30 1 30
memory-size iomem 10
!
!
!
!
!
!


!
!
!
!
ip domain name router.domain
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect name INSPECT_OUT dns
ip inspect name INSPECT_OUT ntp
ip inspect name INSPECT_OUT http
ip inspect name INSPECT_OUT https
ip inspect name INSPECT_OUT ftp
ip inspect name INSPECT_OUT icmp router-traffic
ip inspect name INSPECT_OUT tcp router-traffic
ip inspect name INSPECT_OUT udp router-traffic
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
!
!
!
!
license udi pid C881-K9 sn FGL192522FB
!
!
username admin privilege 15 secret 5 $1$s/43$NBIG00LV6h9i6COe/
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Vlan1
description INSIDE
ip address 192.168.11.5 255.255.255.0
ip accounting output-packets
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname v1830552
ppp chap password 7 0316531F52592A554A
ppp pap sent-username v18552 password 7 071D29581F121C13
no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat pool FTPSRV 192.168.11.3 192.168.11.3 netmask 255.255.255.0 type rotary
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.11.2 20 x.x.171.5 20 extendable
ip nat inside source static tcp 192.168.11.2 21 x.x.171.5 21 extendable
ip nat inside source static udp 192.168.11.3 500 x.x.171.5 500 extendable
ip nat inside source static udp 192.168.11.3 4500 x.x.171.5 4500 extendable
ip nat inside destination list FTPRULE pool FTPSRV
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended FTPRULE
permit tcp any any range ftp-data ftp
permit tcp any any range 50000 50100
ip access-list extended OUTSIDE-->IN
permit tcp any any eq ftp
permit tcp any any eq ftp-data
deny ip any any log
!
!
access-list 1 permit 192.168.11.0 0.0.0.255
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 103 permit ip any any
access-list 114 permit ip any host 192.168.11.2
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

balaji.bandi (Hall of Fame)

How did you get this IP address, x.x.171.5? Is this a static IP?

The syntax below will help you to test:

ip nat inside source static udp 192.168.11.3 500 interface Dialer0 500 extendable
ip nat inside source static udp 192.168.11.3 4500 interface Dialer0 4500 extendable

telnet ServerIp 500 << hope you have replaced SERVERIP with the IP?

Example: telnet 192.168.11.3 500

BB


Yeah, I've just manually hidden the correct IP with x symbols, for security reasons.

Telnet won't show anything, since there aren't any clients listening on port 500 or 4500.

Anyway, your first reply pushed me into re-thinking some steps and I found out what was wrong with my VPN port forwarding. I had to additionally forward UDP 1701 for L2TP/IPsec, plus make some minor changes in security settings, and the VPN went up. Thanks, buddy.
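As an added example (my own code, not from the thread or from Cisco), a small Python checker that applies the accepted answer's checklist to a saved `show run`: it lists the static port forwards, reports which of the UDP ports an L2TP/IPsec client needs (500, 4500 and the 1701 the poster had to add) are not forwarded to the server, and shows which interfaces actually have an access-group applied. The sample config is a constructed excerpt of the posted one, with the public IP masked the same way.

```python
import re

# Constructed sample: NAT-relevant lines of the posted "show run", public IP masked.
SAMPLE_CONFIG = """\
interface Dialer0
 ip nat outside
!
interface Vlan1
 ip nat inside
!
ip nat inside source static udp 192.168.11.3 500 x.x.171.5 500 extendable
ip nat inside source static udp 192.168.11.3 4500 x.x.171.5 4500 extendable
"""

# UDP ports an L2TP/IPsec client must reach: IKE (500), NAT-T (4500), L2TP (1701).
L2TP_IPSEC_PORTS = {("udp", 500), ("udp", 4500), ("udp", 1701)}

# Matches both the "global-ip" and the "interface <name>" forms of the command.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface \S+|\S+) (\d+)")

def static_forwards(config):
    """{(proto, global_port): (inside_ip, inside_port)} for every static port NAT line."""
    out = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, ip, lport, gport = m.groups()
            out[(proto, int(gport))] = (ip, int(lport))
    return out

def missing_l2tp_forwards(config, server_ip):
    """Required (proto, port) pairs that are not forwarded to server_ip, sorted."""
    fwd = static_forwards(config)
    return sorted(p for p in L2TP_IPSEC_PORTS if fwd.get(p, (None,))[0] != server_ip)

def applied_acls(config):
    """interface name -> [(acl, direction)] from 'ip access-group' sub-commands."""
    acls, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            acls[iface] = []
        elif line.startswith("!"):
            iface = None            # '!' closes the interface block in show run
        elif iface:
            m = re.match(r"\s*ip access-group (\S+) (in|out)", line)
            if m:
                acls[iface].append((m.group(1), m.group(2)))
    return acls
```

Run against the full posted config it reports UDP 1701 as missing and no access-group on any interface, which is where the thread ended up.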

Glad all went well, good to hear it's all sorted, and thanks for marking it as resolved.

BB


Hello,

--> I need to forward several ports to allow users to connect thru VPN tunnel to WinServer2019 which is behind NAT.

Your VPDN configuration is incomplete. How are your users trying to access the server?
