
Port Forwarding Using a QNAP as an L2TP server

rjratliff
Level 1

Hello all,

I am stuck.  I have connected a QNAP TS-451+ NAS behind my router.  I am trying to use it as my VPN, but when I set up port forwarding on the router I am not having any luck.  It appears that I am forgetting something.

I have tried ip nat inside source static udp 192.168.xxx.xxx 500 interface Fa0/0 500 for all three ports (500/1701/4500) needed for L2TP, but I cannot seem to connect.

Any advice would be appreciated.


Hello,

I assume the 192.168.xxx.xxx address is the fixed LAN IP address of the NAS? As described in point 4 of the attached guide?

https://www.qnap.com/en/tutorial/con_show.php?op=showone&cid=3

That is correct

Hello,

Try to add the 'extendable' keyword to your static NAT entries, e.g.:

ip nat inside source static udp 192.168.xxx.xxx 500 interface Fa0/0 500 extendable

The router would not accept the extendable command.

Hello,

Try and use the actual IP address of the Fa0/0 in your NAT statement.

ip nat inside source static udp 192.168.xxx.xxx 500 xxx.xxx.xxx.xxx 500

I have a DHCP internet connection. Are you saying to assign the second group the router's IP, or the IP assigned from the ISP?

Francesco Molino
VIP Alumni

Hi,

I assume you've followed all QNAP steps for allowing VPN.

Do you have some logs on the QNAP? Does the traffic arrive at the QNAP or not?

Have you checked the NAT on the router and did you do a debug ip packet to validate that traffic is routed to your QNAP device?

Is there any ACL on the router? And what about the embedded firewall on your QNAP, did you open all L2TP ports?

Thanks
Francesco
PS: Please don't forget to rate and mark as correct answer if this answered your question

I have followed all QNAP instructions and enabled everything.  The logs on the QNAP list nothing.  

To be honest, I am not familiar with how to debug with ip packet.

All ports should be opened.  I am listing my current config below. 

Thanks!

Using 1604 out of 245752 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$qYXt$LQzyFm1E0Rli6M2bFBsS91
enable password XXXXXXXXXX
!
no aaa new-model
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.234
!
ip dhcp pool HOME_CLIENTS
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
!
!
!
multilink bundle-name authenticated
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
archive
 log config
  hidekeys
!
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
ip http server
no ip http secure-server
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.1.5 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.1.5 1701 interface GigabitEthernet0/0 1701
ip nat inside source static udp 192.168.1.5 4500 interface GigabitEthernet0/0 4500
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password XXXXXXXXXXX
 login
!         
scheduler allocate 20000 1000
!
end
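
Added example, not part of the original thread or anyone's posted code: a Python check of the static forwards in a config like the one above. It confirms that each UDP port the thread names for L2TP (500/1701/4500) is forwarded to the NAS, that each forward references an interface marked `ip nat outside`, and that the NAS address sits on an `ip nat inside` subnet. `audit_forwards` and `SAMPLE_CONFIG` are hypothetical names, and the sample is constructed from the relevant lines of the posted config.

```python
import ipaddress
import re

# Constructed sample: the NAT-relevant lines of the config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip nat inside source static udp 192.168.1.5 500 interface GigabitEthernet0/0 500
ip nat inside source static udp 192.168.1.5 1701 interface GigabitEthernet0/0 1701
ip nat inside source static udp 192.168.1.5 4500 interface GigabitEthernet0/0 4500
"""

L2TP_UDP_PORTS = {500, 1701, 4500}  # the three ports named in the thread
STATIC_RE = re.compile(
    r"^ip nat inside source static udp (\S+) \d+ interface (\S+) (\d+)", re.M)

def audit_forwards(config, nas_ip, required=L2TP_UDP_PORTS):
    """Return a list of problems with the static UDP forwards to nas_ip."""
    roles, nets, current = {}, {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split()[1]
        elif not line.startswith(" "):
            current = None  # left the interface sub-block
        elif current and line.strip() in ("ip nat inside", "ip nat outside"):
            roles[current] = line.split()[-1]
        elif current and (m := re.match(r"ip address (\S+) (\d\S+)$", line.strip())):
            nets[current] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
    problems, seen = [], set()
    for local, iface, gport in STATIC_RE.findall(config):
        if local != nas_ip:
            continue
        seen.add(int(gport))
        if roles.get(iface) != "outside":
            problems.append(f"udp/{gport} uses {iface}, which is not 'ip nat outside'")
    problems += [f"no static forward for udp/{p}" for p in sorted(required - seen)]
    host = ipaddress.ip_address(nas_ip)
    if not any(roles.get(i) == "inside" and host in n for i, n in nets.items()):
        problems.append(f"{nas_ip} is not on any 'ip nat inside' subnet")
    return problems
```

An empty result only means the forwards are configured consistently; whether the NAS receives and answers the traffic still has to be checked on the wire.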

Hi

Ok thanks. 

Can you paste the output of show ip nat transl?

Thanks
Francesco

Pro Inside global      Inside local       Outside local      Outside global
udp 76.xxx.xx.xx:500   192.168.1.5:500    ---                ---
udp 76.xxx.xx.xx:1701  192.168.1.5:1701   ---                ---
udp 76.xxx.xx.xx:4500  192.168.1.5:4500   ---                ---

We will do a global ACL (IP, not just UDP) to see what traffic is going through that server.

access-list 100 permit ip any host 192.168.1.5

debug ip packet 100 detail

Then, try to connect and copy/paste to this forum the output you had. Please put it into a text file.

Thanks
Francesco

Here we go

On your log file, there is a chat you had :-) 

Seriously, did you try to connect in L2TP? I see traffic forwarded to your NAS-Server.

Can you do the same test but add the statement below in your acl, to verify if it replies back:

access-list 100 permit ip host 192.168.1.5 any

I'm not very familiar with QNAP (I mostly use Synology) but could you check if you can enable some detailed logs?

Is the firewall enabled on the QNAP?

Thanks
Francesco