07-12-2011 04:05 AM - edited 03-04-2019 12:57 PM
Hi,
I am hoping that someone might be able to help me. I have recently purchased a Cisco 887w router for my small business to replace our Netgear DGN-3500. We have made the change to allow greater access to our internal IT infrastructure from remote locations. For the most part I have been able to work through the configuration but I have reached a point now where I can go no further. The WLAN, LAN and WAN all seem to be working well together as a basic setup but I cannot get any port forwarding/NAT to work.
So far I have attempted to configure two NATd services, both with the same result. I am trying to direct port 80 through to our web server, and port 444 to our VPN server. Both seem to undergo translation ok (if I am reading ip nat trans output correctly) but then the packets disappear. The VPN client announces that the connection timed out, and the browser goes nowhere. Also, if I use an online port check it tells me that 80 and 444 are closed, with no packets returned.
I have spent a few days with no progress and so am hoping that someone can point me in the right direction. The output of the log (attached txt file) might be meaningful to someone with a stronger background with Cisco routers... I have also included the config and some other output that might be useful.
Regards,
Dave
07-12-2011 05:44 AM
Hello Dave,
This seems like the packets are dropped by the firewall config. We are missing the zone-pair configuration for traffic coming from the outside toward the inside network. You could confirm by removing the "zone-member" commands from both the inside and outside interfaces.
Let me know if it helps.
Warm Regards,
Rose
07-12-2011 04:38 AM
Hi Dave,
The configuration looks fine.
Do the below things and see....
1. clear the nat translations on your 871 router "clear ip nat tra fo"
2. Try to telnet 203.59.99.999 on port 444 from outside and check.
HTH
Please click on the correct answer if this answered your question.
Regards,
Naidu.
07-13-2011 02:06 AM
Hi Rozsa,
I think you are absolutely correct! I have performed a quick test by removing the zone memberships from the interfaces and I was able to see the ports open.
I was unable to try the OpenVPN service, but the port 80 redirection failed with the CP Express page loading instead of the intended web page. Not quite working, but a big step forward.
I am unable to fully test or implement the solution at this point as it is during business hours, but I will try to take this further tonight.
Thanks so much for putting me on the right track!!!
Dave
07-13-2011 02:20 AM
Hi Dave,
Thanks for the update
I think the CP page loading would be because we have ip http server enabled. If you do not use GUI, disabling it should help. Otherwise, maybe configuring "ip http access-class" with an ACL to restrict the IPs to connect to the router via GUI could be tried.
Cheers,
Rose
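Added example, not from the thread or from Dave's attached config: an IOS zone-based firewall fragment that supplies the outside-to-inside zone-pair Rose identified as missing and restricts the router's own HTTP server as suggested in the follow-up. The zone names, the Dialer0/Vlan1 interfaces and the 192.168.1.x addresses are assumptions chosen for illustration.

```cisco
! Constructed values: OUTSIDE/INSIDE zones, Dialer0 as WAN, Vlan1 as LAN,
! 192.168.1.10 = web server, 192.168.1.20 = OpenVPN server (port 444).
!
! Static port forwards for the two published services.
ip nat inside source static tcp 192.168.1.10 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.20 444 interface Dialer0 444
!
! For traffic arriving from the outside, NAT runs before the firewall
! classifies the packet, so the ACL matches the inside (private) addresses.
! Only the two forwarded services are permitted; everything else is dropped.
ip access-list extended ACL-OUT-TO-IN
 permit tcp any host 192.168.1.10 eq 80
 permit tcp any host 192.168.1.20 eq 444
!
class-map type inspect match-all CMAP-OUT-TO-IN
 match access-group name ACL-OUT-TO-IN
!
policy-map type inspect PMAP-OUT-TO-IN
 class type inspect CMAP-OUT-TO-IN
  inspect
 class class-default
  drop log
!
! The zone-pair the accepted answer says is missing. With no zone-pair,
! the zone-based firewall drops all inter-zone traffic, so the translated
! packets never reach the servers even though "show ip nat translations"
! shows the translation.
zone security INSIDE
zone security OUTSIDE
interface Vlan1
 zone-member security INSIDE
interface Dialer0
 zone-member security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect PMAP-OUT-TO-IN
!
! Follow-up point from the thread: keep CP Express from answering port 80
! in place of the forwarded web server. Either restrict the router's web UI
! to the LAN with an access-class, or disable it entirely if the GUI is unused.
access-list 10 permit 192.168.1.0 0.0.0.255
ip http access-class 10
! Alternative when the GUI is not needed:
! no ip http server
```

After applying, "show policy-map type inspect zone-pair OUT-TO-IN" should show sessions for the permitted ports and drop counters for everything else.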