04-13-2010 09:46 AM - edited 03-04-2019 08:08 AM
Below are my complete configs. As you can probably see, I'm attempting to forward ports UDP 1194 and TCP 443 to my server (old desktop converted to openvpn server). But as far as I can tell the ports aren't being forwarded (i.e. openvpn is running on that server, all configs look good, but I'm seeing no attempted connections, no logs from attempts to connect). Can anyone see any problems with my config that would cause this?
service password-encryption
hostname myrouter
enable secret XXXXX
aaa new-model
aaa session-id common
ip cef
!
ip dhcp excluded-address
ip dhcp excluded-address 192.168.0.1 192.168.0.60
ip dhcp pool HOMENET
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.4 68.87.85.102
!
ip domain name rtp.private.private
ip ssh time-out 60
username onyxwolf password XXXX
!
interface FastEthernet0/0
description Internal_Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no shutdown
!
interface FastEthernet0/1
description Web_Side
ip address dhcp
ip access-group inboundfilters in
ip access-group outboundfilters out
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
no cdp enable
no shutdown
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194
!
ip access-list extended inboundfilters
permit udp any any eq bootps
permit udp any any eq bootpc
permit tcp any any eq 443
permit udp any any eq 1194
deny ip 192.168.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 255.0.0.0 0.255.255.255 any
deny ip host 0.0.0.0 any
evaluate udptraffic
evaluate tcptraffic
evaluate icmptraffic
!
ip access-list extended outboundfilters
permit udp any any eq bootps
permit udp any any eq bootpc
permit udp any any reflect udptraffic
permit tcp any any reflect tcptraffic
permit icmp any any reflect icmptraffic
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
line vty 0 4
transport input ssh
04-13-2010 09:57 AM
I just have a very similar problem; I did a little bit of debugging, you may check: NAT port forwarding not working (WAN, NAT, VLAN, WWW internal server)
If you find the solution let me know!
thx
04-13-2010 10:38 AM
Your config looks good, but I'm not too familiar with the evaluate commands. Have you tried removing the inbound filter (temporarily) for testing?
04-13-2010 10:58 AM
I haven't. I'll try that; I really need to set up SSH so I can do it remotely. It scares me to give access to my router like that. Is there a way to set the router's SSH to check a client's keys?
The evaluate command tells it to run that traffic through the temporary access lists created by a connection that triggers the outbound access-list. For example, the outboundfilters rule permit tcp any any reflect tcptraffic makes a temporary list called tcptraffic when any TCP connection goes through it. The inboundfilters rule evaluate tcptraffic basically adds that tcptraffic list to the inboundfilters ACL. That connection is removed from the tcptraffic list as soon as a FIN goes through it. UDP and ICMP work a little differently (the reflect list entries flip ports and do some weird stuff), but since there is no FIN packet, it waits 300 seconds (the default; I changed it to 120) and then deletes that entry from the lists.
I'll try removing the list access-group, but really it should see that permit before anything else right?
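A small model (added here, not code from the thread) of how the inboundfilters/outboundfilters lists above behave: explicit inbound permits for tcp 443 and udp 1194 match first, evaluate consults entries that outbound traffic reflected, TCP entries go away on FIN, and UDP entries expire on the idle timer. Addresses, ports and timings are constructed.

```python
class ReflexiveFirewall:
    """Toy model of IOS reflexive ACLs (illustration only, not IOS code).

    static_inbound: set of (proto, dst_port) permitted before any evaluate line,
    like 'permit tcp any any eq 443' / 'permit udp any any eq 1194'.
    timeout: idle timeout for reflected entries ('ip reflexive-list timeout').
    """
    def __init__(self, static_inbound, timeout=300):
        self.static_inbound = set(static_inbound)
        self.reflected = {}          # (proto, src, sport, dst, dport) -> expiry
        self.timeout = timeout

    def outbound(self, proto, src, sport, dst, dport, now):
        # 'permit <proto> any any reflect NAME': the outbound packet creates a
        # mirrored entry (addresses and ports swapped) for the return traffic.
        self.reflected[(proto, dst, dport, src, sport)] = now + self.timeout
        return "permit:reflect-created"

    def inbound(self, proto, src, sport, dst, dport, now, fin=False):
        # Static permits are evaluated top-down before the 'evaluate' lines.
        if (proto, dport) in self.static_inbound:
            return "permit:static"
        key = (proto, src, sport, dst, dport)
        expiry = self.reflected.get(key)
        if expiry is None or now > expiry:
            self.reflected.pop(key, None)      # expired or never reflected
            return "deny"
        if proto == "tcp" and fin:
            del self.reflected[key]            # TCP entry removed on FIN
            return "permit:reflected"
        self.reflected[key] = now + self.timeout   # traffic refreshes the idle timer
        return "permit:reflected"


if __name__ == "__main__":
    # Constructed sample: poster's static permits, timeout lowered to 120 s.
    fw = ReflexiveFirewall({("tcp", 443), ("udp", 1194)}, timeout=120)
    print(fw.inbound("tcp", "203.0.113.9", 50000, "192.168.0.5", 443, now=0))
    print(fw.inbound("udp", "203.0.113.9", 50000, "192.168.0.5", 5000, now=0))
    fw.outbound("udp", "192.168.0.7", 40000, "198.51.100.53", 53, now=0)
    print(fw.inbound("udp", "198.51.100.53", 53, "192.168.0.7", 40000, now=100))
    print(fw.inbound("udp", "198.51.100.53", 53, "192.168.0.7", 40000, now=300))
```

The inbound ACL on the outside interface is checked before the static NAT translation, which is why the permits use "any" as the destination rather than 192.168.0.5.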
04-13-2010 12:05 PM
Seems your problem is with the outbound filter.
Anyway, please let us know if by removing the ACL from the interface it works.
Federico.
04-13-2010 03:04 PM
What you have configured is called a reflexive access-list. It's the complicated old feature in IOS.
I would suggest that you use CBAC for simplicity if you have both inbound and outbound ACL.
All you need to configure is the "ip inspect" for UDP and TCP if you would like to keep it simple for now:
ip inspect name inbound-cbac tcp
ip inspect name inbound-cbac udp
ip inspect name outbound-cbac tcp
ip inspect name outbound-cbac udp
interface FastEthernet0/1
ip inspect inbound-cbac in
ip inspect outbound-cbac out
Then tidy both your inbound and outbound access-lists to just normal ACLs permitting traffic inbound and outbound (without the evaluate and dynamic name).
More on CBAC:
Hope that helps
04-13-2010 03:14 PM
From what I understand, CBAC is only available with the security IOS, or the firewall addition on my router, an 1841, but I don't have it nor will I be able to get it, so reflexive rules will have to work for now. I am almost off work, so I can test that and let you know.
04-16-2010 05:01 PM
It turned out to be a server issue (the openvpn service needed a reset). The reason I assumed it was router side is because it happened when I swapped my Linksys out for my Cisco router. Damn coincidences! Everything is working great now! ACLs were all fine and I confirmed that my router does not support CBAC, so I will live with reflexive. It's funny that they edit out the expletive that is a homophone to dam (like the beavers build).