Solved: From anywhere, if I'm

keithlin.7321 · ‎06-27-2016

Edited: Resolve via teamviwer session it turns out to be a firewall issue at my end blocking strange port.

1)
Cisco router using ios 15.5. I am trying to setup static port address translation so anywhere in the internet can ssh into my pub ip address and it will go into a linux box in my network. The guides online is really straight forward, asking me to do the following `ip nat inside source static tcp <private_ip> 22 <public_ip> <$any port>`, but it didn't work I got a connection time out. I have a very minimal configuration too, nothing complicated. Iptables in the box is flushed. The windows box that's hosting the vm also have firewall disabled.

interface GigabitEthernet0/0/0
description public facing internet port
no ip dhcp client request dns-nameserver
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
description the box hosted a vm with ip address 192.168.38.225
switchport access vlan 200
!
interface Vlan200
ip address 192.168.38.1 255.255.255.0
ip nat inside
!
ip nat inside source list PRIVATE interface GigabitEthernet0/0/0 overload
interface GigabitEthernet0/0/0
description public facing internet port
no ip dhcp client request dns-nameserver
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
description the box I want ssh to with ip .225
switchport access vlan 200
!
interface Vlan200
ip address 192.168.38.1 255.255.255.0
ip nat inside
!
p nat inside source static tcp 192.168.38.225 22 14.7.122.44 13822 extendable
ip nat inside source list PRIVATE interface GigabitEthernet0/0/0 overload
ip access-list extended PRIVATE
permit ip 192.168.38.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
!

Francesco Molino · ‎06-28-2016

Ok let me recap just to be sure I'm understanding your concern.

From anywhere, if I'm reaching your public ip with any tcp ports it should redirect the traffic out to your internal linux machine?

Am I right?

There is no nat range command. You can use some acls and route-map, however if someone reaches the port tcp 1000 it will redirect to your internal on port 1000 not on port 22, but I maybe misunderstood your requirements.

When you say port 22 is being used, is it a linux alert or ios?

Could you do a sh ip nat translation and also a debug ip packet to see that packets are forwarded to your linux machine? If this the case, then this is an issue with your linix machine.

If I understood correctly your concern, it could be accomplished by using a firewall but I can do a test on a router and come back to you (even if I'm quite sure there will be no ways to do that, but let me test it).

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Francesco Molino · ‎06-27-2016

Hi

the nat command should be:

Ip nat inside source static tcp 192.168.38.225 22 14.7.122.44 22

OR (as your public interface is on dhcp)

Ip nat inside source static tcp 192.168.38.225 22 interface g0/0/0 22

Because you"ll do ssh on your public that will redirect it to your internal ip. The random port will be on your side not on your public ip you're trying to reach.

Also the extendable keywords isn't needed unless you want to have 2 nat for the same source.

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-27-2016

It seems there's a confusion. I want to fire up putty anywhere in the world. type in my public ip address and port 13822. then my router will redirect it to port 22 of 192.168.38.225 (one of my machine in the network). Also I tried that command before, when I try that it said "%Port 22 is being used by system"

Francesco Molino · ‎06-28-2016

Ok let me recap just to be sure I'm understanding your concern.

From anywhere, if I'm reaching your public ip with any tcp ports it should redirect the traffic out to your internal linux machine?

Am I right?

There is no nat range command. You can use some acls and route-map, however if someone reaches the port tcp 1000 it will redirect to your internal on port 1000 not on port 22, but I maybe misunderstood your requirements.

When you say port 22 is being used, is it a linux alert or ios?

Could you do a sh ip nat translation and also a debug ip packet to see that packets are forwarded to your linux machine? If this the case, then this is an issue with your linix machine.

If I understood correctly your concern, it could be accomplished by using a firewall but I can do a test on a router and come back to you (even if I'm quite sure there will be no ways to do that, but let me test it).

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-28-2016

From anywhere, if I'm reaching your public ip with any tcp ports it should redirect the traffic out to your internal linux machine? No. What I want is to be able to ssh into port 13822 from anywhere in the world and my router will direct that to port 22 of one of my machine inside my network. So if I do `ssh -p 13822 root@14.7.122.44`, it will as if it's ssh(ssh use port 22) into a machine inside my network, which is the machine with the ip 1982.168.38.225 in my case.

Francesco Molino · ‎06-28-2016

Ok sorry for that, now I get your point.

In your NAT you're referencing the IP 14.7.122.44. Does this IP belongs to your WAN interface?

to test, you can try to set the nat command as follow:

ip nat inside source static tcp 192.168.38.225 22 interface g0/0/0 13822

Anyway, if the public IP used is the one on your WAN interface it should work as well. The only thing is that your WAN is DHCP served and in case the IP changes, then you'll never have access remotely to your Linux machine.

Could you run a debug ip nat while you're trying to access remotely?

You should see something like:

*Jun 28 16:37:24.512: NAT*: s=PUBLIC_HOST, d=YOUR_PUBLIC_IP_RTR->192.168.38.225 [28710]

*Jun 28 16:37:24.513: NAT*: TCP s=22->13822, d=40607

Thanks

PS: Please don't forget to rate and mark as correct answer if this solved your issue

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-28-2016

Actually my public interface is dhcp, but the ip rarely changes. Yes I did use the following command ip nat inside source static tcp 192.168.38.225 22 interface g0/0/0 13822, nothing changes though, I am still unable to ssh into my box using port 13822. What I pass after the debug ip nat ? it's an incomplete command.

Francesco Molino · ‎06-28-2016

Which router are you using and IOS? You can add the detailed keyword at the end.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-28-2016

I have a isr4331

Cisco IOS XE Software, Version 03.16.01a.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S1a, RELEASE SOFTWARE (fc1)

core1#debug ip nat detail
IP NAT debugging is on for access list detail

When I try to ssh into the pub ip on port 13822, i got nothing from the router. no debug code. Am I suppose to open up something?

core1#show ip nat translations | i 13822
tcp 24.6.202.75:13822 192.168.38.225:22 --- ---

Francesco Molino · ‎06-28-2016

You're connected on the router through ssh or console?

Just a stupid remark, you have activated terminal monitor on enable mode?

With debug, you must see the nat traffic coming on the router itself.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-28-2016

Right now is via ssh. I did "term mon" and I did `sh logging`, didn't see anything new when I try to ssh into port 13822.

Francesco Molino · ‎06-28-2016

Could you paste your config?

Could you tell what are the possibilities of debug ip nat? Type debug ip nat with interrogation mark and send the output.

It's strange that debug ip nat only is not working.

Are you able to ping your wan router?

After that, if you can issue a debug ip packet to see if something is coming.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-28-2016

Could you paste your config?

http://pastebin.com/xYYwYJQn

Could you tell what are the possibilities of debug ip nat?

Type debug ip nat with interrogation mark and send the output.

core1#debug ip nat ?
<1-99> Access list forced
WORD Access list name
ha High Availability debugging

Are you able to ping your wan router?

Yes I am sshed into the router remotely and working on it right now.

After that, if you can issue a debug ip packet to see if something is coming.

How to do that? what parameter you want me to pass instead of the interrogation mark?

core1#debug ip packet ?
<1-199> Access list
<1300-2699> Access list (expanded range)
detail Print more debugging detail
<cr>

Francesco Molino · ‎06-28-2016

Hi

ISR 4331 is more likely ASR config. I don't have it right now in lab for testing.

debug ip packet that's it should be enough. Otherwise you can use monitor capture feature to see if something arrives to your router.

Could you change your nat config with the config below:

ip nat inside source statice 192.168.38.225 22 interface 13822

Some stuff have changed between IOS and IOS XE.

Or do you have a possibility to do a team viewer or webex?

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

keithlin.7321 · ‎06-28-2016

thanks a lot for the private teamviwer session you have bee a great help.

Static port address translation