TCP Packets being refused in bound

exulan
Level 1

I'm a bit of a newbie with this Cisco stuff, so bear with me. I have set up port forwarding as follows:

ip nat inside source static tcp 10.38.48.21 28919 159.196.177.138 28919 extendable

I do know that UDP works since I can connect to all applications using UDP externally, but TCP just gives a "Connection Refused" error. It seems like it's blocking all TCP ports because any port I test gives me a connection refused. The interesting bit, though, is that sites that allow you to test your ports show them being open. What I'm trying to connect to externally are my server's SSH and my HTTP/HTTPS on the servers. I'm able to access them using their LAN IPs, but any attempts to connect to them using the outside IP give me a "Connection Refused" message.

I have attached my full running config if that helps.


4 Replies

Richard Burts
Hall of Fame

The post says full running config is attached but I am not seeing anything.

HTH

Rick

Hmm, I attached it to the post directly where it says to attach files; I don't know why it didn't do it. Anyway, here's the full running config.

Building configuration...

Current configuration : 4994 bytes
!
! Last configuration change at 23:23:36 UTC Sun Mar 10 2024 by exulan
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname exulanit-router
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 BtnMltOwIfYHlzulDoaEYtAGcWlUtJo3OVGmm0xMeZA
!
no aaa new-model
!
ip cef
!
!
!
ip dhcp excluded-address 10.199.15.1 10.199.15.99
ip dhcp excluded-address 10.38.48.1 10.38.48.99
!
ip dhcp pool VLAN1
network 10.199.15.0 255.255.255.0
default-router 10.199.15.1
dns-server 1.1.1.1
!
ip dhcp pool VLAN88
network 10.38.48.0 255.255.255.0
default-router 10.38.48.1
dns-server 1.1.1.1
!
!
!
ip domain name exulanit.root
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
license udi pid CISCO1941/K9 sn FGL174128XM
!
!
username exulan secret 4 BtnMltOwIfYHlzulDoaEYtAGcWlUtJo3OVGmm0xMeZA
!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
!
!
interface Loopback1
no ip address
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip access-group 101 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp
!
interface GigabitEthernet0/1
ip address 10.199.15.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1.88
encapsulation dot1Q 88
ip address 10.38.48.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool 203-0 203.129.29.0 203.129.29.0 netmask 255.255.255.248
ip nat pool 203-1 203.129.29.1 203.129.29.1 netmask 255.255.255.248
ip nat pool 203-2 203.129.29.2 203.129.29.2 netmask 255.255.255.248
ip nat pool 203-3 203.129.29.3 203.129.29.3 netmask 255.255.255.248
ip nat pool 203-4 203.129.29.4 203.129.29.4 netmask 255.255.255.248
ip nat pool 203-5 203.129.29.5 203.129.29.5 netmask 255.255.255.248
ip nat pool 203-6 203.129.29.6 203.129.29.6 netmask 255.255.255.248
ip nat pool 203-7 203.129.29.7 203.129.29.7 netmask 255.255.255.248
ip nat pool 180-92 180.150.15.92 180.150.15.92 netmask 255.255.255.252
ip nat pool 180-93 180.150.15.93 180.150.15.93 netmask 255.255.255.252
ip nat pool 180-94 180.150.15.94 180.150.15.94 netmask 255.255.255.252
ip nat pool 180-95 180.150.15.95 180.150.15.95 netmask 255.255.255.252
ip nat inside source list 10 pool 203-5 overload
ip nat inside source list Main_Network interface GigabitEthernet0/0 overload
ip nat inside source list Server_Network interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.38.48.2 80 159.196.177.138 80 extendable
ip nat inside source static tcp 10.38.48.2 443 159.196.177.138 443 extendable
ip nat inside source static udp 10.38.48.21 3389 159.196.177.138 3389 extendable
ip nat inside source static tcp 10.38.48.19 9001 159.196.177.138 9001 extendable
ip nat inside source static tcp 10.38.48.17 11955 159.196.177.138 11955 extendable
ip nat inside source static udp 10.38.48.17 11955 159.196.177.138 11955 extendable
ip nat inside source static tcp 10.38.48.2 28919 159.196.177.138 28919 extendable
ip nat inside source static tcp 10.38.48.5 28920 159.196.177.138 28920 extendable
ip nat inside source static tcp 10.38.48.22 80 180.150.15.92 80 extendable
ip nat inside source static tcp 10.38.48.22 443 180.150.15.92 443 extendable
ip nat inside source static 10.38.48.4 180.150.15.94 route-map POWER8_ALL_PORTS_MAP
ip nat inside source static tcp 10.38.48.16 80 203.129.29.1 80 extendable
ip nat inside source static tcp 10.38.48.16 443 203.129.29.1 443 extendable
ip nat inside source static tcp 10.38.48.23 80 203.129.29.3 80 extendable
ip nat inside source static tcp 10.38.48.23 443 203.129.29.3 443 extendable
ip nat inside source static udp 10.38.48.23 443 203.129.29.3 443 extendable
ip nat inside source static tcp 10.38.48.20 9001 203.129.29.5 9001 extendable
ip nat inside source static 10.38.48.24 203.129.29.6 route-map ALL_PORTS_EMAIL_SERVER_MAP
ip route 0.0.0.0 0.0.0.0 159.196.176.1
!
ip access-list extended ALL_PORTS_EMAIL_SERVER
permit tcp any host 10.38.48.24 range 1 65535
permit udp any host 10.38.48.24 range 1 65535
ip access-list extended Main_Network
permit ip 10.199.15.0 0.0.0.255 any
ip access-list extended POWER8_ALL_PORTS
permit tcp any host 10.38.48.4 range 1 65535
permit udp any host 10.38.48.4 range 1 65535
ip access-list extended Server_Network
permit ip 10.38.48.0 0.0.0.255 any
!
!
route-map ALL_PORTS_EMAIL_SERVER_MAP permit 10
match ip address ALL_PORTS_EMAIL_SERVER
!
route-map POWER8_ALL_PORTS_MAP permit 10
match ip address POWER8_ALL_PORTS
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
scheduler allocate 20000 1000
!
end
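As an added check that is not part of the thread, here is a small Python audit that parses `ip nat inside source static` and `ip access-group` lines in the same format as the running config above and summarises what the router exposes: per-port forwards, hosts forwarded on every port via a route-map, the same outside socket claimed twice, and ACLs applied to an interface but never defined (run over the posted config it flags ACL 101 on GigabitEthernet0/0, which is applied but has no definition anywhere in the config). The excerpt is constructed from a few of the posted lines; the regexes and `audit_nat` function are my own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the same line format as the running config posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip access-group 101 in
 ip nat outside
ip nat inside source static tcp 10.38.48.2 80 159.196.177.138 80 extendable
ip nat inside source static tcp 10.38.48.2 443 159.196.177.138 443 extendable
ip nat inside source static udp 10.38.48.21 3389 159.196.177.138 3389 extendable
ip nat inside source static tcp 10.38.48.2 28919 159.196.177.138 28919 extendable
ip nat inside source static 10.38.48.4 180.150.15.94 route-map POWER8_ALL_PORTS_MAP
ip access-list extended Server_Network
 permit ip 10.38.48.0 0.0.0.255 any
"""

STATIC_PORT = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)")
STATIC_ALL = re.compile(r"^ip nat inside source static (\d+\.\d+\.\d+\.\d+) (\S+)")
ACL_APPLIED = re.compile(r"^\s*ip access-group (\S+) (?:in|out)")
ACL_DEFINED = re.compile(r"^(?:ip access-list (?:extended|standard) (\S+)|access-list (\d+) )")

def audit_nat(config: str) -> dict:
    """Summarise what an IOS config exposes to the outside through static NAT."""
    exposed = defaultdict(list)  # (outside_ip, proto, outside_port) -> ["inside:port", ...]
    all_ports, applied, defined = [], [], set()
    for line in config.splitlines():
        if m := STATIC_PORT.match(line):
            proto, inside, iport, outside, oport = m.groups()
            exposed[(outside, proto, int(oport))].append(f"{inside}:{iport}")
        elif m := STATIC_ALL.match(line):
            all_ports.append(m.group(1))  # every port of this host is reachable
        elif m := ACL_APPLIED.match(line):
            applied.append(m.group(1))
        elif m := ACL_DEFINED.match(line):
            defined.add(m.group(1) or m.group(2))
    return {
        "exposed": dict(exposed),
        "all_ports": all_ports,
        # same outside socket claimed twice: only one translation can win
        "duplicate_mappings": [k for k, v in exposed.items() if len(v) > 1],
        # ip access-group naming an ACL that is never defined filters nothing:
        # IOS permits all traffic through an undefined ACL
        "undefined_acls": sorted({a for a in applied if a not in defined}),
    }

if __name__ == "__main__":
    for key, value in audit_nat(SAMPLE_CONFIG).items():
        print(key, value)
```

Feed it the output of `show running-config` to get the same summary for a live box; an ACL in the `undefined_acls` list is worth defining explicitly, since an empty reference gives no filtering at all.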



interface GigabitEthernet0/0
ip address dhcp
ip access-group 101 in <<- this ACL can cause the issue 
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
ipv6 address dhcp

I have removed the ACL and I'm still having the issue. Another interesting thing I found out: if I enable the proxy on Cloudflare for my domains, I'm able to access the websites no problem, but externally, using the IP and domain without the proxy gives me the connection refused error.
