
Cisco 1841: port forwarding issue and router unavailability via telnet from Internet

DmityMarkelov
Level 1

Hello all, 

While configuring the router (I'm still new to this), I encountered the following problem:
the router is accessible via telnet from local network computers, and I can also use RDP to connect to local network computers from the local network.
But if I try to connect to the router at its external static address (WAN), the router rejects the connection. And I can't configure port forwarding from the Internet to the local machine 10.1.2.6.
Please advise where to look for the problem.

Thank you in advance

 

I attached the router configuration:

Building configuration...

Current configuration : 1557 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname UC-router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$c3Ts$RdCpFynnaSoENXaSpzwry1
!
aaa new-model
!
!
aaa authentication login default local
!
aaa session-id common
ip cef
!
!
!
!
ip domain name unitechannel.ru
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
username UC-user privilege 15 secret 5 $1$Gshr$PqMrgioix1SJ9IRxy9lFs0
!
!
ip ssh rsa keypair-name ssh
ip ssh version 1
!
!
!
!
interface FastEthernet0/0
ip address 176.xxx.xxx.80 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
!
interface FastEthernet0/1/1
!
interface FastEthernet0/1/2
!
interface FastEthernet0/1/3
!
interface Serial0/0/0
no ip address
shutdown
clock rate 2000000
!
interface Vlan1
ip address 10.1.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 176.xxx.xxx.1
!
!
ip http server
no ip http secure-server
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.2.6 3389 interface FastEthernet0/0 3389
!
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
permit any
!
access-list 100 permit tcp host 176.xxx.xxx.80 any eq telnet
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
transport input telnet
!
scheduler allocate 20000 1000
end
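
An added example, not part of the original thread and not Cisco tooling: a short Python audit of the exposure visible in the configuration posted above (SSHv1, the HTTP management server, telnet on the vty lines with no access-class, the RDP static NAT, and `permit any` in the NAT ACL). The rule names are hypothetical, and the parser assumes a section runs from its header to the next `!` or the next header, as in the paste above.

```python
import re
# Excerpt of the running-config posted above (flattened, as pasted on the page).
SAMPLE = """\
ip ssh version 1
!
ip http server
ip nat inside source list ACL_NAT interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.2.6 3389 interface FastEthernet0/0 3389
!
ip access-list standard ACL_NAT
permit 10.1.2.0 0.0.0.255
permit any
!
line vty 0 4
transport input telnet
"""
HEADERS = ("interface ", "line ", "ip access-list ")

def parse_blocks(text):
    """Split a config into global lines and {section header: child lines}."""
    top, blocks, cur = [], {}, None
    for line in map(str.strip, text.splitlines()):
        if line in ("", "!"):
            cur = None                          # '!' closes the open section
        elif line.startswith(HEADERS):
            cur = blocks.setdefault(line, [])   # a new header also closes the old one
        else:
            (top if cur is None else cur).append(line)
    return top, blocks

def audit(text):
    """Return findings (hypothetical rule names) for management and NAT exposure."""
    top, blocks = parse_blocks(text)
    out = [rule for cmd, rule in (("ip ssh version 1", "SSH-V1"), ("ip http server", "HTTP-MGMT")) if cmd in top]
    for line in top:
        if m := re.match(r"ip nat inside source list (\S+) ", line):
            acl = next((b for h, b in blocks.items() if h.startswith("ip access-list") and h.endswith(" " + m[1])), [])
            if "permit any" in acl:             # NAT ACL matches every source address
                out.append(f"NAT-ACL-ANY {m[1]}")
        if m := re.match(r"ip nat inside source static (tcp|udp) (\S+) (\d+) .* (\d+)", line):
            out.append(f"NAT-EXPOSE {m[1]}/{m[4]} -> {m[2]}:{m[3]}")
    for head, body in blocks.items():
        if head.startswith("line vty"):
            tin = next((l for l in body if l.startswith("transport input")), "")
            if re.search(r"\b(telnet|all)\b", tin):   # cleartext remote login allowed
                out.append(f"VTY-TELNET {head}")
            if not any(l.startswith("access-class") for l in body):
                out.append(f"VTY-NO-ACL {head}")      # no source restriction on logins
    return out
```

Calling `audit(SAMPLE)` returns six findings for the posted excerpt; a configuration using `ip ssh version 2`, `no ip http server`, and a vty block with `access-class` and `transport input ssh` returns none.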


Hello,

 

try the config below:

 

ip nat pool INTERNET 176.xxx.xxx.80 176.xxx.xxx.80 prefix-length 24
ip nat inside source route-map NAT pool INTERNET reversible
!
access-list 1 permit 10.1.2.0 0.0.0.255
!
route-map NAT
match ip address 1

Hi @Georg Pauwen, thank you very very much!!!! I'm grateful to you for the solution. The RDP connection from outside works very well.

The only thing I have left to finish is to get the connection to the router via telnet (port 23) from outside working. It isn't alive yet.

Hello,

 

try and configure:

 

line vty 0 4
--> transport input all

--> transport output all

@Georg Pauwen unfortunately I didn't succeed after adding it to line vty 0 4:

transport input all

transport output all

no connection to router from outside via telnet. I used both the putty and the windows telnet client with the same result.

 

One more additional question from me. Please don't think me intrusive.

How can I set up port range forwarding from the Internet to a specific computer on the local network?

I need to forward the range (1970-1989), in addition to port 3389, from the Internet to the local computer 10.1.2.6.

 

Great thanks in advance!!! 

Hello,

 

there is a difference in the configuration for forwarding a range of TCP, and for forwarding a range of UDP ports. For UDP, you need, unfortunately, a single line like the one below:

 

ip nat inside source static udp 10.1.2.10 3389 176.xxx.xxx.80 3389 extendable

 

For TCP ports, you can use this:

 

ip nat pool INTERNET 176.xxx.xxx.80 176.xxx.xxx.80 netmask 255.255.255.0 type rotary
ip nat inside destination list TCP_PORTS pool INTERNET
!
ip access-list extended TCP_PORTS
permit tcp any any range 1970 1989

 

 

 

Hi @Georg Pauwen,
yes, it works if I set the pool this way:
ip nat pool INTERNET 10.1.2.6 10.1.2.6 netmask 255.255.255.0 type rotary
10.1.2.6 is the IP address of the destination computer for forwarding.
Thank you again, friend. I'm very grateful for your help. I wasted 2 weeks trying to find a solution by reading manuals and articles.