Configure 819 to forward ports for SQL and VNC

PricingKernel, Level 1

Hi,

I'm trying to forward ports for SQL and VNC using these commands in the CLI:

ip nat inside source static tcp 192.168.1.150 5900 interface GigabitEthernet0 5900
ip nat inside source static tcp 192.168.1.150 5800 interface GigabitEthernet0 5800
ip nat inside source static tcp 192.168.1.150 1433 interface GigabitEthernet0 1433

where 192.168.1.150 is my server (that hosts SQL server and that I want to be able to connect to remotely using VNC) and GigabitEthernet0 is my configured WAN interface.

When I try to connect from an external client I get the error: "Failed to connect to server..." Is this a firewall issue? How do I get round it? The 819 is the only router/firewall in my network.

Thanks.

Accepted Solution: the reply from Alain below asking Joel to run "terminal monitor", "logging console 7" and "debug ip nat" on the router.

15 Replies

cadet alain, VIP Alumni

Hi,

When connecting from outside with a VNC or SQL client, can you post the output of sh ip nat tra?

Have you tried with the software firewall disabled on the host?

Are you sure the host is listening on these ports? Check with: netstat -an

Regards.

Alain

Don't forget to rate helpful posts.


Hi Alain,

The sh ip nat tra output was very long indeed.  Here is the bit that only relates to my question (I think):

tcp 88.211.8.138:5800  192.168.1.103:5800 ---                ---
tcp 88.211.8.138:5900  192.168.1.103:5900 ---                ---
tcp 88.211.8.138:1433  192.168.1.150:1433 ---                ---
udp 88.211.8.138:5800  192.168.1.150:5800 ---                ---
udp 88.211.8.138:5900  192.168.1.150:5900 ---                ---
tcp 88.211.8.138:49213 192.168.1.150:49213 89.167.235.2:22700 89.167.235.2:22700
tcp 88.211.8.138:49249 192.168.1.150:49249 23.52.16.60:443   23.52.16.60:443
tcp 88.211.8.138:49697 192.168.1.150:49697 157.56.252.134:443 157.56.252.134:443
tcp 88.211.8.138:49698 192.168.1.150:49698 157.56.252.134:443 157.56.252.134:443
tcp 88.211.8.138:49699 192.168.1.150:49699 157.56.252.134:443 157.56.252.134:443

There is no software firewall on the host.

netstat is not recognised as a command on my CLI.
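As an added example, not from this thread or from Cisco, here is a small Python audit of the two things the posts above put side by side: the static NAT statements from the question and the rows of sh ip nat tra. It flags rows whose inside-local host differs from the host in the configured rule, forwards no outside host has ever used, and static-looking rows with no matching rule; the sample input is constructed from the lines posted here, and a row whose outside-peer columns read --- is taken to mean no outside host has used that entry.

```python
import re

# Constructed sample input, copied from lines posted in this thread (question + sh ip nat tra).
STATIC_NAT_CONFIG = """\
ip nat inside source static tcp 192.168.1.150 5900 interface GigabitEthernet0 5900
ip nat inside source static tcp 192.168.1.150 5800 interface GigabitEthernet0 5800
ip nat inside source static tcp 192.168.1.150 1433 interface GigabitEthernet0 1433
"""
SHOW_IP_NAT_TRANSLATIONS = """\
tcp 88.211.8.138:5800  192.168.1.103:5800 ---                ---
tcp 88.211.8.138:5900  192.168.1.103:5900 ---                ---
tcp 88.211.8.138:1433  192.168.1.150:1433 ---                ---
udp 88.211.8.138:5800  192.168.1.150:5800 ---                ---
tcp 88.211.8.138:49213 192.168.1.150:49213 89.167.235.2:22700 89.167.235.2:22700
"""
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")
TRANS_RE = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_static_nat(config):
    """Map (proto, global_port) -> 'inside_ip:inside_port' for each static rule."""
    return {(p, int(gp)): f"{ip}:{lp}" for p, ip, lp, gp in STATIC_RE.findall(config)}

def parse_translations(output):
    """Yield (proto, inside_global, inside_local, outside_local, outside_global)."""
    for line in output.splitlines():
        m = TRANS_RE.match(line.strip())
        if m:
            yield m.groups()

def audit(config, output):
    """Classify each translation row against the static forwards in the config:
    stale (points at a different inside host, e.g. an old DHCP lease), idle (correct
    but never used by an outside host), active (in use by a peer), unconfigured."""
    rules = parse_static_nat(config)
    results = []
    for proto, iglobal, ilocal, olocal, oglobal in parse_translations(output):
        gport = int(iglobal.rsplit(":", 1)[1])
        rule = rules.get((proto, gport))
        is_static = olocal == "---"  # no outside peer recorded on this row
        if rule is None:
            if is_static:
                results.append((proto, gport, "unconfigured", ilocal))
            continue  # ordinary outbound PAT session, not a forward
        if ilocal != rule:
            results.append((proto, gport, "stale", ilocal))
        elif is_static:
            results.append((proto, gport, "idle", ilocal))
        else:
            results.append((proto, gport, "active", oglobal))
    return results
```

Run against the sample it reports the two VNC forwards as stale (table still holds the old .103 address), 1433 as idle, and the udp 5800 row as having no rule in the supplied config.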

Hi,

There is no translation being done, but now we have to discover why.

Was this output taken while trying to access the .50 host with VNC?

Concerning the netstat command, this has to be done on the 192.168.1.50 host.

I notice in the output that you also port forward the VNC ports on another machine. Have you configured the extendable keyword at the end of these NAT statements?

Regards.

Alain.


Alain,

The .103 was the DHCP-assigned address of this machine before I manually fixed it at .150. I have now fixed that, and here is the relevant output of sh ip nat tra tcp:

tcp 88.211.8.138:1433  192.168.1.150:1433 ---                ---
tcp 88.211.8.138:5800  192.168.1.150:5800 ---                ---
tcp 88.211.8.138:5900  192.168.1.150:5900 ---                ---
tcp 88.211.8.138:49213 192.168.1.150:49213 89.167.235.2:22700 89.167.235.2:22700
tcp 88.211.8.138:49249 192.168.1.150:49249 23.52.16.60:443   23.52.16.60:443

Appending "extendable" to the static tcp command results in "invalid input detected at '^' marker" (pointing at "extendable"). The output was taken while logged in directly on the .150 machine.

I have attached netstat from .150

Joel,

Can you do the following on the router:

terminal monitor
config t
logging console 7
logging monitor 7
service timestamp debug uptime
access-list 188 permit tcp any any eq 5900
access-list 188 permit tcp any any eq 5900
do debug ip nat
do debug ip pack 188

then try to connect with VNC and post the output of the logs.

Regards.

Alain


Alain,

I got as far as do debug ip nat. It has been running for over an hour now (ip addresses scrolling up the screen like something out of The Matrix!). Is this normal? Meanwhile I tried to VNC and failed. How do I get the log outputs?

Joel

Joel,

Just copy-paste the output, but as you've got plenty I would suggest doing the following:

undebug all
debug ip pack 188

Connect with VNC from outside. This won't work from a host inside, so you'll have to ask someone from outside to try to connect, and then copy-paste the output.

Regards.

Alain.


Thanks, Alain. I am debugging 188. Did you want to try to VNC for me? I think you know the fixed IP? (By the way, I presume you meant the first "access-list 188 permit tcp any any eq 5900" to actually read 5800? I changed it.) Joel

Joel,

Yes, this was a typo.

I'm gonna VNC right now a few times so you've got some debugs going on.

Regards.

Alain.


Hi,

Seems like it is working as it is asking me for authentication info.

Regards.

Alain.


Alain,

I got nothing on .150, just a whole load of stuff on .101. I can only capture a few pages before it scrolls off. I will attach.

Joel

Really, that's good! I will pop out and try too. Why doesn't it work inside with the external static IP?

Hi,

Because NAT hairpinning is not implemented on these routers.

Regards.

Alain.


Hi,

Yep, the debugs have nothing to do with the ACL we linked them with, but anyway it is working from outside, so everything is OK.

Regards.

Alain.
