08-16-2012 02:23 AM - edited 03-07-2019 08:22 AM
Hi,
I'm trying to forward ports for SQL and VNC using these commands in the CLI:
ip nat inside source static tcp 192.168.1.150 5900 interface GigabitEthernet0 5900
ip nat inside source static tcp 192.168.1.150 5800 interface GigabitEthernet0 5800
ip nat inside source static tcp 192.168.1.150 1433 interface GigabitEthernet0 1433
where 192.168.1.150 is my server (that hosts SQL server and that I want to be able to connect to remotely using VNC) and GigabitEthernet0 is my configured WAN interface.
When I try to connect from an external client I get the error: "Failed to connect to server..." Is this a firewall issue? How do I get round it? The 819 is the only router/firewall in my network.
Thanks.
08-16-2012 02:53 AM
Hi,
When connecting from outside with VNC or SQL client, can you post the output of sh ip nat tra?
Have you tried with the software firewall disabled on the host?
Are you sure the host is listening on these ports: netstat -an
Regards.
Alain
Don't forget to rate helpful posts.
08-16-2012 03:10 AM
Hi Alain,
The sh ip nat tra output was very long indeed. Here is the bit that only relates to my question (I think):
tcp 88.211.8.138:5800 192.168.1.103:5800 --- ---
tcp 88.211.8.138:5900 192.168.1.103:5900 --- ---
tcp 88.211.8.138:1433 192.168.1.150:1433 --- ---
udp 88.211.8.138:5800 192.168.1.150:5800 --- ---
udp 88.211.8.138:5900 192.168.1.150:5900 --- ---
tcp 88.211.8.138:49213 192.168.1.150:49213 89.167.235.2:22700 89.167.235.2:22700
tcp 88.211.8.138:49249 192.168.1.150:49249 23.52.16.60:443 23.52.16.60:443
tcp 88.211.8.138:49697 192.168.1.150:49697 157.56.252.134:443 157.56.252.134:443
tcp 88.211.8.138:49698 192.168.1.150:49698 157.56.252.134:443 157.56.252.134:443
tcp 88.211.8.138:49699 192.168.1.150:49699 157.56.252.134:443 157.56.252.134:443
There is no software firewall on the host.
netstat is not recognised as a command on my CLI.
08-16-2012 03:17 AM
Hi,
There is no translation being done, but now we have to discover why.
Was this output taken while trying to access the .50 host with VNC?
Concerning the netstat command, this has to be done on the 192.168.1.50 host.
I notice in the output that you also port forward the VNC ports on another machine. Have you configured the extendable keyword at the end of these NAT statements?
Regards.
Alain.
Don't forget to rate helpful posts.
08-16-2012 03:41 AM
Alain,
The .103 was the DHCP assigned address to this machine before I manually fixed it at .150. I have now fixed that and here is the relevant output of sh ip nat tra tcp:
tcp 88.211.8.138:1433 192.168.1.150:1433 --- ---
tcp 88.211.8.138:5800 192.168.1.150:5800 --- ---
tcp 88.211.8.138:5900 192.168.1.150:5900 --- ---
tcp 88.211.8.138:49213 192.168.1.150:49213 89.167.235.2:22700 89.167.235.2:22700
tcp 88.211.8.138:49249 192.168.1.150:49249 23.52.16.60:443 23.52.16.60:443
Appending "extendable" to the static tcp command results in "invalid input detected at '^' marker" (pointing at "extendable"). The output was taken logged in directly on the .150 machine.
I have attached netstat from .150
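The mismatch Alain spotted (the static entries for 5800 and 5900 pointing at the old DHCP address .103 while the config says .150) is easy to miss in a long sh ip nat tra listing. The following Python script is an added example, not part of this thread: it parses the three ip nat inside source static lines from the question, parses a constructed show ip nat translations listing shaped like the first one posted, and reports every forward whose installed static translation is missing or points at a different inside host than the config. The header row and the sample rows are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the port-forward statements from the question (IOS syntax).
NAT_CONFIG = """\
ip nat inside source static tcp 192.168.1.150 5900 interface GigabitEthernet0 5900
ip nat inside source static tcp 192.168.1.150 5800 interface GigabitEthernet0 5800
ip nat inside source static tcp 192.168.1.150 1433 interface GigabitEthernet0 1433
"""

# Constructed sample of 'show ip nat translations' output, shaped like the first
# listing in the thread: the .103 rows are the stale mapping from the old DHCP lease.
SHOW_NAT = """\
Pro Inside global      Inside local        Outside local      Outside global
tcp 88.211.8.138:5800  192.168.1.103:5800  ---                ---
tcp 88.211.8.138:5900  192.168.1.103:5900  ---                ---
tcp 88.211.8.138:1433  192.168.1.150:1433  ---                ---
tcp 88.211.8.138:49213 192.168.1.150:49213 89.167.235.2:22700 89.167.235.2:22700
"""

# 'ip nat inside source static <proto> <local ip> <local port> interface <ifname> <global port>'
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)
# One translation row: proto, inside global, inside local, outside local, outside global.
TRANS_RE = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)$")


def parse_static_forwards(config: str) -> Dict[Tuple[str, int], Tuple[str, int]]:
    """Map (proto, global port) -> (inside local ip, inside local port) from the config."""
    forwards = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, local_ip, local_port, _iface, global_port = m.groups()
            forwards[(proto, int(global_port))] = (local_ip, int(local_port))
    return forwards


def parse_translations(output: str) -> List[dict]:
    """Parse translation rows; a row with '---' for both outside addresses is a static entry."""
    rows = []
    for line in output.splitlines():
        m = TRANS_RE.match(line.strip())
        if not m:
            continue  # header line or anything not in the expected column layout
        proto, gip, gport, lip, lport, out_local, out_global = m.groups()
        rows.append({
            "proto": proto,
            "global_ip": gip, "global_port": int(gport),
            "local_ip": lip, "local_port": int(lport),
            "static": out_local == "---" and out_global == "---",
        })
    return rows


def check_forwards(config: str, output: str) -> List[str]:
    """Return one message per configured forward whose installed translation is absent or wrong."""
    expected = parse_static_forwards(config)
    installed = {
        (r["proto"], r["global_port"]): (r["local_ip"], r["local_port"])
        for r in parse_translations(output) if r["static"]
    }
    problems = []
    for key, want in sorted(expected.items()):
        got = installed.get(key)
        if got is None:
            problems.append(f"{key[0]}/{key[1]}: no static translation installed")
        elif got != want:
            problems.append(
                f"{key[0]}/{key[1]}: translation points at {got[0]}:{got[1]}, "
                f"config says {want[0]}:{want[1]}"
            )
    return problems


if __name__ == "__main__":
    for problem in check_forwards(NAT_CONFIG, SHOW_NAT):
        print(problem)
```

Run against the constructed listing it reports the 5800 and 5900 forwards as pointing at 192.168.1.103 and says nothing about 1433, which is exactly the state the first post showed; a listing taken after the host was fixed at .150 produces no output. Feed it the real config and the real sh ip nat tra output to repeat the check after any address change on the inside host.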
08-16-2012 04:21 AM
Joel,
Can you do following on the router:
terminal monitor
config t
logging console 7
logging monitor 7
service timestamp debug uptime
access-list 188 permit tcp any any eq 5900
access-list 188 permit tcp any any eq 5900
do debug ip nat
do debug ip pack 188
then try to connect with VNC and post the output of the logs.
Regards.
Alain
Don't forget to rate helpful posts.
08-16-2012 06:01 AM
Alain,
I got as far as do debug ip nat. It has been running for over an hour now (ip addresses scrolling up the screen like something out of The Matrix!). Is this normal? Meanwhile I tried to VNC and failed. How do I get the log outputs?
Joel
08-16-2012 06:26 AM
Joel,
Just copy-paste the output, but as you've got plenty I would suggest doing the following:
-undebug all
debug ip pack 188
connect with VNC from outside; this won't work from a host inside, so you'll have to ask someone from outside to try to connect, and then copy-paste the output.
Regards.
Alain.
Don't forget to rate helpful posts.
08-16-2012 06:51 AM
Thanks, Alain. I am debugging 188. Did you want to try to VNC for me? I think you know the fixed IP? (By the way, I presume you meant the first "access-list 188 permit tcp any any eq 5900" to actually read 5800? I changed it.) Joel
08-16-2012 06:54 AM
Joel,
yes this was a typo
I'm gonna VNC right now a few times so you've got some debugs going on.
Regards.
Alain.
Don't forget to rate helpful posts.
08-16-2012 07:06 AM
Hi,
Seems like it is working as it is asking me for authentication info.
Regards.
Alain.
Don't forget to rate helpful posts.
08-16-2012 07:10 AM
Really, that's good! I will pop out and try too. Why doesn't it work inside with the external static IP?
08-16-2012 07:21 AM
Hi,
Because NAT hairpinning is not implemented on these routers.
Regards.
Alain.
Don't forget to rate helpful posts.
08-16-2012 07:24 AM
Hi,
Yep, the debugs have nothing to do with the ACL we linked them with, but anyway it is working from outside so everything is OK.
Regards.
Alain.
Don't forget to rate helpful posts.