Lost DDNS after forwarding all ports to internal device

tranquilon
Level 1

I had NOIP configured successfully. Two days ago we needed to forward all ports to our new firewall in order to set up some services. So, we eliminated all static NAT entries and placed a new static NAT that forwards all ports to our firewall. It worked perfectly; however, we noticed that DDNS stopped working. How can I fix this?

Building configuration...

Current configuration : 2343 bytes
!
! Last configuration change at 05:51:15 UTC Sun Mar 11 2018
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TEST
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$.iWd$s5pkDnBSqb1ZQoC.gbKx4.
!
no aaa new-model
!
!
!
!
!
!
!
!
!
!


!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
ip dhcp excluded-address 10.0.0.2
!
!
!
ip name-server 196.3.81.5
ip name-server 196.3.81.132
ip name-server 200.88.127.22
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip ddns update method NOIP
 HTTP
  add http://******:******@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 0 0 4 0
!
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C887VA-K9 sn FTX185082NN
!
!
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
!
!
interface ATM0
 bandwidth 3000
 no ip address
 no atm ilmi-keepalive
 pvc 0/33
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Ethernet0
 no ip address
 shutdown
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 100.100.100.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip ddns update hostname ******.ddns.net
 ip ddns update NOIP
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username ******** password 0 *********
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static 100.100.100.2 interface Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended web
 permit ip 100.100.100.0 0.0.0.3 any
!
!
access-list 1 permit 100.100.100.0 0.0.0.3
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
!
line con 0
 password ******
 login
 no modem enable
line aux 0
line vty 0 4
 password ******
 login
 transport input all
!
scheduler allocate 20000 1000
!
!
!
end

3 Replies

tranquilon
Level 1
Anyone?

Deepak Kumar
VIP Alumni

Hi, 

I faced the same issue. We are working on it. I will update you.

Can you try to ping any public IP from the router?

 

 

Regards,

Deepak Kumar

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

Deepak Kumar
VIP Alumni

Hi, 

As a primary step to troubleshoot the issue, we need to change the NAT ACL to allow any.

Change ACL 1  from 

access-list 1 permit 100.100.100.0 0.0.0.3 

to

access-list 1 permit any

 

Why was this required?

I found that when the router sends a packet to a destination (WAN) and the WAN device replies to that packet, the router sends the reply to the port-forwarded device.

Maybe I can't explain it very well in words (I couldn't find the technical terms).

 

------------------------------

R1#ping 172.16.0.1  <My WAN Gateway-LAB>
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.0.1, timeout is 2 seconds:

*Mar 19 06:40:20.543: NAT: Entry assigned id 13
*Mar 19 06:40:20.543: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [45].
*Mar 19 06:40:22.547: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [46].
*Mar 19 06:40:24.539: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [47].
*Mar 19 06:40:26.543: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [48].
*Mar 19 06:40:28.531: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [49].
Success rate is 0 percent (0/5)

 

-

Here we can see that 172.16.0.1 <WAN gateway> is replying to 172.16.0.2 <WAN interface IP>, but the router is sending all packets to NAT <internal server 192.168.1.2>.

 

But after making changes in the NAT ACL, it is working fine. 

 

I hope it will help you.

 

 

 

Regards,

Deepak Kumar

 

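A check for the symptom shown in the debug output in this thread, as an added example that is not part of the original posts: it parses `debug ip nat` packet lines and reports packets addressed to the router's own WAN IP whose destination NAT rewrote to another host. The function names and the last sample line are constructed for illustration.

```python
import re
from ipaddress import ip_address

# Matches IOS "debug ip nat" packet lines such as
#   NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [45]
NAT_LINE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[(?P<ipid>\d+)\]"
)

def parse_nat_debug(text):
    """Return one dict per translated packet found in the debug text."""
    packets = []
    for m in NAT_LINE.finditer(text):
        f = m.groupdict()
        packets.append({
            "src": ip_address(f["s"]),
            "src_new": ip_address(f["s_new"]) if f["s_new"] else None,
            "dst": ip_address(f["d"]),
            "dst_new": ip_address(f["d_new"]) if f["d_new"] else None,
            "ip_id": int(f["ipid"]),
        })
    return packets

def diverted_replies(packets, router_wan_ip):
    """Packets sent to the router's own WAN IP that NAT rewrote to another
    host, i.e. replies the router's own processes (ping, DDNS) never see."""
    wan = ip_address(router_wan_ip)
    return [p for p in packets
            if p["dst"] == wan and p["dst_new"] not in (None, wan)]

# The first three lines are the lab output quoted in the thread; the last
# line is constructed (an inside-to-outside translation) for contrast.
SAMPLE = """\
*Mar 19 06:40:20.543: NAT: Entry assigned id 13
*Mar 19 06:40:20.543: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [45].
*Mar 19 06:40:22.547: NAT*: s=172.16.0.1, d=172.16.0.2->192.168.1.2 [46].
*Mar 19 06:40:24.539: NAT: s=192.168.1.2->172.16.0.2, d=172.16.0.1 [7]
"""

if __name__ == "__main__":
    for p in diverted_replies(parse_nat_debug(SAMPLE), "172.16.0.2"):
        print(f"id {p['ip_id']}: {p['src']} -> {p['dst']} "
              f"diverted to {p['dst_new']}")
```
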