Port problems

mikerocom1
Level 1

I have a 2851 and a 3750. I have several IP cameras. I can see them inside my network just fine. However, I cannot view my server remotely. I am using Blue Iris software. The app connects over port 81. I cannot connect through the app. When I go to the port scanner sites, almost all are blocked.
Any ideas?
Router:

mikerorouter#sho run
Building configuration...


Current configuration : 2342 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname mikerorouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
enable secret 5 $1$WC5M$b2bgySF8XI.MqeufJzi2O/
!
no aaa new-model
!
dot11 syslog
ip source-route
!
ip cef
ip dhcp excluded-address 10.10.17.1
ip dhcp excluded-address 10.10.17.2
ip dhcp excluded-address 10.10.17.3
ip dhcp excluded-address 10.10.17.4
ip dhcp excluded-address 10.10.17.5
!
ip dhcp pool mikero
   import all
   network 10.10.17.0 255.255.255.0
   default-router 10.10.17.1 
   dns-server 68.105.28.12 68.105.29.12 68.105.28.11 
!
ip dhcp pool mikero_guest
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1 
   dns-server 68.105.28.12 68.105.29.12 68.105.28.11 
!
!
ip domain name mikero.com
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
username admin secret 5 $1$snHZ$/D6wf/iVK7ii6js.RloA80
archive
 log config
  hidekeys

ip ssh version 2
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description LAN
 no ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.10.17.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.20
 encapsulation dot1Q 20
 ip address 10.12.15.1 255.255.255.240
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1.30
 encapsulation dot1Q 30
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 101 permit ip 10.10.17.0 0.0.0.255 any
access-list 102 permit ip 10.12.15.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
!
control-plane
!
mgcp fax t38 ecm
mgcp behavior g729-variants static-pt
!
line con 0
line aux 0
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
scheduler allocate 20000 1000
end

Switch:
mikeroswitch#sho run
Building configuration...

Current configuration : 4747 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname mikeroswitch
!
no logging console
enable secret 5 $1$q48p$GHvmx5zju53WBx/7UncGD.
!
username admin secret 5 $1$2dnq$aA2/XzzIatORrobHFoYzc0
no aaa new-model
switch 1 provision ws-c3750-48p
ip subnet-zero
ip domain-name mikero.com
!
ip ssh version 2
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet1/0/1
 shutdown
!
interface FastEthernet1/0/2
 description DESKTOP MIKERO
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/3
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/4
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/5
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/6
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/7
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/8
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/9
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/10
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/11
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/12
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/13
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/14
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/15
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/16
 switchport access vlan 10
 switchport mode access
!
interface FastEthernet1/0/17
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet1/0/18
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet1/0/19
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/20
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/21
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/22
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/23
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/24
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/25
 switchport access vlan 20
 switchport mode access
 shutdown
!         
interface FastEthernet1/0/26
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/27
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/28
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/29
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/30
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/31
 switchport access vlan 20
 switchport mode access
 shutdown
!
interface FastEthernet1/0/32
 switchport access vlan 20
 switchport mode access
!
interface FastEthernet1/0/33
 shutdown
!
interface FastEthernet1/0/34
 shutdown
!
interface FastEthernet1/0/35
 shutdown
!
interface FastEthernet1/0/36
 shutdown
!         
interface FastEthernet1/0/37
 shutdown
!
interface FastEthernet1/0/38
 shutdown
!
interface FastEthernet1/0/39
 shutdown
!
interface FastEthernet1/0/40
 shutdown
!
interface FastEthernet1/0/41
 shutdown
!
interface FastEthernet1/0/42
 shutdown
!
interface FastEthernet1/0/43
 shutdown
!
interface FastEthernet1/0/44
 shutdown
!
interface FastEthernet1/0/45
 shutdown
!
interface FastEthernet1/0/46
 shutdown
!
interface FastEthernet1/0/47
 shutdown
!
interface FastEthernet1/0/48
 switchport access vlan 30
 shutdown
!
interface GigabitEthernet1/0/1
 description UPLINK
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 shutdown
!
interface GigabitEthernet1/0/3
 description WAP
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/4
 shutdown
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan10
 description MIKERO
 ip address 10.10.17.2 255.255.255.0
!
interface Vlan20
 description CAMERAS
 ip address 10.12.15.2 255.255.255.240
!
interface Vlan30
 description MIKERO_GUEST
 ip address 10.10.10.2 255.255.255.0
!
ip default-gateway 10.10.17.1
ip classless
ip http server
ip http secure-server
!
control-plane
!
line con 0
 speed 115200
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 login local
 transport input ssh
!
end
1 Accepted Solution

Accepted Solutions

Peter Paluch
Cisco Employee

Hi,

I believe I see a couple of issues with the configuration of your router.

  1. Your default route on the router is currently configured as

    ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

    This is a very dangerous way of configuring a default route. It causes your router to rely on the Proxy ARP functionality on your ISP's router, so if the ISP ever decides to deactivate Proxy ARP, your default route will simply stop working. In addition, this configuration forces your router to issue an ARP request for each and every destination IP address your Internet-bound packets go to. This inevitably results in huge ARP traffic and an excessively long ARP table (just try running show ip arp on your router - I am fairly sure you are going to have tens, if not hundreds of entries for public IP addresses listed, all pointing to the same MAC address of your ISP's router). We have had another issue here on this very forum where someone had the default route configured the same way you have, and his router ended up reloading every now and then because the ARP cache grew so large that the router simply ran out of memory.

    Because your Gi0/0 uses DHCP to obtain its own IP address, you do not actually need to configure any default route manually. This will be assigned to your router automatically. Therefore, I strongly suggest removing your current static default route entirely from the configuration. Alternatively, you could enter your default route statically but tell the router that it is going to be obtained from DHCP (just paste the commands below into your config):

    no ip route 0.0.0.0 0.0.0.0 Gi0/0
    ip route 0.0.0.0 0.0.0.0 Gi0/0 dhcp
     
  2. Your ACL that is used for NAT purposes is not right. You have actually created three distinct and independent ACLs with numbers 101, 102 and 103, each of them having just a single entry. Your ip nat inside source command refers to ACL 101, which in turn references the IP network 10.10.17.0/24 only. This means that all your other networks are unable to access the Internet because they are not NATted. Correctly, you should create a single ACL that has a single number and three entries, one for each of your internal networks (just paste the commands below into your config):

    access-list 101 permit ip 10.12.15.0 0.0.0.255 any
    access-list 101 permit ip 10.10.10.0 0.0.0.255 any
    no access-list 102
    no access-list 103

     
  3. If I understand you correctly, you are saying you want to reach an internal server from outside, using TCP port 81 as the destination. Is that correct? The problem I see currently is that your Gi0/0 interface is assigned its IP address via DHCP, and unless your ISP makes sure that you always get the same stable IP address, it is going to be guesswork to know your outside IP address so that you can connect to it. Nevertheless, what you want to have is a static mapping between the outside TCP port 81 and the particular internal IP address and its port 81. Currently, there is no such mapping created. Without knowing your precise outside IP address, you can only configure this mapping using the following command:

    ip nat inside source static tcp A.A.A.A 81 interface Gi0/0 81

    Replace A.A.A.A with the internal IP address where the internal server is running. This command should create a mapping between whatever outside IP address your Gi0/0 is currently using and the internal server at A.A.A.A port 81. Now it should theoretically be possible to connect to this IP address and port from outside.

    You have to keep in mind that your own ISP may be doing some kind of firewalling, preventing the outside world from opening TCP sessions to you. Therefore, if the connection to the outside IP address and port 81 fails, it may be that the ISP is blocking it. There is no quick way to tell.

Best regards,
Peter
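As an added example (not code from the thread or from Cisco), a small Python check that reads an IOS config excerpt and flags the first two issues Peter describes: a default route that names only an egress interface with no next hop and no dhcp keyword, and inside networks that the NAT ACL referenced by ip nat inside source does not cover. The excerpt is constructed from the router config posted above; the function names are my own.

```python
# Constructed excerpt of the router config posted in this thread (NAT-relevant lines only).
import ipaddress
import re
CONFIG = """\
interface GigabitEthernet0/0
 ip address dhcp
interface GigabitEthernet0/1.10
 ip address 10.10.17.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1.20
 ip address 10.12.15.1 255.255.255.240
 ip nat inside
interface GigabitEthernet0/1.30
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip nat inside source list 101 interface GigabitEthernet0/0 overload
access-list 101 permit ip 10.10.17.0 0.0.0.255 any
access-list 102 permit ip 10.12.15.0 0.0.0.255 any
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
"""

def inside_networks(cfg):
    """Networks of interfaces carrying 'ip nat inside' (a DHCP-addressed one has no static network)."""
    nets = []
    for block in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        m = re.search(r"^ ip address (\S+) (\S+)$", block, re.M)
        if m and re.search(r"^ ip nat inside$", block, re.M):
            nets.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
    return nets

def nat_acl_networks(cfg):
    """Networks permitted by the ACL that 'ip nat inside source list' references."""
    m = re.search(r"^ip nat inside source list (\d+) ", cfg, re.M)
    if not m:
        return []
    # IOS wildcard masks are inverted subnet masks; ipaddress accepts them as hostmasks.
    pat = rf"^access-list {m[1]} permit ip (\S+) (\S+) any"
    return [ipaddress.ip_network(f"{a}/{w}") for a, w in re.findall(pat, cfg, re.M)]

def unnatted_networks(cfg):
    """Inside networks no NAT ACL entry covers: hosts there cannot reach the Internet (issue 2)."""
    acl = nat_acl_networks(cfg)
    return [str(n) for n in inside_networks(cfg) if not any(n.subnet_of(a) for a in acl)]

def default_route_is_interface_only(cfg):
    """True when the default route names only an interface: no next hop and no 'dhcp' (issue 1)."""
    m = re.search(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)(.*)$", cfg, re.M)
    return bool(m) and not re.match(r"\d+\.", m[1]) and "dhcp" not in m[2]
```

Running the checks against the posted config reports 10.12.15.0/28 and 10.10.10.0/24 as un-NATted and the default route as interface-only; applying Peter's commands clears both findings.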

2 Replies

Thank you!! You solved a few issues for me. My Internet has been running slow when connecting to new sites on each computer. The ARP issue would explain this. My VLAN 30 would not connect to the Internet, and the access list explains that. So thank you for that!

You also solved the port issue. I still can't access the server remotely, but at least I know it's not a port issue.
