Cisco 877 - Port forwarding by NAT not working

Discussion in 'Routing & Switching' started by jushin100, Apr 12, 2012.

  1. jushin100

    jushin100 Bit Poster

    A friend asked me to help with this. It's not going too well at the moment as this is the second stumbling block we have come across.
    The network is a basic single subnet to internet which needs to be set up for port forwarding to the email server, http, passthrough authentication to a MS RRAS server on 192.168.1.8 etc..

    At the moment no passthrough is working.
    I'm in the situation where we are trying to change over to a Cisco 877. The old router is still doing its job but we are trying to get the Cisco router fully functional before we do the final switch over.
    We have the statements such as:-
    ip nat inside source static tcp 192.168.1.5 80 <external ip> 80 extendable
    Which do not seem to be working at all.
    NAT is enabled on dialer1: ip nat outside
    NAT is enabled on FastEthernet3 ip nat inside

    I have removed all access rules from the incoming access list (access-group 100) and set them to allow all to remove this from the equation.

    I am testing this just using the external ip address (from within the local network)
    eg. In internet explorer: <external ip>
    eg. Remote desktop connection: connection address as: <external ip>
    eg. Internet fails to be delivered to the SMTP
    etc...
    They all fail to connect apart from using <external ip> which seems to be trying to logon to the router as I get the message "The server <external ip> at level_15_access requires a username and password". HTTP is turned on at the router as I am sometimes using Cisco Configuration Professional.


    Any help would be much appreciated.

    Subnet is 192.168.1.0 255.255.255.0
    ip name-server 212.69.36.3
    ip name-server 212.69.40.3 these are the ISP's external DNS servers
    ip helper-address 192.168.1.5 this is the internal DHCP server address
    192.168.1.55 is the router's IP address assigned to VLAN 10 over FastEthernet3

    Here is my configuration:-
    Code:
    !
    ip source-route
    !
    ip cef
    ip domain name NLG.local
    ip name-server 212.69.36.3
    ip name-server 212.69.40.3
    ip name-server 192.168.1.5
    no ipv6 cef
    !
    license udi pid *******************************
    
    !
    controller VDSL 0
    !
    interface Ethernet0
     no ip address
     ip virtual-reassembly in
    !
    interface ATM0
     no ip address
     ip helper-address 192.168.1.5
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
     shutdown
    !
    interface FastEthernet2
     no ip address
     shutdown
    !
    interface FastEthernet3
     switchport access vlan 10
     no ip address
    !
    interface Vlan1
     no ip address
     shutdown
    !
    interface Vlan10
     ip address 192.168.1.55 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Dialer1
     ip address negotiated
     ip access-group 100 in
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp chap hostname ******************
     ppp chap password 0 **********
     ppp pap sent-username ***************** password 0 *********
    !
    ip forward-protocol nd
    ip http server
    no ip http secure-server
    !
    ip dns server
    ip nat inside source list 1 interface Dialer1 overload
    ip nat inside source static tcp 192.168.1.5 25 <external ip> 25 extendable
    ip nat inside source static tcp 192.168.1.5 80 <external ip> 80 extendable
    ip nat inside source static tcp 192.168.1.5 443 <external ip> 443 extendable
    ip nat inside source static udp 192.168.1.8 500 <external ip> 500 extendable
    ip nat inside source static tcp 192.168.1.250 554 <external ip> 554 extendable
    ip nat inside source static udp 192.168.1.250 554 <external ip> 554 extendable
    ip nat inside source static tcp 192.168.1.5 987 <external ip> extendable
    ip nat inside source static tcp 192.168.1.2 1024 <external ip> 1024 extendable
    ip nat inside source static udp 192.168.1.2 1024 <external ip> 1024 extendable
    ip nat inside source static tcp 192.168.1.8 1723 <external ip> 1723 extendable
    ip nat inside source static tcp 192.168.1.2 3389 <external ip> 3389 extendable
    ip nat inside source static udp 192.168.1.2 3389 <external ip> 3389 extendable
    ip nat inside source static tcp 192.168.1.250 5000 <external ip> 5000 extendable
    ip nat inside source static udp 192.168.1.250 5000 <external ip> 5000 extendable
    ip nat inside source static tcp 192.168.1.250 8080 <external ip> 8080 extendable
    ip nat inside source static udp 192.168.1.250 8080 <external ip> 8080 extendable
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 permit ip any any
    dialer-list 1 protocol ip permit
    !
    line con 0
    line aux 0
    line vty 0 4
     password ********
     login
     transport input all
    !
     
    Last edited by a moderator: Apr 16, 2012
  2. jushin100

    jushin100 Bit Poster

    I can't test it at the moment but should those NAT statements be "ip nat outside source static tcp <external ip> 80 <internal ip> 80 extendable" ?
    Outside coming in.
     
  3. danielno8

    danielno8 Gigabyte Poster

    I haven't ever used the 'extendable' command before. Are you trying to port forward using the same public IP? Or do you have a separate range from the ISP? If you are using the same public IP as is negotiated on your dialer1 interface I would simply use:

    ip nat inside source static tcp 192.168.1.5 25 interface dialer1 25
    ip nat inside source static tcp 192.168.1.5 80 interface dialer1 80
    ip nat inside source static tcp 192.168.1.5 443 interface dialer1 443
    ......
    ......

    etc
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  4. jushin100

    jushin100 Bit Poster

    Yes, we are trying to port forward using the same public IP.

    Thanks for your help... unfortunately everything is exactly the same. I changed all the entries as you suggested
    ip nat inside source static tcp 192.168.1.5 25 interface dialer1 25
    ip nat inside source static tcp 192.168.1.5 80 interface dialer1 80
    ip nat inside source static tcp 192.168.1.5 443 interface dialer1 443
    ......
    ......

    etc

    but exactly the same situation...

    Any other ideas would be gratefully appreciated.
     
  5. danielno8

    danielno8 Gigabyte Poster

    How are you testing?

    I presume PAT is working inside --> outside ?

    What does the command 'show ip nat translations' give when you issue it after attempting a connection?
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. jushin100

    jushin100 Bit Poster

    I'm testing from within the local subnet just using the external IP address.

    PAT seems to be working fine, at least internet is up and running - all connections going out are fine.

    "show ip nat translations" shows:-

    Code:
    Pro Inside global      Inside local       Outside local      Outside global
    tcp EXTERNALIP:3389  192.168.1.2:3389   ---                ---
    udp EXTERNALIP:3389  192.168.1.2:3389   ---                ---
    tcp EXTERNALIP:80    192.168.1.5:80     ---                ---
    tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57514 86.160.46.58:57514
    tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57515 86.160.46.58:57515
    tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57516 86.160.46.58:57516
    tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57517 86.160.46.58:57517
    tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57522 86.160.46.58:57522
    tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57523 86.160.46.58:57523
    tcp EXTERNALIP:443   192.168.1.5:443    ---                ---
    icmp EXTERNALIP:512  192.168.1.60:512   212.97.55.136:512  212.97.55.136:512
    tcp EXTERNALIP:3187  192.168.1.60:3187  212.97.55.136:80   212.97.55.136:80
    tcp EXTERNALIP:3188  192.168.1.60:3188  212.97.55.136:80   212.97.55.136:80
    tcp EXTERNALIP:3189  192.168.1.60:3189  64.71.152.41:25    64.71.152.41:25
    tcp EXTERNALIP:3196  192.168.1.60:3196  178.236.4.29:80    178.236.4.29:80
    tcp EXTERNALIP:3197  192.168.1.60:3197  80.239.148.153:80  80.239.148.153:80
    tcp EXTERNALIP:3198  192.168.1.60:3198  216.137.61.22:80   216.137.61.22:80
    tcp EXTERNALIP:3199  192.168.1.60:3199  74.125.230.219:80  74.125.230.219:80
    tcp EXTERNALIP:3200  192.168.1.60:3200  205.251.205.55:80  205.251.205.55:80
    tcp EXTERNALIP:3201  192.168.1.60:3201  80.239.148.153:80  80.239.148.153:80
    tcp EXTERNALIP:3202  192.168.1.60:3202  216.137.61.128:80  216.137.61.128:80
    tcp EXTERNALIP:3203  192.168.1.60:3203  80.239.148.153:80  80.239.148.153:80
    Pro Inside global      Inside local       Outside local      Outside global
    tcp EXTERNALIP:3204  192.168.1.60:3204  205.251.205.55:80  205.251.205.55:80
    tcp EXTERNALIP:3205  192.168.1.60:3205  205.251.205.55:80  205.251.205.55:80
    tcp EXTERNALIP:3206  192.168.1.60:3206  205.251.205.55:80  205.251.205.55:80
    tcp EXTERNALIP:3207  192.168.1.60:3207  205.251.205.55:80  205.251.205.55:80
    tcp EXTERNALIP:3208  192.168.1.60:3208  89.207.18.81:80    89.207.18.81:80
    tcp EXTERNALIP:3209  192.168.1.60:3209  80.239.224.26:80   80.239.224.26:80
    tcp EXTERNALIP:3210  192.168.1.60:3210  80.239.148.153:80  80.239.148.153:80
    tcp EXTERNALIP:3211  192.168.1.60:3211  80.239.148.153:80  80.239.148.153:80
    tcp EXTERNALIP:3212  192.168.1.60:3212  80.239.148.153:80  80.239.148.153:80
    tcp EXTERNALIP:3213  192.168.1.60:3213  92.123.113.51:443  92.123.113.51:443
    tcp EXTERNALIP:3214  192.168.1.60:3214  92.123.113.51:443  92.123.113.51:443
    tcp EXTERNALIP:3215  192.168.1.60:3215  92.123.113.51:443  92.123.113.51:443
    tcp EXTERNALIP:3216  192.168.1.60:3216  92.123.113.51:443  92.123.113.51:443
    tcp EXTERNALIP:3217  192.168.1.60:3217  92.123.113.51:443  92.123.113.51:443
    udp EXTERNALIP:3218  192.168.1.60:3218  62.128.146.41:53   62.128.146.41:53
    udp EXTERNALIP:50524 192.168.1.60:50524 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:51210 192.168.1.60:51210 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:52688 192.168.1.60:52688 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:53688 192.168.1.60:53688 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:55096 192.168.1.60:55096 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:55285 192.168.1.60:55285 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:56332 192.168.1.60:56332 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:61735 192.168.1.60:61735 8.8.8.8:53         8.8.8.8:53
    Pro Inside global      Inside local       Outside local      Outside global
    udp EXTERNALIP:62169 192.168.1.60:62169 8.8.8.8:53         8.8.8.8:53
    udp EXTERNALIP:64559 192.168.1.60:64559 8.8.8.8:53         8.8.8.8:53
    192.168.1.60 is the client I was connecting from
    8.8.8.8 is Google's DNS server


    any ideas?
     
  7. danielno8

    danielno8 Gigabyte Poster

    You need to do this from the outside of your network......
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  8. jushin100

    jushin100 Bit Poster

    I plugged the Cisco router in for the weekend so I could test it, have to plug the netgear cheapy back in on Monday morning.

    Test from outside the company:-
    no http
    no https
    no rdp
    no remote web work place
    all dead

    I can ping the external IP address though.

    Any further help would be greatly appreciated.
    I can't help thinking that there must be something in my configuration - see above - that is blocking this.

    Pulling my hair out (might have to explain to some people on Monday why no-one received an email over the weekend - I can't see SMTP working either)
     
  9. jushin100

    jushin100 Bit Poster

    Any help with this would save my life...
     
  10. Simonvm

    Simonvm Kilobyte Poster

    I have it working at home, but can't access it at the moment.
    Will try to check the config tonight.
     
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  11. Simonvm

    Simonvm Kilobyte Poster

    Could you try forwarding from a different source port to your inside host?

    For example, set port 2525 on your dialer interface to redirect to port 25 on the inside?

    ip nat inside source static tcp 192.168.1.5 25 interface Dialer1 2525 extendable

    By the way, are you testing from inside that very same network?
     
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  12. jushin100

    jushin100 Bit Poster

    Thanks for your reply.
    Normally I'm testing from inside the subnet.
    At the weekend though, I left the new Cisco router plugged in to test it from home. Nothing.

    I will try what you suggest and see what happens; maybe mapping something like port 81 to port 80 is easier to test, e.g. http://<external IP>:81
     
  13. Simonvm

    Simonvm Kilobyte Poster

    I'm asking because I know some ISPs block certain ports in the well-known port range to prevent customers from setting up web/mail/ftp servers without paying extra for that. My old ISP certainly did :)
    But if it's working on the Netgear this won't be case...

    Try running Shields Up against the public IP and see if it hits any open ports: https://www.grc.com/x/ne.dll?bh0bkyd2
    Or search for an online nmap tool
     
    Last edited: Apr 16, 2012
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  14. Simonvm

    Simonvm Kilobyte Poster

    If you want to know what's going on you can also try enabling logging on your ACL:

    access-list 100 permit ip any any log
     
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  15. jushin100

    jushin100 Bit Poster

    Thanks for your help.
    Yes, the cheapy old Netgear router is doing the port forwarding fine!
    I'll enable the logging.
    Is there anything funny in my config?
    What is the exact function of the Ethernet0 interface? Should this be configured differently? It does not correspond to a physical interface.
    I'm taking the whole company internet down in 2 minutes for half an hour to test again
     
  16. Simonvm

    Simonvm Kilobyte Poster

    No idea about Ethernet0 - my 857 certainly doesn't have it.

    Here's a couple of people that have the same question as you: Google
    Maybe you can find someone with a working config?
     
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  17. jushin100

    jushin100 Bit Poster

    I did the port scan with ShieldsUP
    Telnet is up
    All the other ports listed in those NAT assignments are in stealth mode. Is that part of the problem?

    I did another test, still no joy.
    I ran show ip nat translations

    Code:
    Pro  Inside global       Inside local        Outside local          Outside global
    tcp  212.69.50.27:1024   192.168.1.2:1024    ---                    ---
    udp  212.69.50.27:1024   192.168.1.2:1024    ---                    ---
    tcp  212.69.50.27:3389   192.168.1.2:3389    ---                    ---
    udp  212.69.50.27:3389   192.168.1.2:3389    ---                    ---
    tcp  212.69.50.27:25     192.168.1.5:25      193.162.24.81:16612    193.162.24.81:16612
    tcp  212.69.50.27:25     192.168.1.5:25      194.217.242.207:40668  194.217.242.207:40668
    tcp  212.69.50.27:25     192.168.1.5:25      ---                    ---
    tcp  212.69.50.27:80     192.168.1.5:80      ---                    ---
    tcp  212.69.50.27:443    192.168.1.5:443     ---                    ---
    tcp  212.69.50.27:987    192.168.1.5:987     ---                    ---
    tcp  212.69.50.27:4125   192.168.1.5:4125    ---                    ---
    udp  212.69.50.27:4125   192.168.1.5:4125    ---                    ---
    udp  212.69.50.27:500    192.168.1.8:500     ---                    ---
    tcp  212.69.50.27:1723   192.168.1.8:1723    ---                    ---
    icmp 212.69.50.27:512    192.168.1.60:512    212.97.55.136:512      212.97.55.136:512
    tcp  212.69.50.27:1276   192.168.1.60:1276   212.97.55.136:80       212.97.55.136:80
    tcp  212.69.50.27:1278   192.168.1.60:1278   212.97.55.136:80       212.97.55.136:80
    tcp  212.69.50.27:1420   192.168.1.60:1420   64.71.152.41:25        64.71.152.41:25
    udp  212.69.50.27:1422   192.168.1.60:1422   62.128.146.41:53       62.128.146.41:53
    tcp  212.69.50.27:554    192.168.1.250:554   ---                    ---
    Pro  Inside global       Inside local        Outside local          Outside global
    udp  212.69.50.27:554    192.168.1.250:554   ---                    ---
    tcp  212.69.50.27:5000   192.168.1.250:5000  82.132.138.235:16537   82.132.138.235:16537
    tcp  212.69.50.27:5000   192.168.1.250:5000  ---                    ---
    udp  212.69.50.27:5000   192.168.1.250:5000  ---                    ---
    tcp  212.69.50.27:8080   192.168.1.250:8080  ---                    ---
    udp  212.69.50.27:8080   192.168.1.250:8080  ---                    ---
    tcp  212.69.50.27:50000  192.168.1.250:50000 ---                    ---
    udp  212.69.50.27:50000  192.168.1.250:50000 ---                    ---

    it looks like it should be working but nothing....
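The two "show ip nat translations" listings in this thread (posts 6 and 17) are the best evidence of where the forwards fail, so here is an added example (my own code, not from the thread or from Cisco) that parses that output and reports, per static forward, how many outside connections have actually been translated through it. The sample text is constructed to match the shape of the listings above, with EXTERNALIP standing in for the public address as in the original post.

```python
"""Summarise 'show ip nat translations' output: which static port forwards
have actually seen outside connections, and which have seen none."""
import re

# Constructed sample, modelled on the listings posted in this thread (EXTERNALIP
# stands for the router's public address, as in the original post). The header
# line repeats partway through, exactly as it does in the posted output.
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp EXTERNALIP:3389  192.168.1.2:3389   ---                ---
udp EXTERNALIP:3389  192.168.1.2:3389   ---                ---
tcp EXTERNALIP:80    192.168.1.5:80     ---                ---
tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57514 86.160.46.58:57514
tcp EXTERNALIP:443   192.168.1.5:443    86.160.46.58:57515 86.160.46.58:57515
tcp EXTERNALIP:443   192.168.1.5:443    ---                ---
icmp EXTERNALIP:512  192.168.1.60:512   212.97.55.136:512  212.97.55.136:512
tcp EXTERNALIP:3187  192.168.1.60:3187  212.97.55.136:80   212.97.55.136:80
Pro Inside global      Inside local       Outside local      Outside global
udp EXTERNALIP:50524 192.168.1.60:50524 8.8.8.8:53         8.8.8.8:53
"""

ENDPOINT = re.compile(r"^(?P<host>[^:]+):(?P<port>\d+)$")

def parse_endpoint(token):
    """'host:port' -> (host, port); '---' (no outside peer) -> None."""
    if token == "---":
        return None
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unexpected endpoint token: {token!r}")
    return m.group("host"), int(m.group("port"))

def parse_translations(text):
    """One dict per translation row; header lines (even repeated) are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue  # header, blank line or a stray prompt
        proto, ig, il, ol, og = fields
        rows.append({"proto": proto,
                     "inside_global": parse_endpoint(ig),
                     "inside_local": parse_endpoint(il),
                     "outside_local": parse_endpoint(ol),
                     "outside_global": parse_endpoint(og)})
    return rows

def forward_report(text):
    """For each static forward (a row whose outside peers are '---'), count the
    rows with the same proto + inside local socket that do have an outside peer:
    those are connections that really went through the forward. A count of 0
    means no connection ever reached the router on that port (upstream filtering,
    wrong public address, inbound ACL); a count > 0 with the service still
    unreachable points past the router (host firewall, host default gateway)."""
    rows = parse_translations(text)
    report = {(r["proto"], *r["inside_local"]): 0
              for r in rows if r["outside_global"] is None}
    for r in rows:
        key = (r["proto"], *r["inside_local"])
        if key in report and r["outside_global"] is not None:
            report[key] += 1
    return report
```

Paste your own "show ip nat translations" text in place of SAMPLE; dynamic PAT rows such as 192.168.1.60 never appear in the report because they have no static '---' row.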
     
  18. Simonvm

    Simonvm Kilobyte Poster

    Have you tried the logging on the ACL?
     
    Certifications: MCITP: EST, MCDST, MCTS, A+, N+, CCNP, CCNA Wireless
  19. ThomasMc

    ThomasMc Gigabyte Poster

    Just to chip in :) I am a bit rusty when it comes to the 877 or Cisco in general, but I do know that all the 877s I've worked with never had Ethernet0; they had 4 FastEthernet, 1 POTS and a console port. Another thing: is the ip any any supported on an outside interface?
     
    Certifications: MCDST|FtOCC
    WIP: MCSA(70-270|70-290|70-291)
  20. jushin100

    jushin100 Bit Poster

    I did a complete reconfig before the last test taking out any kind of security and putting in just the basics:-

    Code:
    ip source-route
    !
    !
    ip cef
    no ipv6 cef
    !
    !
    license udi pid CISCO887VA-K9 sn FCZ1607C3ZV
    !
    !
    controller VDSL 0
    !
    !
    interface Ethernet0
     no ip address
     shutdown
    !
    interface ATM0
     no ip address
     no atm ilmi-keepalive
     pvc 0/38
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
     !
    !
    interface FastEthernet0
     no ip address
    !
    interface FastEthernet1
     no ip address
    !
    interface FastEthernet2
     no ip address
    !
    interface FastEthernet3
     switchport access vlan 10
     no ip address
    !
    interface Vlan1
     no ip address
    !
    interface Vlan10
     ip address 192.168.1.55 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    !
    interface Dialer1
     ip address negotiated
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     ppp chap hostname *****************
     ppp chap password 0 *********
     ppp pap sent-username ************8 password 0 **********
    !
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    !
    ip nat inside source list 1 interface Dialer1 overload
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    access-list 1 permit 192.168.1.0 0.0.0.255
    ip nat inside source static tcp 192.168.1.5 443 interface Dialer1 443
    ip nat inside source static tcp 192.168.1.5 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.1.2 3389 interface Dialer1 3389
    ip nat inside source static udp 192.168.1.2 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.1.5 25 interface Dialer1 25
    ip nat inside source static tcp 192.168.1.250 554 interface Dialer1 554
    ip nat inside source static udp 192.168.1.250 554 interface Dialer1 554
    ip nat inside source static tcp 192.168.1.5 987 interface Dialer1 987
    ip nat inside source static tcp 192.168.1.2 1024 interface Dialer1 1024
    ip nat inside source static udp 192.168.1.2 1024 interface Dialer1 1024
    ip nat inside source static tcp 192.168.1.8 1723 interface Dialer1 1723
    ip nat inside source static tcp 192.168.1.250 5000 interface Dialer1 5000
    ip nat inside source static udp 192.168.1.250 5000 interface Dialer1 5000
    ip nat inside source static tcp 192.168.1.250 8080 interface Dialer1 8080
    ip nat inside source static udp 192.168.1.250 8080 interface Dialer1 8080
    ip nat inside source static udp 192.168.1.8 500 interface Dialer1 500
    ip nat inside source static udp 192.168.1.5 4125 interface Dialer1 4125
    ip nat inside source static tcp 192.168.1.5 4125 interface Dialer1 4125
    ip nat inside source static tcp 192.168.1.250 50000 interface Dialer1 50000
    ip nat inside source static udp 192.168.1.250 50000 interface Dialer1 50000
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
     login
     transport input all
    !
    end
    the NAT translation list above is with this configuration.

    Shall I put the access list back in, allow all and setup logging?
    And, as suggested, shall I re-add the "dialer-list 1 protocol ip permit"?

    The ethernet0 interface is not a physical interface, there are just 4 fastethernet, 1 pots and 1 console. So I don't know what the ethernet0 interface is for (which worries me). Anyway it's there even after I have reset my configuration.

    I've already taken the company internet down 2 times today for a total of one hour for testing. I'll do more testing tomorrow.

    Suggestions for the next round of tests would be greatly appreciated.
     
    Last edited by a moderator: Apr 17, 2012
