Solved

Port forwarding question

Posted on 2004-10-04
Last Modified: 2012-08-13
Here is the situation:
We have a VPN set up and it works fine...for the most part
All machines on the network can connect to all other machines on the network on any port that is open without a problem.
We will call these two networks 192.168.2.0 255.255.255.0 and 10.16.193.0 255.255.255.0.
At each end is a Cisco 831 router, and both have a public IP from a cable modem.

Now we want to enable outside connections to port 81 on a server 192.168.2.5
We use the command: "ip nat inside source static tcp 192.168.2.5 81 interface Ethernet1 81" on the 192.168.2.1 router to accomplish this.
Outside addresses can access the 2.1 router's WAN IP:81 and it works great; however, clients on the 10.16.193.0 subnet now cannot access 192.168.2.5:81 because it is attempting to NAT them, even though we have a nonat ACL set up correctly. Note: all other ports on 192.168.2.5 still work fine from the 10.16.193.0 subnet.

My question is: How do I get it so both outside and inside clients can access port 81 on this server?

Here is the router's running config (minus passwords and WAN IPs) if it'll help:
OBGATE#sh run
Building configuration...

Current configuration : 5748 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname OBGATE
!
boot-start-marker
boot system flash c831-k9o3y6-mz.123-8.T3.bin
boot-end-marker
!
no logging monitor
enable password 7 *****************
!
username ***** password 7 **********
clock timezone EST -5
clock summer-time EST recurring
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
ip domain name *********.com
ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key ********** address 65.107.***.*** no-xauth
crypto isakmp key ********** address 68.209.***.*** no-xauth
crypto isakmp key ********** address 24.184.***.*** no-xauth
crypto isakmp key ********** address 24.47.***.*** no-xauth
crypto isakmp key ********** address 24.189.***.*** no-xauth
crypto isakmp key ********** address 207.247.***.*** no-xauth
crypto isakmp key ********** address 167.206.***.*** no-xauth
!
!
crypto ipsec transform-set gtelset esp-des esp-md5-hmac
!
crypto map gteltrans client authentication list userauthen
crypto map gteltrans isakmp authorization list groupauthor
crypto map gteltrans client configuration address respond
crypto map gteltrans 11 ipsec-isakmp
 description *********
 set peer 65.107.***.***
 set transform-set gtelset
 match address CPAN
crypto map gteltrans 15 ipsec-isakmp
 description *********
 set peer 68.209.***.***
 set transform-set gtelset
 match address ALEX
crypto map gteltrans 22 ipsec-isakmp
 description *********
 set peer 167.206.***.***
 set transform-set gtelset
 match address GTELCONT
crypto map gteltrans 26 ipsec-isakmp
 description *********
 set peer 24.47.***.***
 set transform-set gtelset
 match address HABBCORP
crypto map gteltrans 27 ipsec-isakmp
 description *********
 set peer 24.184.***.***
 set transform-set gtelset
 match address GREGT
crypto map gteltrans 29 ipsec-isakmp
 description *********
 set peer 24.189.***.***
 set transform-set gtelset
 match address HSTVPN
crypto map gteltrans 31 ipsec-isakmp
 description *********
 set peer 207.247.***.***
 set transform-set gtelset
 match address MDUFFY
!
!
!
interface Ethernet0
 description 192.168.2.x LAN
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface Ethernet1
 description CableVision - WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 duplex half
 no cdp enable
 crypto map gteltrans
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
no ip http server
ip http authentication aaa
no ip http secure-server
! Each of these ports (12345, 6000, 21, 81, 8081, 8082, 8085) doesn’t work internally to the VPN but they do work from outside addresses
! …because inside addresses from any of our routers appear to be incorrectly nat’d
! You can see this by doing a “show ip nat trans”
! Earlier I removed the static nat for port 81 and it then worked internally but not externally
! Need to find some way to make these ports accessible internally and externally, I’m pretty sure this method has worked for us in the past.
ip nat inside source static tcp 192.168.2.5 12345 interface Ethernet1 12345
ip nat inside source static tcp 192.168.2.6 6000 interface Ethernet1 6000
ip nat inside source static tcp 192.168.2.5 21 interface Ethernet1 21
ip nat inside source static tcp 192.168.2.5 81 interface Ethernet1 81
ip nat inside source static tcp 192.168.2.6 8081 interface Ethernet1 8081
ip nat inside source static tcp 192.168.2.6 443 interface Ethernet1 8082
ip nat inside source static tcp 192.168.2.21 3389 interface Ethernet1 8085
ip nat inside source route-map nonat interface Ethernet1 overload
!
!
ip access-list extended ALEX
 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended CPAN
 permit ip 192.168.2.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended GREGT
 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended GTELCONT
 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended HABBCORP
 permit ip 192.168.2.0 0.0.0.255 10.16.0.0 0.0.255.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended HSTVPN
 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended MDUFFY
 permit ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip 192.168.2.0 0.0.0.255 any
ip access-list extended nonatACL
 deny   ip 192.168.2.0 0.0.0.255 192.168.60.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 10.16.193.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
 deny   ip 192.168.2.0 0.0.0.255 172.16.0.0 0.0.255.255
 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address nonatACL
!
radius-server host 192.168.2.5 auth-port 1645 acct-port 1646
radius-server retransmit 2
radius-server key 7 ******************************
!
control-plane
!
!
line con 0
 exec-timeout 15 0
 logging synchronous
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 exec-timeout 5 0
 logging synchronous
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
end

OBGATE#
Question by:frieked
 
LVL 8

Expert Comment

by:holger12345
ID: 12217861
Hi,

Well, I can't follow all of your config and my knowledge of Cisco is pretty old... but from my point of view it seems that your line
"ip nat inside source route-map nonat interface Ethernet1 overload"
comes after
"ip nat inside source static tcp 192.168.2.5 81 interface Ethernet1 81"
so that - if my thoughts are correct - the router, which works through the config serially like a batch file, finds a matching "natting" rule before you tell it to "nonat" the exceptions.

Could you configure it the other way round? I know that access-lists must follow these rules... so perhaps try it with the "natting" too.

Good luck
Holger
 
LVL 8

Assisted Solution

by:holger12345
holger12345 earned 250 total points
ID: 12217902
Note:
I think you will have to "no ip nat ..." all of the NAT config first before you build it up again... use Notepad and copy & paste to simplify that task.
 
LVL 79

Accepted Solution

by:lrmoore
lrmoore earned 250 total points
ID: 12219108
Here's a Cisco reference doc that explains what you need to do:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml

Basically, you need to add a loopback interface and set the next hop to be this loopback IP.

"By doing so, the traffic comes from an interface marked as inside by issuing the ip Nat inside command, but goes out of an interface (the loopback) that is not marked as outside. The same reasoning applies when the packet is going from the loopback to the interface marked "outside" by issuing the ip Nat outside command. Consequently, the static mapping never takes place."


 
LVL 3

Author Comment

by:frieked
ID: 12219174
Thanks for the suggestions, though the order doesn't really matter...

I replaced each static port mapping as follows to fix:
no ip nat inside source static tcp 192.168.2.5 81 interface Ethernet1 81
ip nat inside source static tcp 192.168.2.5 81 24.189.***.*** 81 route-map nonat extendable

So basically I replaced the interface name with the IP address assigned to it and then applied the route-map directly to the mapping.

Will award you the points though for your time :)
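To make the mechanism behind this fix concrete, here is an added example (my own model, not the poster's configuration or anything from Cisco) that replays the NAT decision the router makes on the server's reply traffic. It assumes the usual explanation of the symptom: the server's reply to a VPN client is source-translated by the static entry, no longer matches the crypto ACL, and therefore leaves the router in the clear instead of through the tunnel. The nonatACL and the HABBCORP crypto ACL are copied from the posted config; WAN_IP, the VPN client 10.16.193.7 and the Internet client 203.0.113.9 are placeholders I constructed, and all function names are mine.

```python
"""Model of how an IOS static port translation treats the server's reply,
with and without a route-map bound to the static entry.  Added example,
not the poster's or Cisco's code; hosts and WAN_IP are constructed."""
import ipaddress


# ---- Cisco ACL evaluation -------------------------------------------------
def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def acl_permits(acl, src: str, dst: str) -> bool:
    """Entries are tested top-down, first match wins, implicit deny at the end."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action == "permit"
    return False


# nonatACL exactly as posted (source 192.168.2.0/24, tunnel subnets denied)
NONAT_ACL = [
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.60.0", "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.4.0",  "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.0.0",  "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "10.16.193.0",  "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.8.0",  "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.3.0",  "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "172.16.0.0",   "0.0.255.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "0.0.0.0",      "255.255.255.255"),
]
# crypto ACL HABBCORP as posted: the tunnel that carries 10.16.193.0/24
HABBCORP_ACL = [("permit", "192.168.2.0", "0.0.0.255", "10.16.0.0", "0.0.255.255")]

WAN_IP = "198.51.100.1"   # placeholder: the real Ethernet1 address is masked in the post


# ---- NAT table --------------------------------------------------------------
def static_tcp(local_ip, local_port, global_port, route_map=None):
    """One 'ip nat inside source static tcp ...' entry; route_map is an ACL or None."""
    return {"local": (local_ip, local_port), "global": (WAN_IP, global_port),
            "route_map": route_map}


def translate_reply(src, src_port, dst, static_entries):
    """Inside-to-outside pass: source translation applied to the server's reply.
    Returns the (ip, port) the packet leaves with.  The dynamic overload rule in
    the posted config is bound to nonatACL, so it is modelled here as well."""
    for e in static_entries:
        if e["local"] == (src, src_port):
            if e["route_map"] is None or acl_permits(e["route_map"], src, dst):
                return e["global"]
            break   # static entry matched but its route-map denied: no static NAT
    if acl_permits(NONAT_ACL, src, dst):   # 'ip nat inside source route-map nonat ... overload'
        return (WAN_IP, src_port)          # PAT; the chosen port is irrelevant here
    return (src, src_port)                 # untranslated


def reaches_vpn_peer(src, src_port, dst, static_entries):
    """After NAT the crypto map is consulted: only a packet that still matches the
    crypto ACL is encrypted to the peer; anything else leaves in the clear and the
    VPN client never sees the reply."""
    out_ip, _ = translate_reply(src, src_port, dst, static_entries)
    return acl_permits(HABBCORP_ACL, out_ip, dst)


# The port-81 mapping as originally posted, and as changed in the fix above
BROKEN = [static_tcp("192.168.2.5", 81, 81)]
FIXED = [static_tcp("192.168.2.5", 81, 81, route_map=NONAT_ACL)]

VPN_CLIENT = "10.16.193.7"    # constructed host on the remote subnet
INET_CLIENT = "203.0.113.9"   # constructed Internet host

if __name__ == "__main__":
    for label, table in (("broken", BROKEN), ("fixed", FIXED)):
        for client in (VPN_CLIENT, INET_CLIENT):
            out = translate_reply("192.168.2.5", 81, client, table)
            tunnel = reaches_vpn_peer("192.168.2.5", 81, client, table)
            print(f"{label:6} reply to {client:12} leaves as {out[0]}:{out[1]}, "
                  f"encrypted to VPN peer: {tunnel}")
```

Running it shows the reply to the VPN client leaving as WAN_IP:81 under the original mapping, where it can no longer match the crypto ACL, and as 192.168.2.5:81 under the route-map-bound mapping, while the Internet client is translated in both cases. The "show ip nat translations" check mentioned in the config comments is how the same thing is confirmed on the router itself.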
 
LVL 3

Author Comment

by:frieked
ID: 12219193
lrmoore: looks like your fix would probably work as well but I'm gonna stick with what I got.
I'll split the points between you two
 
LVL 8

Expert Comment

by:holger12345
ID: 12219432
Thanks for your reward ;-)