Solved

Cisco Blocks ALL Inbound Ports on Outside NAT Interface

Posted on 2012-03-26
409 Views
Last Modified: 2012-03-27
Hello,

I have a T1 line that goes straight into a Cisco router. Today it just started blocking all ports out of the blue. I've been trying to figure it out but I can't; I've even removed every resemblance of security on the router and made sure that there is nothing other than a permit-any ACL assigned to the NAT. It's completely wide open, yet I can't get into anything. I called the ISP and they said they never block ports, that it's just an open pipe into our building. So it's gotta be an issue on the Cisco. I've attached a copy of the running config. Let me know if there is any more info I can give; I'm afraid I'm running on empty as it's 1:00 am and I've been up since 6:00 am yesterday lol, so I may have left something out.

hightechpastics-router-backup-st.log
Question by:ctagle
12 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37770160
Hi ctagle,

I took the liberty of sanitizing your config so the publics don't show completely.
I also see 3 default routes, perhaps that's the issue? Otherwise is the log showing you anything?
 

Author Comment

by:ctagle
ID: 37770229
I managed to figure out why ALL the ports were being blocked: I needed to set the NAT up to redirect requests received on certain ports to the correct IP. It became obvious after some Whataburger and coffee lol. Now my problem is that I can't get certain ones to open. For example, port 25 refuses to open; I've tried everything. It was open less than a day ago, now I can't get it to open at all. What's odd is that some ports are not assigned to any well-known services I don't think, like port 3394; it won't open either. Help is greatly appreciated.

Oh and thanks for the edit, again, I've been up for way too long XD
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37770249
No problem :-)

So what does your config look like now?
Is it giving you any errors when configuring the ports or do they just not work? Oh and try looking at the logs, it might tell you something.
 

Author Comment

by:ctagle
ID: 37770295
Here is a copy of the running config that's on it right now. I don't know what some of those NAT entries are for, but I know none of them should limit traffic.
hitechpasticsrunningconfig.txt
 

Author Comment

by:ctagle
ID: 37770309
I perused the logs for the NAT translation and there are some hosts with ports other than port 25 trying to connect, but to be honest I'm not too familiar with the NAT readout.
 
LVL 35

Accepted Solution

by:Ernie Beek (earned 500 total points)
ID: 37770361
Just did some testing but I am able to get through (?)
So nat seems to be working. But on port 25 (for example) I get an error which looks to be coming from the server, not the router:
421 Cannot connect to SMTP server 216.183.33.74 (216.183.33.74:25), connect time out

Perhaps you might want to have a look at the server(s) as well.
 

Author Comment

by:ctagle
ID: 37770479
Well, at least that narrows it down. What tool did you use to get that error message, btw?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37770492
DOSBox on Windows, then the command
Telnet x.x.x.74 25
So adding the port you wish to connect to behind the IP you connect to.
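The check in the accepted solution above (connect to the public address on the forwarded port and read what comes back) and the telnet command in the last comment both rest on one distinction: a connection that times out with no answer at all points at the router (a missing static NAT entry, an ACL drop) or at an unreachable host, whereas an RST, or an application-level reply such as the 421 quoted above, proves the TCP path through the NAT works and the fault is behind it on the server. The following is an added example, not from the thread or from either participant, that automates that classification with Python's standard socket library. The 421 banner is constructed from the one quoted above with a documentation address (203.0.113.74) in place of the real one, and the throwaway listener it starts on 127.0.0.1 stands in for the forwarded server so the run is self-contained; against a real router you would call probe_port with the public IP and each forwarded port.

```python
import socket
import threading

# Constructed sample: modelled on the 421 response quoted in the thread, with a
# documentation-range address substituted. Not captured from any real server.
SAMPLE_BANNER = (b"421 Cannot connect to SMTP server 203.0.113.74 "
                 b"(203.0.113.74:25), connect time out\r\n")


def probe_port(host, port, timeout=3.0):
    """Classify one TCP port from the client's side.

    Returns (state, banner) where state is:
      "filtered" - no SYN/ACK and no RST before the timeout: typically a
                   missing NAT mapping, an ACL drop, or a host that is down
      "closed"   - the far end answered with RST: packets reach a host, but
                   nothing listens on that port
      "open"     - handshake completed; banner holds the first bytes the
                   service sent (empty if it sent nothing before the timeout)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except socket.timeout:
        s.close()
        return ("filtered", b"")
    except ConnectionRefusedError:
        s.close()
        return ("closed", b"")
    except OSError as exc:  # e.g. EHOSTUNREACH: the path itself is broken
        s.close()
        return ("filtered", str(exc).encode())
    try:
        banner = s.recv(512)
    except socket.timeout:
        banner = b""
    finally:
        s.close()
    return ("open", banner.strip())


def interpret(result):
    """Turn a probe result into the troubleshooting verdict used in the thread."""
    state, banner = result
    if state == "filtered":
        return "no TCP handshake: check NAT/ACL on the router or host reachability"
    if state == "closed":
        return "RST received: packets reach the host, the service is not listening"
    if banner.startswith(b"2"):
        return "service up (greeting received)"
    if banner[:1] in (b"4", b"5"):
        return "TCP path works, the application refused/failed: look at the server"
    return "connected, no greeting: application-level problem, not the router"


def serve_once(banner, host="127.0.0.1"):
    """Start a throwaway listener on an ephemeral port that sends `banner` to
    the first client and exits. Stands in for the forwarded server. Returns
    the port number."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


def free_port(host="127.0.0.1"):
    """Pick a port that nothing listens on (bound, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def run_local_demo():
    """Reproduce on localhost the two outcomes that matter for the thread:
    a port whose service answers with a 4xx error (the router is fine) and a
    port with nothing behind it (RST). Returns {label: (state, verdict)}."""
    results = {}
    r = probe_port("127.0.0.1", serve_once(SAMPLE_BANNER))
    results["smtp_421"] = (r[0], interpret(r))
    r = probe_port("127.0.0.1", free_port())
    results["nothing_listening"] = (r[0], interpret(r))
    return results


if __name__ == "__main__":
    for label, (state, verdict) in run_local_demo().items():
        print(f"{label:18s} {state:9s} {verdict}")
```

Against a real router, loop probe_port over the public address and every port you expect to be forwarded; only the "filtered" results are the router's problem, and a 421 like the one in the thread means the translation already works. Note that a plain Windows telnet client reports "connection failed" without showing the 4xx text, which is why reading the banner, as the DOSBox telnet did, is worth the extra step.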
 

Author Comment

by:ctagle
ID: 37770501
Huh, Windows never outputs that for me, it just says connection failed. I'll see what happens; time for the wonderfully fun task of troubleshooting GroupWise....
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37770505
Ah, I remember GroupWise...... Good luck ;)
 

Author Comment

by:ctagle
ID: 37770554
Got it, thank you for the help. If you hadn't pointed me towards the server I would have still been fumbling with the router. I really do appreciate it. :D
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37770569
Glad I was able to help you out, now get some sleep :-)
And thx for the points.
