noad
RDP on 4321 Router

Hello everyone.

I asked this question a few days ago and it was answered, and I was able to remote in, but now I am using a different router (Cisco 4321).

I'm doing a port forward for RDP and I get the following message after I input the command below:
ip nat inside source static tcp 192.168.5.9 3389 50.73.7.209 3389 extendable
%Port 3389 is being used by system...

Thank You
Tom Cieslik

You need to do audit on all rules you have on your Cisco.
Probably one rule has this port already assigned.

ASKER

I just got this router, no rdp rule at all
any other ideas?

ASKER

Is there a command to see if that port is being used other than sh run?
Are there any pre-defined rules installed? Maybe there are.

ASKER

how can I check

I did another RDP forward using a different port; it took the command, but I was unable to remote in.
Check your IOS version. You may need to upgrade. There's a known bug for some versions.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCus49353/?referring_site=bugquickviewclick

ASKER

jamc

looked into it here is the show after running the command


R0NWGS(config)#do sh ip nat portblock dynamic global
tcp:
  5120 -6143   4096 -5119   3072 -4095   2048 -3071   1024 -2047
  545  -617
udp:
  5525 -6548   4501 -5524   3072 -4095   2048 -3071   1024 -2047
  585  -648    512  -584
R0NWGS(config)#

I see that port 3389 is in the range of 3072 to 4095 ...
so I can't use port 3389?
Yeah, you can. You have to configure the NATing and then configure overload. Did you do that?

route-map NAT permit 5
 match ip address nating
ip nat inside source route-map NAT interface GigabitEthernet0/0/0 overload

ASKER

Sorry, new with Cisco.

Not really sure what to do.

Can you spell it out step by step?

Here is my config:



login as: admin
Using keyboard-interactive authentication.
Password:

R0NWGS#sh run
Building configuration...

Current configuration : 2175 bytes
!
! Last configuration change at 22:04:37 UTC Thu Dec 22 2016 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no platform punt-keepalive disable-kernel-core
!
hostname R0NWGS
!
boot-start-marker
boot system bootflash:isr4300-universalk9.03.13.02.S.154-3.S2-ext.SPA.bin
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$NkJt$Z.7t.g9DQlGEbu8bZ75HQ0
enable password 7 10460C150918
!
no aaa new-model
!
!
!
!
!
!
!
!
!


ip domain name nwgs.biz

ip dhcp excluded-address 192.168.5.1 192.168.5.100
ip dhcp excluded-address 192.168.4.1 192.168.4.10
!
ip dhcp pool NWGS
 network 192.168.5.0 255.255.255.0
 default-router 192.168.5.1
 dns-server 192.168.5.9 8.8.8.8
!
ip dhcp pool playroom
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1
 dns-server 192.168.5.9
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FDO18451BXL
!
username admin privilege 15 secret 5 $1$YcHE$snwPRXA.KjudbaxJZgdvp1
!
redundancy
 mode none
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 ip address 50.73.7.209 255.255.255.252
 ip nat outside
 negotiation auto
!
interface GigabitEthernet0/0/1
 ip address 192.168.5.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1.4
 encapsulation dot1Q 4
 ip address 192.168.4.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
ip nat inside source list 103 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390 extendable
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
!
!
!
control-plane
!
!
line con 0
 password 7 141F1707000B
 stopbits 1
line aux 0
 password 7 09444B05150A
 stopbits 1
line vty 0 4
 password 7 151C1C0B177C7C7C7F
 login local
 transport input all
!
!
end

R0NWGS#

Thank you
ASKER CERTIFIED SOLUTION
jmac44

ASKER

OK...

I was able to do the clear command.
When I do the no ip nat inside source list 103 int g0/0/1 overload
I get the following
%Dynamic mapping in use, cannot remove

how do I turn off dynamic mapping?
The problem is that new NAT sessions open every microsecond; as soon as you delete NAT sessions, new sessions are created.
You need to stop NAT by either:
 - shutting down interfaces that are participating in NAT
 - removing ip nat inside / ip nat outside from interfaces
 - denying traffic from being NATed by temporarily creating an ACL that denies all traffic (preferred)
(so schedule downtime for this - internet will not work during the change)

no access-list 103
access-list 103 deny ip any any

When new sessions are not opening, you need to clear the existing NAT translations by issuing the command:
clear ip nat trans *
no ip nat inside source list 103 int g0/0/1 overload
 ! most likely you don't have to delete the NAT statement if NATing is not performed, but anyway (the same goes for the ACL: you can just delete it and there is no need to create one to deny all traffic :) ...

Then you should be able to issue:
ip nat inside source static tcp 192.168.5.9 3389 50.73.7.209 3389 extendable
ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390 extendable
ip nat inside source list 103 interface GigabitEthernet0/0/0 overload
!
no access-list 103
access-list 103 permit ip 192.168.4.0 0.0.1.255 any                 !optimized ACL :)
Predrag...

OK,
I got a better idea. I'm at the Fire Dept on duty today so I will have to wait till I get home tomorrow to implement.

So if I understand correctly, I'm just changing the order in which things are being applied, correct?

Thank you for your reply.

Respectfully
J.Pineiro
You need to stop NAT; when NATing is not working, order should not be important.
During the period that NAT is stopped, internet for sure will not work.
I understand that I need to stop NAT.

But once stopped, then I'm just reversing the order in which things are applied, correct?
What I'm asking is this:

I have it in the config as of now like this

ip nat inside source list 103 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390 extendable

1- What you are saying is to stop NAT
2- do a (clear ip nat trans *)
3- Delete this statement (no ip nat inside source list 103 int g0/0/1 overload)
4- Then add the (no ip nat inside source list 103 int g0/0/1 overload) again; this time it will be at the bottom so that it gets processed after the forwarding...

Is that correct?

Thank you for your help

Respectfully
J.Pineiro
What I expect will do the trick (issued in this order):

no access-list 103
!
clear ip nat trans *
!
ip nat inside source static tcp 192.168.5.9 3389 50.73.7.209 3389 extendable
ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390 extendable
!
access-list 103 permit ip 192.168.4.0 0.0.1.255 any



The additional commands are just for the case that the commands above are "not enough".
no access-list 103
access-list 103 deny ip any any
!
clear ip nat trans *
!
no ip nat inside source list 103 interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.5.9 3389 50.73.7.209 3389 extendable
ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390 extendable
ip nat inside source list 103 interface GigabitEthernet0/0/0 overload
!
no access-list 103
access-list 103 permit ip 192.168.4.0 0.0.1.255 any



I believe that the first list of commands is enough to do the trick, but since believing is not good enough...
The second list is to be ready for the case that I am wrong.
:)
I really thank you for all of your help.
Like I said, I'm on duty today at the Fire Dept, will do it as soon as I get in tomorrow.

Thank you so much for the simple steps...

To understand this better: is doing this necessary because that is just the way the router is programmed, or is it a bug on the router that is not allowing the same config as on the 1941 router that I had before?

Again,
Thank you for all of your help

Respectfully
J.Pineiro
that is just the way the router is programmed
It is normal router behavior.
OK...

So I can expect different routers to have different programming.

Understood.

I'll let you know how it goes in AM with the changes.

Respectfully
J.Pineiro
Predrag,

So I did exactly as you suggested, but still can't get it to work.


R0NWGS(config)#en
% Incomplete command.

R0NWGS(config)#
R0NWGS(config)#no access-list 103
R0NWGS(config)#
R0NWGS(config)#exit
R0NWGS#
*Dec 24 19:31:59.841: %SYS-5-CONFIG_I: Configured from console by consoleclear i                        p nat trans
R0NWGS#clear ip nat translation *
R0NWGS#
R0NWGS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R0NWGS(config)#$de source static tcp 192.168.5.9 3389 50.73.7.209 3389
%Port 3389 is being used by system min3389
R0NWGS(config)#
R0NWGS(config)#
R0NWGS(config)#no access-list 103
R0NWGS(config)#exit
R0NWGS#clear
*Dec 24 19:33:42.229: %SYS-5-CONFIG_I: Configured from console by consoleip nat rans
R0NWGS#clear ip nat rans
                    ^
% Invalid input detected at '^' marker.

R0NWGS#
R0NWGS#clear ip nat trans
R0NWGS#clear ip nat translation *
R0NWGS#
R0NWGS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R0NWGS(config)#no access-lsit 103
                          ^
% Invalid input detected at '^' marker.

R0NWGS(config)#no access-list 103
R0NWGS(config)#access-list 103 deny ip any any
R0NWGS(config)#exit
R0NWGS#clea
*Dec 24 19:34:57.714: %SYS-5-CONFIG_I: Configured from console by consoler
% Type "clear ?" for a list of subcommands
R0NWGS#
R0NWGS#clear ip nat trans
R0NWGS#clear ip nat translation *
R0NWGS#
R0NWGS#
R0NWGS#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R0NWGS(config)#no ip nat inside source list 103 int g0/0/0 overload
%Dynamic mapping not found
R0NWGS(config)#
R0NWGS(config)#$de source static tcp 192.168.5.9 3389 50.73.7.209 3389
%Port 3389 is being used by system min3389
R0NWGS(config)#


R0NWGS(config)#R0NWGS(config)#exit


To ensure that I was not passing any NAT traffic I even disconnected the WAN cable.
This is the problem:
no ip nat inside source list 103 int g0/0/0 overload

%Dynamic mapping not found
Somehow the command is not working.
According to the configuration above, the command should be there:
ip nat inside source list 103 interface GigabitEthernet0/0/0 overload
And also it could be that you ran into Cisco bug CSCuc79208.
It is a similar platform.
Conditions:
ISR4351 running version 15.4(3)S1
So, it could be affected.
The above ports are dynamically allocated to NAT when more ports are needed for creating translations. So whenever the port being requested in the "static mapping" is not in the list above for 'sh ip nat portblock dynamic global', the configuration will be successful; otherwise it will fail.
That is why it does not fail when you configure static mapping first and dynamic mapping second, as the port is not already allocated for dynamic mapping.
So, it looks like static NATing must be configured prior to configuring the NAT rule, or the bug will affect the system.
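As an added example (not code from the thread or from Cisco), the following Python parser reads the `sh ip nat portblock dynamic global` output quoted above and checks whether the global port of each proposed static mapping already sits inside a block allocated to dynamic NAT, which is the condition the bug text ties to the "%Port 3389 is being used by system" error; the sample show output and the two static lines are copied from this thread.

```python
import re

# Constructed sample: the "sh ip nat portblock dynamic global" output quoted in the thread
PORTBLOCK_OUTPUT = """\
tcp:
  6144 -7167   5120 -6143   4096 -5119   3072 -4095   2048 -3071
  1024 -2047   545  -617
udp:
  5525 -6548   4501 -5524   3072 -4095   2048 -3071   1024 -2047
  585  -648    512  -584
"""
# Constructed sample: the two static mappings the asker wants on the router
STATIC_LINES = [
    "ip nat inside source static tcp 192.168.5.9 3389 50.73.7.209 3389 extendable",
    "ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390 extendable",
]
RANGE_RE = re.compile(r"(\d+)\s*-\s*(\d+)")
STATIC_RE = re.compile(r"ip nat inside source static (tcp|udp) \S+ \d+ \S+ (\d+)")

def parse_portblocks(text):
    """Return {'tcp': [(lo, hi), ...], 'udp': [...]} from the show output."""
    blocks, proto = {}, None
    for line in text.splitlines():
        header = re.match(r"^(tcp|udp):\s*$", line.strip())
        if header:                       # start of a protocol section
            proto = header.group(1)
            blocks[proto] = []
        elif proto:                      # continuation line holding "lo -hi" ranges
            blocks[proto].extend((int(lo), int(hi)) for lo, hi in RANGE_RE.findall(line))
    return blocks

def claimed_block(blocks, proto, port):
    """Return the dynamic block already covering `port`, or None if the port is free."""
    for lo, hi in blocks.get(proto, []):
        if lo <= port <= hi:
            return (lo, hi)
    return None

def conflicting_statics(static_lines, blocks):
    """List (global_port, proto, block) for each static whose global port is in a dynamic block."""
    hits = []
    for line in static_lines:
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        block = claimed_block(blocks, m.group(1), int(m.group(2)))
        if block:
            hits.append((int(m.group(2)), m.group(1), block))
    return hits
```

Run the check before adding a static mapping: an empty result means the global port is outside every allocated block, so the mapping should be accepted.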
Predrag,

So I should re-config the router and create the static mapping before I create the NAT rule?

If that is the problem, I can re-config the router. Should not take long to do it.

so I would do something like this?

int g0/0/0
 ip nat outside

int g0/0/1
 ip nat inside

ip nat inside source static tcp 192.168.5.9 3389 50.73.7.209 3389
ip nat inside source static tcp 192.168.5.107 3389 50.73.7.209 3390

ip nat inside source list 103 interface GigabitEthernet0/0/0 overload

access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any


Would the above be correct?

Also, what if down the road I want to open another port?
Do I have to re-config again the entire router or will it fall into the correct place?

Thank you
Respectfully
J.Pineiro
Try to issue # sh ip nat portblock dynamic global
If tcp port 3390 is not listed as in use, then most likely it is the Cisco bug from above.
So I should re-config the router and create the static mapping before I create the NAT rule?
Looks that way.
access-list 103 permit ip 192.168.5.0 0.0.0.255 any
access-list 103 permit ip 192.168.4.0 0.0.0.255 any
The optimization for ACL 103 is:
access-list 103 permit ip 192.168.4.0 0.0.1.255 any
One line instead of two lines. :)
Would the above be correct?
Yes.
Also, what if down the road I want to open another port?
Looks like you can run into the same problem again, but I guess that it should be corrected in the next version of IOS (if the bug is present in this one).
Do I have to re-config the entire router again, or will it fall into the correct place?
Not sure what needs to be done, what the actual workaround is in case it is the Cisco bug. My guess is (worst case scenario): delete the commands relevant to NAT, reload the device and after the reload configure NAT again. But maybe the bug is not present; still, I guess that
no ip nat inside source list 103 int g0/0/0 overload
%Dynamic mapping not found
is a part of the bug, but cannot be sure. There is a way to change the startup configuration and then reloading the router should solve the problem, but generally I don't recommend that approach (if not done correctly it can cause a lot of problems).
Predrag

Here is the output of sh ip nat portblock dynamic global:

login as: admin
Using keyboard-interactive authentication.
Password:

R0NWGS#en
R0NWGS#sh ip nat portblock dynamic global
tcp:
  6144 -7167   5120 -6143   4096 -5119   3072 -4095   2048 -3071
  1024 -2047   545  -617
udp:
  5525 -6548   4501 -5524   3072 -4095   2048 -3071   1024 -2047
  585  -648    512  -584
R0NWGS#

Not sure how to read this; are ports 3072 to 4095 open, or set aside for use?


Thank you
Respectfully
J.Pineiro
Those are supposed to be set aside for use.
You can use a regex to filter sh ip nat translations to check if a port is currently in use:
#sh ip nat translations | i :3389|:3390                 <-- ports that you want to check (3389, 3390)
or
#sh ip nat translations | i 209:3389|209:3390     <-- 209 is the last octet of the WAN IP address (50.73.7.209)

If nothing is listed (and the regex is typed correctly) :) - the port is not in use.
Got it,

I will check in the AM; it's midnight here and I'm going to get some ZZZZZZZZZzzzzz

Merry Christmas

Thank you for all of your help

Respectfully
J.Pineiro
Predrag,

Here is the output of the commands you suggested I run.

login as: admin
Using keyboard-interactive authentication.
Password:

R0NWGS#sh ip nat translations | i :3389|:3390
R0NWGS#
R0NWGS#
R0NWGS#sh ip nat translations | i 209:3389|209:3390
R0NWGS#
R0NWGS#
R0NWGS#

That would suggest that it's a bug, correct???
SOLUTION
At this point I'll call Cisco to see if there is an update.

Thank you for all of your time and help with this issue.



Respectfully
J.Pineiro
Yes...
Thank you...

It should only be for Juan Pineiro...
NOAD should not even come up