cisco port forward challenge

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › cisco port forward challenge

millst

26 posts

Geek

#123190 27-Jun-2013 16:24

I'm in need of a little IOS help on a problem that has me stumped on my home network.

I have a Cisco 887 ADSL modem / router / firewall.
I have the modem working fine and can get on the net.

I have several servers on the inside of my network which I need to get traffic to from the net. 4 different web servers which will each run on different ports, plus some cameras and home automation gear on some oddball ports. All in all, nothing special.

Now here is the strange part, I can port forward to some of the internal IP addresses but not others.
My internal network is 192.168.0.0/24

My 887 is on 192.168.0.3
I have webservers on 192.168.0.1, 192.168.0.2 and 192.168.40 on port 80.
Then 192.168.0.41 has two https sites listening on port 7443 and 8443

Now, I can set up a NAT port forward absolutely fine that goes from my dynamic internet IP address on to 192.168.0.1 port 80.
I can also change in internet listening port to 81, 8080, 7443 and 8443 and these all work fine.
This tells me the firewall is fine and there are no issues with the port ACLs.

I can also setup a forward to the web admin of the 887 (192.168.0.3) listening on port 80, or 81 etc and that works fine also. So thats two internal addresses working fine.

However when I change the rule to point to any one of the other servers ie 192.168.0.40 or 192.168.0.2 or 192.168.0.41 it does not get through to the server. The port appears closed from the internet.

As soon as I put it back to 192.168.0.1 or 3, it works again.
I can ping both servers from the CLI on the router.
All the webservers are running inside the same virtual host on the same piece of cat5.
Its running through a cisco switch with nothing special in the config.

I have tried adding pretty loose NAT ACL's
I have pretty much disabled the firewall

My full router config is here :
http://pastebin.com/SzCNQMN1

The lines of interest are here:

router rip

version 2
network 192.168.0.0
no auto-summary
!
no ip classless
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 7443
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended DNS
remark CCP_ACL Category=128
permit ip any any
ip access-list extended DNS1
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended filter_incoming
remark CCP_ACL Category=17
permit tcp any any eq 81
permit tcp any any eq www
permit udp host 202.27.156.72 eq domain any
permit udp host 202.27.158.40 eq domain any
remark Auto generated by CCP for NTP (123) 130.123.2.98
permit udp host 130.123.2.98 eq ntp any eq ntp
remark Auto generated by CCP for NTP (123) 192.168.0.1
permit udp host 192.168.0.1 eq ntp any eq ntp
remark 7443
permit tcp any eq 7443 any eq 7443
permit ip any any
ip access-list extended terminal_access
remark CCP_ACL Category=17
permit tcp 120.136.4.96 0.0.0.15 any eq 22
permit tcp any any eq 22
deny tcp any any
!
logging esm config
logging trap debugging
access-list 1 remark CCP_ACL Category=18
access-list 1 permit 192.168.0.1
access-list 1 permit 192.168.0.2
access-list 1 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.1
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
no cdp run

Any suggestions on what to try next, its had me going round and round in circles for several weeks now and I'm sure when I figure out what it is, I'll be able to get all the other bits working.
Thanks in advance.

muppet

2570 posts

Uber Geek

Trusted

#846322 27-Jun-2013 17:19

Couple of things

Why do you have "no ip classless"

Also, what lines are you adding changing? Are you modifying the access lists at the same time to do this?

millst

26 posts

Geek

#846327 27-Jun-2013 17:32

Thanks heaps for your suggestions...

I'm using cisco config professional which inserts a fair amount of stuff, I'm not a command line guru but have a rough idea, still learning my way with IOS.

Just looked up no ip classless and can see how that may be an issue, will turn if off now and try.

This line works:
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 7443
so does this
ip nat inside source static tcp 192.168.0.1 80 interface Dialer0 80

But this line does not not:
ip nat inside source static tcp 192.168.0.2 80 interface Dialer0 80

Just tried ip classless and still the same.
also added
ip route 192.168.0.0 255.255.255.0 Vlan1 permanent
just to make sure it wasn't a route issue.

updated config is here:
http://pastebin.com/1XZEQwTm

muppet

2570 posts

Uber Geek

Trusted

#846333 27-Jun-2013 18:04

I don't do much Cisco these days either, certainly I've never done NAT on one. So forgive me, I'm flying a bit blind myself. No doubt someone with some clue will come along and spot the obvious problem, but until then I'll offer a few more suggestions and we'll see what happens...

You have this policy map:

policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-http-2
pass
class class-default
pass

It's referenced here:

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn

What's interesting is you reference http twice. Now I don't know cisco, but I wonder if, because sdm-nat-http-1 only allows 0.1, if it's getting denied there, so never bothering to inspect it in the second stanza. The fact this was generated by a Cisco tool probably means it's perfectly valid, but try this and see if it helps

access-list 101 permit ip any host 192.168.0.2

millst

26 posts

Geek

#846337 27-Jun-2013 18:21

Thanks, yes, I'm a bit the same, I've done pix firewalls before but never an all in one device with NAT.
Its insanely powerful, but somewhat confusing as there are so many layers.

I wasn't sure if I needed one rule for each but I followed your recommendation and added the entry under the first http policy map but still no go.

now reads:

logging esm config
logging trap debugging
access-list 1 remark CCP_ACL Category=18
access-list 1 permit 192.168.0.1
access-list 1 permit 192.168.0.2
access-list 1 permit any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.0.1
access-list 101 permit ip any host 192.168.0.2
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.0.2
no cdp run

most of the examples I can find online are incomplete and there isn't a nice big picture guide on what you need to do to get NAT working on an 880 series.

Dinuir

41 posts

Geek

#846369 27-Jun-2013 19:39

Hi there,

If you want four websites available at the same time from the Internet, you must assign separate ports externally for each website (as it shares the same public ip). You should map each website with a separate Nat statement also.

If you use the same external port (I.e. port 80) for different internal websites, it will hit the first rule that matches on port 80 and never "hit" the second rule.

Please PM me if you need any more information.

muppet

2570 posts

Uber Geek

Trusted

#846371 27-Jun-2013 19:39

Join the geekzone chat (link up the top of the page, or if you know how to use IRC connect to irc.synirc.net channel #geekzone) and have a chat to me there. Easier than back and forth here.

millst

26 posts

Geek

#846375 27-Jun-2013 19:45

Dinuir: Hi there,

If you want four websites available at the same time from the Internet, you must assign separate ports externally for each website (as it shares the same public ip). You should map each website with a separate Nat statement also.

If you use the same external port (I.e. port 80) for different internal websites, it will hit the first rule that matches on port 80 and never "hit" the second rule.

Please PM me if you need any more information.

Hi thanks, yes, I am aware that this will not allow both to work at the same time yet.

I'm not up to that point yet, I just want to get each one working individually on the same port before putting each one on a different port.
The problem is that only two internal addresses work when I swap where the NAT rule points and three do not.

ie, when I point the rule to IP X it works, when I change that same rule to point to another routable address, it doesn't.

Quic Broadband

Move to New Zealand's best fibre broadband service (affiliate link). Free setup code: R587125ERQ6VE. Note that to use Quic Broadband you must be comfortable with configuring your own router.

millst

26 posts

Geek

#846426 27-Jun-2013 21:07

muppet: Join the geekzone chat (link up the top of the page, or if you know how to use IRC connect to irc.synirc.net channel #geekzone) and have a chat to me there. Easier than back and forth here.

Thanks for your help tonight guys, I've locked myself out of the router now trying to expose the management interface to the internet so I think thats me for the night. I'll reload it tomorrow and get back to this point again and read up on the links posted.

Dinuir, if you could track down that working config, that would be brilliant. I'm sure its something stupid and small and if I had a working config to compare to that might make it a bit easier.

Cheers Guys, greatly appreciate your expertise!!!

mmlakeman

106 posts

Master Geek

#846430 27-Jun-2013 21:12

Hi,

Can you telnet from the router to the webserver - eg. telnet 192.168.0.40 80

Also I always put a deny log at the end of any access lists so I can do a show log and see anything that is being blocked. eg. access-list 102 deny ip any any log

Also can you see the NAT translations when you do a
sh ip nat trans tcp

millst

26 posts

Geek

#846785 28-Jun-2013 15:27

Hi all,

just to report back, i have it going now.
It turned out to be a gateway issue on the destination servers, for some reason they were caching an old gateway entry. A reboot of the servers fixed it.

Many thanks for all your help with this. I'm going to try locking the config down now.

muppet

2570 posts

Uber Geek

Trusted

#846787 28-Jun-2013 15:29

Excellent, good to hear! Glad you got it sorted.