Cisco 2811 Port Forwarding

[morinookuni123]

I have a cisco 2811 router I have been trying to configure past month or two. My set up is this, Comcast modem (10.1.10.1) leads to 2811 router (FA0/0 10.1.10.2) (FA0/1 192.168.1.1), leads to Cisco catalyst switch and spreads out to the offices from there. I have a server and a NAS storage devices connected to the switch. (NAS storage 192.168.1.6) (server 192.168.1.5). I am trying to access the NAS remotely using port 9443. I have researched and applied what I thought to be the correct command to forward the port, the port IS forwarded in the Comcast modem, and locally it all talks together just when I get to one side of the router does it not talk anymore. I have also NEVER configured NAT before, I graduated college and we done some cisco classes and touched on NAT but never in this depth that I need now. I have also been trying to do VPN with port 1723, but once I figure out this port issue I will know how to do both.

Here is my Cisco 2811 router configuration:

Router#show run
Building configuration...

*Jan 19 16:16:59.277: %SYS-5-CONFIG_I: Configured from console by console
Current configuration : 2606 bytes
!
! Last configuration change at 16:16:59 UTC Thu Jan 19 2017
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
!
dot11 syslog
ip source-route
!
!
ip cef
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.3.1 192.168.3.5
ip dhcp excluded-address 192.168.1.1 192.168.1.5
ip dhcp excluded-address 192.168.2.1 192.168.2.5
!
ip dhcp pool Clients
import all
network 192.168.1.0 255.255.255.0
dns-server 192.168.1.5 192.168.1.3 75.75.75.75 75.75.76.76
default-router 192.168.1.1
!
ip dhcp pool Guests
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.1.5 192.168.1.3 75.75.75.75 75.75.76.76
!
ip dhcp pool PRINTERS
network 192.168.2.0 255.255.255.0
dns-server 75.75.75.75 75.75.76.76
default-router 192.168.2.1 255.255.255.0
!
!
!
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2811 sn FTX1225A4DD
!
redundancy
!
!
!
!
!
!
!
!
!
interface FastEthernet0/0 (This goes to Comcast modem)
ip address 10.1.10.2 255.0.0.0
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1 (This goes to local network)
no ip address
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.2
encapsulation dot1Q 2
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface FastEthernet0/1.3
encapsulation dot1Q 3
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat source static tcp 10.1.10.2 9443 192.168.1.6 9443 extendable
ip nat inside source list TRAFFIC-2-NAT interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 50.252.68.6 (Static IP provided by Comcast to company)
ip route 0.0.0.0 0.0.0.0 10.1.10.1
ip route 192.168.1.1 255.255.255.255 10.1.10.1
!
ip access-list extended TRAFFIC-2-NAT
remark Specify all networks to NAT inside-2-outside
permit ip 192.168.1.0 0.0.0.255 any
permit ip 192.168.3.0 0.0.0.255 any
permit ip 50.252.68.0 0.0.0.255 any
permit ip any any
permit ip 10.1.10.0 0.0.0.255 any
permit tcp any eq 9443 any
permit udp any eq 9443 any
permit tcp any any
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
login
transport input all
!
scheduler allocate 20000 1000
end

Router#

 

[bill001g]

You need to use a IP INSIDE SOURCE STATIC TCP command using the interface and port just like you did on the primary nat but specify the inside ip and port in the command.

Your access list is not valid...it doesn't really matter but it does the same as a single permit ip any any.


Looking at this farther I am confused. Unless fa 0/0 is getting the actual static IP via dhcp or you have it configured the nat will not work properly. You will translate all your IP to 10.1.10.2

 

[morinookuni123]

You need to use a IP INSIDE SOURCE STATIC TCP command using the interface and port just like you did on the primary nat but specify the inside ip and port in the command.

Your access list is not valid...it doesn't really matter but it does the same as a single permit ip any any.


Looking at this farther I am confused. Unless fa 0/0 is getting the actual static IP via dhcp or you have it configured the nat will not work properly. You will translate all your IP to 10.1.10.2

So your saying that it should be IP inside source static tcp 192.168.1.1 9443 192.168.1.6 9443 ??

Yeah all those permit IP commands there I added in as a desperate attempt to get port forwarding to work because I couldn't figure out what was happening. FA0/0 (10.1.10.2) is set to static in the Comcast modem. I don't guess the static IP is coming through as dhcp, that would defeat the purpose of static IP address if it was dhcp wouldn't it? As far as I know, I am not able to configure the static IP address in the Comcast modem. Where it is located in the modem config, it is greyed out. The Comcast agent that set up the modem originally had to call in to "push the static IP to the modem", which I guess meant that they configured it on their end.

As of right now the network does work, employees are able to browse the internet and send emails just fine and don't have any network crashes (lately). once I change one of the interfaces from outside to inside and vice versa, the whole network goes down until I change it back.

 

[morinookuni123]

You need to use a IP INSIDE SOURCE STATIC TCP command using the interface and port just like you did on the primary nat but specify the inside ip and port in the command.

Your access list is not valid...it doesn't really matter but it does the same as a single permit ip any any.


Looking at this farther I am confused. Unless fa 0/0 is getting the actual static IP via dhcp or you have it configured the nat will not work properly. You will translate all your IP to 10.1.10.2

Ok so update from my last reply to you, I done the command IP NAT INSIDE SOURCE STATIC TCP 192.168.1.6 9443 10.1.10.2 9443.
I ran a port scanner and it came back with the 9443 port "Timed out" instead of closed, not quite open but progress is progress. What would cause the "timed out"??

 

[bill001g]

I would change the ip statement on the interface going to the modem to DHCP and see if that works. The isp in general will assign the IP to whatever the first mac that attaches to the modem.

The statement is
ip nat inside source static tcp 192.166.1.6 9443 interface fa0/0 9443

Note if somehow the ISP does forward the traffic to 10.1.10.2 then you have to do a very nasty configuration called nat on a stick. By the time you learn to do that you will be a expert on cisco nat. It forces traffic via a loopback interface.

 

[morinookuni123]

I would change the ip statement on the interface going to the modem to DHCP and see if that works. The isp in general will assign the IP to whatever the first mac that attaches to the modem.

The statement is
ip nat inside source static tcp 192.166.1.6 9443 interface fa0/0 9443

Note if somehow the ISP does forward the traffic to 10.1.10.2 then you have to do a very nasty configuration called nat on a stick. By the time you learn to do that you will be a expert on cisco nat. It forces traffic via a loopback interface.

I had put in the command you suggested above and it did work to a extent. like the command I had done earlier it made the port 9443 go from closed to "timed out" I am looking at the modem itself to see if there is anything I need to adjust or change, as of right now though in the port forward config for it, seems sound.

NAT on a stick sounds like something I am far from doing yet, I had a hard enough time with loopback interfaces by them selves, let alone with NAT

would there be anything in my current router config that would counter the command you suggested and cause packets to be dropped maybe giving the timed out error I am getting?

 

[bill001g]

You need to start out simple. Use a ping command to some common address like 8.8.8.8. You may have to use the option to source it from of your ip you assigned to a inside interface. This will test your nat.

Still if this even partially works it means the static ip is assigned to another device. If your modem is acting as a router and it is doing the port mapping.

I still would change the ip address on the outside interface to DHCP. Most modems only have a management IP it does not good to route traffic to their management ip.

 

[morinookuni123]

You need to start out simple. Use a ping command to some common address like 8.8.8.8. You may have to use the option to source it from of your ip you assigned to a inside interface. This will test your nat.

Still if this even partially works it means the static ip is assigned to another device. If your modem is acting as a router and it is doing the port mapping.

I still would change the ip address on the outside interface to DHCP. Most modems only have a management IP it does not good to route traffic to their management ip.

I took your advice and started small. I started with ping commands and tracerts to 8.8.8.8 75.75.75.75 and facebook...all came back perfectly, I used a port scanner to check what ports were open (specifically 9443, 1723, 443, 80), I first connected via cable to switch so id go through 2811 router, Comcast modem, outside world and the ports were "timing out". I then connected directly to the Comcast modem bypassing the 2811 router, same story, the ports were "timing out". I double and triple checked the port forwarding and making sure they were pointing the right way and they were, I turned off firewall on my PC and disabled panda AV. still no luck....I made the 10.1.10.2 interface (fa0/0) DHCP on both sides (modem and 2811 router) and still same story.

I am beginning to think this isn't a problem with the 2811 router but more on the ISP side. I looked up a list of Comcast business closed port list and the ports I am trying to access are not in those lists. I am going to call them today to see if they can open it up on their side, if it isn't already. Ill post back with an update with my finding

UPDATE: so I called Comcast and they assured me the ports were in fact open, so they say anyways. I went back to the 2811 router and did a show ip nat translations command and this is what I got...
Router#show ip nat translations tcp
Pro Inside global Inside local Outside local Outside global
tcp 10.1.10.2:9443 192.166.1.6:9443 --- ---
tcp 10.1.10.2:50887 192.168.1.4:50887 52.7.147.51:443 52.7.147.51:443
I then got curious and did a show ip nat statistics command and counted the number of hits I had which was 464107 and did a ping test from the router to the modem and re-ran the show command and got 465644 with 0 misses. so nat is working, ive checked everything I can think of. what have I missed?

 

[bill001g]

There has to be another device doing nat someplace for this to work. Your router is translating the ip to 10.1.10.2. So something else is translating that ip to the actual internet routable IP. You need the actual routable ip address assigned to your router. You either must hard code that ip on the fa0/0 interface or somehow learn it via dhcp.

It will never work if there is another router in the path doing NAT.

Now if we ignore that there are a lot of debug commands you can use. The NAT ones are normally the better ones but when you have a very low traffic connection you can use the brute force debug ip packet or even debug all. "U all" will save you if it gets out of hand.

Since you also have a managed switch you could plug the modem to the router via a separate vlan with just those 2 ports. You could then put in a port mirror/monitor so you could actually capture all the traffic going and coming from your router.

Still I think your main problem is there is another router in the path.

 

[morinookuni123]

There has to be another device doing nat someplace for this to work. Your router is translating the ip to 10.1.10.2. So something else is translating that ip to the actual internet routable IP. You need the actual routable ip address assigned to your router. You either must hard code that ip on the fa0/0 interface or somehow learn it via dhcp.

It will never work if there is another router in the path doing NAT.

Now if we ignore that there are a lot of debug commands you can use. The NAT ones are normally the better ones but when you have a very low traffic connection you can use the brute force debug ip packet or even debug all. "U all" will save you if it gets out of hand.

Since you also have a managed switch you could plug the modem to the router via a separate vlan with just those 2 ports. You could then put in a port mirror/monitor so you could actually capture all the traffic going and coming from your router.

Still I think your main problem is there is another router in the path.

When you were talking about another device doing NAT that go me thinking about the Comcast modem. It is a modem/router in one, it provides WIFI but I have it disabled because we supply our own APs. With that said, you got me thinking double NAT problem. I am going to try and set the modem into bridge mode and see what happens with it. hopefully setting it into bridge mode will disable the gateway and give single NAT. fingers crossed anyways.

I have some Vlans sets up (vlans 1,2,3) but they are not being used, except obviously for the native vlan 1, I have tried debug commands in the routers CML before, and boy oh boy was that a nasty mistake. mainly junior it admin mistakes, I had configured the router but didn't do a write memory command and I had done a debug command, (was just playing around with the router) and that just messed everything up, had to turn it off and back on to fix the problem but also had to reconfigure everything. small price to pay for a lifetime of "remember write mem, write mem"

Once I place the modem/router into bridge mode later this afternoon I will send back an update. I do appreciate all your help!

UPDATE: it has been a few days, but I placed the modem into bridge mode and so now the only router that is on the network is the 2811 cisco router. I have applied the port forwarding yet I am still not having any luck. What else can I try to do? The command I used to open 9443 port was. ip nat source static tcp 192.168.1.12 9443 50.XX.XX.151 9443

The 50.XX.XX.151 is the public IP address given by ISP

 

[bill001g]

So did you also manually assign the ip to the outside interface also.

If you issue
ping 8.8.8.8 source 192.168.1.1
does it work and do you get nat entries

Your statement is still wrong though it must be

ip nat INSIDE source static

The other format of the command is used for a different form of nat configuration