can't seem to forward ports

Unanswered Question
Aug 3rd, 2007

Hello,


I'm having a problem getting the port forwarding to work. When testing my home router (851w) at work, using VNC, Telnet, SSH, nothing gets through. Cannot connect, so it's not an authentication issue, as I don't reach the username/password stage.


Please take a look at my config and see what the mistakes might be. Also, what is the command to mask the passwords in my configuration? The <password> I've typed in were originally just plain text.


I tried to set most of the stuff up with the CLI, and some were helped by SDM.



royalblues Fri, 08/03/2007 - 20:43

Friend,


You have configured an IP address on the VLAN interface (SVI). To telnet or SSH, your SVI should be up.


To bring up this SVI you require at least one port in vlan 1.


Check by configuring an IP address on the Ethernet interface and do a telnet. Though you will be able to do SSH too, you should look at configuring this way

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122cgcr/fsecur_c/fothersf/scfssh.htm


HTH

Narayan

winstoncheng Sun, 08/05/2007 - 16:08

Hi Narayan,


I don't quite understand how to execute this. If I am to create an SVI interface on the router, I'm not seeing that as a choice under the commands.


Also, is there a way to go about this w/o an IP for VLAN1? I only put that address there because it was the only way to assign an IP to the router itself I could see.

paolo bevilacqua Sun, 08/05/2007 - 16:31

Hi,


for one, you will need to move all the vlan1 config to bvi1 and configure no ip address and bridge-group 1 under vlan1. Else, you will never be able to use your wireless.


Then yes of course you need an IP for BVI1. It's your PC's default gateway address.

The port forward seems correct and you should be able to connect from outside, but please remap 23 to something else if you still want to be able to telnet into the router. Finally, you don't need this:


ip nat pool nat1 192.168.1.1 192.168.1.254 netmask 255.255.255.0


Hope this helps, please rate post if it does!



winstoncheng Mon, 08/06/2007 - 06:38

Hmm, well, the wireless is working, but I'm still unable to VNC, telnet, or SSH into my home router from work.


If I PuTTY through telnet the black screen comes up with a "(inactive)" in the title bar.


If I SSH, I get PuTTY Fatal Error, "Network error: Connection refused".


For VNC, which is the 192.168.1.130 forward, "Failed to connect to server".

paolo bevilacqua Mon, 08/06/2007 - 07:18

Strange, can you at least telnet into the router? (requires removing the port 23 forward).


Also pls send again the router config now.


winstoncheng Mon, 08/06/2007 - 07:41

I have to wait until I get home to send the router config again, unless I find time during lunch break.


Instead of using 23, I used 2300. I'm able to telnet from inside the network, but not from outside.


I will also need to double-check and make sure dyndns.org is working so I know I'm not using the wrong IP address.

winstoncheng Mon, 08/06/2007 - 11:12

Apparently I don't know how to designate a different port to telnet yet, so I reverted the port forward lines back to port 23.


And sorry, I forgot to verify if the ddns is working properly or not.


The odd thing is, the 1811w at work I can telnet/SSH to with no problems, and that one doesn't even have the static tcp lines.



paolo bevilacqua Mon, 08/06/2007 - 11:47

Hi,


remove these:


ip nat inside source static tcp 192.168.1.1 23 interface Dialer0 23

ip nat inside source static tcp 192.168.1.1 22 interface Dialer0 22


and you should be able to telnet/ssh into router. Regarding the forwards, these should work as configured, not sure why they don't.

winstoncheng Mon, 08/06/2007 - 15:44

Yep, telnet and SSH appear to be working, however, I'm still unable to get VNC going. :(


paolo bevilacqua Mon, 08/06/2007 - 17:36

That is, you can telnet and ssh to the router, but no forward to hosts behind the router works? Can you try something other than VNC for a test? E.g. web server to a host behind the router, like port 8000 "outside" mapped to 80 "inside".

winstoncheng Tue, 08/07/2007 - 21:57

Sorry, currently working on upgrading the computer, and the only quick thing I could think of was to run an FTP server. However, the FileZilla Server kept saying it couldn't connect to the local server.


I'll see what else I can try.

winstoncheng Wed, 08/08/2007 - 08:44

OK, when trying this with the LAN at work, I'm able to get FTP to work, but not VNC. Cisco routers just don't like to pass through VNC data?

winstoncheng Wed, 08/08/2007 - 09:32

Not sure if I'm mistaken or not about previous result, but FTP is not currently working. :(

winstoncheng Thu, 08/09/2007 - 06:59

Using the online ShieldUp service, all the ports I opened are indeed open, so the problem appears to be that they aren't being directed to the internal PCs properly.



winstoncheng Thu, 08/09/2007 - 21:57

Still stuck on this. Would this provide any leads?

tcp 70.244.42.231:3724 192.168.1.130:3724 --- ---

tcp 70.244.42.231:5900 192.168.1.130:5900 --- ---

tcp 70.244.42.231:6112 192.168.1.130:6112 --- ---

tcp 70.244.42.231:14147 192.168.1.130:14147 --- ---

tcp 70.244.42.231:49306 192.168.1.130:49306 216.155.193.179:5050 216.155.193.179:5050

tcp 70.244.42.231:49307 192.168.1.130:49307 65.54.239.210:1863 65.54.239.210:1863

tcp 70.244.42.231:49308 192.168.1.130:49308 207.46.109.93:1863 207.46.109.93:1863

tcp 70.244.42.231:49309 192.168.1.130:49309 65.54.183.203:443 65.54.183.203:443

tcp 70.244.42.231:49310 192.168.1.130:49310 64.12.200.89:5191 64.12.200.89:5191

tcp 70.244.42.231:49311 192.168.1.130:49311 205.188.9.89:5191 205.188.9.89:5191

tcp 70.244.42.231:49312 192.168.1.130:49312 64.12.165.82:5191 64.12.165.82:5191

tcp 70.244.42.231:49313 192.168.1.130:49313 204.69.199.39:80 204.69.199.39:80

tcp 70.244.42.231:49314 192.168.1.130:49314 204.69.199.39:80 204.69.199.39:80

tcp 70.244.42.231:49315 192.168.1.130:49315 72.32.149.214:80 72.32.149.214:80

tcp 70.244.42.231:49317 192.168.1.130:49317 72.32.149.214:80 72.32.149.214:80
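
An added example, not part of the original thread: a small Python parser for the translation table quoted in the post above, showing how to tell configured static forwards (both outside columns `---`) from live sessions, and whether any session actually went through a forward. It assumes the column order protocol, inside global, inside local, outside local, outside global; the function names are hypothetical.

```python
from collections import namedtuple

# Subset of the translation lines quoted in the post above.
SAMPLE = """\
tcp 70.244.42.231:3724 192.168.1.130:3724 --- ---
tcp 70.244.42.231:5900 192.168.1.130:5900 --- ---
tcp 70.244.42.231:6112 192.168.1.130:6112 --- ---
tcp 70.244.42.231:14147 192.168.1.130:14147 --- ---
tcp 70.244.42.231:49306 192.168.1.130:49306 216.155.193.179:5050 216.155.193.179:5050
tcp 70.244.42.231:49313 192.168.1.130:49313 204.69.199.39:80 204.69.199.39:80
"""

Entry = namedtuple(
    "Entry", "proto inside_global inside_local outside_local outside_global"
)


def parse(text):
    """Return one Entry per translation line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] in ("tcp", "udp"):
            entries.append(Entry(*fields))
    return entries


def forward_usage(entries):
    """Map each static forward (inside global addr:port) to the outside peers using it."""
    # A static port forward has no outside peer: both outside columns are '---'.
    usage = {e.inside_global: [] for e in entries if e.outside_global == "---"}
    for e in entries:
        # A live session through a forward reuses its inside-global address and port.
        if e.outside_global != "---" and e.inside_global in usage:
            usage[e.inside_global].append(e.outside_global)
    return usage


def unused_forwards(text):
    """Static forwards for which the table shows no established session."""
    return sorted(k for k, peers in forward_usage(parse(text)).items() if not peers)


if __name__ == "__main__":
    for fwd in unused_forwards(SAMPLE):
        print("no session through static forward", fwd)
```

Run over the quoted lines, it reports all four static forwards as unused: every entry with an outside peer uses a high inside port (49306 and up), so no connection through a forwarded port was established when the table was captured.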


paolo bevilacqua Fri, 08/10/2007 - 03:13

It seems the config is correct. I have an 851w and I can forward ports without any problem. I use 12.4(11)XJ4, perhaps you may want to try that image as well.

winstoncheng Fri, 08/10/2007 - 06:21

Hmmm, I only have guest level access, can't seem to grab any software updates.

paolo bevilacqua Sat, 08/11/2007 - 05:57

In fact you can't. You will need a support contract, aka smartnet, in order to access the downloads. This should be available from your Cisco reseller and the simpler level should be well below $100 for one year, which besides the download includes hardware warranty and access to TAC support.


Correction, the IOS that I use is 12.4(11)T2.


