port forwarding from the Internet

ronshuster
Level 1

I am trying to grant access from the Internet to one single IP address, but I have 3 port forwarders, and for some reason I cannot open these ports from the Internet. Here's what I mean:

Here are the ACLs to open the ports:

access-list outside_incoming extended permit tcp any host 216.a.b.c eq smtp

access-list outside_incoming extended permit tcp any host 216.a.b.c eq https

access-list outside_incoming extended permit tcp any host 216.a.b.c eq www

Here are the static nats:

static (inside,outside) tcp 216.a.b.c www 10.20.4.161 www netmask 255.255.255.255

static (inside,outside) tcp 216.a.b.c https 10.20.4.161 https netmask 255.255.255.255

static (dmz,outside) tcp 216.a.b.c smtp 172.20.0.35 smtp netmask 255.255.255.255

Here's the access-group:

access-group outside_incoming in interface outside

But when I telnet to port 25, 80, 443 from the Internet on 216.a.b.c I cannot open that port.

Any idea???

4 Replies

acomiskey
Level 10

Is 216.a.b.c your outside interface address? If so then you must use the "interface" keyword in your statics.

static (inside,outside) tcp interface www 10.20.4.161 www netmask 255.255.255.255

static (inside,outside) tcp interface https 10.20.4.161 https netmask 255.255.255.255

static (dmz,outside) tcp interface smtp 172.20.0.35 smtp netmask 255.255.255.255

Yes, 216.a.b.c is my public Internet IP address.

In your static nat example, where is the public address? Note that 216.a.b.c is not the PAT'd address and not the outside interface IP address, it is a dedicated address for this port forwarding.

So I don't think putting "interface" will do the trick. I am pretty confident that the config I have is correct, but for some reason it is not working.

Here's an example online, it's the same as what I have:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

The question still remains: why can I not open the 3 ports from the Internet?

Note that I can open the ports from the private/internal address, so I know the services are running.

I asked "if 216.a.b.c was your outside interface address". Since it is not, then yes, the interface keyword is not your solution.

Try a show xlate and make sure the translations are there.

Still no luck.

I ran a capture on the firewall:

access-list testt permit tcp any host 216.a.b.c eq 25

capture rontestt access-list testt interface outside

Here is some of the output I am seeing from the capture:

show cap rontestt

22: 19:20:17.741462 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535

23: 19:20:18.483266 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535

24: 19:20:18.484121 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948308 win 65300

I am not sure if the output of the capture is saying that some outside/Internet IP address was able to open port 25 on 216.a.b.c, or that it simply attempted to open the port. What I do know is that when I try to telnet to port 25 from the Internet (or port 80 or 443), I am unable to open the port.

It is worth noting that I can ping 216.a.b.c from the Internet, so it looks like the static NAT is working to some extent, but I am unable to open the three ports.

Is there another way to determine the root cause of this issue, in addition to "capture"?

I have posted the config in the first message of this thread. Again, I followed the same example as here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml

Any idea why this is not working?
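The post above asks whether the capture lines show a completed connection to port 25 or only an attempt. A connection attempt that reaches the firewall shows up as a SYN from the client (flag "S"); a completed three-way handshake also shows the server's SYN-ACK, while lines with a bare "." flag and an ack number are mid-connection ACKs that by themselves prove neither. The following script is an added example (not from the thread or from Cisco) that parses ASA "show capture" lines in the tcpdump-style format seen above and classifies each client-to-server flow; the sample capture is constructed, reusing the anonymised 216.a.b.c address and RFC 5737 documentation addresses.

```python
import re
from collections import defaultdict

# Matches one ASA "show capture" line: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> ..."
# \S+ for the host lets an anonymised address such as 216.a.b.c parse like a real one.
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\S+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\S+)\.(?P<dport>\d+):\s+(?P<flags>[A-Z.]+)"
)

# Constructed sample: the thread's two ACK-only lines, a client whose SYNs get no
# reply (retransmits), and one flow with a full handshake on port 443.
SAMPLE_CAPTURE = """\
22: 19:20:17.741462 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535
23: 19:20:18.483266 123.204.0.86.4635 > 216.a.b.c.25: . ack 3517948072 win 65535
30: 19:21:02.100000 198.51.100.7.51000 > 216.a.b.c.25: S 1000:1000(0) win 65535
31: 19:21:05.100000 198.51.100.7.51000 > 216.a.b.c.25: S 1000:1000(0) win 65535
32: 19:21:11.100000 198.51.100.7.51000 > 216.a.b.c.25: S 1000:1000(0) win 65535
40: 19:22:00.000000 203.0.113.9.40000 > 216.a.b.c.443: S 5000:5000(0) win 8192
41: 19:22:00.000500 216.a.b.c.443 > 203.0.113.9.40000: S 9000:9000(0) ack 5001 win 8192
42: 19:22:00.001000 203.0.113.9.40000 > 216.a.b.c.443: . ack 9001 win 8192
"""

def summarize_flows(capture_text):
    """Count SYN, SYN-ACK and bare-ACK packets per (client, cport, server, sport) flow."""
    flows = defaultdict(lambda: {"syn": 0, "synack": 0, "ack_only": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, sport, dst, dport, flags = m.group("src", "sport", "dst", "dport", "flags")
        has_ack = " ack " in line
        if "S" in flags and has_ack:
            # SYN-ACK travels server -> client; file it under the client's flow key
            flows[(dst, dport, src, sport)]["synack"] += 1
        elif "S" in flags:
            flows[(src, sport, dst, dport)]["syn"] += 1
        elif flags == "." and has_ack:
            flows[(src, sport, dst, dport)]["ack_only"] += 1
    return dict(flows)

def classify(flow):
    """One-word verdict: did the server answer, did only SYNs arrive, or only stray ACKs?"""
    if flow["synack"]:
        return "handshake-completed"
    if flow["syn"] >= 2:
        return "syn-retransmitted-no-reply"
    if flow["syn"]:
        return "syn-seen-no-reply"
    return "ack-only-no-handshake"
```

Repeated SYNs from one client port with no SYN-ACK is the signature of a forward that is not working; if a capture on the outside interface shows no SYN at all for the tested port, the packets are not reaching the firewall in the first place.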