Static NAT failing

Unanswered Question
Apr 13th, 2010

Below are my complete configs. As you can probably see, I'm attempting to forward ports UDP 1194 and TCP 443 to my server (an old desktop converted to an OpenVPN server). But as far as I can tell the ports aren't being forwarded (i.e. OpenVPN is running on that server, all configs look good, but I'm seeing no attempted connections and no logs from attempts to connect). Can anyone see any problems with my config that would cause this?

service password-encryption
hostname myrouter
enable secret XXXXX
aaa new-model
aaa session-id common
ip cef
!
ip dhcp excluded-address
ip dhcp excluded-address 192.168.0.1 192.168.0.60
ip dhcp pool HOMENET
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 192.168.0.4 68.87.85.102
!
ip domain name rtp.private.private
ip ssh time-out 60
username onyxwolf password XXXX
!
interface FastEthernet0/0
 description Internal_Network
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no shutdown
!
interface FastEthernet0/1
 description Web_Side
 ip address dhcp
 ip access-group inboundfilters in
 ip access-group outboundfilters out
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no shutdown
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
no ip http server
no ip http secure-server
!
ip nat inside source list 102 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.5 443 interface FastEthernet0/1 443
ip nat inside source static udp 192.168.0.5 1194 interface FastEthernet0/1 1194
!
ip access-list extended inboundfilters
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit tcp any any eq 443
 permit udp any any eq 1194
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 192.0.2.0 0.0.0.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 255.0.0.0 0.255.255.255 any
 deny   ip host 0.0.0.0 any
 evaluate udptraffic
 evaluate tcptraffic
 evaluate icmptraffic
!
ip access-list extended outboundfilters
 permit udp any any eq bootps
 permit udp any any eq bootpc
 permit udp any any reflect udptraffic
 permit tcp any any reflect tcptraffic
 permit icmp any any reflect icmptraffic
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
line vty 0 4
 transport input ssh

droeun141 Tue, 04/13/2010 - 10:38

Your config looks good, but I'm not too familiar with the evaluate commands. Have you tried removing the inbound filter (temporarily) for testing?

onyxwolf_x Tue, 04/13/2010 - 10:58

I haven't. I'll try that; I really need to set up SSH so I can do it remotely. It scares me to give access to my router like that. Is there a way to set the router's SSH to check a client's keys?

The evaluate command tells it to run that traffic through the temporary access lists created by a connection that triggers the outbound access-list. For example, the outboundfilters rule "permit tcp any any reflect tcptraffic" makes a temporary list called tcptraffic when any TCP connection goes through it. The inboundfilters rule "evaluate tcptraffic" basically adds that tcptraffic list to the inboundfilters ACL. That connection is removed from the tcptraffic list as soon as a FIN goes through it. UDP and ICMP work a little differently (the reflect list entries flip ports and do some weird stuff), but since there is no FIN packet, it waits 300 seconds (the default; I changed it to 120) and then deletes that entry from the list.

I'll try removing the access-group, but really it should see that permit before anything else, right?
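The reflexive-ACL mechanism described in the reply above, modelled as an added example (Python written for this page, not code from the thread or from IOS): a permitted outbound flow installs a mirrored entry, the inbound "evaluate" consults those entries, TCP entries are torn down on FIN and UDP/ICMP entries on an idle timer. The router's public address 198.51.100.2 and the peer addresses are assumed documentation-range values, since Fa0/1 gets its address from DHCP. The model also reproduces the order of the thread's inboundfilters list, where the static permits for 443/tcp and 1194/udp sit above the private-address denies, so a packet with a spoofed RFC 1918 source still reaches the forwarded ports; an antispoof_first switch (an assumption of this example, not an IOS option) shows the stricter ordering.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed values for this example (RFC 5737 documentation ranges).
ROUTER_PUBLIC_IP = "198.51.100.2"   # what Fa0/1 is taken to have received from DHCP

# Sources denied by the thread's inboundfilters list.
BOGONS = [ip_network(n) for n in (
    "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "192.0.2.0/24",
    "127.0.0.0/8", "255.0.0.0/8", "0.0.0.0/32")]

# Services the static NAT entries forward. The inbound ACL on the outside
# interface is checked before the outside->inside NAT rewrite, so it sees the
# untranslated public destination; that is why "permit ... any any" matches.
STATIC_PERMITS = {("tcp", 443), ("udp", 1194)}


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp" (use 0 for icmp "ports")
    src: str
    sport: int
    dst: str
    dport: int
    fin: bool = False   # TCP FIN seen; simplified teardown trigger, as the post describes


class ReflexiveFilter:
    """outboundfilters (reflect) on Fa0/1 out, inboundfilters (evaluate) on Fa0/1 in."""

    def __init__(self, udp_icmp_timeout=120, antispoof_first=False):
        self.timeout = udp_icmp_timeout      # the 120-second timeout the post mentions
        self.antispoof_first = antispoof_first
        # mirrored 5-tuple -> expiry time; None means "until FIN" (TCP)
        self.sessions = {}

    def outbound(self, pkt, now):
        """Permit and reflect: install the mirrored entry the inbound side will evaluate."""
        mirrored = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.sessions[mirrored] = None if pkt.proto == "tcp" else now + self.timeout
        return True

    def _expire(self, now):
        for key, expiry in list(self.sessions.items()):
            if expiry is not None and expiry <= now:
                del self.sessions[key]

    def inbound(self, pkt, now):
        spoofed = any(ip_address(pkt.src) in net for net in BOGONS)
        if self.antispoof_first and spoofed:
            return False
        # Thread order: static permits for the forwarded ports come first...
        if (pkt.proto, pkt.dport) in STATIC_PERMITS:
            return True
        # ...then the private/bogon denies...
        if spoofed:
            return False
        # ...then 'evaluate': only replies to flows that left via outboundfilters.
        self._expire(now)
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.sessions:
            return False       # implicit deny at the end of the ACL
        if pkt.proto == "tcp":
            if pkt.fin:
                del self.sessions[key]
        else:
            self.sessions[key] = now + self.timeout   # refresh the idle timer
        return True


def walkthrough():
    """Constructed packets showing permit/deny decisions; returns them as a dict."""
    f = ReflexiveFilter()
    peer = "203.0.113.7"
    r = {}
    r["unsolicited_openvpn"] = f.inbound(Packet("udp", peer, 50000, ROUTER_PUBLIC_IP, 1194), now=0)
    r["unsolicited_ssh"] = f.inbound(Packet("tcp", peer, 50001, ROUTER_PUBLIC_IP, 22), now=0)
    f.outbound(Packet("tcp", ROUTER_PUBLIC_IP, 40000, "203.0.113.10", 80), now=1)
    r["http_reply"] = f.inbound(Packet("tcp", "203.0.113.10", 80, ROUTER_PUBLIC_IP, 40000), now=2)
    f.inbound(Packet("tcp", "203.0.113.10", 80, ROUTER_PUBLIC_IP, 40000, fin=True), now=3)
    r["after_fin"] = f.inbound(Packet("tcp", "203.0.113.10", 80, ROUTER_PUBLIC_IP, 40000), now=4)
    f.outbound(Packet("udp", ROUTER_PUBLIC_IP, 53000, "203.0.113.53", 53), now=10)
    r["dns_reply"] = f.inbound(Packet("udp", "203.0.113.53", 53, ROUTER_PUBLIC_IP, 53000), now=20)
    r["dns_after_idle"] = f.inbound(Packet("udp", "203.0.113.53", 53, ROUTER_PUBLIC_IP, 53000), now=200)
    r["spoofed_to_443"] = f.inbound(Packet("tcp", "10.0.0.1", 1, ROUTER_PUBLIC_IP, 443), now=0)
    strict = ReflexiveFilter(antispoof_first=True)
    r["spoofed_to_443_strict"] = strict.inbound(Packet("tcp", "10.0.0.1", 1, ROUTER_PUBLIC_IP, 443), now=0)
    return r


if __name__ == "__main__":
    for name, permitted in walkthrough().items():
        print(f"{name:24s} {'permit' if permitted else 'deny'}")
```

The model simplifies TCP teardown to a single FIN, following the post's description; IOS actually removes a TCP reflexive entry shortly after FINs have been seen in both directions, or immediately on RST. On the router itself, "show ip access-lists" lists the temporary entries under their reflect names together with hit counts on every line, and "show ip nat translations" shows the two static entries; if the static 443/1194 permits show no hits while a client is connecting, the packets are not reaching the outside interface and the ACL is not the place to look.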

Federico Coto F... Tue, 04/13/2010 - 12:05

It seems your problem is with the outbound filter.

Anyway, please let us know if by removing the ACL from the interface it works.

Federico.

Jennifer Halim Tue, 04/13/2010 - 15:04

What you have configured is called a reflexive access-list. It's a complicated old feature in IOS:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_ip_filter_ps6350_TSD_Products_Configuration_Guide_Chapter.html

I would suggest that you use CBAC for simplicity if you have both inbound and outbound ACL.

All you need to configure is the "ip inspect" for UDP and TCP if you would like to keep it simple for now:

ip inspect inbound-cbac tcp

ip inspect inbound-cbac udp

ip inspect outbound-cbac tcp

ip inspect outbound-cbac udp

interface FastEthernet0/1

     ip inspect inbound-cbac in

     ip inspect outbound-cbac out

Then tidy both your inbound and outbound access-lists into normal ACLs permitting traffic inbound and outbound (without the evaluate and reflect names).

More on CBAC:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_cfg_content_ac_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Hope that helps

onyxwolf_x Tue, 04/13/2010 - 15:14

From what I understand, CBAC is only available with the security IOS or the firewall add-on for my router, an 1841, which I don't have and will not be able to get, so reflexive rules will have to work for now. I am almost off work, so I can test that and let you know.

onyxwolf_x Fri, 04/16/2010 - 17:01

It turned out to be a server issue (the OpenVPN service needed a reset). The reason I assumed it was router-side is that it happened when I swapped my Linksys out for my Cisco router. Damn coincidences! Everything is working great now! The ACLs were all fine, and I confirmed that my router does not support CBAC, so I will live with reflexive. It's funny that they edit out the expletive that is a homophone of dam (like the beavers build).
