Reverse telnet (2511) through NAT (871w) not working, help please ...

Answered Question

Hello,

I have been banging my head on the wall trying to get an access into my home lab (studying for CCNA/CCNP) through the Internet.  I would like to be able to access my lab equipment from remote location, work/hotel room/friends house, wherever.  I am running into some problems though, I have attached the picture of the setup to make it easier to explain.

I have a 2511 Access Router on the LAN which provides the access to the lab equipment via the ASYNC/console lines. While on the LAN I am able to telnet to its ports 2001-2016 (ex telnet 192.168.77.11:2001 ) and access all of the equipment in the lab without any problems. I wanted to extend that capability to be able to do so from outside of my house, through the WAN/Internet.  So I set up a NAT on my Internet Router, a Cisco 871w.  Whenever I telnet to the 871w from the outside my telnet session just sits there and eventually times out, not working or connecting.

I did some debugs on the 871w and the 2511 as I was trying to telnet into the WAN (871w) to be passed to the Access Server (2511), also have configs from both devices.  If anybody has any suggestions it would be very helpful, thank you very much.  I am trying to enable this access so I can help some of my friends as well and let them use this equipment and practice for their CCNA/CCNP certifications.

871w IP is - 87.16.52.45  , 2511 IP is - 192.168.77.11 , outside port on the 871w is 20001, on the 2511 port is 2001

home.jpg

871w NAT config

ip nat inside source static tcp 192.168.77.11 2001 interface FastEthernet4 20001

sh ip nat translations | inc 20001 on the 871w as I attempted to telnet in

871W# sh ip nat tran | inc 20001
Pro Inside global         Inside local          Outside local         Outside global
tcp 87.16.52.45:20001     192.168.77.11:2001    165.205.23.197:42162  165.205.23.197:42162

Config on the 2511

!
interface Ethernet0
 ip address 192.168.77.11 255.255.255.0
!
no ip http server
ip classless
!
line con 0
line 1 16
 no exec
 transport input all
 transport output all
line aux 0
line vty 0 4
 password cisco
 login
 transport input all
 transport output all
!

Debug on the 2511 as the telnet was happening

2511_Access_Server# debug ip tcp packet 1

TCP Packet debugging is on for line number 1

2511_Access_Server#

*Mar  1 04:38:08.526: TCP0: bad seg from 165.205.23.197 -- IDB not up: port 2001 seq 543231002 ack 0 rcvnxt 0 rcvwnd 4128 len 0

*Mar  1 04:38:11.506: TCP0: bad seg from 165.205.23.197 -- IDB not up: port 2001 seq 543231002 ack 0 rcvnxt 0 rcvwnd 4128 len 0

*Mar  1 04:38:17.526: TCP0: bad seg from 165.205.23.197 -- IDB not up: port 2001 seq 543231002 ack 0 rcvnxt 0 rcvwnd 4128 len 0

*Mar  1 04:38:29.510: TCP0: bad seg from 165.205.23.197 -- IDB not up: port 2001 seq 543231002 ack 0 rcvnxt 0 rcvwnd 4128 len 0

*Mar  1 04:38:55.658: TCP0: bad seg from 165.205.23.197 -- IDB not up: port 2001 seq 543231002 ack 0 rcvnxt 0 rcvwnd 4128 len 0

Any help or pointers would be very much so appreciated, thanks in advance for any help.

Haris

Correct Answer
tprendergast Wed, 08/04/2010 - 15:41

The problem may be:

"ip nat inside source static tcp 192.168.77.11 2001 interface FastEthernet4 20001"

Is your internet WAN interface on the 871w FA4?

The other option would also be make sure the 2511 knows how to reach the default gateway. If it sees a sourced IP of an internet host and has no default gateway, it has no idea how to return the packets.

Hope that helps,

-Tim
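
The return-path problem described in this answer can be reproduced from the translation row quoted in the question. This is an added example, not part of the original thread: the function names are hypothetical, the routing table is a simplified model of the posted 2511 config, and 192.168.77.1 as the 871w inside address is an assumption.

```python
import ipaddress

# Translation row quoted in the question (output of `sh ip nat tran`).
NAT_ENTRY = ("tcp  87.16.52.45:20001     192.168.77.11:2001    "
             "165.205.23.197:42162  165.205.23.197:42162")

def parse_nat_entry(line):
    """Split one `show ip nat translations` row into (ip, port) pairs."""
    proto, *cols = line.split()
    names = ("inside_global", "inside_local", "outside_local", "outside_global")
    entry = {"proto": proto}
    for name, col in zip(names, cols):
        ip, port = col.rsplit(":", 1)
        entry[name] = (ipaddress.ip_address(ip), int(port))
    return entry

def source_seen_by_server(entry):
    """The inside host sees the outside local address as the packet source.
    A static inside-source rule rewrites only the destination, so this is
    still the Internet client, not the NAT router's LAN address."""
    return entry["outside_local"][0]

def next_hop(routes, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reply_path(entry, routes):
    """Where the server would send its reply, or None if it has no route."""
    return next_hop(routes, source_seen_by_server(entry))

# 2511 as posted: only the connected Ethernet0 subnet is known.
CONNECTED = [(ipaddress.ip_network("192.168.77.0/24"), "connected")]
# After the fix: default route via 192.168.77.1 (assumed 871w inside address).
WITH_DEFAULT = CONNECTED + [(ipaddress.ip_network("0.0.0.0/0"), "192.168.77.1")]

if __name__ == "__main__":
    e = parse_nat_entry(NAT_ENTRY)
    print("2511 sees source:", source_seen_by_server(e))
    print("reply path as posted:", reply_path(e, CONNECTED))
    print("reply path with default route:", reply_path(e, WITH_DEFAULT))
```

A LAN client such as 192.168.77.50 (a constructed address) matches the connected route, which is why telnet from inside the LAN worked without a gateway.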

Tim, Thank You Very Much !!  You are right on, the 2511 did not see how to get back, I always just assumed that the 2511 would see the session as coming from 192.168.77.1 so it never dawned on me.  I really appreciate it.

Sometimes I just need to step back and explore the simplest solutions.  I have been exploring all kinds of solutions and trying different configs, different NAT configurations, different ports, IPs, loopback addresses, different ways on the 2511 to do things, like I said all kinds of things, haha.  I feel really embarrassed that it was that simple and I missed it.

Thanks

Haris

tprendergast Wed, 08/04/2010 - 16:41

No problem! That's what we're all here for. If we all had a team of engineers to help us resolve issues, it would be much easier. Some of us are armies of 1.

I agree !!! Thanks again.  This is nice, will start using the forum a lot more, I usually comb through a lot of Google pages which gets me most answers but sometimes it doesn't, posing a question to real people, real time sometimes probably works out better, like now.  This is great now I can have access to my lab from hotel and work so I can study and practice, and of course break stuff as well, haha.
