Troubles with 857W NAT on port 21 -- calling all experts, I'm lost for words

billobob123
Level 1

Hi all, and your answers will be much help I am sure, as I am lost here. Okay, I'm no noob with routers, I've set up a few, but my 857W is giving me a kick in the arse on this one.

Why won't it let me do NAT on port 21???

Other than that I've got it set up pretty much the way I want, but if you see things that could be done better please let me know. I can say that the NAT is working in that it gives me plenty of traffic on that high port number... from the debug ip nat, but port 21, and I tried it on the LAN interfaces as well as the wireless interface, and nothing... nothing at all, argh. I tried it with a web server as well, port 80, same results. Nothing, no NAT. So pretty much until I crack this one all of my servers are not reachable to the world.... umm, fun.

Please find my config.

And thanks.

I found this link on the net which may help. I'm really starting to starve now, so off to the local pizza shop as the router is killing my day, no time for cooking...

http://wiki.nil.com/NAT_caveats_in_IOS_release_12.4T

Logged into 192.168.1.254 at 2010-10-15 09:30:03 +0200

#show running-config
Building configuration...

Current configuration : 5715 bytes
!
! Last configuration change at 23:20:46 PCTime Thu Oct 14 2010 by
! NVRAM config last updated at 23:21:28 PCTime Thu Oct 14 2010 by
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00 // my clock is correct?? why is this wrong
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.254
ip dhcp excluded-address 192.168.1.5 192.168.1.10
!
ip dhcp pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   lease 0 2
!
!
ip cef
ip domain name yourdomain.com
ip name-server REMOVED
ip name-server REMOVED
ip ddns update method DynDNS
HTTP
  add http://:@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://:@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
!
!
!
crypto pki trustpoint TP-self-signed-3079442374
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3079442374
revocation-check none
rsakeypair TP-self-signed-3079442374
!
!
crypto pki certificate chain TP-self-signed-3079442374
certificate self-signed 01
  REMOVED
  quit
username REMOVED privilege 15 secret 5 REMOVED
username REMOVED privilege 5 secret 5 REMOVED
!
!
!
bridge irb
!
!
interface ATM0
no ip address
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
hold-queue 224 in
!
interface ATM0.1 point-to-point
no snmp trap link-status
pvc 0/32
  oam-pvc manage
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid REMOVED
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 REMOVED
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Dialer0
ip ddns update hostname REMOVED.homeip.net
ip ddns update DynDNS host members.dyndns.org
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
!
interface BVI1
ip address 192.168.1.254 255.255.255.0
ip nat inside // if i get rid of this i can access the internet from my computers
no ip virtual-reassembly
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.5 21 interface Dialer0 21 // does not work
ip nat inside source static tcp 192.168.1.5 20 interface Dialer0 20 // does not work
ip nat inside source static udp 192.168.1.5 56674 interface Dialer0 56674 // this works
ip nat inside source static tcp 192.168.1.5 56674 interface Dialer0 56674 // as does this ...
ip dns server
!
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
This router is private if you have no business here then get out!
^C
!
line con 0
password
login
no modem enable
line aux 0
privilege level 15
password
login
line vty 0 4
access-class 23 in
password
login local
transport input ssh
!
scheduler max-task-time 5000
end

#exit

Logged out at 2010-10-15 09:30:07 +0200

Message was edited by: Bertrand Chaillou
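Added example (not from the thread or from Cisco): a Python script that checks a running-config for the NAT inconsistencies worth ruling out before blaming the path, using a constructed excerpt of the poster's config. It verifies that the interface named in each static entry carries ip nat outside, that the inside host sits on a subnet of an ip nat inside interface, and that no two entries claim the same outside protocol/port. On the poster's lines it reports nothing, which matches the thread's conclusion that the config itself was fine.

```python
import ipaddress
import re

# Constructed excerpt of the poster's running-config (sub-commands indented as "show run" prints them).
CONFIG = """\
interface Dialer0
 ip nat outside
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source static tcp 192.168.1.5 21 interface Dialer0 21
ip nat inside source static udp 192.168.1.5 56674 interface Dialer0 56674
ip nat inside source static tcp 192.168.1.5 56674 interface Dialer0 56674
"""
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")
ADDR_RE = re.compile(r"^ip address (\S+) (\d+\.\d+\.\d+\.\d+)$")  # skips "ip address negotiated"


def parse_interfaces(cfg: str) -> dict:
    """Map interface name -> its stripped sub-command lines; a block ends at '!'."""
    ifaces, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line.startswith("!"):
            cur = None
        elif cur is not None:
            cur.append(line.strip())
    return ifaces


def audit_nat(cfg: str) -> list:
    """Findings about the static NAT lines; an empty list means they are consistent."""
    ifaces = parse_interfaces(cfg)
    outside = {n for n, ls in ifaces.items() if "ip nat outside" in ls}
    inside_nets = [ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
                   for ls in ifaces.values() if "ip nat inside" in ls
                   for m in map(ADDR_RE.match, ls) if m]
    findings, used = [], {}
    for m in filter(None, map(STATIC_RE.match, cfg.splitlines())):
        line, (proto, host, _, iface, oport) = m.group(0), m.groups()
        if iface not in outside:
            findings.append(f"{line}: {iface} lacks 'ip nat outside'")
        if not any(ipaddress.ip_address(host) in n for n in inside_nets):
            findings.append(f"{line}: {host} is on no 'ip nat inside' subnet")
        if (proto, oport) in used:  # one outside port cannot map to two inside hosts
            findings.append(f"{line}: {proto}/{oport} already mapped to {used[proto, oport]}")
        used[proto, oport] = host
    return findings
```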

9 Replies

Let me see if I understand...

You want to be able to access an internal FTP server from the outside?

This is why you need to NAT on port 21?

ip nat inside source static tcp 192.168.1.5 21 interface Dialer0 21 // does not work

You should be able to telnet x.x.x.x 21 from the internet. (x.x.x.x is the IP of the Dialer0 interface).

If the above does not work, you can do the following:

ip access-list extended TEST_FTP
   permit tcp any host x.x.x.x eq 21
   permit ip any any

int Dialer0
  ip access-group TEST_FTP in

What we are doing is creating an ACL that permits TCP port 21 and then all other traffic.

The idea is to check the hitcounts with ''sh access-list TEST_FTP'' when you attempt to establish the FTP connection.

Two scenarios:

1. If you get hitcounts on the ACL, traffic is getting to the router.

2. If no hitcounts, traffic is not getting to the router.

Question.

If you connect via FTP to the server from the 192.168.1.0/24 does it work?

Federico.
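Federico's hit-count test is easier to read when the counters are diffed rather than read once, because IOS ACE counters are cumulative (38 matches on the permit ip any any line says nothing about the attempt itself). Added example, not part of the thread: a Python script that parses two constructed "show ip access-list TEST_FTP" snapshots taken before and after one FTP attempt and applies Federico's two scenarios to the FTP entry only.

```python
import re
from typing import Dict, Tuple

# Constructed snapshots in the format of "show ip access-list TEST_FTP", taken
# immediately before and after one FTP connection attempt from the outside.
# x.x.x.x stands for the Dialer0 address at the time of the test.
BEFORE = """Extended IP access list TEST_FTP
    10 permit tcp any host x.x.x.x eq ftp
    20 permit ip any any (38 matches)
"""
AFTER = """Extended IP access list TEST_FTP
    10 permit tcp any host x.x.x.x eq ftp
    20 permit ip any any (41 matches)
"""

# One access-list entry: sequence number, rule text, optional "(N match/matches)".
# IOS prints no counter at all for an entry that has never matched.
ACE_RE = re.compile(r"^\s*(\d+)\s+(.+?)(?:\s+\((\d+) match(?:es)?\))?\s*$")


def parse_acl(text: str) -> Dict[int, Tuple[str, int]]:
    """Return {sequence: (rule_text, hit_count)}; entries without a counter count as 0."""
    aces = {}
    for line in text.splitlines():
        if not line[:1].isspace():
            continue  # skip the "Extended IP access list ..." header
        m = ACE_RE.match(line)
        if m:
            aces[int(m.group(1))] = (m.group(2), int(m.group(3) or 0))
    return aces


def delta_hits(before: str, after: str) -> Dict[int, int]:
    """Per-entry hits that occurred between the two snapshots (counters are cumulative)."""
    b, a = parse_acl(before), parse_acl(after)
    return {seq: a[seq][1] - b.get(seq, ("", 0))[1] for seq in a}


def diagnose(before: str, after: str, ftp_seq: int = 10) -> str:
    """Apply the two scenarios from the thread to the FTP entry's delta only."""
    if delta_hits(before, after).get(ftp_seq, 0) > 0:
        return "FTP reached the router: look at NAT and ACLs on the router itself"
    return "no new FTP hits: traffic is not reaching the router (check upstream/ISP)"


if __name__ == "__main__":
    print(delta_hits(BEFORE, AFTER))  # {10: 0, 20: 3}
    print(diagnose(BEFORE, AFTER))
```

The same before/after reading applies to the retest Federico asks for in his next reply.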

Thanks for getting back to me, Federico.

Let me see if I understand...

You want to be able to access an internal FTP server from the outside?

This is why you need to NAT on port 21?

That's right.

ip nat inside source static tcp 192.168.1.5 21 interface Dialer0 21 // does not work

You should be able to telnet x.x.x.x 21 from the internet. (x.x.x.x is the IP of the Dialer0 interface).

No, that does not work, I get a connection refused....

If the above does not work, you can do the following:

ip access-list extended TEST_FTP

   permit tcp any host x.x.x.x eq 21

   permit ip any any

I'll try that, but my Dialer0 is on a dynamic IP....

int Dialer0

  ip access-group TEST_FTP in

What we are doing is creating an ACL that permits TCP port 21 and then all other traffic.

The idea is to check the hitcounts with ''sh access-list TEST_FTP'' when you attempt to establish the FTP connection.

Two scenarios:

1. If you get hitcounts on the ACL, traffic is getting to the router.

2. If no hitcounts, traffic is not getting to the router.

Extended IP access list TEST_FTP
    10 permit tcp any host x.x.x.x eq ftp // no hits ??
    20 permit ip any any (38 matches)

So it's counting and getting there but rejected? As access to FTP does not work.... still.

Question.

If you connect via FTP to the server from the 192.168.1.0/24 does it work?

Yes, that does work, thank god.

Federico.

Make sure that the x.x.x.x is the same IP reported on ''sh ip int brief'' for the Dialer0 interface at the moment of the test.

Extended IP access list TEST_FTP
    10 permit tcp any host x.x.x.x eq ftp // no hits ??
    20 permit ip any any (38 matches)

If you still get no hitcounts on line 10 (FTP), then the traffic is not getting to the router.

If you get hitcounts but FTP won't work we can blame the router, but if the FTP traffic is not even reaching the router???

Please re-do the test and post back.

Federico.

If this is any help, I can remote to the router on the public IP address in telnet and SSH, but that is it. NAT is not working. I've checked my firewalls for those ports 21 and 80 and they are clear. I did a port scan and the router is not listening to me on port 21 and 80......

But it is listening on port 56674?

We need to check that FTP (TCP 21) is indeed reaching the router with the ACL test I mentioned.

Please verify that, because if FTP is not reaching the router, there's no point in continuing to troubleshoot the router itself.


Federico.

I've tried the ACL test, and each time I try an FTP to the public address I get a connection closed or refused by host?

I tried it again on port 2121, maybe the ISP blocked low ports? But same thing, rejected.

Okay, after a few tries I am seeing traffic on the ACL that you provided. I changed the FTP port to 2121.

billobob123
Level 1

Okay, well I sorted this one out, thanks for helping me out. The trouble was that my ISP was blocking these ports. I tried port scans on high ports and it allowed traffic... really great of them to do so, but in Belgium a lot of the internet is that way... BLOCKED... In the end there was never anything wrong with my config.

I do have another project on the side, well a few projects, but the most pressing one is to set up a VPN gateway with this 857W, which has a dynamic address, but the DynDNS is working as it should. I have heard that it was possible to do this, that is to have a dynamic IP address gateway and to connect from a laptop or whatever with a VPN client.

Comments and howtos would be helpful.

Thanks again.
