
New Member

[NAT]Ports Filtered on C2503

Hello,

We have a C2503 on which I have set NAT rules as follows:

...

ip nat inside source static tcp 192.168.1.51 21 x.x.x.x 21 extendable

ip nat inside source static tcp 192.168.1.51 22 x.x.x.x 22 extendable

ip nat inside source static tcp 192.168.1.51 25 x.x.x.x 25 extendable

...

==> FTP, SSH and SMTP are forwarded to a local server in order to reach it from the Internet.

But sometimes we cannot initialize an FTP or an SSH connection to it.

I used the "nmap" tool from a Linux host in order to test the router ports, and it appears that the FTP and/or SSH ports are filtered.

Only a reboot of the router helps, but it doesn't work every time, and it is not bearable to do this each time the ports are filtered...

Any help would be appreciated

Thanks

R. B-G

6 REPLIES
New Member

Re: [NAT]Ports Filtered on C2503

Do you have a NAT pool set up? Is x.x.x.x in your pool?

If so, another host may be using it. When the problem occurs, try doing:

show ip nat translations

It will show you if the mapping you think you should be getting is what you are actually getting.

New Member

Re: [NAT]Ports Filtered on C2503

Hi Renaud,

Is it possible for you to post the complete show run of your router?

In the meantime I have a working configuration here in our laboratory but this one only allows SSH traffic.

Topology:

PIX515E_Firewall---(fa0/1)2621_Router(fa0/0)---Switch---PC

PIX=> Ethernet0 ip address= 192.168.0.2

2621=> Fa0/1 ip address= 192.168.0.1

=> Fa0/0 ip address= 10.199.249.254

PC=> ip address= 10.199.249.113

####

"show run" of 2621 Router

interface FastEthernet0/0

ip address 10.199.249.254 255.255.255.0

ip nat outside

speed auto

full-duplex

!

interface FastEthernet0/1

ip address 192.168.0.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat inside source static tcp 192.168.0.2 22 10.199.249.254 22 extendable

ip classless

ip route 0.0.0.0 0.0.0.0 10.199.249.1

no ip http server

!

access-list 101 deny tcp host 192.168.0.2 eq 22 any

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

####

####

"show ip nat translation" of 2621 Router

Pro Inside global Inside local Outside local Outside global

tcp 10.199.249.254:22 192.168.0.2:22 --- ---

####

Here is how I tested it.

1) The PIX firewall will act as the server (the one that you have on your network) and I configured the PIX to allow SSH sessions.

2) The 2621 router is configured almost the same as your SOHO91 device; the only difference is I didn't use DHCP and I assigned an IP address to the outside interface of the 2621 router rather than using ip address negotiated.

3) Here is the output when I tried connecting to the PIX firewall from my PC using PuTTY (SSH client software) with an IP address of 10.199.249.113.

login as: ansley

Sent username "ansley"

ansley@10.199.249.254's password:

Type help or '?' for a list of available commands.

pixfirewall>

pixfirewall> en

Password: *****

Invalid password

Password:

pixfirewall# login as: ansley

4) As you can see, I was able to connect successfully to the PIX firewall, whose outside interface has an IP address of 192.168.0.2 and is statically translated to 10.199.249.254.

Please see below the 'show ssh session' on my pix firewall.

pixfirewall# sh ssh session

Session ID Client IP Version Encryption State Username

0 10.199.249.113 1.5 3DES 6 ansley

I hope this helps.

Best Regards,

Ansley R. Verzosa

New Member

Re: [NAT]Ports Filtered on C2503

Hi there,

My config looks like Ansley's.

At the moment the SSH port is filtered, and I've checked the "IP NAT TRANSLATIONS" table. I found this:

tcp x.x.x.x:22 192.168.1.61:139 192.168.245.1:1082 192.168.245.1:1082

It appears that port 22 is in use... but by what exactly? I don't understand clearly, because the IP address 192.168.245.1 is unknown in my company.

x.x.x.x is my public address and it is in a NAT pool (only this IP is in it):

ip nat pool test x.x.x.x x.x.x.x prefix-length 30

Should I remove this NAT pool?

Thx,

Renaud

New Member

Re: [NAT]Ports Filtered on C2503

I suspect that your problem is the pool. Here's an example of a problem I had somewhat like this. Notice there are 2 addresses in the pool:

ip nat pool NATPOOL a.b.c.1 a.b.c.2 netmask 255.255.255.0

ip nat inside source list 1 pool NATPOOL overload

ip nat inside source static tcp 10.1.1.1 25 a.b.c.1 23 extendable

access-list 1 permit 10.1.1.0 0.255.255.255

Notice that a.b.c.1 is in the pool AND is also in the static translation statement.

When the router starts, if someone on the inside on a host other than 10.1.1.1 begins a connection, they will be assigned the public address a.b.c.1 - and ALL ports associated with that address. Thus when you try to connect to your host on a.b.c.1:23, it doesn't work. If you clear the translation table, then re-try, you might get connected.

The same result will happen with a single address in the pool if you omit the "overload" keyword.

Try adding the "overload" to your pool.

As for removing the pool, you need it if you want outbound traffic to be translated without static entries, for example from other hosts on this network.

Good luck.

Steve
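The two replies above describe the same failure from two sides: Renaud's translation table shows a dynamic entry holding x.x.x.x:22, and Steve explains how a pool address that is also used in static statements (or a pool without "overload") lets a dynamic translation shadow a static port forward. The script below is an added example, not part of the thread or of Cisco IOS: it parses the static "ip nat inside source static" lines from a "show run" and the rows of "show ip nat translations", and reports every static forward that a dynamic translation currently shadows, either by holding the exact public port or by claiming the whole public address. All addresses, config lines and table rows in it are constructed sample data modelled on the thread, not real router output.

```python
"""Added example (not from the thread): flag NAT translations on a Cisco IOS
router that shadow a static port forward.

Two collision kinds are detected:
  * "port-collision": a dynamic (PAT) translation holds the same inside-global
    ip:port that a static 'ip nat inside source static tcp ...' entry maps
    (Renaud's 'tcp x.x.x.x:22 192.168.1.61:139 ...' row).
  * "whole-address": a dynamic translation without a port ('---' in the Pro
    column) holds the public address itself, which happens with a pool that
    lacks 'overload'; every static forward to that address is then shadowed
    (Steve's a.b.c.1 example).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample data modelled on the thread; 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges, not real public addresses.
SAMPLE_CONFIG = """\
ip nat pool MASQ 198.51.100.182 198.51.100.182 prefix-length 30
ip nat inside source list 7 pool MASQ overload
ip nat inside source static tcp 192.168.1.51 21 198.51.100.182 21 extendable
ip nat inside source static tcp 192.168.1.51 22 198.51.100.182 22 extendable
ip nat inside source static tcp 192.168.1.51 25 198.51.100.182 25 extendable
ip nat inside source static tcp 192.168.1.51 80 198.51.100.182 8080 extendable
"""

# Constructed 'show ip nat translations' output. Rows 1-2 are the static
# entries themselves, row 3 is a PAT translation that took port 22, row 4 is a
# harmless PAT translation, row 5 models a pool without 'overload'.
SAMPLE_XLATES = """\
Pro Inside global        Inside local        Outside local        Outside global
tcp 198.51.100.182:21    192.168.1.51:21     ---                  ---
tcp 198.51.100.182:22    192.168.1.51:22     ---                  ---
tcp 198.51.100.182:22    192.168.1.61:139    192.168.245.1:1082   192.168.245.1:1082
tcp 198.51.100.182:1024  192.168.1.61:1024   203.0.113.5:80       203.0.113.5:80
--- 198.51.100.182       192.168.1.77        ---                  ---
"""


@dataclass(frozen=True)
class StaticMap:
    proto: str
    inside_local: str   # "ip:port"
    inside_global: str  # "ip:port"


@dataclass(frozen=True)
class Xlate:
    proto: str          # "tcp", "udp", "icmp", or "---" for a whole-address entry
    inside_global: str
    inside_local: str
    outside_local: str
    outside_global: str


STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)"
)


def parse_static(config: str) -> list[StaticMap]:
    """Collect the static port forwards from running-config text."""
    maps = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, il, ilp, ig, igp = m.groups()
            maps.append(StaticMap(proto, f"{il}:{ilp}", f"{ig}:{igp}"))
    return maps


def parse_xlates(output: str) -> list[Xlate]:
    """Parse the five-column rows of 'show ip nat translations'; skip the header."""
    rows = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Xlate(*parts))
    return rows


def host_of(hostport: str) -> str:
    """Strip a ':port' suffix if present."""
    return hostport.rsplit(":", 1)[0] if ":" in hostport else hostport


def find_conflicts(maps: list[StaticMap], xlates: list[Xlate]) -> list[tuple]:
    """Return (kind, static_map, xlate) for every shadowed static forward."""
    static_rows = {(m.proto, m.inside_global, m.inside_local) for m in maps}
    findings = []
    for x in xlates:
        if (x.proto, x.inside_global, x.inside_local) in static_rows:
            continue  # this row is the static entry itself
        for m in maps:
            if x.proto == "---" and host_of(x.inside_global) == host_of(m.inside_global):
                findings.append(("whole-address", m, x))
            elif x.proto == m.proto and x.inside_global == m.inside_global:
                findings.append(("port-collision", m, x))
    return findings


def report(findings: list[tuple]) -> list[str]:
    """Render findings as one line each, with the likely cause."""
    lines = []
    for kind, m, x in findings:
        if kind == "whole-address":
            lines.append(f"{m.inside_global} -> {m.inside_local} shadowed: "
                         f"{x.inside_local} holds all of {x.inside_global} "
                         f"(pool without 'overload'?)")
        else:
            lines.append(f"{m.inside_global} -> {m.inside_local} shadowed: "
                         f"dynamic translation {x.inside_local} -> {x.outside_global} "
                         f"took the port")
    return lines


if __name__ == "__main__":
    for line in report(find_conflicts(parse_static(SAMPLE_CONFIG),
                                      parse_xlates(SAMPLE_XLATES))):
        print(line)
```

Run against the sample data it reports five shadowed forwards: port 22 taken by the 192.168.1.61:139 translation, and all four forwards shadowed by the whole-address entry for 192.168.1.77. On a live router, feed it the real "show run" and "show ip nat translations" text at the moment the port looks filtered; a "whole-address" finding points at the pool/overload issue Steve describes, while a "port-collision" finding shows which inside host's outbound session took the public port.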

New Member

Re: [NAT]Ports Filtered on C2503

Well, I see the problem... but I've already set the "overload" keyword. Here's my config:

ip nat pool MASQ a.b.c.182 a.b.c.182 prefix-length 30

ip nat inside source list 7 pool MASQ overload

ip nat inside source static tcp 192.168.1.51 21 a.b.c.182 21 extendable

ip nat inside source static tcp 192.168.1.51 22 a.b.c.182 22 extendable

ip nat inside source static tcp 192.168.1.51 25 a.b.c.182 25 extendable

ip nat inside source static tcp 192.168.1.51 80 a.b.c.182 8080 extendable

access-list 7 permit 192.168.1.0 0.0.0.255

New Member

Re: [NAT]Ports Filtered on C2503

I have a question I did not think to ask earlier.

Is the IP address in your pool the same address you have on the outside interface?

If so, you might try

ip nat inside source list 7 interface Serial0/0 overload

(I'm assuming here the interface outside is Serial 0/0 - change as needed)

Posting as much of your config as you can would help.
