devon7523
join:2014-07-09
Member

[Config] Cisco IOS: Can't access forwarded ports on local network

Hi all.

I have an 1811 router running IOS c181x-advipservicesk9-m 12.4(9)T5. I have a cable modem connected to Fa0 and computers connected to ports Fa2-9 (switch ports). I forwarded port 80 to my HTTP server. I can't connect to it through my WAN IP address from my local network. However, I can connect to it if I'm at a remote network.

I'm assuming this is the correct command (I have a DHCP IP address from my ISP, so I can't use a static address):
ip nat inside source static tcp 10.0.0.10 80 interface FastEthernet0 80

If I nmap scan my WAN IP (pretend it's 1.1.1.1) from a computer connected to the 1811:
nmap -p 80 1.1.1.1
80/tcp closed http

However, if I go into my VPS (hosted far away, not on my network):
nmap -p 80 1.1.1.1
80/tcp open http

To make sure it wasn't something with nmap, I also tried telnetting to port 80 (telnet 1.1.1.1 80) on a local computer and again on my VPS. I can't connect to it on a local computer, but I can connect from the VPS.

Why can't I access port 80 when I'm on my local network? Could someone shed some light on this strange issue?

Any help is appreciated.
HELLFIRE
MVM
join:2009-11-25

...a full copy of your config, minus passwords and other sensitive information, would be a place to start.

Also, if I'm reading this right, you're trying to NAT hairpin -- hit your public IP address on the 1811
from your LAN, and have the 1811 redirect back into your LAN, is that correct?

Regards
devon7523
join:2014-07-09
Member

After reading about hairpinning on Wikipedia, yes. That sounds correct.

Here's my config:
!
version 12.4
no service slave-log
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 (hidden)
!
no aaa new-model
!
resource policy
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.0 10.0.0.50
!
ip dhcp pool Pool-1
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 8.8.8.8 8.8.4.4
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
!
!
!
interface FastEthernet0
ip address dhcp
ip access-group Block_Inbound_Ports in
ip nat outside
no ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
spanning-tree portfast
!
interface FastEthernet5
spanning-tree portfast
!
interface FastEthernet6
spanning-tree portfast
!
interface FastEthernet7
spanning-tree portfast
!
interface FastEthernet8
spanning-tree portfast
!
interface FastEthernet9
spanning-tree portfast
!
interface Vlan1
ip address 10.0.0.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
!
interface Async1
no ip address
encapsulation slip
shutdown
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.3 53 interface FastEthernet0 53
ip nat inside source static udp 10.0.0.3 53 interface FastEthernet0 53
ip nat inside source static tcp 10.0.0.3 80 interface FastEthernet0 80
!
ip access-list extended Block_Inbound_Ports
deny udp any any eq bootps
deny udp any any eq 1701
permit ip any any
!
access-list 1 permit 10.0.0.0 0.0.0.255
no cdp run
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password 7 (hidden)
login
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
exec-timeout 0 0
password 7 (hidden)
login
line vty 0 4
access-class 1 in
exec-timeout 0 0
password 7 (hidden)
login
line vty 5 193
access-class 1 in
exec-timeout 0 0
password 7 (hidden)
login
!
end

Thanks
HELLFIRE to devon7523
MVM
join:2009-11-25
Just as a suggestion:
said by devon7523:

interface FastEthernet0
ip address dhcp

said by devon7523:

ip route 0.0.0.0 0.0.0.0 dhcp

remove the 2nd line -- if you're going to put DHCP on the FE0 ISP facing interface, you don't need the "ip route" line as DHCP will install a default route into the routing table.

If it is indeed NAT hairpinning you're trying to do, IIRC IOS doesn't do it very well, or not at all; the ASA will do it handily.
There's also NAT on a stick, but I'm kinda rusty on what it does and if it's applicable to what you want to do.

My 00000010bits

Regards
devon7523
join:2014-07-09
Member

Thanks for the info. I'll look into NAT on a stick, but it seems kind of complicated. I'm wondering if I can redirect [DHCP WAN IP]:80 to 10.0.0.3:80. Is there a way to redirect traffic based on IP address and port? Maybe with an ACL or NAT statement?
cramer to devon7523
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501
said by devon7523:

I can't connect to it through my WAN IP address from my local network.

That's exactly how it's supposed to work. NAT applies to packets entering and leaving interfaces. Internal packets don't. As the packet didn't arrive on the outside interface, it doesn't get translated -- and as the source address isn't being rewritten, the reply wouldn't go through the router to be un-natted. (10.x is the local network, so the server would send the traffic directly to the client instead of the router.)

(While there are complicated tricks to get it to work, you really don't want to go there.)
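The asymmetric path cramer describes, as an added, constructed model (not code from the thread or from IOS): a packet is only destination-translated when it enters the NAT-outside interface, and even a destination-only rewrite would leave the server replying straight to the client on the shared /24. Interface names and addresses come from the config above; 203.0.113.5 and the rule model itself are assumptions.

```python
from dataclasses import dataclass, replace

# Addresses from the thread (1.1.1.1 stands in for the DHCP WAN address); 203.0.113.5 is constructed.
WAN_IP, SERVER, CLIENT, REMOTE = "1.1.1.1", "10.0.0.3", "10.0.0.10", "203.0.113.5"
OUTSIDE, INSIDE = "Fa0", "Vlan1"  # the 'ip nat outside' / 'ip nat inside' interfaces in the config

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    ingress: str  # interface the packet arrived on

def static_nat(pkt):
    """Simplified model of 'ip nat inside source static tcp 10.0.0.3 80 interface Fa0 80':
    the public->private destination rewrite only applies to packets entering the outside interface."""
    if pkt.ingress == OUTSIDE and pkt.dst == WAN_IP and pkt.dport == 80:
        return replace(pkt, dst=SERVER)
    return pkt

def deliver(pkt):
    # 1.1.1.1 is Fa0's own address and nothing on the router listens on tcp/80 (no ip http server),
    # consistent with nmap from the LAN reporting 'closed' rather than 'filtered'
    if pkt.dst == WAN_IP:
        return "router itself: tcp/80 closed"
    return f"server {pkt.dst}"

def from_lan():
    return deliver(static_nat(Packet(CLIENT, WAN_IP, 80, INSIDE)))

def from_internet():
    return deliver(static_nat(Packet(REMOTE, WAN_IP, 80, OUTSIDE)))

def reply_if_only_destination_rewritten():
    """Second failure mode: with the destination rewritten but the source left as 10.0.0.10,
    the server's reply goes straight to the client on the shared /24 and never passes the router,
    so the client sees a reply from 10.0.0.3 for a connection it opened to 1.1.1.1."""
    fwd = replace(Packet(CLIENT, WAN_IP, 80, INSIDE), dst=SERVER)
    reply_src, reply_dst = fwd.dst, fwd.src
    same_subnet = reply_src.rsplit(".", 1)[0] == reply_dst.rsplit(".", 1)[0]  # both 10.0.0.x
    return {"reply_from": reply_src, "client_expects": WAN_IP, "passes_router": not same_subnet}
```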
devon7523
join:2014-07-09
Member

Hi Cramer. Thanks for the info. I might have another solution, but it isn't working like I thought. My WAN IP address has a domain name (pretend it's example.com):

ip dhcp pool Pool-1
network 10.0.0.0 255.255.255.0
default-router 10.0.0.1
dns-server 10.0.0.1

ip dns server
ip host example.com 10.0.0.3
ip host www.example.com 10.0.0.3
ip name-server 8.8.8.8
ip name-server 8.8.4.4

So, what I'm trying to do is make the router into a DNS server. If I dig or nslookup example.com and www.example.com, I want to see an A record for 10.0.0.3, but I'd also like it to forward other requests (e.g. google.com, facebook.com) to 8.8.8.8 and 8.8.4.4 since their DNS records aren't defined on the router. It seems simple and I've done it before, but it seems to be looking up AAAA (IPv6) records only.

On the router, I ping google.com:

Translating "google.com"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:F8B0:4006:807::1005, timeout is 2 seconds:
% No valid source address for destination

Google has an AAAA record.

But when I try a website which has only A records:

Translating "craigslist.org"...domain server (8.8.8.8)
Translating "craigslist.org"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.82.238.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/90/92 ms

It works fine. (Could it have something to do with it translating to domain server twice?)

I'm able to connect to the router from other computers on my network, but it has the same problem. I can look up A-record-only websites, so AAAA-and-A websites like google.com don't work. Strangely, I worked with another 1811 router in the past, and with the config commands above, it worked fine. Are there any IPv6 DNS settings in the router or something to set A record preference?

Thanks
HELLFIRE to devon7523
MVM
join:2009-11-25
said by devon7523:

So, what I'm trying to do is make the router into a DNS server.

said by devon7523:

Are there any IPv6 DNS settings in the router or something to set A record preference?

IOS router != DNS server / resolver. Just don't.

...I can't make it any shorter than this.

Regards
markysharkey
Premium Member
join:2012-12-20
united kingd

Seconded...
devon7523
join:2014-07-09
Member

I appreciate your posts and I understand that IOS isn't meant to be a DNS server, but I don't have much option. We have to access the server 10.0.0.3:80 via a domain name from the local network. I'd like to resolve my issue, and setting up a DNS server on the router seems like the only practical option. I used to have another 1811 which worked perfectly for resolving Internet domains like google.com and local machines on the .local TLD. I was hoping to figure out why I'm having this strange IPv6/AAAA record issue on this 1811.
cramer to devon7523
Premium Member
join:2007-04-10
Raleigh, NC
ping ip google.com

Yes, the router will attempt IPv6 by default, and you have no IPv6 setup. It will resolve your client requests with whatever they ask for - v4 or v6.

Bogo to devon7523
Anon
@24.25.132.x
Hello.. Similitude. Bear , etc.

Why does my device contain double everything?
Virtual sd, sd 0 / 1 ,
Phone dates are dated:
Dec 31 , 1969

And for some reason my cidr
Resolves to Boulder Colorado?

Cisco based user files.
?
devon7523 to cramer
Member
join:2014-07-09
It makes sense that the router would attempt IPv6 by default, but here's the strange thing:

Router-1>ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:F8B0:4006:806::1001, timeout is 2 seconds:

% No valid source address for destination

I located another 1811 router, used the same DNS config, and pinged google.com:

Router-2#ping google.com

Translating "google.com"...domain server (8.8.8.8) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.226.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms

Notice that Router-1 attempts an AAAA record lookup, but Router-2 goes with the A record. Both are 1811s running C181X-ADVENTERPRISEK9-M. However, Router-1 has 12.4(9)T5 while Router-2 has 12.4(24)T4. Could this behavior relate to the IOS version?
devon7523 to Bogo
Member
said by Bogo:

Why does my device contain double everything?

said by Bogo:

Cisco based user files.

I'm not sure what you're talking about. I think you should start a new thread.
HELLFIRE to devon7523
MVM
join:2009-11-25
said by devon7523:

We have to access the server 10.0.0.3:80 via a domain name from the local network.

a) get a DNS server / daemon going -or-

b) use DDNS for your DNS services -or-

c) get a hostfile going.

If you've no internal DNS server, have your NAT inside hosts resolve to the internal 10.x.x.x address,
while NAT outside resolves to the public address.

As to the resolution behavior of your other 1811, is it possible that one had "no ip domain lookup" enabled?
By default IOS takes unrecognized commands entered into CLI and interprets them as domain / host names.

My 00000010bits

Regards
devon7523
join:2014-07-09
Member

said by HELLFIRE:

If you've no internal DNS server, have your NAT inside hosts resolve to the internal 10.x.x.x address,
while NAT outside resolves to the public address.

That's what I'm trying to do with the DNS server in IOS. I just have to figure out why it's only looking up AAAA records when a client requests a domain. I have a feeling it has to do with IOS version. I'm going to copy the IOS to the other 1811 to see if it works. 12.4(9)T5 is newer than 12.4(24)T4, right?
cramer
Premium Member
join:2007-04-10
Raleigh, NC

That's NOT what it's doing. Whatever the client asks for, it looks up. If a client asks for an A record and gets back a AAAA answer, the IOS resolver is broken. All you've shown is the router itself defaulting to ipv6.
HELLFIRE to devon7523
MVM
join:2009-11-25
said by devon7523:

12.4(9)T5 is newer than 12.4(24)T4, right?

No, 12.4(24)T4 is newer than 12.4(9)T5

Regards
cramer
Premium Member
join:2007-04-10
Raleigh, NC

By build date, maybe. By version, no. (look at the release notes to know what was added/fixed/broken between 9 and 24)
HELLFIRE
MVM
join:2009-11-25

...ahh, thanks for reminding me about the release notes, cramer.

Regards
devon7523 to cramer
Member
join:2014-07-09
When I go to a computer which has the router set as the DNS server and I open Firefox, craigslist.org works fine (craigslist.org has NO AAAA records) but google.com shows "Server not found" (google.com has AAAA records). It's the same behavior for other websites. IPv4-only works, and IPv4-and-IPv6 doesn't work. It's strange because with my other 1811, I'm able to go to any website.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

Granted, I'm using 15.1(4)M7 on my 1811 -- with ipv6 connectivity. What a host asks for, it gets an answer for.

If your hosts are asking for v6 addresses, and think they have v6 connectivity, they may not be failing back to v4.

[root:pts/5{4}]debian1:~/[12:32 AM]:host -v -d -t any www.google.com 192.168.55.8
Trying "www.google.com"
Using domain server:
Name: 192.168.55.8
Address: 192.168.55.8#53
Aliases: 
 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29299
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;www.google.com.                        IN      ANY
 
;; ANSWER SECTION:
www.google.com.         299     IN      A       173.194.37.82
www.google.com.         299     IN      A       173.194.37.83
www.google.com.         299     IN      A       173.194.37.81
www.google.com.         299     IN      A       173.194.37.80
www.google.com.         299     IN      A       173.194.37.84
www.google.com.         299     IN      AAAA    2607:f8b0:4002:802::1014
 
Received 140 bytes from 192.168.55.8#53 in 52 ms
[root:pts/5{4}]debian1:~/[03:29 PM]:host -v -d -t a www.google.com 192.168.55.8
Trying "www.google.com"
Using domain server:
Name: 192.168.55.8
Address: 192.168.55.8#53
Aliases: 
 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19006
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;www.google.com.                        IN      A
 
;; ANSWER SECTION:
www.google.com.         289     IN      A       173.194.37.82
www.google.com.         289     IN      A       173.194.37.83
www.google.com.         289     IN      A       173.194.37.81
www.google.com.         289     IN      A       173.194.37.80
www.google.com.         289     IN      A       173.194.37.84
 
Received 112 bytes from 192.168.55.8#53 in 2 ms
[root:pts/5{4}]debian1:~/[03:29 PM]:host -v -d -t aaaa www.google.com 192.168.55.8
Trying "www.google.com"
Using domain server:
Name: 192.168.55.8
Address: 192.168.55.8#53
Aliases: 
 
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
 
;; QUESTION SECTION:
;www.google.com.                        IN      AAAA
 
;; ANSWER SECTION:
www.google.com.         299     IN      AAAA    2607:f8b0:4002:802::1013
 
Received 60 bytes from 192.168.55.8#53 in 34 ms
 
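The three host queries cramer runs above, as an added example not from the thread: a dependency-free Python probe that sends a single A or AAAA query to a resolver (the router at 10.0.0.1, say) and reports what the answer section actually contains, which is the check that separates "the router returns AAAA to an A query" from "the host asked for AAAA". The `ask` helper, the server address and the constructed reply used for the offline self-test are assumptions.

```python
import socket, struct

TYPES = {1: ("A", socket.AF_INET), 28: ("AAAA", socket.AF_INET6)}  # RR type code -> (label, family)

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def build_query(name, qtype, txid=0x1234):
    # header: id, flags (RD set), QDCOUNT=1, AN/NS/AR=0; then one question of class IN
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack(">HH", qtype, 1)

def skip_name(msg, off):
    # advance past a label sequence; a compression pointer (0xC0xx) ends the name in 2 bytes
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1 + ln
        if ln == 0:
            return off

def parse_answers(msg):
    """Return {'A': [...], 'AAAA': [...]} from the answer section of a DNS reply."""
    _, _, qd, an, _, _ = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd): off = skip_name(msg, off) + 4  # skip QTYPE + QCLASS
    found = {"A": [], "AAAA": []}
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        off += 10 + rdlen
        if rtype in TYPES:  # other types (CNAME, ...) are skipped, not counted
            label, family = TYPES[rtype]
            found[label].append(socket.inet_ntop(family, rdata))
    return found

def ask(server, name, qtype, timeout=3.0):
    # one UDP query to `server` (e.g. the router at 10.0.0.1); parse whatever comes back
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout); s.sendto(build_query(name, qtype), (server, 53))
        return parse_answers(s.recvfrom(512)[0])

def constructed_response(name, qtype, rrs):
    """Constructed reply for the offline self-test; answers use the 0xC00C pointer a real resolver emits."""
    body = encode_name(name) + struct.pack(">HH", qtype, 1)
    for rtype, addr in rrs:
        rdata = socket.inet_pton(TYPES[rtype][1], addr)
        body += b"\xc0\x0c" + struct.pack(">HHIH", rtype, 1, 299, len(rdata)) + rdata
    return struct.pack(">HHHHHH", 0x1234, 0x8180, 1, len(rrs), 0, 0) + body
```

Run `ask("10.0.0.1", "www.google.com", 1)` and `ask("10.0.0.1", "www.google.com", 28)` from a LAN host; a healthy resolver returns only A addresses for the first and only AAAA for the second.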
devon7523
join:2014-07-09
Member

Thank you all for your help. I replaced IOS 12.4(9)T5 with 12.4(24)T4 and it's working the way I want it to now.