|
[Config] Cisco IOS: Can't access forwarded ports on local network
Hi all.
I have an 1811 router running IOS c181x-advipservicesk9-m 12.4(9)T5. I have a cable modem connected to Fa0 and computers connected to ports Fa2-9 (switch ports). I forwarded port 80 to my HTTP server. I can't connect to it through my WAN IP address from my local network. However, I can connect to it if I'm at a remote network.
I'm assuming this is the correct command (I have a DHCP IP address from my ISP, so I can't use a static address):
ip nat inside source static tcp 10.0.0.10 80 interface FastEthernet0 80
If I nmap scan my WAN IP (pretend it's 1.1.1.1) from a computer connected to the 1811:
nmap -p 80 1.1.1.1
80/tcp closed http
However, if I go into my VPS (hosted far away, not on my network):
nmap -p 80 1.1.1.1
80/tcp open http
To make sure it wasn't something with nmap, I also tried telnetting to port 80 (telnet 1.1.1.1 80) on a local computer and again on my VPS. I can't connect to it on a local computer, but I can connect from the VPS.
Why can't I access port 80 when I'm on my local network? Could someone shed some light on this strange issue?
Any help is appreciated. |
|
|
...a full copy of your config, minus passwords and other sensitive information, would be a place to start.
Also, if I'm reading this right, you're trying to NAT hairpin -- hit your public IP address on the 1811 from your LAN, and have the 1811 redirect back into your LAN, is that correct?
Regards |
|
|
After reading about hairpinning on Wikipedia, yes. That sounds correct.
Here's my config:
!
version 12.4
no service slave-log
no service pad
no service timestamps debug uptime
no service timestamps log uptime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 (hidden)
!
no aaa new-model
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.0 10.0.0.50
!
ip dhcp pool Pool-1
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 8.8.8.8 8.8.4.4
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
interface FastEthernet0
 ip address dhcp
 ip access-group Block_Inbound_Ports in
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Vlan1
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
 no ip virtual-reassembly
!
interface Async1
 no ip address
 encapsulation slip
 shutdown
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0 overload
ip nat inside source static tcp 10.0.0.3 53 interface FastEthernet0 53
ip nat inside source static udp 10.0.0.3 53 interface FastEthernet0 53
ip nat inside source static tcp 10.0.0.3 80 interface FastEthernet0 80
!
ip access-list extended Block_Inbound_Ports
 deny udp any any eq bootps
 deny udp any any eq 1701
 permit ip any any
!
access-list 1 permit 10.0.0.0 0.0.0.255
no cdp run
!
control-plane
!
line con 0
 exec-timeout 0 0
 password 7 (hidden)
 login
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 exec-timeout 0 0
 password 7 (hidden)
 login
line vty 0 4
 access-class 1 in
 exec-timeout 0 0
 password 7 (hidden)
 login
line vty 5 193
 access-class 1 in
 exec-timeout 0 0
 password 7 (hidden)
 login
!
end
Thanks |
|
|
to devon7523
Just as a suggestion:
said by devon7523: interface FastEthernet0 ip address dhcp
said by devon7523: ip route 0.0.0.0 0.0.0.0 dhcp
Remove the 2nd line -- if you're going to put DHCP on the FE0 ISP-facing interface, you don't need the "ip route" line as DHCP will install a default route into the routing table. If it is indeed NAT hairpinning you're trying to do, IIRC IOS doesn't do it very well, or not at all; the ASA will do it handily. There's also NAT on a stick, but I'm kinda rusty on what it does and if it's applicable to what you want to do.
My 00000010bits
Regards |
|
|
Thanks for the info. I'll look into NAT on a stick, but it seems kind of complicated. I'm wondering if I can redirect [DHCP WAN IP]:80 to 10.0.0.3:80. Is there a way to redirect traffic based on IP address and port? Maybe with an ACL or NAT statement? |
|
cramer Premium Member join:2007-04-10 Raleigh, NC Westell 6100 Cisco PIX 501
|
to devon7523
said by devon7523: I can't connect to it through my WAN IP address from my local network.
That's exactly how it's supposed to work. NAT applies to packets entering and leaving interfaces. Internal packets don't. As the packet didn't arrive on the outside interface, it doesn't get translated -- and as the source address isn't being rewritten, the reply wouldn't go through the router to be un-natted. (10.x is the local network, so the server would send the traffic directly to the client instead of the router.) (While there are complicated tricks to get it to work, you really don't want to go there.) |
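The two failure causes cramer describes, modelled as an added example (not code from the thread or from IOS): the static port-forward is only consulted for packets arriving on the `ip nat outside` interface, and a LAN client and the LAN server share a subnet, so the reply would bypass the router anyway. The addresses are the thread's placeholders (WAN 1.1.1.1, server 10.0.0.3, LAN 10.0.0.0/24); 203.0.113.7 is a constructed "remote VPS" address, and treating "source in 10.0.0.0/24" as "arrived on Vlan1" is a simplifying assumption.

```python
from ipaddress import ip_address, ip_network

WAN_IP = "1.1.1.1"                     # placeholder from the thread (Fa0, ip nat outside)
LAN = ip_network("10.0.0.0/24")        # Vlan1, ip nat inside
# ip nat inside source static tcp 10.0.0.3 80 interface FastEthernet0 80
FORWARDS = {("tcp", 80): "10.0.0.3"}
ROUTER_LISTENING = set()               # "no ip http server": nothing on 1.1.1.1:80 itself

def ingress_interface(src):
    """Assumption for the model: LAN sources enter on Vlan1 (inside), all others on Fa0 (outside)."""
    return "inside" if ip_address(src) in LAN else "outside"

def deliver(src, dst, proto, dport):
    """Where a packet to dst:dport ends up. Destination translation from the static
    NAT entry is applied only when the packet arrives on the outside interface."""
    iface = ingress_interface(src)
    if dst == WAN_IP and iface == "outside" and (proto, dport) in FORWARDS:
        return ("forwarded", FORWARDS[(proto, dport)], dport)
    if dst == WAN_IP:
        # Arrived on the inside: dst is the router's own address, so it is
        # handed to the router's local stack untranslated. Port 80 is not open there.
        state = "open" if (proto, dport) in ROUTER_LISTENING else "closed"
        return ("router", state)
    return ("routed", dst, dport)

def nmap_state(scanner_ip):
    """What 'nmap -p 80 1.1.1.1' run from scanner_ip would report (server assumed listening)."""
    outcome = deliver(scanner_ip, WAN_IP, "tcp", 80)
    return "open" if outcome[0] == "forwarded" else outcome[1]

def reply_path(client, server):
    """Even if the destination were rewritten, a server on the same subnet as the
    client answers it directly, so the router never sees the reply to un-translate it."""
    same_subnet = ip_address(client) in LAN and ip_address(server) in LAN
    return "direct-to-client" if same_subnet else "via-router"

if __name__ == "__main__":
    print("LAN client :", nmap_state("10.0.0.20"))    # closed, as in the first post
    print("remote VPS :", nmap_state("203.0.113.7"))  # open
    print("reply from 10.0.0.3 to LAN client goes", reply_path("10.0.0.20", "10.0.0.3"))
```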
|
|
Hi Cramer. Thanks for the info. I might have another solution, but it isn't working like I thought. My WAN IP address has a domain name (pretend it's example.com):
ip dhcp pool Pool-1
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 10.0.0.1
ip dns server
ip host example.com 10.0.0.3
ip host www.example.com 10.0.0.3
ip name-server 8.8.8.8
ip name-server 8.8.4.4
So, what I'm trying to do is make the router into a DNS server. If I dig or nslookup example.com and www.example.com, I want to see an A record for 10.0.0.3, but I'd also like it to forward other requests (e.g. google.com, facebook.com) to 8.8.8.8 and 8.8.4.4 since their DNS records aren't defined on the router. It seems simple, I've done it before, but it seems to be looking up AAAA (IPv6) records only.
On the router, I ping google.com:
Translating "google.com"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:F8B0:4006:807::1005, timeout is 2 seconds:
% No valid source address for destination
Google has an AAAA record.
But when I try a website which has only A records:
Translating "craigslist.org"...domain server (8.8.8.8)
Translating "craigslist.org"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 208.82.238.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 88/90/92 ms
It works fine. (Could it have something to do with it translating to domain server twice?)
I'm able to connect to the router from other computers on my network, but it has the same problem. I can look up A-record-only websites, so AAAA-and-A websites like google.com don't work. Strangely, I worked with another 1811 router in the past, and with the config commands above, it worked fine. Are there any IPv6 DNS settings in the router or something to set A record preference?
Thanks |
|
|
to devon7523
said by devon7523: So, what I'm trying to do is make the router into a DNS server.
said by devon7523: Are there any IPv6 DNS settings in the router or something to set A record preference?
IOS router != DNS server / resolver. Just don't. ...I can't make it any shorter than this.
Regards |
|
|
Seconded... |
|
|
I appreciate your posts and I understand that IOS isn't meant to be a DNS server, but I don't have much option. We have to access the server 10.0.0.3:80 via a domain name from the local network. I'd like to resolve my issue, and setting up a DNS server on the router seems like the only practical option. I used to have another 1811 which worked perfectly for resolving Internet domains like google.com and a local machines on the .local TLD. I was hoping to figure out why I'm having this strange IPv6/AAAA record issue on this 1811. |
|
cramer |
to devon7523
ping ip google.com
Yes, the router will attempt IPv6 by default, and you have no IPv6 setup. It will resolve your client requests with whatever they ask for - v4 or v6. |
|
|
|
to devon7523
Hello.. Similitude. Bear , etc.
Why does my device contain double everything? Virtual sd, sd 0 / 1 , Phone dates are dated: Dec 31 , 1969
And for some reason my cidr Resolves to Boulder Colorado?
Cisco based user files. ? |
|
|
to cramer
It makes sense that the router would attempt IPv6 by default, but here's the strange thing:
Router-1>ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2607:F8B0:4006:806::1001, timeout is 2 seconds:
% No valid source address for destination
I located another 1811 router, used the same DNS config, and pinged google.com:
Router-2#ping google.com
Translating "google.com"...domain server (8.8.8.8) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 74.125.226.38, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 20/20/20 ms
Notice that Router-1 attempts AAAA record lookup, but Router-2 goes with the A record. Both are 1811's running C181X-ADVENTERPRISEK9-M. However, Router-1 has 12.4(9)T5 while Router-2 has 12.4(24)T4. Could this behavior relate to IOS version? |
|
devon7523 |
to Bogo
said by Bogo: Why does my device contain double everything?
said by Bogo: Cisco based user files.
I'm not sure what you're talking about. I think you should start a new thread. |
|
|
to devon7523
said by devon7523: We have to access the server 10.0.0.3:80 via a domain name from the local network.
a) get a DNS server / daemon going -or-
b) use DDNS for your DNS services -or-
c) get a hostfile going.
If you've no internal DNS server, have your NAT inside hosts resolve to the internal 10.x.x.x address, while NAT outside resolves to the public address.
As to the resolution behavior of your other 1811, is it possible that one had "no ip domain lookup" enabled? By default IOS takes unrecognized commands entered into CLI and interprets them as domain / host names.
My 00000010bits
Regards |
|
|
said by HELLFIRE: If you've no internal DNS server, have your NAT inside hosts resolve to the internal 10.x.x.x address, while NAT outside resolves to the public address.
That's what I'm trying to do with the DNS server in IOS. I just have to figure out why it's only looking up AAAA records when a client requests a domain. I have a feeling it has to do with IOS version. I'm going to copy the IOS to the other 1811 to see if it works. 12.4(9)T5 is newer than 12.4(24)T4, right? |
|
cramer
Premium Member
2014-Jul-11 12:36 pm
That's NOT what it's doing. Whatever the client asks for, it looks up. If a client asks for an A record and gets back a AAAA answer, the IOS resolver is broken. All you've shown is the router itself defaulting to ipv6. |
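Putting HELLFIRE's split-horizon suggestion and cramer's "it answers what the client asks for" rule together, as an added example (not code from the thread, and not how IOS implements `ip dns server`): a resolver policy that gives inside clients the internal address for the site's name, gives outside clients the public one, forwards everything else, and never substitutes AAAA data for an A question. Names and addresses are the thread's placeholders; `UPSTREAM` is a constructed stand-in for the answers 8.8.8.8 would return.

```python
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")
PUBLIC_IP = "1.1.1.1"                  # placeholder WAN address from the thread
# Equivalent of "ip host example.com 10.0.0.3", plus the view outside clients should get
LOCAL = {
    "example.com":     {"inside": "10.0.0.3", "outside": PUBLIC_IP},
    "www.example.com": {"inside": "10.0.0.3", "outside": PUBLIC_IP},
}
# Constructed stand-in for upstream (8.8.8.8) answers; values are illustrative only
UPSTREAM = {
    "google.com":     {"A": ["74.125.226.38"], "AAAA": ["2607:f8b0:4006:806::1001"]},
    "craigslist.org": {"A": ["208.82.238.129"]},          # no AAAA, as in the thread
}

def resolve(name, qtype, client_ip):
    """Records of type qtype for name, as seen by client_ip.
    An empty list is NOERROR/NODATA: the client learns there is no address of that
    family and, if dual-stacked, can fall back to the other one."""
    if qtype not in ("A", "AAAA"):
        raise ValueError("only A and AAAA are modelled here")
    name = name.rstrip(".").lower()
    if name in LOCAL:
        view = "inside" if ip_address(client_ip) in LAN else "outside"
        return [LOCAL[name][view]] if qtype == "A" else []  # the site has no IPv6 address
    return list(UPSTREAM.get(name, {}).get(qtype, []))

def answer_is_consistent(qtype, records):
    """Sanity check for any resolver's reply: every record must belong to the
    address family the question asked for (an AAAA answer to an A question is a bug)."""
    want = 4 if qtype == "A" else 6
    return all(ip_address(r).version == want for r in records)

if __name__ == "__main__":
    for client in ("10.0.0.20", "203.0.113.7"):          # LAN host, then a constructed remote host
        for qtype in ("A", "AAAA"):
            print(client, qtype, "www.example.com ->", resolve("www.example.com", qtype, client))
    print("google.com AAAA ->", resolve("google.com", "AAAA", "10.0.0.20"))
```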
|
|
to devon7523
said by devon7523: 12.4(9)T5 is newer than 12.4(24)T4, right?
No, 12.4(24)T4 is newer than 12.4(9)T5.
Regards |
|
cramer
Premium Member
2014-Jul-11 2:16 pm
By build date, maybe. By version, no. (look at the release notes to know what was added/fixed/broken between 9 and 24) |
|
|
...ahh, thanks for reminding me about the release notes, cramer Regards |
|
|
to cramer
When I go to a computer which has the router set as the DNS server, and I open Firefox craigslist.org works fine (craigslist.org has NO AAAA records) but google.com shows "Server not found" (google.com has AAAA records). It's the same behavior for other websites. IPv4-only works, and IPv4-and-IPv6 doesn't work. It's strange because with my other 1811, I'm able to go to any websites. |
|
|
cramer
Premium Member
2014-Jul-11 3:34 pm
Granted, I'm using 15.1(4)M7 on my 1811 -- with ipv6 connectivity. What a host asks for, it gets an answer for. If your hosts are asking for v6 addresses, and think they have v6 connectivity, they may not be failing back to v4.
[root:pts/5{4}]debian1:~/[12:32 AM]:host -v -d -t any www.google.com 192.168.55.8
Trying "www.google.com"
Using domain server:
Name: 192.168.55.8
Address: 192.168.55.8#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29299
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN ANY
;; ANSWER SECTION:
www.google.com. 299 IN A 173.194.37.82
www.google.com. 299 IN A 173.194.37.83
www.google.com. 299 IN A 173.194.37.81
www.google.com. 299 IN A 173.194.37.80
www.google.com. 299 IN A 173.194.37.84
www.google.com. 299 IN AAAA 2607:f8b0:4002:802::1014
Received 140 bytes from 192.168.55.8#53 in 52 ms
[root:pts/5{4}]debian1:~/[03:29 PM]:host -v -d -t a www.google.com 192.168.55.8
Trying "www.google.com"
Using domain server:
Name: 192.168.55.8
Address: 192.168.55.8#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19006
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN A
;; ANSWER SECTION:
www.google.com. 289 IN A 173.194.37.82
www.google.com. 289 IN A 173.194.37.83
www.google.com. 289 IN A 173.194.37.81
www.google.com. 289 IN A 173.194.37.80
www.google.com. 289 IN A 173.194.37.84
Received 112 bytes from 192.168.55.8#53 in 2 ms
[root:pts/5{4}]debian1:~/[03:29 PM]:host -v -d -t aaaa www.google.com 192.168.55.8
Trying "www.google.com"
Using domain server:
Name: 192.168.55.8
Address: 192.168.55.8#53
Aliases:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25082
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;www.google.com. IN AAAA
;; ANSWER SECTION:
www.google.com. 299 IN AAAA 2607:f8b0:4002:802::1013
Received 60 bytes from 192.168.55.8#53 in 34 ms
|
|
|
Thank you all for your help. I replaced IOS 12.4(9)T5 with 12.4(24)T4 and it's working the way I want it to now. |
|