
Port forwarding to multiple inside IPs?

fonestar1978 Banned Posts: 55
Hi there

I have a few different boxes running various services behind my newly purchased 2611XM.


I thought this would be as simple as:

ip nat inside source list 1 interface FastEthernet0/0 overload

(where source list 1 is "access-list 1 permit ip 192.168.100.0 0.0.0.255 any"
"access-list 1 permit ip 192.168.200.0 0.0.0.255 any")


and then some......

ip nat source static tcp 192.168.100.95 22 interface FastEthernet0/0 22
ip nat source static tcp 192.168.100.45 5900 interface FastEthernet0/0 5900

As an example, but consistently port 23 (which I have not chosen) is my only open WAN-facing port.
Any ideas?

Comments

  • kalebksp Member Posts: 1,033
    Try:

    ip nat inside source static tcp 192.168.100.95 22 interface FastEthernet0/0 22
    ip nat inside source static tcp 192.168.100.45 5900 interface FastEthernet0/0 5900

    Also, make sure that your firewall (if any) on the router and the end devices are configured to allow the traffic.
  • hexem Member Posts: 177
    May have been overlooked, but also make sure you put 'ip nat outside' under the Fa0/0 config and 'ip nat inside' under the appropriate interface.
    ICND1 - Passed 25/01/10
    ICND2 - Passed 9/03/10

    Studying CCNA:S
  • fonestar1978 Banned Posts: 55
    I do have the appropriate outbound/inbound NAT statements on the right interfaces. Here is my config if it helps. If it works the way I want it to, I should get an FTP access prompt from my public WAN IP. I can access the FTP server from within my LAN, so I do know that it is working. Thanks for the help!

    Current configuration : 1789 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 XXXXXXXXXXXXXXXXXXXX
    !
    no aaa new-model
    no network-clock-participate slot 1
    no network-clock-participate wic 0
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.100.1 192.168.100.99
    !
    ip dhcp pool DATA_POOL
    network 192.168.100.0 255.255.255.0
    !
    !
    ip name-server XXX.XXX.XXX.XXX
    ip name-server XXX.XXX.XXX.XXX
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    !
    interface FastEthernet0/0
    description WAN_INTERFACE
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet0/1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet0/1.100
    description DATA
    encapsulation dot1Q 100
    ip address 192.168.100.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    interface FastEthernet0/1.200
    description VOICE
    encapsulation dot1Q 200
    ip address 192.168.200.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    !
    ip forward-protocol nd
    !
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list 100 interface FastEthernet0/0 overload
    ip nat inside source static tcp 192.168.100.95 21 interface FastEthernet0/0 21
    !
    access-list 100 permit ip 192.168.100.0 0.0.0.255 any
    access-list 100 permit ip 192.168.200.0 0.0.0.255 any
    ! !
    control-plane
    !
    line con 0
    password 7 XXXXXXXXXXXXXXXX
    login
    line aux 0
    password 7 XXXXXXXXXXXXXXXX
    login
    line vty 0 4
    password 7 XXXXXXXXXXXXXXXX
    login
    line vty 5 15
    password 7 135441445D5B5C2B2D
    login
    !
    !
    end
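To make the earlier replies concrete, here is an added example (my own code, not something any poster ran) that reads the NAT-relevant lines of a config like the one above and works out which ports an external scan of the outside interface should report open. It also flags the form used in the first post, 'ip nat source static' without the 'inside' keyword, and any static whose interface is not marked 'ip nat outside'. The sample config is constructed from the posted one, with kalebksp's corrected 5900 entry and one malformed line from the first post added for contrast.

```python
"""Work out what an IOS NAT config should expose on the WAN side.

Added example for this thread, not code any poster ran. It parses the
static port-translation lines and the per-interface 'ip nat inside' /
'ip nat outside' markings of a running-config, flags the form used in the
first post ('ip nat source static', missing the 'inside' keyword IOS
requires), and lists the ports an external scan of the outside interface
should show open.
"""
import re
from dataclasses import dataclass

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)
MALFORMED_RE = re.compile(r"^ip nat source static\b")
IFACE_RE = re.compile(r"^interface (\S+)$")
NAT_DIR_RE = re.compile(r"^ip nat (inside|outside)$")


@dataclass(frozen=True)
class StaticPat:
    proto: str
    inside_ip: str
    inside_port: int
    outside_if: str
    outside_port: int


def parse_nat(config: str):
    """Return (static entries, malformed static lines, {interface: direction})."""
    statics, malformed, nat_dirs = [], [], {}
    iface = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":          # IOS closes a config section with a bare '!'
            iface = None
        elif m := IFACE_RE.match(line):
            iface = m.group(1)
        elif (m := NAT_DIR_RE.match(line)) and iface:
            nat_dirs[iface] = m.group(1)
        elif m := STATIC_RE.match(line):
            proto, ip, iport, oif, oport = m.groups()
            statics.append(StaticPat(proto, ip, int(iport), oif, int(oport)))
        elif MALFORMED_RE.match(line):
            malformed.append(line)
    return statics, malformed, nat_dirs


def expected_wan_ports(config: str):
    """(proto, port) pairs an external scan of the outside interface should
    report open, given a listening inside host and no upstream filtering.
    A static whose interface is not marked 'ip nat outside' never translates,
    so it is left out. As Forsaken_GA's scans above show, a scan run from
    behind the NAT against the same address does not exercise these
    translations on IOS and will not list them."""
    statics, _, nat_dirs = parse_nat(config)
    return sorted({(s.proto, s.outside_port) for s in statics
                   if nat_dirs.get(s.outside_if) == "outside"})


def nat_findings(config: str):
    """Plain-text problems a reviewer would raise about the NAT lines."""
    statics, malformed, nat_dirs = parse_nat(config)
    findings = [f"rejected by IOS (missing 'inside'): {line}" for line in malformed]
    if "inside" not in nat_dirs.values():
        findings.append("no interface is marked 'ip nat inside'")
    for s in statics:
        if nat_dirs.get(s.outside_if) != "outside":
            findings.append(f"{s.outside_if} has a static for {s.proto}/{s.outside_port} "
                            "but is not marked 'ip nat outside'")
    return findings


# Constructed sample: the NAT-relevant lines of the config posted above, plus
# kalebksp's corrected 5900 entry and one malformed line from the first post.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description WAN_INTERFACE
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
 ip address 192.168.100.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.100.95 21 interface FastEthernet0/0 21
ip nat inside source static tcp 192.168.100.45 5900 interface FastEthernet0/0 5900
ip nat source static tcp 192.168.100.95 22 interface FastEthernet0/0 22
!
"""

if __name__ == "__main__":
    for proto, port in expected_wan_ports(SAMPLE_CONFIG):
        print(f"expect open from outside: {proto}/{port}")
    for finding in nat_findings(SAMPLE_CONFIG):
        print(f"finding: {finding}")
```

The list only covers what the statics say. For the posted config that is tcp/21, the FTP control channel; whether data connections follow depends on the FTP mode. In active mode the server opens the data connection outbound from port 20, which the overload entry carries like any other outbound flow. In passive mode the client has to reach an ephemeral port on the server, which none of these entries covers unless the IOS NAT FTP ALG rewrites the PASV reply and creates that translation for the session.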
  • Forsaken_GA Member Posts: 4,024
    You're correct in that it should work that way.

    Here's my NAT configuration for home (I'm also doing some port redirection):


    ip nat pool mypool 192.168.1.13 192.168.1.13 prefix-length 30
    ip nat inside source list 101 pool mypool overload
    ip nat inside source static tcp 192.168.3.8 22 interface FastEthernet0/1 33655
    ip nat inside source static udp 192.168.3.7 53 interface FastEthernet0/1 53
    ip nat inside source static tcp 192.168.3.7 53 interface FastEthernet0/1 53
    ip nat inside source static tcp 192.168.3.9 22 interface FastEthernet0/1 33654
    ip nat inside source static tcp 192.168.3.8 80 interface FastEthernet0/1 80
    ip nat inside source static tcp 192.168.3.7 21 interface FastEthernet0/1 21
    ip nat inside source static tcp 192.168.2.50 3389 interface FastEthernet0/1 3389
    ip nat inside source static tcp 192.168.3.7 20 interface FastEthernet0/1 20
    ip nat inside source static tcp 192.168.3.8 443 interface FastEthernet0/1 443
    ip nat inside source static tcp 192.168.3.7 22 interface FastEthernet0/1 33656

    access-list 101 permit ip any any

    It's entirely possible that your provider is filtering the common inbound service ports to prevent you from running any servers.


    Try changing your config line to something like this:

    ip nat inside source static tcp 192.168.100.95 21 interface FastEthernet0/0 40000

    And then FTP into your global IP on port 40000 instead. If that works, then your provider isn't allowing those ports inbound. If it doesn't, then you've got another problem.
  • Forsaken_GA Member Posts: 4,024
    btw, I know it's not directly related to your question... but I would seriously consider disabling telnet access from the world. Your router should be capable of doing SSH, so I would get all of those vty's off of telnet and accept ssh only. I also wouldn't accept any ssh or telnet connections bound for the WAN IP address, only allow those connections coming from behind the router.

    And you left one type 7 password in the config you posted; I recommend you change that ASAP (and additionally, don't use type 7 passwords!).
  • fonestar1978 Banned Posts: 55
    I know for a fact that it is not my ISP filtering. Why? Because I run DynDNS, FTP, SSH, VNC through a WRT-54G and D-Link DIR-615 and it works fine. Set up the Cisco and nothing is there besides Telnet on port 23 open. Could this be CEF? Any other ideas? I don't think an access list should be needed to perform what I am trying to do. This should just be a simple static NAT statement, should it not? Is my 'overload' statement somehow conflicting with the static statement?

    Thanks again...
  • Forsaken_GA Member Posts: 4,024
    How are you checking what ports are open? Are you doing it from behind the NAT to your global IP or are you doing it from the outside world?

    Let me give you an example -

    tyrion:~ root# nmap 192.168.1.13
    Starting Nmap 4.20 ( Insecure.Org - Nmap Free Security Scanner, Tools & Hacking resources ) at 2010-02-06 11:09 EST

    PORT STATE SERVICE
    21/tcp open ftp
    53/tcp open domain
    80/tcp open http
    443/tcp open https

    This is from a host on the same subnet as the router's global IP. Those are the services I expect to see open from the outside world's perspective.

    porthos:~# nmap 192.168.1.13

    Starting Nmap 4.62 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2010-02-06 11:20 EST
    Interesting ports on dorne.targaryen.local (192.168.1.13):
    Not shown: 1713 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    443/tcp open https

    That is from a host that's behind the NAT. Bit of a difference isn't it?

    If you're only seeing port 23 open, I suspect you're running your port scans from behind your NAT, as port 23 should be the only port open, since you've disabled http server and http secure-server.

    Try running your port scan from a machine outside of your network, and you'll probably see that port 21 is open.
  • mikej412 Member Posts: 10,086
    I don't see a default route in your configuration. Do you have internet connectivity from a host behind your router?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • hexem Member Posts: 177
    As above.

    You can also verify your configuration with 'show ip nat translations'; you should see the static entry in there.
    ICND1 - Passed 25/01/10
    ICND2 - Passed 9/03/10

    Studying CCNA:S
  • fonestar1978 Banned Posts: 55
    Forsaken_GA wrote: »
    How are you checking what ports are open? Are you doing it from behind the NAT to your global IP or are you doing it from the outside world? [...]

    I should still be able to FTP into my WAN IP address and I cannot. I see what you're saying, but NAT'd nmap scans have always been reliable for me from behind and outside my NAT'd LAN. Yes, I currently have internet connectivity.

    #show ip nat translations

    - does show NAT is occurring, just overload NAT though; again, not the static NATs I want.


    Thanks again
  • Forsaken_GA Member Posts: 4,024
    fonestar1978 wrote: »
    I see what you're saying, but NAT'd nmap scans have always been reliable for me from behind and outside my NAT'd LAN.

    With a Cisco router? Or with a Linksys? If you nmap a Linksys from behind the NAT to the outside global address, it will show you all the ports it has open. If you do the same with an IOS router (as I demonstrated above), it will not.

    Have you tried to nmap your outside global from outside of your network? If you have, is it still showing only the telnet port?
  • fonestar1978 Banned Posts: 55
    Forsaken_GA wrote: »
    With a Cisco router? Or with a Linksys? If you nmap a Linksys from behind the NAT to the outside global address, it will show you all the ports it has open. If you do the same with an IOS router (as I demonstrated above), it will not.

    Have you tried to nmap your outside global from outside of your network? If you have, is it still showing only the telnet port?

    Well I guess you learn something new each year :) I'm going to VNC into my mom's computer 2,000 miles away reverse scan myself and test that theory. Thanks....
  • mikej412 Member Posts: 10,086
    fonestar1978 wrote: »
    I should still be able to FTP into my WAN IP address and I cannot.
    Is that your complete config above? Or just part of it? It looks like you have the FTP command port configured, but not the data port. Or should we just assume that you have everything correctly configured and that it's a hardware issue?

    Are you saying you don't even see the static NAT translation for port 21 when you check the NAT translations?
    :mike: Cisco Certifications -- Collect the Entire Set!
  • fonestar1978 Banned Posts: 55
    mikej412 wrote: »
    Is that your complete config above? Or just part of it? It looks like you have the ftp command port configured, but not the data port. Or should we just assume that you have everything correctly configured and that's it's a hardware issue?

    Are you saying you don't even see the static NAT translation for port 21 when you check the NAT translations?

    Yes, I have 20, 21 and 22 all open.

    Here is some debug; obviously it is choosing to go with its own dynamic PAT and ignoring my config:

    R1#debug ip nat port
    IP NAT PORT debugging is on
    R1#
    *Mar 3 21:05:03.341: NAT: [0] Allocated Port for 192.168.100.95 -> 24.69.183.90: wanted 35080 got 35080
    *Mar 3 21:05:03.433: NAT - SYSTEM PORT for 24.69.183.90: allocated port 0, refcount 5, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 5, proto 6
    R1#undebug all
    All possible debuggi


    That was me trying to connect via FTP to my DynDns.
  • Forsaken_GA Member Posts: 4,024
    I think you're barking up the wrong tree and you have some other issues going on.

    Since you were kind enough to provide your global public IP in the last post, this is what happens when I try to FTP to the IP:

    tyrion:~ forsaken$ ftp 24.69.183.90
    Connected to 24.69.183.90.
    220 (vsFTPd 2.1.2)
    Name (24.69.183.90:forsaken):


    And pardon my rudeness, but I port scanned you as well:

    tyrion:~ forsaken$ sudo nmap 24.69.183.90
    Password:

    Starting Nmap 4.20 ( Insecure.Org - Nmap Free Security Scanner, Tools & Hacking resources ) at 2010-02-06 22:22 EST
    Not shown: 1692 closed ports
    PORT STATE SERVICE
    20/tcp filtered ftp-data
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    5900/tcp filtered vnc


    So you're showing your ports open to the world, but it looks like you have some internal network issues.


    And you need to fix this ;)


    tyrion:~ forsaken$ telnet 24.69.183.90
    Trying 24.69.183.90...
    Connected to S0106000f907d5ba0.gv.shawcable.net.
    Escape character is '^]'.


    User Access Verification

    Password:
  • fonestar1978 Banned Posts: 55
    Forsaken_GA wrote: »
    I think you're barking up the wrong tree and you have some other issues going on. [...]


    Well, I was not aware before the other poster informed me that an nmap scan done within my LAN was unreliable when working with IOS (as opposed to other routers). Thank you for scanning my network; I was actually trying to VNC into my mom's computer to do the same thing but couldn't (lost her IP).

    I know much is made about "don't use telnet, it's plain text" (scary music in background). But honestly, this router is patched, and do you or others you know have the ability to deploy a sniffer on an ISP's WAN??? Don't get me wrong, I've run ettercap, Back|Track, snort, Wireshark and the rest. But capturing plain text passwords on a LAN and on a WAN are two totally different things! Maybe if you capture an ISP's router and put it into promiscuous capture mode??

    I've changed my vty password after I accidentally didn't blank all of them out of my first post and will go to sleep quite comfortably.
  • Forsaken_GA Member Posts: 4,024
    fonestar1978 wrote: »
    Well, I was not aware before the other poster informed me that an nmap scan done within my LAN was unreliable when working with IOS (as opposed to other routers). Thank you for scanning my network; I was actually trying to VNC into my mom's computer to do the same thing but couldn't (lost her IP).

    Yeah, I'm the same guy who told you you can't trust nmap from inside the network in all cases, hehe
    fonestar1978 wrote: »
    I know much is made about "don't use telnet, it's plain text" (scary music in background). But honestly, this router is patched, and do you or others you know have the ability to deploy a sniffer on an ISP's WAN??? Don't get me wrong, I've run ettercap, Back|Track, snort, Wireshark and the rest. But capturing plain text passwords on a LAN and on a WAN are two totally different things! Maybe if you capture an ISP's router and put it into promiscuous capture mode??

    I've changed my vty password after I accidentally didn't blank all of them out of my first post and will go to sleep quite comfortably.

    Actually, I don't really care that it's plaintext. The same problem exists with FTP, and you're right, it's fairly difficult to sniff wan traffic.

    My problem with that is the fact that you've got a login prompt facing the world. It's bad enough that servers are susceptible to brute force attacks, but you should never ever ever present a management login to the world. You should only be able to access your routers from inside your network. The bigger risk is that your own box will be compromised and keylogged (and if you don't think it can happen on a mass scale, I suggest you google for gumblar.cn.... we are *STILL* dealing with the fallout from that fiasco at work). If that ever happens, then anything you have publicly accessible from the internet becomes fair game. Sure, it's not too big of a deal with your home internet connection, but you might think differently if you ever find yourself working for a major financial institution.

    So I would lock out incoming telnet traffic from the WAN side (at least, telnet traffic destined for the router), and only allow it from the inside. I'm sure one of the security nuts can give you better reasons for it though.

    And I know the natural question is 'well what if I can't reach inside my network and I need to get on the router?'. That's what OOB management is for.

    But yeah, it's your router, and I'm not preaching a gospel, just trying to nudge you into some good habits in order to avoid bad ones later on!
  • hexem Member Posts: 177
    At least put a MOTD banner on there saying it's a private system and unauthorized access is prohibited.... gives you slightly more legal rights if someone was to break in.

    but at least it's working ey :)
    ICND1 - Passed 25/01/10
    ICND2 - Passed 9/03/10

    Studying CCNA:S
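Pulling together the management-plane points Forsaken_GA and hexem raise above, here is an added example (my own code, not anything a poster ran and not a Cisco tool): a small audit that reads an IOS config, flags vty lines that still accept telnet or have no inbound access-class, checks for a MOTD banner, and shows why 'service password-encryption' is no protection by reversing any type 7 value it finds. The two sample configs are constructed; the type 7 string in the weak one encodes a made-up password, not the one that appeared earlier in the thread. The hardened sample uses a named standard ACL called MGMT and an 'admin' user, both placeholders of mine.

```python
"""Audit the management plane of an IOS config.

Added example for this thread, not code any poster ran. It flags vty lines
that still accept telnet or have no inbound access-class, checks for a MOTD
banner, and reverses every 'password 7' value it finds. The type 7 key table
is the widely published one: 'service password-encryption' XORs the password
against it, so anyone who can read the config gets the password back.
"""
import re

TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(enc: str) -> str:
    """'password 7' value: two decimal digits of seed, then hex bytes, each
    XORed with the key byte at (seed + position)."""
    seed = int(enc[:2])
    body = bytes.fromhex(enc[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def type7_encode(plain: str, seed: int = 0) -> str:
    """Produce the value IOS would store; the round trip shows it is
    obfuscation, not a hash."""
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, c in enumerate(plain))
    return f"{seed:02d}{body.hex().upper()}"


def _line_sections(config: str):
    """Yield (header, stripped body lines) for each 'line ...' block. IOS
    closes a block with a bare '!' or with the next 'line' header."""
    header, body = None, []
    for raw in config.splitlines() + ["!"]:
        line = raw.strip()
        if line == "!" or line.startswith("line "):
            if header is not None:
                yield header, body
            header = line if line.startswith("line ") else None
            body = []
        elif header is not None:
            body.append(line)


def audit_management_plane(config: str) -> list[str]:
    findings = []
    for header, body in _line_sections(config):
        if not header.startswith("line vty"):
            continue
        if not any(b in ("transport input ssh", "transport input none") for b in body):
            findings.append(f"{header}: telnet still accepted (want 'transport input ssh')")
        if not any(b.startswith("access-class ") and b.endswith(" in") for b in body):
            findings.append(f"{header}: no inbound access-class, reachable from any source")
    for m in re.finditer(r"^\s*password 7 (\S+)$", config, re.M):
        findings.append(f"type 7 password is reversible, decodes to {type7_decode(m.group(1))!r}")
    if not re.search(r"^banner motd", config, re.M):
        findings.append("no MOTD banner")
    return findings


# Constructed samples modelled on the thread. The type 7 value below encodes
# the made-up password 's3cret' with seed 02; it is not the one from the post.
WEAK_CONFIG = """\
service password-encryption
!
line vty 0 4
 password 7 0215575819031B
 login
!
"""

HARDENED_CONFIG = """\
banner motd ^C
Private system. Unauthorized access is prohibited.
^C
!
ip access-list standard MGMT
 permit 192.168.100.0 0.0.0.255
!
! plus a 'username admin secret <your secret>' entry for 'login local', omitted here
line vty 0 4
 access-class MGMT in
 transport input ssh
 login local
!
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_management_plane(cfg) or ["no findings"])
```

Before 'transport input ssh' will accept a session the router also needs a hostname, an 'ip domain-name' and 'crypto key generate rsa'; apply the access-class first, so the window between turning SSH on and turning telnet off is not open to the whole internet. If you ever need the router when you cannot reach the inside network, that is the case for out-of-band access on the console or aux line rather than a WAN-facing vty.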