
Cisco router not passing ports.


ardude

IS-IT--Management
Jan 31, 2009
I installed a Cisco 2621XM router with a 2900XL switch going to three different servers. I have several public IPs off of my ISP's class A network. Those IPs are tied to the fa0/0 interface as secondaries. I am using NAT to tie the public IPs to the internal 192.168.1.1 network and the three servers. This is required since I have web and email running on each of the boxes.

The problem I have is that web, telnet, remote desktop seem to be working on my first machine but some required services are not able to be reached on any of the servers. Specifically, DNS on port 53 is not able to be queried from the outside but it works on the LAN. I also have a web POP3 checking service that is not working from the outside but it works from the inside. I have an ACL defined but I have it disabled as you will see in the config below.

Any help as to what is causing this would be greatly appreciated. My config is below as well as troubleshooting:

Web to POP3 Check:

-------- SNIP ------------
WSAGetLastError() returned 10061, Connection refused
Connecting to:
-------- END SNIP --------------

NSLOOKUP:

--- SNIP ---
c:\nslookup 12.34.67.98
*** Can't find server name for address 12.34.67.98: Server failed
Server: UnKnown
Address: 12.34.67.98

DNS request timed out.
timeout was 2 seconds.
--- END SNIP ---

Router Config:

----------- SNIP --------------
Building configuration...

Current configuration : 3165 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-wp
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp pool webport
network 192.168.1.0 255.255.255.0
dns-server 12.34.67.13 12.34.67.15
domain-name mysite.com
default-router 192.168.1.1
!
!
no ip domain lookup
ip name-server 12.34.67.13
ip name-server 12.34.67.15
ip name-server 192.168.1.105
ip name-server 192.168.1.99
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
interface FastEthernet0/0
description Connection to WAN
ip address 12.34.67.98 255.255.252.0 secondary
ip address 12.34.67.99 255.255.252.0 secondary
ip address 12.34.67.100 255.255.252.0 secondary
ip address 12.34.67.101 255.255.252.0 secondary
ip address 12.34.67.97 255.255.252.0
ip access-group FILTER-WAN-IN in
ip access-group FILTER-WAN-OUT out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Connection to LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
router rip
version 2
network 12.0.0.0
network 192.168.1.0
no auto-summary
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 12.34.67.1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static udp 192.168.1.105 53 12.34.67.98 53 extendable
ip nat inside source static 192.168.1.105 12.34.67.98 extendable
ip nat inside source static 192.168.1.99 12.34.67.99 extendable
ip nat inside source static 192.168.1.100 12.34.67.100 extendable
!
ip access-list extended FILTER-LAN-IN
permit ip any any
permit tcp any host 12.34.67.97 eq pop3
permit tcp any host 12.34.67.97 eq smtp
permit tcp any host 12.34.67.97 eq ftp
permit tcp any host 12.34.67.97 eq ftp-data
permit tcp any host 12.34.67.97 eq 443
permit tcp any host 12.34.67.97 eq 22
permit udp any host 12.34.67.97 eq 22
permit udp any host 12.34.67.97 eq domain
permit tcp any host 12.34.67.97 eq domain
permit udp any host 12.34.67.97 eq 23
permit tcp any host 12.34.67.97 eq telnet
permit udp any host 12.34.67.97 eq 25
permit udp any host 12.34.67.97 eq 50
permit tcp any host 12.34.67.97 eq 50
permit tcp any host 12.34.67.97 eq www
permit udp any host 12.34.67.97 eq 80
permit udp any host 12.34.67.97 eq 110
permit udp any host 12.34.67.97 eq 220
permit tcp any host 12.34.67.97 eq 220
permit udp any host 12.34.67.97 eq 443
permit udp any host 12.34.67.97 eq 3389
permit tcp any host 12.34.67.97 eq 3389
ip access-list extended FILTER-LAN-OUT
permit ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 12.34.67.0 0.0.0.255
access-list 1 permit any
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password xxxxxxxx
login
!
!
end

router-wp#
----------- END SNIP ----------
 
Hello
First of all, can you confirm that the web server and remote desktop are reachable from the outside.
For the POP, try using the port number in the NAT statement:

ip nat inside source static 192.168.1.105 25 12.34.67.98 25 extendable

If this doesn't work, maybe there's a problem natting secondary addresses. I have never really seen such a NAT implementation.
To troubleshoot, try natting all the services to FastEthernet 0/0 to see if it works. I will pull out my books and get back to you.
Regards
 
Thanks for your efforts.

Yeah, strangely enough ports 25 and 110 both work even without the port-specific NAT statement. The problem is port 53 (DNS) and port 110 over port 80 (webpage checking POP3).

How do people normally route multiple public IPs to internal IPs?
 
This ACL entry

access-list 1 permit 12.34.67.0 0.0.0.255

in conjunction with this

ip nat inside source list 1 interface FastEthernet0/0 overload

is making the public IP NAT to itself...you're confusing your poor router.

Burt
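Burt's point above, checked mechanically: an added Python script (not from the thread) that parses an IOS-style config excerpt and flags every entry of the NAT source list that also matches an address configured on the "ip nat outside" interface. The excerpt is a constructed cut-down of the config in the question.

```python
import ipaddress

# Constructed excerpt of the question's config: outside addresses, overload NAT, its source list.
SAMPLE_CONFIG = """
interface FastEthernet0/0
 ip address 12.34.67.98 255.255.252.0 secondary
 ip address 12.34.67.97 255.255.252.0
 ip nat outside
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 12.34.67.0 0.0.0.255
access-list 1 permit any
"""

def acl_matches(addr, wildcard, ip):
    """Cisco wildcard semantics: bits set in the wildcard are 'don't care'."""
    a, w, i = (int(ipaddress.ip_address(x)) for x in (addr, wildcard, ip))
    return (a & ~w) == (i & ~w)

def parse_config(config):
    """Collect interface addresses, 'ip nat outside' flags, standard ACL permits, NAT source lists."""
    ifaces, acls, nat_lists, cur = {}, {}, [], None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        parts = line.split()
        if parts[0] == "interface":
            cur = ifaces.setdefault(parts[1], {"addrs": [], "outside": False})
        elif line.startswith("ip address ") and cur:
            cur["addrs"].append(parts[2])  # primary and secondary alike
        elif line == "ip nat outside" and cur:
            cur["outside"] = True
        elif parts[0] == "access-list" and parts[2] == "permit":
            # 'any' is 0.0.0.0/255.255.255.255; a bare address is a host match
            addr, wild = ("0.0.0.0", "255.255.255.255") if parts[3] == "any" \
                else (parts[3], parts[4] if len(parts) > 4 else "0.0.0.0")
            acls.setdefault(parts[1], []).append((line, addr, wild))
        elif line.startswith("ip nat inside source list "):
            nat_lists.append(parts[5])
    return ifaces, acls, nat_lists

def find_self_nat(config):
    """Return [(acl_line, [outside IPs it matches])] for NAT source entries that cover the router's own public addresses."""
    ifaces, acls, nat_lists = parse_config(config)
    public = [ip for i in ifaces.values() if i["outside"] for ip in i["addrs"]]
    findings = []
    for acl in nat_lists:
        for line, addr, wild in acls.get(acl, []):
            hits = [ip for ip in public if acl_matches(addr, wild, ip)]
            if hits:
                findings.append((line, hits))
    return findings
```

On the sample the 192.168.1.0 entry is clean, while the 12.34.67.0 entry and the trailing "permit any" both cover the router's own 12.34.67.97 and .98, which is the self-NAT Burt describes.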
 
Really, I did not notice. Where did I go wrong? Should I just take one of the statements out or amend it? Forgive my ignorance, but it has been a long time since I touched a Cisco router.
 
Hello
Can you explain which addresses are doing what.

192.168.1.99 =
192.168.1.100 =
192.168.1.105 =

If 192.168.1.105 is giving two services, you must do the port mapping for both.
The mail server will work because the mapping is global. You have more than one public address, and that gives you the possibility to avoid port mapping.
Regards
 
Hello
So you have many services running on the same machine. Is the 192.168.1.105 the one that's giving problems? If so, are FTP and web working?
This could be an application problem if the router is forwarding all ports correctly.
Regards
 
No, I know it is not passing all of the ports correctly. For example, with the .105 machine, when I try to FTP from LAN-WAN-LAN it gives me the following:

STATUS:> [02/02/2009 6:07:35 AM] Connecting to FTP server... 12.34.56.98:21 (ip = 12.34.56.98)...
ERROR:> [02/02/2009 6:07:36 AM] The remote host actively refused the attempt to connect to it.

And when I try to connect to it using the .105 internal address it works fine.
 
I think the best thing to do is to start troubleshooting more seriously. Install an FTP server on just a single machine and test to see if you can get in. Let me know how it goes.

Regards

 