Connecting to Home Lab from Outside

bwm

Technical User
Oct 9, 2006
16
US
Hello,

I am having difficulty reaching my home lab over the internet from outside of my house. I have tried using telnet on port 23 and ports 3000+. In both instances I am able to connect from the inside of my network using the IP address of the interface connected to my cable modem, but cannot connect from an alternate location.

If I try to telnet to 68.69.70.71 (not real address) from a client inside with a private 10.0.0.x IP it works flawlessly.

I am able to ping my external IP from outside, but cannot establish a telnet session.

The problem seems to be my ISP blocking inbound connections. If I use a web-based port scanner they all say that port 23 (or 3001) does not respond.

My ISP is completely unresponsive on this issue. Can anyone suggest a way to verify with 100% certainty that the problem is occurring on the provider side of my router, and if this is in fact the case can anyone suggest a workaround so that I may connect to my home router from outside?
 
Can you please post a scrubbed conf? Also, do you have the static NAT configured correctly?

Regards
 
What type of device are you telnetting to? What devices are in front of that host?
 
Do you have a firewall that's not forwarding port 23 to your devices?
 
The device is a 2621 router running IOS 12.2(37)

The config is below.

I have my cable modem hooked directly into F0/0. F0/1 is connected to my main switch but the interface is subbed. F0/1.1 is on the vlan where my non-lab devices connect.

I am able to get in and out fine from all network devices so the NAT is working properly.

The inbound connections on 43689 and 43789 work fine so I am going to try to set up a port 23 to 40000 translation when I get home. I hadn't considered that until now. It still doesn't explain why 23 and 3001 (3002, 3003, etc) would be blocked though....


Gateway#sh run
Building configuration...

Current configuration : 2199 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Gateway
!
enable secret 5 $1$XqCs$Mhczl9widIrWj4UkCDHwI/
!
ip subnet-zero
!
!
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface Loopback0
ip address 10.0.1.1 255.255.255.0
!
interface FastEthernet0/0
description Physically connected to MainSwitch F0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface FastEthernet0/1
description Physically connected to switch3560
no ip address
duplex auto
speed auto
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.0.0.1 255.255.255.0
ip nat inside
!
router ospf 1
log-adjacency-changes
network 10.0.0.0 0.0.0.255 area 0
network 10.0.1.0 0.0.0.255 area 0
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.0.4.22 43689 interface FastEthernet0/0 43689
ip nat inside source static tcp 10.0.0.204 43789 interface FastEthernet0/0 43789
ip classless
ip http server
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit any
!
dial-peer cor custom
!
!
!
!
line con 0
password [redacted]
login
line aux 0
password [redacted]
login
line vty 0 4
password [redacted]
login
rotary 1
line vty 5 15
password [redacted]
login
!
end
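
One way to check where the inbound packets are being dropped, as an added example that is not part of the original thread: a counting ACL on the outside interface (FastEthernet0/0 in the posted config). ACL number 150 is an arbitrary assumption, and port 43689 is included as a control because the poster reports that it works from outside.

```cisco
! Added example, not from the thread. ACL 150 is an assumed free number.
! Every entry permits, so no traffic is blocked; the entries only count
! packets as they arrive on the outside interface, before NAT is applied.
configure terminal
 access-list 150 permit tcp any any eq 23
 access-list 150 permit tcp any any range 3001 3003
 ! Control entry: a forward the poster says already works from outside
 access-list 150 permit tcp any any eq 43689
 access-list 150 permit ip any any
 interface FastEthernet0/0
  ip access-group 150 in
 end
!
! Zero the counters, then attempt the connections from the outside location.
! Tests from a 10.0.0.x client enter on FastEthernet0/1.1 and are not counted.
clear access-list counters 150
!
! Read the per-entry match counts after the outside attempts.
show access-lists 150
!
! Remove the diagnostic ACL when finished.
configure terminal
 interface FastEthernet0/0
  no ip access-group 150 in
 no access-list 150
 end
```

If the 43689 entry gains matches during an outside test while the port 23 and 3001-3003 entries stay at zero, those packets never reached F0/0 and are being dropped upstream of the router. If those entries do gain matches, the traffic is arriving and the cause is on the router itself.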



 
no access-list 1
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
ip nat inside source list 101 int fa0/0 over

Also, you should NIX the RoaS idea and let the 3560 route the VLAN(s).

Likely, the ISP is blocking 23. Have you considered ssh, which is MUCH safer? Better yet, a VPN?

Post a sh ver please...

/
 
I tried setting up a port forwarding and it worked, so at least I can connect from outside now...

I would love to set up SSH or a VPN. When I try to set up SSH I get this:

Gateway(config)#ip domain-name test.home
Gateway(config)#cry
Gateway(config)#crypto ?
% Unrecognized command

I'm afraid setting up a VPN is out of my skill set - at least for the time being. Working on remedying that though :)

sh ver below

Gateway#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IS-M), Version 12.2(37), RELEASE SOFTWARE (fc1)
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Thu 15-Jun-06 20:48 by pwade
Image text-base: 0x8000808C, data-base: 0x8111D2B4

ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)

Gateway uptime is 3 days, 20 hours, 44 minutes
System returned to ROM by reload
System image file is "flash:c2600-is-mz.122-37.bin"

cisco 2621 (MPC860) processor (revision 0x200) with 60416K/5120K bytes of memory.
Processor board ID JAD050309VG (2886660437)
M860 processor: part number 0, mask 49
Bridging software.
X.25 software, Version 3.0.0.
2 FastEthernet/IEEE 802.3 interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)

Configuration register is 0x2102

 
Can you tell me offhand what version I would need? I should be able to get pretty much any IOS from work.
 
Also, you should NIX the RoaS idea and let the 3560 route the VLAN(s)
Could you expand on why you suggest this? The only constant in my network is the 2621 acting as the gateway - I am using all other equipment for lab purposes at the moment. BSCI is what I'm working on currently.
 
It is redundant (in a bad way) to have router on a stick AND a switch that can route VLANs. If this is a lab, I could understand, but router on a stick was covered in CCNA, and you say you are studying for BSCI...weird, since VPNs are covered pretty well in CCNA, I thought...

Just figured a CCNA going for CCNP would know why router on a stick is not very smart when you have a 3560...

/
 
The 3560 is a very temporary loaner. Moved out of a building that is being renovated and I get to borrow it until the work is done. I understand that I can accomplish VLAN routing with it but I see no need to reconfigure everything for such a short time.


I guess I wasn't clear on the VPN thing. My boss wouldn't let me set up a VPN between the sites. Even if I was clueless how to do it I could google it.

 