
pcANYWHERE connections through a Cisco 1604


ForceTen

IS-IT--Management
Jan 11, 2001
Hello...

I'm fairly new to configuring Cisco routers and I've run into a jam on my first job...DOH!

The system I'm working with has an ISDN connection to their ISP. They have a LAN with a private IP scheme, 192.168.1.x, and they use NAT on a Cisco 1604 router in order for their LAN to have Internet access. This part was already configured before I started working with it and everything with this works fine.

Here's the issue: I need to have some clients on the outside, who use registered IP addresses, establish a pcANYWHERE connection to a PC on the private LAN - the IP address of that station is 192.168.1.37. They use the latest version of pcANYWHERE, 9.x, and so the ports used are 5631 and 5632. So far, I have been unsuccessful in getting this to work, even when temporarily disabling all access lists that are running.

So in English, I need all traffic coming into the router's public IP address on the BRI0 interface using ports 5631 and 5632 to be directed to the station on the LAN having the private IP address 192.168.1.37.

Unfortunately, I can't tell the Cisco router this in English, and all combinations of commands that I've tried so far have failed. I will post the current running config of this router and hopefully someone can point me in the right direction. I have been reading the documentation that I've gotten from the Cisco website, and the solution is probably right there in front of my face, but like I said, this is my first job configuring a Cisco router and I'm just not seeing it.

If anyone can shed some light on this for me, I'd really be grateful. Sorry for the long-winded post, but I wanted to make sure that I provided enough background info for this to make sense! The config follows...
-----------------------------------------------------------

!
version 12.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname xxxxx
!
logging buffered 4096 informational
!
ip subnet-zero
ip name-server 207.112.128.2
ip name-server 206.54.224.1
ip inspect name internet ftp
ip inspect name internet tcp
ip inspect name internet udp
ip inspect name internet smtp
ip inspect name internet http java-list 1
isdn switch-type basic-ni
isdn tei-negotiation first-call
!
!
!
interface Ethernet0
ip address 192.168.1.1 255.255.255.0
ip access-group 102 in
ip access-group 101 out
no ip directed-broadcast
ip nat inside
no ip route-cache
no ip mroute-cache
!
interface BRI0
description ISDN Ckt IBZD233340 (Connection to ISP)
ip address 209.100.92.245 255.255.255.0
ip access-group 111 in
ip access-group 110 out
no ip directed-broadcast
ip nat outside
ip inspect internet out
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer map ip 207.112.131.226 name tc5.chi 97140061
dialer load-threshold 70 outbound
dialer-group 1
isdn switch-type basic-ni
isdn spid1 21986446500111 8644650
isdn spid2 21986446510111 8644651
ppp authentication chap pap callin
ppp pap sent-username xxxxx password 7 041A4A0B0E335F0D4A
ppp multilink
!
ip nat inside source list 121 interface BRI0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 207.112.131.226
ip route 207.112.131.226 255.255.255.255 BRI0
!
access-list 1 permit any
access-list 101 permit tcp host 199.172.146.114 eq 192.168.1.32 eq 1464
access-list 101 permit tcp host 199.172.146.114 eq 192.168.1.32 eq 1421
access-list 101 permit tcp 208.132.215.0 0.0.0.255 host 192.168.1.37 eq 5631
access-list 101 permit udp 208.132.215.0 0.0.0.255 host 192.168.1.37 eq 5632
access-list 101 permit tcp 208.132.215.0 0.0.0.255 host 192.168.1.37 eq 5632
access-list 101 permit udp 208.132.215.0 0.0.0.255 host 192.168.1.37 eq 5631
access-list 101 permit icmp any any
access-list 101 permit ip any any
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 110 permit tcp 209.100.92.0 0.0.0.255 any
access-list 110 permit udp 209.100.92.0 0.0.0.255 any
access-list 110 permit icmp 209.100.92.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 111 permit tcp host 207.112.128.12 eq pop3 host 209.100.92.245 eq 1713
access-list 111 permit tcp host 216.34.209.10 eq 209.100.92.245 eq 1611
access-list 111 permit tcp host 64.58.76.68 eq 209.100.92.245 eq 1580
access-list 111 permit tcp host 4.22.174.163 eq 209.100.92.245 eq 1358
access-list 111 permit tcp host 207.246.136.141 eq 209.100.92.245 eq 1472
access-list 111 permit tcp host 207.246.136.141 eq 209.100.92.245 eq 1450
access-list 111 permit tcp host 207.246.136.141 eq 209.100.92.245 eq 1424
access-list 111 permit tcp host 207.211.39.119 eq 209.100.92.245 eq 1454
access-list 111 permit tcp host 207.211.39.119 eq 209.100.92.245 eq 1442
access-list 111 permit tcp host 207.211.39.119 eq 209.100.92.245 eq 1427
access-list 111 permit tcp host 207.211.39.119 eq 209.100.92.245 eq 1412
access-list 111 permit tcp host 207.246.136.130 eq 209.100.92.245 eq 1470
access-list 111 permit tcp host 207.246.136.130 eq 209.100.92.245 eq 1410
access-list 111 permit tcp host 207.246.136.213 eq 209.100.92.245 eq 1453
access-list 111 permit tcp host 207.112.128.12 eq pop3 host 209.100.92.245 eq 1765
access-list 111 permit tcp host 199.172.146.114 eq 209.100.92.245 eq 1464
access-list 111 permit tcp host 199.172.146.114 eq 209.100.92.245 eq 1421
access-list 111 permit ip 208.132.215.0 0.0.0.255 host 209.100.92.245
access-list 111 deny ip 209.100.92.0 0.0.0.255 any
access-list 111 deny ip any any
access-list 121 permit icmp any any
access-list 121 permit ip any any
dialer-list 1 protocol ip list 121
!
line con 0
exec-timeout 0 0
password 7 033A1806071D32720D
login
transport input none
line vty 0 4
password 7 10704A14040501354F
login
!
end
 
That's one ugly access list :)

You are missing the static mapping through NAT for the ports. Something like this:
!
ip nat inside source static tcp 192.1.1.235(inside target) 80 63.196.195.108(outside real IP) 80
This was to pass web traffic on port 80 to a specific box on the inside network. Replace IPs and ports as needed.


Mike S

 
Thanks wybnormal...

I'll give that a try as soon as I can. One other question (thanks for being patient with me). Do I add that statement in addition to the "ip nat inside source list 121 interface BRI0 overload", or does the statement you gave me replace the old one?

It seems like the two of them would work together, but I just want to make sure.

Thanks again!

Dan

 
Hi wybnormal...

Sorry, there was one other thing I had meant to ask in my previous reply. Since pcANYWHERE requires 2 different ports, do I need to create two additional statements or just one statement with two different port references?

Thanks again!

Dan
 
The statement you already have in place sets up the NAT. You need the second statement to hard code a path and port through NAT so they do work together.

Mike S
 
wybnormal:

Okay, I tried those commands on the 1604, but I could not get anything to go through. Here's the NAT statement that was already there:

ip nat inside source list 121 interface BRI0 overload


And here are the lines that I entered. I tried entries for pcANYWHERE and for tftp:

ip nat inside source static udp 192.168.1.37 69 4.54.125.221 69 extendable
ip nat inside source static tcp 192.168.1.40 69 4.54.125.221 69 extendable
ip nat inside source static udp 192.168.1.37 5632 4.54.125.221 5632 extendable
ip nat inside source static udp 192.168.1.37 5631 4.54.125.221 5631 extendable
ip nat inside source static tcp 192.168.1.37 5632 4.54.125.221 5632 extendable
ip nat inside source static tcp 192.168.1.37 5631 4.54.125.221 5631 extendable

Before trying all of this, I did turn off the access lists on all interfaces. I didn't clear the lists themselves, but I did disassociate them from their respective interfaces.

Can you see anything that I am overlooking? Some more info: The 4.54.125.221 address is an address that was dynamically assigned to my laptop by my ISP. Since that's a dynamically assigned address, would that have any bearing on my problem?

Also, when I couldn't get the pcANYWHERE connection to go through, I tried it the opposite direction. I set up my laptop, 4.54.125.221, as a pcANYWHERE host, and I used my private IP machine, 192.168.1.37, as remote and I was able to connect going in that direction. That leads me to believe that the 4.54.125.221 address is a true public address and not the source of my problem, but that's just my best guess.

Again, if you can provide any more help, I would appreciate it greatly!

Dan
 
While I mull this over, try turning off the "no ip directed-broadcast" on the interfaces being used. Also, do a "show ip nat translation" and a "show ip nat statistic" and paste in the results. Do this before you try accessing PCA and after. Let's see if the router even builds one leg of the connection we need.

Mike S
 
Okay, I just got back from there and I probably won't be getting back over there until early next week. But I'll try that stuff ASAP and post the results.

The no ip directed-broadcast line was already there, so I have no idea what it does. Sounds like you do, so I'll ditch it. :)

I can't thank you enough for taking the time to give me a hand with this...it's really starting to get to me and I'm a very patient person!

Dan
 
Just temporarily ditch it... you want to keep it, since it helps prevent smurf attacks against your router. But it can interfere with troubleshooting of something unknown like this. So just rem it out or make a note of it before you delete it. If we can, it should go back in.

Mike S
 
Okay, I tried that and here's the results. I made sure that each interface stated "ip directed-broadcast" instead of "no ip directed-broadcast" before I began.

Here's the results of the "show ip nat trans" and "show ip nat stat" BEFORE trying the PCA connection.

seminary#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 4.54.126.27:5631 192.168.1.37:5631 --- ---
udp 4.54.126.27:5631 192.168.1.37:5631 --- ---
tcp 4.54.126.27:5632 192.168.1.37:5632 --- ---
udp 4.54.126.27:5632 192.168.1.37:5632 --- ---
tcp 4.54.126.27:69 192.168.1.40:69 --- ---
udp 4.54.126.27:69 192.168.1.37:69 --- ---
tcp 4.54.126.27:80 192.168.1.37:80 --- ---
tcp 209.100.92.245:1259 192.168.1.20:1259 207.112.128.12:110 207.112.128.12:110
udp 209.100.92.245:137 192.168.1.37:137 208.132.215.120:137 208.132.215.120:137

seminary#show ip nat statistic
Total active translations: 9 (7 static, 2 dynamic; 9 extended)
Outside interfaces:
BRI0, BRI0:1, BRI0:2, Virtual-Access1
Inside interfaces:
Ethernet0
Hits: 15 Misses: 2
Expired translations: 0
Dynamic mappings:
-- Inside Source
access-list 121 interface BRI0 refcount 2


And here's what it gave me after I tried once with PCA.

seminary#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 4.54.126.27:5631 192.168.1.37:5631 --- ---
udp 4.54.126.27:5631 192.168.1.37:5631 --- ---
tcp 4.54.126.27:5632 192.168.1.37:5632 --- ---
udp 4.54.126.27:5632 192.168.1.37:5632 --- ---
tcp 4.54.126.27:69 192.168.1.40:69 --- ---
udp 4.54.126.27:69 192.168.1.37:69 --- ---
tcp 4.54.126.27:80 192.168.1.37:80 --- ---
tcp 209.100.92.245:1260 192.168.1.20:1260 207.112.128.12:110 207.112.128.12:110
tcp 209.100.92.245:1261 192.168.1.20:1261 207.112.128.12:110 207.112.128.12:110
udp 209.100.92.245:137 192.168.1.37:137 208.132.215.120:137 208.132.215.120:13

seminary#show ip nat statistic
Total active translations: 10 (7 static, 3 dynamic; 10 extended)
Outside interfaces:
BRI0, BRI0:1, BRI0:2, Virtual-Access1
Inside interfaces:
Ethernet0
Hits: 62 Misses: 4
Expired translations: 1
Dynamic mappings:
-- Inside Source
access-list 121 interface BRI0 refcount 3


So, hopefully you'll be able to make some sense of that. To me, it doesn't seem like it really tried to build anything, and I suppose that's where my problem lies.

Sorry for these long posts, but I'm just posting what the router gives me. :)

Thanks again for any help you can provide!

Dan
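A way to check what the two "show ip nat translation" snapshots above actually say, as an added Python example that is not code from the thread. It parses the table (re-joining the row the terminal wrapped at 80 columns), flags idle static entries whose inside-global address is not the router's own outside address (a static mapping only matches packets sent to its inside-global address, so an entry keyed to an address the router does not hold on BRI0 can never be reached from the outside), and diffs the before/after snapshots to see whether the connection attempt created any entry with an outside peer on the forwarded ports. The sample tables are constructed from the values posted above; the router address 209.100.92.245 is taken from the posted config.

```python
"""Parse IOS 'show ip nat translation' output and sanity-check static port mappings."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ENDPOINT = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")
PROTOCOLS = ("tcp", "udp", "icmp")
ROUTER_OUTSIDE_IP = "209.100.92.245"  # interface BRI0 address from the posted config

# Constructed snapshots modelled on the two outputs posted in the thread; the last
# row of each is wrapped at 80 columns exactly as the poster's terminal wrapped it.
SNAPSHOT_BEFORE = """\
seminary#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 4.54.126.27:5631 192.168.1.37:5631 --- ---
udp 4.54.126.27:5631 192.168.1.37:5631 --- ---
tcp 4.54.126.27:5632 192.168.1.37:5632 --- ---
udp 4.54.126.27:5632 192.168.1.37:5632 --- ---
tcp 4.54.126.27:69 192.168.1.40:69 --- ---
udp 4.54.126.27:69 192.168.1.37:69 --- ---
tcp 4.54.126.27:80 192.168.1.37:80 --- ---
tcp 209.100.92.245:1259 192.168.1.20:1259 207.112.128.12:110 207.112.128.12:110
udp 209.100.92.245:137 192.168.1.37:137 208.132.215.120:137 208.132.215.120:13
7
"""
SNAPSHOT_AFTER = """\
seminary#show ip nat translation
Pro Inside global Inside local Outside local Outside global
tcp 4.54.126.27:5631 192.168.1.37:5631 --- ---
udp 4.54.126.27:5631 192.168.1.37:5631 --- ---
tcp 4.54.126.27:5632 192.168.1.37:5632 --- ---
udp 4.54.126.27:5632 192.168.1.37:5632 --- ---
tcp 4.54.126.27:69 192.168.1.40:69 --- ---
udp 4.54.126.27:69 192.168.1.37:69 --- ---
tcp 4.54.126.27:80 192.168.1.37:80 --- ---
tcp 209.100.92.245:1260 192.168.1.20:1260 207.112.128.12:110 207.112.128.12:110
tcp 209.100.92.245:1261 192.168.1.20:1261 207.112.128.12:110 207.112.128.12:110
udp 209.100.92.245:137 192.168.1.37:137 208.132.215.120:137 208.132.215.120:13
7
"""


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: Tuple[str, int]
    inside_local: Tuple[str, int]
    outside_local: Optional[Tuple[str, int]]
    outside_global: Optional[Tuple[str, int]]

    @property
    def has_peer(self) -> bool:
        """True once an outside host has actually used this entry ('---' means idle)."""
        return self.outside_global is not None


def _endpoint(token: str) -> Optional[Tuple[str, int]]:
    if token == "---":
        return None
    m = ENDPOINT.match(token)
    if not m:
        raise ValueError(f"unrecognised endpoint: {token!r}")
    return m.group(1), int(m.group(2))


def _unwrap(lines: List[str]) -> List[str]:
    """Re-join rows the terminal wrapped: a bare digit run on its own line continues the previous row."""
    out: List[str] = []
    for line in lines:
        stripped = line.strip()
        if out and stripped.isdigit():
            out[-1] += stripped
        else:
            out.append(stripped)
    return out


def parse_nat_table(text: str) -> List[Translation]:
    """Return one Translation per data row; prompt, header and blank lines are skipped."""
    rows: List[Translation] = []
    for line in _unwrap(text.splitlines()):
        fields = line.split()
        if len(fields) != 5 or fields[0].lower() not in PROTOCOLS:
            continue
        proto, ig, il, ol, og = fields
        rows.append(Translation(proto.lower(), _endpoint(ig), _endpoint(il), _endpoint(ol), _endpoint(og)))
    return rows


def misaddressed_mappings(rows: List[Translation], router_outside_ip: str) -> List[Translation]:
    """Idle static entries keyed to an inside-global address the router does not own; no outside host can hit them."""
    return [r for r in rows if not r.has_peer and r.inside_global[0] != router_outside_ip]


def new_translations(before: List[Translation], after: List[Translation]) -> List[Translation]:
    """Entries present only in the second snapshot, i.e. what the connection attempt created."""
    seen = set(before)
    return [r for r in after if r not in seen]


def forwarded_port_hits(rows: List[Translation], ports: Set[int]) -> List[Translation]:
    """Entries proving an outside peer reached one of the forwarded inside ports."""
    return [r for r in rows if r.has_peer and r.inside_local[1] in ports]


def report(before: str, after: str, ports: Set[int]) -> dict:
    b, a = parse_nat_table(before), parse_nat_table(after)
    return {
        "misaddressed": len(misaddressed_mappings(b, ROUTER_OUTSIDE_IP)),
        "new": len(new_translations(b, a)),
        "forwarded_hits": len(forwarded_port_hits(a, ports)),
    }


if __name__ == "__main__":
    print(report(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, {5631, 5632}))
```

On the constructed snapshots every static entry is keyed to 4.54.126.27 rather than 209.100.92.245, so the report shows seven misaddressed mappings and no entry with an outside peer on 5631/5632; the only two new entries are ordinary POP3 sessions from 192.168.1.20. That is the pattern to look for when a port forward "never builds anything": the static rows stay idle because nothing on the outside is ever addressed to the inside-global address they carry.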
 
Hits: 62  Misses: 4

This incremented counter tells us that you are hitting it... now the trick is to figure out why. I will dummy up something tonight or tomorrow and run a sniff on it to see just what it's expecting. Unless someone has the magic bullet :)

Mike S
 
Hey wybnormal...

Do you think it might be in my best interest to save off the current startup config, and then create a new one that is more "bare bones?" Maybe something that would give me the ISDN connection, plus set up the basic NAT, but leave out all of the extra access list stuff?

Let me know what you think...

Thanks!

Dan
 
Dan-

In troubleshooting something like this, it's almost always better to clear the board and start with the bare amount required, assuming you can. You are correct in putting up only the interfaces you need and running the basic NAT. In fact, if you can set up a safe link, set it up without the NAT, test it and make sure you can get the PCAnywhere across the router without anything configured. Then NAT it and try it. If it won't work, fix the NAT and then move on to the access lists and so on.

Mike S

PS- I have not had the time to set up a lab to test this problem.. hopefully tonight
 
Mike,

Okay, the next time I get a chance, I'll see if I can create a new config that's a little more basic.

If you can find the time to set up that lab, that would be great...maybe that would eliminate the possibility that the 1604 I'm working with is messed up in some way. You've already given me a lot of insight on this problem, though, so if you don't have the time to mess with that lab, don't worry about it!

It looks like the next chance I'll have to work with that is on Saturday, so I'll post what I come up with then.

Thanks again...

Dan
 