
Port mapping on Cisco 1841


Dalillama

MIS
Jan 18, 2007
14
US
Hello all.

I have an 1841 router that I'm attempting to set up an FTP port mapping through on a T1 circuit I recently acquired and set up. The circuit is working fine; however, my port mapping refuses to work and I'm not sure what exactly I'm missing.

I've set up the proper interfaces as inside and outside for NAT, and set up static mappings for ports 20 and 21 to the appropriate internal address. For testing I have base permit ip any any ACLs set up on both the external serial interface and the internal interface where FTP traffic will flow. Based on all this it seems to me it should work. However, when I attempt an FTP connection from the outside, all I receive is an error message stating "unknown error". Pertinent config details follow below:

interface Serial0/0/0:0
bandwidth 1536
ip address <external IP> 255.255.255.252
ip access-group serial in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no cdp enable

interface FastEthernet0/1
description Test Network$ETH-LAN$
ip address 192.168.1.75 255.255.255.0
ip access-group lan in
ip nat inside
ip virtual-reassembly
speed 100
full-duplex

ip nat pool T1 <external IP> <external IP> netmask 255.255.255.252
ip nat inside source list temporary interface Serial0/0/0:0 overload
ip nat inside source static tcp 192.168.1.20 20 <external IP> 20 extendable
ip nat inside source static tcp 192.168.1.20 21 <external IP> 21 extendable
!
ip access-list extended lan
permit ip any any
ip access-list extended serial
permit ip any any

ip access-list extended temporary
permit ip 192.168.1.0 0.0.0.255 any

Is there something painfully obvious I'm missing here? Granted, it's been a while since I've done router security, but this seems right to me.

Any help would be greatly appreciated.
 
Get rid of all of this...

ip nat inside source static tcp 192.168.1.20 20 <external IP> 20 extendable
ip nat inside source static tcp 192.168.1.20 21 <external IP> 21 extendable
!
ip access-list extended lan
permit ip any any
ip access-list extended serial
permit ip any any

and do this

ip nat inside source static tcp 192.168.1.20 21 int s0/0/0:0 21

You can only statically NAT one port per IP, so 20 is what the router is allowing. You only need 21.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Thanks for your reply, burt.

I ripped out the existing mapping and removed the ACLs for the serial and internal interfaces. Port 21 is statically mapped to the serial interface pointing back to the correct internal IP. However, I'm still unable to access the server through the external IP over which 21 is mapped.

Is there something else I'm missing?
 
Let's start with the basics. Can you ping the serial interface from the internet? Can you ping the internal server from the router? Can the internal server get out to the internet?

If you have verified layer1-3, then please post a config. The static NAT will be L4...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Let me give some background on the situation:

This T1 circuit we have will replace our current DSL line in our production system. Right now we have several systems that FTP data through the DSL line to an FTP server in our DMZ. As there are some systems that cannot be remotely managed, to minimize the downtime during which those systems would effectively be cut off when the circuit is switched over, I wanted to set up a second router with the T1 circuit and have those systems moved over to the new circuit without disrupting the production system. Essentially I would have two different paths to the same host in my DMZ.

I have configured the T1 circuit on the secondary router and confirmed that it is passing traffic normally. Both the production and secondary router are configured to drop all ICMP traffic from the outside. And while pinging the FTP server in the DMZ from the router does not work, it is available as the production FTP port forward functions normally.

On the secondary router I configured FTP port forwards similar to what I have in production but have had no joy in reaching FTP through the T1 circuit on this router.

I can post full configs of both routers.
 
What gateway is the FTP server pointing to; DSL or T1??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I thought the gateway might be an issue. The FTP server is also currently hosting an RRAS server for incoming VPN clients. The gateways on the FTP server are configured to point to the DSL line with a metric of one and to itself with a metric of 20.
 
The issue really is asymmetric routing. Try changing the gateway on the FTP server to point to the T1 router. If you don't want to disrupt service to the FTP server then just throw an XP box or a linux box in your DMZ with FTP services started, alter your static NAT statements on the T1 router to point to this test box, and see what happens.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I set up a laptop running a small FTP server and adjusted the static NAT statements to match the laptop's IP. No joy regarding FTP port forwarding.

So what else am I missing?
 
Can that laptop make it out to the Internet??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
ok, can you post your entire config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here's the current config. Fluff items (such as the login banner) have been removed:

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TestExternal
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.124-11.XW6.bin
boot-end-marker
!
card type t1 0 0
logging buffered 51200 warnings
!
no aaa new-model
clock timezone Chicago -6
clock summer-time Chicago date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
no ip dhcp conflict logging
!
!
ip ips config location flash:128MB.sdf/ retries 1
ip ips notify SDEE
ip ips name TEIPS
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-3390092716
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3390092716
revocation-check none
rsakeypair TP-self-signed-3390092716
!
!
crypto pki certificate chain TP-self-signed-3390092716
certificate self-signed 01
quit
!
!
!
!
username <login account> privilege 15 password 7 1425320F22473E
archive
log config
hidekeys
!
!
controller T1 0/0/0
framing esf
fdl both
linecode b8zs
channel-group 0 timeslots 1-24
!
!
!
!
interface FastEthernet0/0
description Test DMZ
ip address 192.168.2.70 255.255.255.0
ip virtual-reassembly
shutdown
speed 100
full-duplex
!
interface Serial0/0/0:0
bandwidth 1536
ip address <T1 external IP> 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
no cdp enable
!
interface Cable-Modem0/1/0
ip address dhcp
ip ips TEIPS in
ip ips TEIPS out
ip virtual-reassembly
shutdown
service-module ip address <modem external IP> 255.255.255.252
no fair-queue
!
interface FastEthernet0/1
description Test Network$ETH-LAN$
ip address 192.168.1.75 255.255.255.0
ip nat inside
ip virtual-reassembly
speed 100
full-duplex
!
ip route 0.0.0.0 0.0.0.0 <next hop from router>
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool T1 <external IP> <external IP> netmask 255.255.255.252
ip nat inside source list temporary interface Serial0/0/0:0 overload
ip nat inside source static tcp 192.168.1.130 20 interface Serial0/0/0:0 20
ip nat inside source static tcp 192.168.1.130 21 interface Serial0/0/0:0 21
!
ip access-list extended standard
remark default allow
remark SDM_ACL Category=2
remark Standard
permit ip 192.168.5.0 0.0.0.255 any
ip access-list extended temporary
remark T1 temporary
remark SDM_ACL Category=2
remark T1 temp access
permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
disable-eadi
!
!
line con 0
login local
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet
line vty 5 15
privilege level 15
login local
transport input telnet
!
scheduler allocate 20000 1000

!
webvpn cef
end
 
I found the reason why I couldn't hit the FTP server on the laptop. Windows Firewall apparently has three separate profiles under Vista that wreak all manner of havoc. Once I turned those off, the FTP pass through worked like a champ.

However, my problem remains of setting up two separate external paths to a single FTP server. Is this just not possible?
 
I think I finally figured it out.

I didn't know of a way to do it all within the router but using RRAS on the FTP server (which was present for VPN clients anyway) I was able to statically bind the specific gateway for each NIC. As a result, the FTP server now successfully answers on both public IPs without issue.

Thanks to all of you for your assistance. I am very appreciative for all your help :).
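The asymmetric-routing diagnosis earlier in the thread (the server answers every request through its preferred default gateway, whichever router the request arrived through) and the per-NIC gateway binding that finally fixed it, as an added Python model; this is not code from the thread, and the NIC names, prefixes and gateway addresses are constructed assumptions, not the poster's real addressing.

```python
import ipaddress

# Constructed host routing table for a DMZ FTP server with two NICs (assumption:
# one NIC faces the DSL router, one faces the T1 router); gateway None means
# directly connected. Two default routes, the DSL one preferred by metric.
ROUTES = [
    # (prefix, gateway, outgoing NIC, metric)
    ("192.168.2.0/24", None, "nic_dsl", 1),
    ("192.168.5.0/24", None, "nic_t1", 1),
    ("0.0.0.0/0", "192.168.2.1", "nic_dsl", 1),    # DSL router, metric 1
    ("0.0.0.0/0", "192.168.5.1", "nic_t1", 20),    # T1 router, metric 20
]

# Per-NIC gateway binding, the effect RRAS provided in the thread's fix.
NIC_GATEWAY = {"nic_dsl": "192.168.2.1", "nic_t1": "192.168.5.1"}


def destination_route(dst: str):
    """Ordinary destination-based routing: longest prefix match, then lowest
    metric. Returns (gateway, nic); the source NIC of the request is ignored."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, nic, metric in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net:
            key = (net.prefixlen, -metric)   # longer prefix wins, then lower metric
            if best is None or key > best[0]:
                best = (key, gw, nic)
    return (best[1], best[2])


def reply_nic(inbound_nic: str, client_ip: str, bind_gateway_per_nic: bool) -> str:
    """NIC the FTP server's reply to client_ip leaves on. With per-NIC gateway
    binding the reply goes back through the gateway of the NIC that received
    the request; without it, the default-route metric decides."""
    if bind_gateway_per_nic:
        return inbound_nic
    return destination_route(client_ip)[1]


def path_is_symmetric(inbound_nic: str, client_ip: str, bind: bool) -> bool:
    """True when the reply leaves via the same router the request came in on,
    i.e. the router that holds the NAT state sees both directions."""
    return reply_nic(inbound_nic, client_ip, bind) == inbound_nic


if __name__ == "__main__":
    client = "203.0.113.5"   # constructed Internet client address
    for bind in (False, True):
        print(f"bind_gateway_per_nic={bind}: request via T1 answered on",
              reply_nic("nic_t1", client, bind),
              "symmetric" if path_is_symmetric("nic_t1", client, bind) else "asymmetric")
```

Without the binding, a request that came in through the T1 router is answered out of the DSL NIC, so the T1 router's static NAT never sees the return traffic and the client gets no usable reply; with it, each router sees both halves of its own sessions.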
 