Need help with Port Forwarding or 1:1 NAT

Dinky
Comes here often


Hi Folks,

 

Been having trouble making the Port Forwarding or 1:1 NAT mapping on the MX firewall work.

I have a /29 public subnet available at my disposal, but I cannot establish an SSH connection to my Ubuntu server from the outside.

 

For Port Forwarding here are the parameters:

Uplink: Internet 1

Protocol: TCP

Public Port: 1022

LAN IP: x.x.x.x

Local Port: 22

Remote IPs: Any

 

For 1:1 NAT

Public IP: y.y.y.y

LAN IP: x.x.x.x

Uplink: Internet 1

Protocol: TCP

Port: 22

Remote IPs: 0.0.0.0/0 or any

 

I added an inbound firewall rule to allow inbound traffic to the VLAN containing the Ubuntu server on port 22.

PhilipDAth
Kind of a big deal

Any firewall running on the Ubuntu host?

 

Some ISPs filter inbound traffic.  Test for this by doing a packet capture on the MX Internet interface (filter="port 22"), and make sure the traffic is at least making it to the MX.

Dinky
Comes here often

We did a traceroute from a remote user, and the traffic is able to reach the MX.

PhilipDAth
Kind of a big deal

A traceroute does not reveal if a port is being filtered.

 

First do a packet capture on the MX Internet interface.  Do you see the traffic arriving?  If no - issue with the ISP.

 

Do a packet capture on the MX LAN interface.  Do you see the traffic arriving?  If no - issue with MX configuration.

 

Do a packet capture on the Ubuntu instance (using tcpdump).  Do you see the traffic arriving?  If no - issue with Ubuntu configuration.
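
The last capture step above, as an added example that is not part of the original thread: a Python sketch that reads `tcpdump -nn` text output taken on the Ubuntu host and reports whether the SYN arrived and how the host responded. The addresses, sample lines, and the names `classify` and `HINTS` are constructed for illustration.

```python
import re

# tcpdump -nn text output, e.g.
# 12:00:01.000000 IP 203.0.113.10.51514 > 192.168.10.20.22: Flags [S], seq 1, length 0
LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([A-Z.]+)\]")

HINTS = {
    "upstream": "No SYN reached the host: problem is upstream (ISP or MX rules).",
    "not_listening": "Host answered with RST: nothing listening, or a REJECT rule.",
    "host_firewall": "SYN arrived, no answer: host firewall is likely dropping it.",
    "return_path": "Host sent SYN-ACK: check the reply path (default gateway).",
}

def classify(capture_text, server_ip, port=22):
    """Classify a capture taken on the server for one inbound TCP port.

    With the port forward from the post (public 1022 -> local 22) the host
    still sees destination port 22, so the default applies to both setups.
    """
    syn = synack = rst = False
    for src, sport, dst, dport, flags in LINE.findall(capture_text):
        if dst == server_ip and int(dport) == port and flags == "S":
            syn = True
        elif src == server_ip and int(sport) == port:
            synack = synack or flags == "S."
            rst = rst or "R" in flags
    if not syn:
        return "upstream"
    if rst:
        return "not_listening"
    return "return_path" if synack else "host_firewall"

# Constructed sample captures (documentation addresses, not from the thread).
CLIENT, SERVER = "203.0.113.10.51514", "192.168.10.20"
SYN = f"12:00:01.000000 IP {CLIENT} > {SERVER}.22: Flags [S], seq 100, win 64240, length 0\n"
SYNACK = f"12:00:01.000080 IP {SERVER}.22 > {CLIENT}: Flags [S.], seq 900, ack 101, win 65160, length 0\n"
RST = f"12:00:01.000080 IP {SERVER}.22 > {CLIENT}: Flags [R.], seq 0, ack 101, win 0, length 0\n"

if __name__ == "__main__":
    for name, text in [("retransmitted SYNs", SYN * 3), ("SYN then RST", SYN + RST),
                       ("SYN then SYN-ACK", SYN + SYNACK), ("empty capture", "")]:
        print(f"{name}: {HINTS[classify(text, SERVER)]}")
```
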

Rob2041
Here to help

Can the Ubuntu server ping the Meraki?

Does the Ubuntu server have a default gateway that is pointing to the Meraki?

What external IP is the Ubuntu server leaving on the internet? Is it showing the IP that you set in the 1:1 NAT?

Do you have both a forwarding rule and a 1:1 NAT rule pointing to the same device? If so, try removing the forwarding rule and just keep the 1:1.

Any Layer 7 Firewall rules blocking the connection?

Any IPS logs show blocks on SSH?

Did you confirm this second public IP is working?

mavked
Conversationalist

Do you have Umbrella enabled?

If so, you need to create VPN exclusion rules in Local internet breakout.

Otherwise traffic from the NAT client will be sent into Umbrella and will be blocked.

This is, however, only configurable in SD-WAN hub mode.
