Hi Folks,
Been having trouble making the Port Forwarding or 1:1 NAT mapping on the MX firewall work.
I have a /29 public subnet available at my disposal, but I cannot establish an SSH connection to my Ubuntu server from the outside.
For Port Forwarding here are the parameters:
Uplink: Internet 1
Protocol: TCP
Public Port: 1022
LAN IP: x.x.x.x
Local Port: 22
Remote IPs: Any
For 1:1 NAT
Public IP: y.y.y.y
LAN IP: x.x.x.x
Uplink: Internet 1
Protocol: TCP
Port: 22
Remote IPs: 0.0.0.0/0 or any
I added an inbound firewall rule to allow inbound traffic to the VLAN containing the Ubuntu server on port 22.
Any firewall running on the Ubuntu host?
Some ISPs filter inbound traffic. Test for this by doing a packet capture on the MX Internet interface (filter="port 22"), and make sure the traffic is at least making it to the MX.
We did a trace route from a remote user, and the traffic is able to reach the MX.
A traceroute does not reveal if a port is being filtered.
First do a packet capture on the MX Internet interface. Do you see the traffic arriving? If no - issue with the ISP.
Do a packet capture on the MX LAN interface. Do you see the traffic arriving? If no - issue with MX configuration.
Do a packet capture on the Ubuntu instance (using tcpdump). Do you see the traffic arriving? If no - issue with Ubuntu configuration.
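The three-capture triage above can be turned into a small script that reads the text output of each capture and reports the first hop where the SSH handshake disappears. This is an added example, not code from the thread or from Meraki; it assumes tcpdump-style text output (`tcpdump -n`, so addresses are numeric) from the MX Internet interface, the MX LAN interface and the Ubuntu host, and the three captures below are constructed with documentation addresses (203.0.113.5 as the remote client, 198.51.100.10 as the public IP, 10.0.5.10 as the LAN IP) to match the port-forwarding rule in the question (public port 1022 to local port 22).

```python
import re

# tcpdump's default one-line text format for an IPv4 TCP packet, e.g.
# "12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.1022: Flags [S], seq 100, win 64240, length 0"
TCPDUMP_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Yield (src, sport, dst, dport, flags) for every parseable tcpdump line."""
    for line in text.splitlines():
        m = TCPDUMP_LINE.match(line.strip())
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def summarize(text, dport):
    """Count inbound SYNs to dport and SYN-ACKs sent back from dport."""
    syn = synack = 0
    for _src, sport, _dst, d, flags in parse_capture(text):
        if d == dport and flags == "S":        # client's SYN towards the service
            syn += 1
        elif sport == dport and flags == "S.":  # service's SYN-ACK reply
            synack += 1
    return {"syn": syn, "synack": synack}


def diagnose(wan_capture, lan_capture, host_capture, public_port=1022, local_port=22):
    """Walk the captures in the order the post suggests and name the first broken segment.
    On the WAN side the port-forward is addressed to the public port; after
    translation the LAN and host captures show the local port."""
    wan = summarize(wan_capture, public_port)
    if wan["syn"] == 0:
        return "no SYN on MX Internet interface: traffic is not reaching the MX (ISP filtering)"
    lan = summarize(lan_capture, local_port)
    if lan["syn"] == 0:
        return "SYN reaches MX but not the LAN interface: MX forwarding/NAT or inbound rule"
    host = summarize(host_capture, local_port)
    if host["syn"] == 0:
        return "SYN leaves MX LAN but never reaches the host: VLAN/switching path"
    if host["synack"] == 0:
        return "host sees SYN but sends no SYN-ACK: host firewall or sshd not listening"
    if lan["synack"] == 0:
        return "host replies but the reply is not seen on MX LAN: default gateway/return path"
    return "full handshake visible end to end: look beyond layer 4 (L7 rules, IPS)"


# Constructed sample captures (not real traffic): the SYN makes it all the way to
# the host, but the host never answers, which points at a host-side firewall.
WAN_CAPTURE = (
    "12:00:01.000001 IP 203.0.113.5.51234 > 198.51.100.10.1022: Flags [S], seq 100, win 64240, length 0\n"
)
LAN_CAPTURE = (
    "12:00:01.000200 IP 203.0.113.5.51234 > 10.0.5.10.22: Flags [S], seq 100, win 64240, length 0\n"
)
HOST_CAPTURE = (
    "12:00:01.000350 IP 203.0.113.5.51234 > 10.0.5.10.22: Flags [S], seq 100, win 64240, length 0\n"
)


def example():
    """Run the triage over the constructed captures."""
    return diagnose(WAN_CAPTURE, LAN_CAPTURE, HOST_CAPTURE)


if __name__ == "__main__":
    print(example())
```

In practice you would save each capture with `tcpdump -n port 22` (or the Dashboard packet capture for the MX interfaces), paste the text into the three inputs, and read the verdict; an empty WAN capture is the ISP-filtering case from the post, while a host capture with a SYN and no SYN-ACK is the "any firewall on the Ubuntu host?" case.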
Can the Ubuntu server ping the Meraki?
Does the Ubuntu server have a default gateway that is pointing to the Meraki?
What external IP is the Ubuntu server leaving on the internet? Is it showing the IP that you set in the 1:1 NAT?
Do you have both a forwarding rule and a 1:1 NAT rule pointing to the same device? If so, try removing the forwarding rule and just keep the 1:1.
Any Layer 7 Firewall rules blocking the connection?
Any IPS logs show blocks on SSH?
Did you confirm this second public IP is working?
Do you have Umbrella enabled ?
If so, you need to create VPN exclusion rules in Local internet breakout.
Otherwise traffic from the NAT client will be sent into Umbrella and will be blocked.
This is, however, only configurable in SD-WAN hub mode.