Port Forwarding

CarlosCoque
Here to help


Hi,

 

We have a MX-64 with 2 internet links, each one having an external static IP address.

 

We're currently doing a project where we need to make a web server on our LAN available to the internet.

 

I was reading about that and found that I couldn't do NAT 1:1 because we just have the 2 static IPs on the MX-64 WAN interfaces and Meraki won't allow those to be used in that case.

 

Then, I decided to go with the port forwarding option, which seemed to be fairly simple.

 

My configuration is shown below:

 

CarlosCoque_0-1611604907924.png

After configuring it I've just saved it and started testing.

 

The web server (192.168.0.130) can be normally accessed within our LAN, but when I try http://[static_IP]:8080 or https://[static_IP]:8443 with any of the 2 IPs on our WAN interfaces it times out and doesn't open anything.

 

Any clues on what I'm doing wrong?

 

Thanks,

 

Carlos

14 REPLIES
Bruce
Kind of a big deal

When you try to access the servers by the public IP address are you on the LAN still, or are you accessing them from external via the internet (i.e. the traffic is going directly to the WAN port)? The MX won’t hairpin flows from the LAN ports to the WAN IP address, so if you are on a LAN port that is the most likely reason for the timeout.

Hi Bruce,

Thanks for the quick reply.

When I'm on the LAN, I can normally access the server by name and it opens the expected website.

When I access that using the internal IP address though, I get "HTTP Error 404. The requested resource is not found." but I believe it's expected and it also means I'm reaching the server.

However, when I'm outside the LAN and try to access with the ports configured in the firewall rule using the external IP address, it times out.

 
 

Untitled33.png

It seems it simply doesn't work because I believe the configuration is correct...

It's worth mentioning that the external IP addresses I'm binding to this server are the same I have bound to the WAN interfaces in the security appliance.

I found I wouldn't be able to use them for this purpose if I was using NAT 1:1 but it should work when I'm using Port Forwarding instead.

 

Bruce
Kind of a big deal

Wondering if it’s something to do with the server configuration. I’m not a web server expert but maybe the virtual host configuration is the problem? Since the web server is being accessed from the external IP address on ports 8443 and 8080 (in the URL element), maybe the virtual hosts need to be configured for those ports. (As I said, not a web server expert... just theorising).

CptnCrnch
Kind of a big deal

There's a nice document that could help you with further troubleshooting:

https://documentation.meraki.com/MX/NAT_and_Port_Forwarding/Troubleshooting_Port_Forwarding_and_NAT_...

 

Have you tried to do a Packet Capture to see if the packets destined to that server are arriving on the MX's inside interface?

Hi CptnCrnch,

 

I read that link you sent me when I was starting the configuration.

 

The Port Forwarding should be a pretty simple setup.

 

Then, for troubleshooting purposes, I decided to use the IIS Default Website.

 

CarlosCoque_0-1612302882491.png

 

IP address is 192.168.0.30 and the website listens to port 8080.

 

I can access that by IP address from both the localhost and any host on the LAN.

 

Then, I set the firewall rule accordingly and allowed any remote IP access.

 

CarlosCoque_1-1612303019821.png

 

Below is the packet capture when I tried accessing from outside:

 

--- Start Of Stream ---
reading from file -, link-type EN10MB (Ethernet)
21:00:38.873811 IP [My_Home_IP].49556 > [Static_IP].8080: Flags [S], seq 4169732469, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:38.875411 IP [My_Home_IP].49557 > [Static_IP].8080: Flags [S], seq 1638634888, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:42.934329 IP [Static_IP].4500 > [My_Home_IP].4500: isakmp-nat-keep-alive
21:00:46.884274 IP [My_Home_IP].49556 > [Static_IP].8080: Flags [S], seq 4169732469, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:46.886153 IP [My_Home_IP].49557 > [Static_IP].8080: Flags [S], seq 1638634888, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:53.968322 IP [My_Home_IP].49560 > [Static_IP].8080: Flags [S], seq 987829868, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:53.968372 IP [My_Home_IP].49561 > [Static_IP].8080: Flags [S], seq 26056157, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
--- End Of Stream ---

 

It still times out and opens nothing inside the browser.

 

That's insane...
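An added example, not part of the original thread: a short Python check that reads the tcpdump lines posted above and reports, per client flow, how many times the same SYN was seen and whether any SYN-ACK came back from port 8080. The function names `summarize` and `verdict` are made up for this illustration.

```python
import re
from collections import defaultdict

# The capture from the post above, verbatim (addresses are the poster's placeholders).
CAPTURE = """\
21:00:38.873811 IP [My_Home_IP].49556 > [Static_IP].8080: Flags [S], seq 4169732469, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:38.875411 IP [My_Home_IP].49557 > [Static_IP].8080: Flags [S], seq 1638634888, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:42.934329 IP [Static_IP].4500 > [My_Home_IP].4500: isakmp-nat-keep-alive
21:00:46.884274 IP [My_Home_IP].49556 > [Static_IP].8080: Flags [S], seq 4169732469, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:46.886153 IP [My_Home_IP].49557 > [Static_IP].8080: Flags [S], seq 1638634888, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:53.968322 IP [My_Home_IP].49560 > [Static_IP].8080: Flags [S], seq 987829868, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:53.968372 IP [My_Home_IP].49561 > [Static_IP].8080: Flags [S], seq 26056157, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
"""

# tcpdump TCP line: time, src.port > dst.port, flags, sequence number.
LINE = re.compile(
    r"^\S+ IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\], seq (?P<seq>\d+)"
)

def summarize(capture, port):
    """Per client flow to `port`: how often its SYN was seen, and whether a SYN-ACK returned."""
    syns = defaultdict(int)   # (client, client_port, seq) -> times this exact SYN appeared
    answered = set()          # (client, client_port) that got a SYN-ACK from `port`
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue          # not a TCP line, e.g. the isakmp-nat-keep-alive
        if m["flags"] == "S" and int(m["dport"]) == port:
            syns[(m["src"], int(m["sport"]), int(m["seq"]))] += 1
        elif m["flags"] == "S." and int(m["sport"]) == port:
            answered.add((m["dst"], int(m["dport"])))
    return {
        (src, sport): {"syn_count": n, "answered": (src, sport) in answered}
        for (src, sport, _seq), n in syns.items()
    }

def verdict(flows):
    """Turn the flow summary into a one-line reading of the capture."""
    if not flows:
        return "no SYNs on this interface"
    if any(f["answered"] for f in flows.values()):
        return "handshake answered"
    return "SYNs arrive, nothing answers"

if __name__ == "__main__":
    flows = summarize(CAPTURE, 8080)
    for flow, info in sorted(flows.items()):
        print(flow, info)
    print(verdict(flows))
```

Running the same check on a capture taken on the other MX interface shows which side of the appliance the SYNs stop on.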

Bruce
Kind of a big deal

@CarlosCoque double check your protocol on the port forwarding rule. HTTP uses TCP not UDP, the screen grab you provided shows it configured as UDP.

Well observed.

I believe I did that to test something but got back to TCP and also disabled the firewall on the internal server, just in case.

I still get the same timeout screen.

I can access both from the localhost and from any computer in our LAN, but it still times out when coming from outside.

I don't know what else I can try at this point...

Is the packet trace you're showing done on the outside interface or inside?

I did that from the Meraki cloud access and I was using that on a LAN computer but I believe there wouldn't be any difference if I accessed that from outside as well.

OK, to go further: did you packet trace that traffic on the internet facing or the Inside interface?

 

If this was done on the inside interface, it looks like MX is doing everything correctly but doesn't see returning traffic from that server.

 

All in all, this is guessing here because we don't know what's sitting between your external facing MX and that server.

Here are my latest tests.

 

From the LAN:

 

CarlosCoque_0-1612389136109.png

 

From outside:

 

CarlosCoque_1-1612389287077.png

 

Surprisingly for me they are different.

 

From the LAN I didn't get anything while from outside I got something.

 

It still times out on both, though.

Could you then please tell us a little bit about your setup? Is the webserver placed in the same subnet as your client?

 

Apart from that: is your default gateway for that server really 192.168.0.2?

It's a pretty simple setup.

LAN is 192.168.0.0/24 and the Web Server is there.

I can access the Web Server from both itself and from any host in the LAN, as expected.

I have 2 WAN ports, one is the original from the MX-64 and the other is one of the LAN ports converted into WAN2.

Then, I configured a Port Forwarding from the WAN ports (I used the setting "both", but tried with "Internet 1" as well in the testing process) to the Web server in the LAN.

Everything seems to be properly set, but it simply doesn't work.

Bruce
Kind of a big deal

@CarlosCoquecan you get yourself set up as you did for your outside capture which provided results, check that it still provides results again, and then change the packet capture interface to LAN (rather than Internet 1) to see if the traffic is making it to the LAN-side of the MX
