
AR169 - Static Address Mapping

Created: Apr 11, 2021 10:14:44 | Latest reply: Apr 11, 2021 19:12:23
Rewarded HiCoins: 0 (problem resolved)

Hi everyone, this is the first time I write :)

Router in operation:
Huawei AR169
Startup System Software: Flash: /ar160-v200r007c02.cc
Startup Patch Package: Flash: /ar160-v200r007cp0063.pat

WAN ADSL internet


For customer needs, it is necessary to do NAT of all the well known ports to the IP of the firewall, the solution adopted and functioning is as follows:

interface Virtual-Ethernet0/0/90
nat static protocol tcp global current-interface any inside <ip firewall> any netmask 255.255.255.255



But as a side effect some remote services no longer work, first of all the telnet.

Is there a way to map all the ports except 20, 21, 22, 23, 69, 123, 161, 162, 179?



Thank you

Greetings

Simone


Featured Answers
chenhui
Admin Created Apr 11, 2021 15:47:57

Posted by supergems at 2021-04-11 15:04: <public-IP-address> is the public address of the cpe AR169 <ip firewall> is the private address of th ...
So, you are trying to telnet the AR169 while the nat static is enabled on the CPE router?
If yes, please use the acl to exclude these ports from the nat function.

supergems Created Apr 11, 2021 16:20:27
Yes,

acl should be similar to this?

acl 3000
rule deny tcp destination-port eq 22 source <ip firewall>  
chenhui Reply supergems Created Apr 13, 2021 07:32:03
Correct.  
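
A way to audit a saved configuration for the side effect discussed in this thread, as an added example that is not part of any post: the Python sketch below flags nat static rules that also take over the router's own management ports, and lists the port ranges left once the poster's ports are excluded. The sample config and 192.168.1.2 are constructed, and treating an "acl <number>" token on the rule as the exclusion filter is an assumption.

```python
import re

# Ports the original poster wants to keep for the router itself.
RESERVED = [20, 21, 22, 23, 69, 123, 161, 162, 179]

# Constructed sample; 192.168.1.2 stands in for <ip firewall>.
SAMPLE = """\
interface Virtual-Ethernet0/0/90
 nat static protocol tcp global current-interface any inside 192.168.1.2 any netmask 255.255.255.255
"""

RULE = re.compile(
    r"^\s*nat static protocol (?P<proto>tcp|udp) global (?P<gaddr>\S+) "
    r"(?P<gport>\S+) inside (?P<host>\S+)(?P<rest>.*)$")


def shadowed_rules(config, reserved=RESERVED):
    """Return (interface, rule, reserved ports it captures) per risky rule."""
    findings, iface = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split()[1]
            continue
        m = RULE.match(line)
        # Assumption: an "acl <number>" token means the rule is filtered.
        if not m or re.search(r"\bacl \d+", m["rest"]):
            continue
        # Only "any" and a single numeric global port are handled here.
        hit = [p for p in reserved if m["gport"] in ("any", str(p))]
        if hit:
            findings.append((iface, line.strip(), hit))
    return findings


def forwardable_ranges(reserved=RESERVED, low=1, high=65535):
    """Inclusive (start, end) port ranges that avoid every reserved port."""
    ranges, start = [], low
    for port in sorted(p for p in set(reserved) if low <= p <= high):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= high:
        ranges.append((start, high))
    return ranges


if __name__ == "__main__":
    for iface, rule, ports in shadowed_rules(SAMPLE):
        print(f"{iface}: rule also captures router ports {ports}\n  {rule}")
    print("forwardable well-known ranges:", forwardable_ranges(high=1023))
```
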
All Answers
chenhui Admin Created Apr 11, 2021 10:19:11

Hi,
You mean telnet the firewall doesn't work?

supergems Created Apr 11, 2021 11:19:18
Hi,

no, I mean the CPE telnet from the PE of the telecommunications company, as well as other CPE services don't work like SNMP  
chenhui Reply supergems Created Apr 11, 2021 14:08:53
Is the telnet service enabled on the firewall already?  
chenhui Reply supergems Created Apr 11, 2021 14:09:35
I tried on the LAB environment, it worked fine.
supergems Created Apr 11, 2021 14:57:26

I am the telecommunications company operator, the firewall is of the customer.
My goal is to be able to telnet the CPE from the PE

[pe-fastweb]---[cpe-fastweb]---[firewall]

With the applied rule it is unable to telnet because the ports 22 and 23 are mapped:

[pe-fastweb]#telnet <public-IP-address> /so Loopbackxxx
Trying <public-IP-address> ...
% Connection refused by remote host


If I remove the "nat static protocol tcp global current-interface any inside <ip firewall> any netmask 255.255.255.255" then I can do the telnet:


[pe-fastweb]#telnet <public-IP-address> /so Loopbackxxx
Trying <public-IP-address> ... Open

Login authentication

Username:
Password:



supergems Created Apr 11, 2021 15:04:55

<public-IP-address> is the public address of the cpe AR169

<ip firewall> is the private address of the firewall


I have no interest and in any case I don't have permissions to telnet the firewall.


hemin88 Created Apr 11, 2021 15:45:36
You should never telnet customer's CPE, he has the control to give permissions.
By default most of incoming ports from the ISP to the CPE side are blocked.  
chenhui Admin Created Apr 11, 2021 15:49:14

Posted by supergems at 2021-04-11 15:04: <public-IP-address> is the public address of the cpe AR169 <ip firewall> is the private address of th ...
BTW, please DO make sure you have the permission to telnet the customer's products.

andersoncf1 Moderator Created Apr 11, 2021 19:12:23

Great