02-05-2020 01:16 PM
Hi,
I would need some help with a NAT problem.
With some previous help from this community I configured a Cisco ISR 1113-8p, but I cannot allow users from outside my LAN to access some hosts inside my LAN. They're getting a "connection refused" message.
I don't have a public IP but a dynamically given one from the ISP. For this reason I have a Dynamic DNS (it's working correctly and pointing to my actual public IP).
Based on my running-config shown at the end of this post, I basically would like that:
- requests from external users on port 80 could be sent to 192.168.178.109:80
- requests from external users on port 81 could be sent to 192.168.178.200:81
version 16.10
!
hostname Router
!
boot-start-marker
boot-end-marker
!
ip name-server 8.8.8.8
ip dhcp excluded-address 192.168.178.1 192.168.178.2
ip dhcp excluded-address 192.168.178.109
ip dhcp excluded-address 192.168.178.110
ip dhcp excluded-address 192.168.178.25
ip dhcp excluded-address 192.168.178.30
ip dhcp excluded-address 192.168.178.38
ip dhcp excluded-address 192.168.178.200
!
ip dhcp pool CASA_POOL
 network 192.168.178.0 255.255.255.0
 default-router 192.168.178.1
 dns-server 8.8.8.8
!
controller VDSL 0/2/0
!
!
vlan internal allocation policy ascending
!
!
interface GigabitEthernet0/0/0
 no ip address
 negotiation auto
!
interface GigabitEthernet0/1/0
!
interface GigabitEthernet0/1/1
!
interface GigabitEthernet0/1/2
!
interface GigabitEthernet0/1/3
!
interface GigabitEthernet0/1/4
!
interface GigabitEthernet0/1/5
!
interface GigabitEthernet0/1/6
!
interface GigabitEthernet0/1/7
!
interface ATM0/2/0
 no ip address
 atm oversubscribe factor 2
 no atm enable-ilmi-trap
!
interface Ethernet0/2/0
 no ip address
 no negotiation auto
!
interface Ethernet0/2/0.835
 encapsulation dot1Q 835
 ip nat inside
 pppoe enable group global
 pppoe-client dial-pool-number 1
 ip virtual-reassembly
!
interface Vlan1
 ip address 192.168.178.1 255.255.255.0
 ip nat inside
!
interface Dialer0
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp authentication pap chap callin
 ppp chap hostname timadsl
 ppp chap password 0 timadsl
 ppp pap sent-username timadsl password 0 timadsl
 ppp ipcp dns request accept
!
ip forward-protocol nd
no ip http server
ip http secure-server
ip http secure-port 8080
ip nat translation udp-timeout 600
ip nat translation max-entries 40000
ip nat inside source static tcp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static udp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static tcp 192.168.178.109 443 interface Dialer1 443
ip nat inside source static udp 192.168.178.109 443 interface Dialer1 443
ip nat inside source static tcp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 5060 interface Dialer1 5060
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
access-list 1 permit 192.168.178.0 0.0.0.255
!
!
!
!
control-plane
!
!
line con 0
 transport input none
 stopbits 1
line vty 0 4
 login
!
!
!
!
!
!
end
Thanks in advance to everyone that could help me!
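Added example, not part of the original post or of any reply: a short Python audit that reads a running-config like the one above and reports which interfaces carry a NAT role and which internal host/port each static entry publishes. The sample is a constructed excerpt of the posted config; the name audit_nat and the warning wording are assumptions of this example.

```python
import re

# Constructed sample: lines excerpted from the running-config posted above.
SAMPLE_CONFIG = """\
interface Ethernet0/2/0.835
 encapsulation dot1Q 835
 ip nat inside
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.178.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat inside source static tcp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static udp 192.168.178.109 80 interface Dialer1 80
ip nat inside source static tcp 192.168.178.200 81 interface Dialer1 81
ip nat inside source static udp 192.168.178.200 5060 interface Dialer1 5060
ip nat inside source list 1 interface Dialer1 overload
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$")

def audit_nat(config):
    """Return (roles, forwards, warnings) for IOS-style config text."""
    roles, forwards, warnings = {}, [], []
    current = None  # interface block being read
    for raw in config.splitlines():
        line = raw.strip()  # tolerate configs pasted without indentation
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line in ("ip nat inside", "ip nat outside") and current:
            roles[current] = line.split()[-1]
        else:
            m = STATIC_RE.match(line)
            if m:
                proto, host, lport, iface, gport = m.groups()
                # (protocol, outside port, inside host, inside port, interface)
                forwards.append((proto, int(gport), host, int(lport), iface))
    for proto, gport, host, lport, iface in forwards:
        if roles.get(iface) != "outside":
            warnings.append(f"{proto}/{gport} -> {host}:{lport} references "
                            f"{iface}, which is not marked 'ip nat outside'")
    return roles, forwards, warnings
```

Each tuple in forwards is a service reachable from the Internet, so the list doubles as an inventory of what the router exposes.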
02-10-2020 01:02 PM
It works, guys!!!
Thank you very much for your support!!
...and just to share some feedback with you: the "ip nat inside" under the sub-interface is useful for the VoIP communication: if I try to replace it with "ip nat outside" I get one-sided voice on VoIP calls.
02-10-2020 02:04 PM - edited 02-10-2020 03:03 PM
Glad to see your issue is now resolved. Thanks for marking your OP as solved; please also rate if you deem it applicable to do so.
02-11-2020 07:51 AM