07-11-2013 07:46 PM - edited 03-04-2019 08:26 PM
hello all,
I configured static NAT on an ASR 1004 with the following command,
ip nat inside source static tcp 10.10.0.36 5000 59.16.18.17 6000 extendable
It is an OA system installed on 10.10.0.36; it works well when we use it from the internal network via the internal IP address.
But when we use it from the Internet, the file upload function does not work, and if I change the public NATed port from 6000 to 56000, the file upload function works well.
I guess maybe TCP port 6000 is reserved by Cisco or an RFC, but I cannot find the clue to prove it. Could you help me explain it, or help me try to solve it?
thanks.
Yu.
07-13-2013 11:21 PM
Hi Yu,
Do you have an ACL or firewall on the public port that could be blocking port 6000? Also, are you using that public IP for NAT overload? If so, it's possible there was an existing PAT session on that port during your testing. Did you verify it was being injected into the translation table with 'show ip nat translation'?
Regards,
Mike
Sent from Cisco Technical Support Android App
07-14-2013 07:57 AM
thanks Mike,
There is no ACL on the router for port 6000, and no firewall in the network.
I am using NAT overload, with a command such as
ip nat inside source static tcp 10.10.0.36 5000 59.6.8.7 6000 extendable
and I have tried to make a NAT to a new public IP address; for example,
the outside interface public IP address is 59.6.8.6, and I set up the OA system's NATed public IP address as 59.6.8.7 (it is not the PAT public IP address; this IP address is being used for the first time),
so I think TCP port 6000 was not in use when I configured the NAT, and so I think maybe it is a TCP port 6000 problem.
thanks.
Yu.
07-14-2013 08:52 AM
Yu,
Can you post the output for 'show ip nat translations inside 10.10.0.36'? Can you also put an ACL on your public interface so we can see if the traffic is at least hitting the router?
ip access-list extended outside_in
permit tcp any host
permit tcp any any established
permit ip any any
interface
ip access-group outside_in in
I would wait until you have a maintenance window to apply the ACL. Once you have it applied, please test the NAT again and post the output of the 'show access-lists outside_in' and 'show ip nat translations inside 10.10.0.36' commands.
Regards,
Mike
07-14-2013 07:26 PM
Hello Mike,
Thanks for your kind help. I will try your commands later,
and in my condition,
the public PAT IP address on the outside interface is 59.6.8.6 (for example).
If I do the static NAT with the following command,
ip nat inside source static tcp 10.10.0.36 5000 59.6.8.6 6000 extendable
all functions work well, except uploading an attached file.
If I do the static NAT with the following command,
ip nat inside source static tcp 10.10.0.36 5000 59.6.8.6 65000 extendable
all functions work well, including uploading an attached file.
If I do the static NAT with the following command,
ip nat inside source static tcp 10.10.0.36 5000 59.6.8.7 6000 extendable
all functions work well, except uploading an attached file.
I will paste all the configuration for the outside interface and the ACL later. Thanks.
BR.
Yu.
07-14-2013 08:48 PM
Configuration for the outside interface; there is no firewall.
interface GigabitEthernet0/1/3
description wan
ip address 59.6.8.6 255.255.255.248
ip nat outside
negotiation auto
crypto map cisco
end
The "crypto map cisco" command is associated with an EZVPN. I have tried to remove this command from the outside interface, and it still cannot upload the attached files.
thanks.
Yu.
07-19-2013 06:06 AM
I cannot find the root cause of this problem. Can anyone help me?
Any advice will be appreciated!
Thanks in advance!
Yu.
07-19-2013 06:18 AM
Can you please post the output of "show ip nat translations" when you have this configured for port 6000? Can you also debug ip nat and post the relevant debug output when trying to hit the NAT? And did you do the outside ACL test I recommended?
07-19-2013 06:24 AM
Mike,
Thanks for your always kind help. I want to provide as much information as I can, but I do not have a maintenance window for this router. I will try to do the debug and the ACL now.
thanks.
Yu.
07-19-2013 06:43 AM
hello Mike,
Please refer to the following output. Thanks.
ip access-list extended outside_in
permit tcp any host 59.6.8.6 eq 6000
permit tcp any any established
permit ip any any
router# sh access-list outside_in
Extended IP access list outside_in
10 permit tcp any host 59.6.8.6 eq 6000 (2467 matches)
20 permit tcp any any established (8745 matches)
30 permit ip any any (82562 matches)
router#
router#show ip nat translations inside 10.10.0.36
Pro Inside global Inside local Outside local Outside global
udp 59.6.8.6:60000 10.10.0.36:89 --- ---
tcp 59.6.8.6:60000 10.10.0.36:89 --- ---
tcp 59.6.8.6:55000 10.10.0.36:21 --- ---
tcp 59.6.8.6:6000 10.10.0.36:5000 --- ---
tcp 59.6.8.6:6000 10.10.0.36:5000 175.160.118.126:28448 175.160.118.126:28448
tcp 59.6.8.6:6000 10.10.0.36:5000 58.83.254.181:44096 58.83.254.181:44096
tcp 59.6.8.6:6000 10.10.0.36:5000 175.160.118.126:7313 175.160.118.126:7313
tcp 59.6.8.6:10618 10.10.0.36:54216 124.115.0.185:5002 124.115.0.185:5002
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13091 218.65.60.70:13091
tcp 59.6.8.6:6000 10.10.0.36:5000 58.83.254.181:44111 58.83.254.181:44111
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13105 218.65.60.70:13105
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:12748 218.65.60.70:12748
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13616 218.65.60.70:13616
tcp 59.6.8.6:6000 10.10.0.36:5000 175.160.118.126:7602 175.160.118.126:7602
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:12348 218.65.60.70:12348
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13016 218.65.60.70:13016
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:12693 218.65.60.70:12693
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13333 218.65.60.70:13333
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13597 218.65.60.70:13597
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.72:12735 218.65.60.72:12735
tcp 59.6.8.6:6000 10.10.0.36:5000 175.169.65.101:1493 175.169.65.101:1493
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:14060 218.65.60.70:14060
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:12749 218.65.60.70:12749
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:12337 218.65.60.70:12337
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:14219 218.65.60.70:14219
tcp 59.6.8.6:6000 10.10.0.36:5000 175.169.65.101:2211 175.169.65.101:2211
tcp 59.6.8.6:6000 10.10.0.36:5000 58.83.254.181:44110 58.83.254.181:44110
router#debug ip nat
router#debug ip nat ?
<1-99> Access list forced
WORD Access list name
ha High Availability debugging
router#debug ip nat
% Incomplete command.
router#
07-19-2013 06:53 AM
That output indicates to me that it is translating the port correctly and creating NAT sessions. The ACL shows me the requests are hitting the router.
Can you be a little more specific about the issue you are having? As far as I can tell, this appears to be an application problem and not a network/NAT problem.
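Mike's reading of the two outputs above (the static row is present, per-client sessions are being created, and ACE 10 is counting hits) is the check worth repeating on any port-forward ticket before blaming NAT. The script below does it mechanically. It is an added example, not code from this thread or from Cisco: it parses the 'show access-lists' and 'show ip nat translations' text in the form pasted above (the sample input is copied from Yu's post, trimmed to a few rows) and reports whether the static entry exists, how many live sessions each outside host holds on the forwarded port, and the per-ACE hit counters. The dataclass field names and helper functions are my own.

```python
"""Sanity-check IOS 'show ip nat translations' and 'show access-lists' output
for a static TCP port-forward, the way the thread above does by eye."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input copied from the thread (first rows of the translation table only).
NAT_OUTPUT = """\
Pro Inside global Inside local Outside local Outside global
udp 59.6.8.6:60000 10.10.0.36:89 --- ---
tcp 59.6.8.6:60000 10.10.0.36:89 --- ---
tcp 59.6.8.6:55000 10.10.0.36:21 --- ---
tcp 59.6.8.6:6000 10.10.0.36:5000 --- ---
tcp 59.6.8.6:6000 10.10.0.36:5000 175.160.118.126:28448 175.160.118.126:28448
tcp 59.6.8.6:6000 10.10.0.36:5000 58.83.254.181:44096 58.83.254.181:44096
tcp 59.6.8.6:6000 10.10.0.36:5000 175.160.118.126:7313 175.160.118.126:7313
tcp 59.6.8.6:10618 10.10.0.36:54216 124.115.0.185:5002 124.115.0.185:5002
tcp 59.6.8.6:6000 10.10.0.36:5000 218.65.60.70:13091 218.65.60.70:13091
"""

# Sample input copied from the thread.
ACL_OUTPUT = """\
Extended IP access list outside_in
    10 permit tcp any host 59.6.8.6 eq 6000 (2467 matches)
    20 permit tcp any any established (8745 matches)
    30 permit ip any any (82562 matches)
"""


@dataclass(frozen=True)
class Translation:
    proto: str
    inside_global: str             # "ip:port" exactly as IOS prints it
    inside_local: str
    outside_local: Optional[str]   # None where IOS prints "---"
    outside_global: Optional[str]


def _endpoint(token: str) -> Optional[str]:
    return None if token == "---" else token


def parse_nat_translations(text: str) -> List[Translation]:
    """Parse the five-column table; skip header, prompt and blank lines."""
    entries: List[Translation] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("tcp", "udp", "icmp"):
            continue
        entries.append(Translation(parts[0], parts[1], parts[2],
                                   _endpoint(parts[3]), _endpoint(parts[4])))
    return entries


def static_entry_present(entries: List[Translation], proto: str,
                         inside_local: str, inside_global: str) -> bool:
    """A configured 'ip nat inside source static' mapping shows up as one row
    with no outside endpoints (both printed as ---)."""
    return any(e.proto == proto and e.inside_local == inside_local
               and e.inside_global == inside_global and e.outside_global is None
               for e in entries)


def sessions_per_outside_host(entries: List[Translation], inside_global: str) -> Counter:
    """Count live sessions on the forwarded port, keyed by remote client IP."""
    counts: Counter = Counter()
    for e in entries:
        if e.inside_global == inside_global and e.outside_global is not None:
            counts[e.outside_global.rsplit(":", 1)[0]] += 1
    return counts


# "    10 permit tcp any host 59.6.8.6 eq 6000 (2467 matches)"
ACE_RE = re.compile(r"^\s*(\d+)\s+(.*?)\s+\((\d+) match(?:es)?\)\s*$")


def parse_acl_hits(text: str) -> Dict[int, Tuple[str, int]]:
    """Map ACE sequence number -> (ACE text, hit count)."""
    hits: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if m:
            hits[int(m.group(1))] = (m.group(2), int(m.group(3)))
    return hits


def report(nat_text: str, acl_text: str, proto: str, inside_local: str, inside_global: str) -> str:
    entries = parse_nat_translations(nat_text)
    lines = [f"static {proto} {inside_local} -> {inside_global}: "
             + ("present" if static_entry_present(entries, proto, inside_local, inside_global)
                else "MISSING")]
    for host, n in sessions_per_outside_host(entries, inside_global).most_common():
        lines.append(f"  {n} session(s) from {host}")
    for seq, (ace, n) in sorted(parse_acl_hits(acl_text).items()):
        lines.append(f"ACE {seq}: {ace} -> {n} hits")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(NAT_OUTPUT, ACL_OUTPUT, "tcp", "10.10.0.36:5000", "59.6.8.6:6000"))
```

If the static row is missing, the forward was never installed and the problem is on the router; if it is present and client sessions are accumulating against it while the matching ACE counts hits, the router is doing its part and the fault lies with the application or the client, which is the conclusion the reply above reaches.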
07-19-2013 07:16 AM
Thanks for your reading of the debug output; I really appreciate it.
Please let me try to describe the issue in more detail.
There is an OA system (it is a B/S system; we access it via a browser at http://10.10.0.36:5000) in the company IT room. It provides some functions, for example news, uploading files, and so on.
Everyone on the company internal network can access the OA system with its internal IP address, and all functions work well.
We made a static port NAT from 10.10.0.36:5000 to 59.6.8.6:6000 (59.6.8.6 is the IP address of the WAN interface).
Everyone on the public Internet can now access the OA system with its public IP address (http://59.6.8.6:6000); all functions work well, except uploading files.
Then I changed the static port NAT and mapped it to port 65000 of the WAN IP address (from 10.10.0.36:5000 to 59.6.8.6:65000).
Everyone on the public Internet can now access the OA system with its public IP address (http://59.6.8.6:65000); all functions work well, including uploading files.
Then I changed the static NAT and mapped it to port 6000 of another public IP address, 59.6.8.7 (this IP address is being used for the first time, and it is not the IP address on the WAN interface).
Everyone on the public Internet can now access the OA system with its public IP address (http://59.6.8.7:6000); all functions work well, except uploading files.
There is no obvious error when the upload fails, and no support from the OA system's developer.
I think it may be a pre-reserved TCP port 6000 problem, and I do not know how to prove it or test whether it is a software problem (I think mapping port 6000 and mapping port 65000 are the same to the software).
thanks.
Yu.