cisco 1841 port translation not working

matthewrosePI
Level 1

Hi all, I have an 1841 for a test environment and I've been trying to get port translation to work and I just can't get it to work. I can get to the router via Telnet or SSH no problem, but nothing internal. My scrubbed config is below; thanks in advance for any help.

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2013.10.21 12:27:30 =~=~=~=~=~=~=~=~=~=~=~=

show run
Building configuration...

Current configuration : 4858 bytes
!
! Last configuration change at 11:23:40 EDT Mon Oct 21 2013 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SandboxRT1
!
boot-start-marker
boot system flash:c1841-adventerprisek9-mz.151-4.M1.bin
boot-end-marker
!
!
logging buffered 50000
logging console informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
!
!
!
!
!
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
no ip domain lookup
ip domain name entsand.local
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip inspect name Firewall tcp router-traffic
ip inspect name Firewall udp router-traffic
ip inspect name Firewall icmp router-traffic
login block-for 600 attempts 10 within 5
login delay 5
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO1841 sn FTX1228Y0YA
archive
 log config
  logging enable
  hidekeys
username admin privilege 15 secret 5 $1$zJUp$cENJm525gTb0kxTu6kDMs.
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
 description To Internet
 ip address x.x.x.x x.x.x.x
 ip access-group fwall in
 ip nat outside
 ip inspect Firewall out
 ip virtual-reassembly in
 speed 100
 full-duplex
!
interface FastEthernet0/1
 description To LAN
 ip address 172.16.1.2 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT-LIST interface FastEthernet0/0 overload
ip nat inside source static tcp 172.16.1.51 443 interface FastEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 172.16.1.0 255.255.255.0 172.16.1.1
!
ip access-list standard ACL_VTY-In
 permit x.x.x.x
!
ip access-list extended NAT-LIST
 permit ip 172.16.1.0 0.0.0.255 any
ip access-list extended fwall
 permit gre any any
 permit tcp any any eq telnet
 permit tcp any any eq 22
 permit udp any any eq isakmp
 permit esp any any
 permit tcp any any eq 443
!
logging trap debugging
access-list 1 permit 172.16.1.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
banner exec ^C
!
line con 0
 privilege level 15
 logging synchronous
line aux 0
line vty 0 4
 access-class ACL_VTY-In in
 privilege level 15
 logging synchronous
 transport input telnet
line vty 5 15
 access-class ACL_VTY-In in
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
end

10 Replies

John Blakley
VIP Alumni

Hi Matthew,

You don't need a static route for a connected route, so you should be safe to remove that. I don't believe that's your problem here, but it's something I noticed. When you say that you can't get to anything, I'm assuming that you're trying to ssh into the static natted private address that you have listed in your config. Is that correct?

HTH,

John

*** Please rate all useful posts ***

No, just for testing purposes, I'm trying to get to port 443 on 172.16.1.51 (per this statement: "ip nat inside source static tcp 172.16.1.51 443 interface FastEthernet0/0 443") from the outside.

For testing, does it work if you remove the CBAC config and ACL on the outside?

HTH,
John

*** Please rate all useful posts ***


No, it does not... same thing.

From the router, can you ssh into the device? "ssh -l 172.16.1.51"

HTH,
John

*** Please rate all useful posts ***


I have SSH currently turned off on that device... I could turn it on, but it's currently in another building that I won't be able to go to until at least tomorrow. So at this point, no, that doesn't work, but I know from a firewall standpoint it's open. It's just an ESXi server.

I'm sorry...I was looking at something else when I posted that and obviously this is a web server. So, scratch the last thing that I mentioned.

As far as the configuration, I don't see anything wrong. Can you post "show ip nat trans"?

HTH,
John

*** Please rate all useful posts ***


Pro Inside global      Inside local       Outside local      Outside global

tcp x.x.x.x:443   172.16.1.51:443    ---                ---

x.x.x.x is my external address, obviously.

Okay, so the entry is there. I'm assuming that you can hit the site internally?

Try debugging nat, hit the site from the outside, and then post that debug here. "debug ip nat" (You may want to tie to an access-list for that single host)

HTH,
John

*** Please rate all useful posts ***


Getting a bunch of these:

*Oct 21 17:55:36.398: NAT*: s=outsideip, d=localwanIP->172.16.1.51 [11734]
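As an added diagnostic (not part of the thread, and not Cisco tooling), the script below parses "debug ip nat" lines of the shape shown above. An inbound packet appears with the destination rewritten (d=wan->172.16.1.51); if the server's reply traverses the router, a matching line appears with the source rewritten back (s=172.16.1.51->wan). The script reports outside hosts whose inbound packets were translated but for which no translated reply was seen, which separates "NAT is not translating" from "replies are not coming back through this router". The sample lines are constructed with documentation addresses, not copied from the post.

```python
import re
from collections import defaultdict

# Constructed sample of "debug ip nat" output (documentation addresses,
# not the original poster's). 203.0.113.x = outside clients,
# 198.51.100.2 = the router's WAN address, 172.16.1.51 = the inside server.
SAMPLE_DEBUG = """\
*Oct 21 17:55:36.398: NAT*: s=203.0.113.7, d=198.51.100.2->172.16.1.51 [11734]
*Oct 21 17:55:36.402: NAT*: s=172.16.1.51->198.51.100.2, d=203.0.113.7 [2201]
*Oct 21 17:55:39.410: NAT*: s=203.0.113.9, d=198.51.100.2->172.16.1.51 [11735]
*Oct 21 17:55:42.416: NAT*: s=203.0.113.9, d=198.51.100.2->172.16.1.51 [11736]
"""

# "a->b" marks the field NAT rewrote; only one of s/d is rewritten per packet.
LINE_RE = re.compile(
    r"NAT\*?: s=(?P<s>[\d.]+)(?:->(?P<s_new>[\d.]+))?, "
    r"d=(?P<d>[\d.]+)(?:->(?P<d_new>[\d.]+))? \[(?P<id>\d+)\]"
)


def parse_nat_debug(text):
    """Return (inbound, outbound) packet counts keyed by (outside_host, inside_host)."""
    inbound = defaultdict(int)
    outbound = defaultdict(int)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m.group("d_new"):        # destination translated: outside -> inside
            inbound[(m.group("s"), m.group("d_new"))] += 1
        elif m.group("s_new"):      # source translated back: inside -> outside
            outbound[(m.group("d"), m.group("s"))] += 1
    return inbound, outbound


def flows_without_replies(text):
    """Outside hosts whose translated inbound packets never produced a translated reply."""
    inbound, outbound = parse_nat_debug(text)
    return sorted(key for key in inbound if key not in outbound)


if __name__ == "__main__":
    for outside, inside in flows_without_replies(SAMPLE_DEBUG):
        print(f"{outside} -> {inside}: inbound translated, no reply seen through NAT")
```

If every flow shows up in this list, the port translation itself is working and the next check is the server's return path (its default gateway and whether replies actually reach the router's inside interface).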
