Cisco 1900 NAT port forwarding - only working from WAN (not LAN)

WouterMahieu
Level 1

I have a Cisco 1900 Series router, with NAT and port forwarding configured.

Port forwarding works from the internet, using the WAN IP and the related port forwarding.

I also want to use the port forwarding from the LAN, by using the WAN IP.

But from the LAN, connections to the WAN port forwardings are refused.

 

I assume that "ip nat enable" only (without the "ip nat inside/outside") on both interfaces Gi 0/0 and Gi 0/1 should be the solution.
But after setting accordingly "ip nat source list 102 interface GigabitEthernet0/0 overload" (without "inside"), NAT is no longer working (empty NAT table with "show ip nat translations").

 

All help would be appreciated!

 

The running config can be found below:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Home-Cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ...
enable password 7 ...
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool 1
utilization mark high 80 log
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 1.1.1.3 1.0.0.3
default-router 192.168.0.1
!
!
ip domain name rtp.cisco.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn ...
!
!
username admin privilege 15 password 7 ...
!
!
ip ssh time-out 60
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001
ip nat inside source list 102 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
login local
transport input ssh
!
scheduler allocate 20000 1000
end

 

Accepted Solution

Hi Paul,

 

So I have 2 DNS records, set via a public DNS server:

  • nas.dnsname.com to the same WAN IP
  • controller.dnsname.com to the same WAN IP

 

On the Cisco router a DNS server is configured, with the following entries set for the LAN:

  • nas.dnsname.com to the LAN IP: 192.168.0.5
  • controller.dnsname.com to LAN IP: 192.168.0.4

 

Port forwarding from the WAN to the 2 different LAN IP for specific ports:

  • ip nat inside source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
  • ip nat inside source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
  • ip nat inside source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001

 

This way the same ip & ports (nas.dnsname.com:5000, nas.dnsname.com:5001 & controller.dnsname.com:8443) can be used from the LAN & the WAN.

 

The (cleaned) running config is also attached, in which I switched back to NAT inside/outside, as the static port forwarding was again appearing not in the NVI translations but in the NAT translations.

 

Kind regards,
Wouter
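The accepted answer relies on three things lining up: the public zone points each name at the WAN IP, the router's own DNS (which the post describes but does not show; on IOS that is `ip dns server` plus `ip host` entries) points the same names at the LAN hosts, and each static forward on the WAN side lands on the same host and port a LAN client reaches directly. The following added example, not code from the thread or from Cisco, parses a constructed config in that shape and reports any mismatch between the LAN view and the WAN view. The WAN address 203.0.113.10, the `dnsname.com` hostnames, the `SERVICES` table and all function names are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample router config in the shape the accepted answer describes.
# WAN_IP and the dnsname.com hostnames are placeholders, not values from the thread.
WAN_IP = "203.0.113.10"
ROUTER_LAN_IP = "192.168.0.1"

ROUTER_CONFIG = """\
ip dns server
ip host nas.dnsname.com 192.168.0.5
ip host controller.dnsname.com 192.168.0.4
!
ip dhcp pool 1
 network 192.168.0.0 255.255.255.0
 dns-server 192.168.0.1
 default-router 192.168.0.1
!
ip nat inside source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat inside source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat inside source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001
"""

# What the public (WAN-side) zone answers for each name (constructed).
PUBLIC_DNS = {"nas.dnsname.com": WAN_IP, "controller.dnsname.com": WAN_IP}

# Which ports clients use per name; the same from LAN and WAN (constructed).
SERVICES = {
    "nas.dnsname.com": [("tcp", 5000), ("tcp", 5001)],
    "controller.dnsname.com": [("tcp", 8443)],
}


@dataclass(frozen=True)
class Forward:
    proto: str
    inside_ip: str
    inside_port: int
    outside_port: int


# Matches both 'ip nat inside source static ...' and the domainless
# 'ip nat source static ...' form used earlier in the thread.
STATIC_RE = re.compile(
    r"^ip nat (?:inside )?source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$"
)
# Single-address 'ip host NAME ADDRESS' form only.
HOST_RE = re.compile(r"^ip host (\S+) (\d+\.\d+\.\d+\.\d+)$")


def parse_forwards(config):
    """Static port forwards, in the order they appear."""
    forwards = []
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            proto, ip, in_port, out_port = m.groups()
            forwards.append(Forward(proto, ip, int(in_port), int(out_port)))
    return forwards


def parse_lan_hosts(config):
    """Names the router's own DNS answers for LAN clients."""
    hosts = {}
    for line in config.splitlines():
        m = HOST_RE.match(line.strip())
        if m:
            hosts[m.group(1).lower()] = m.group(2)
    return hosts


def check_split_dns(config, public_dns, wan_ip, services, router_lan_ip=ROUTER_LAN_IP):
    """Return a list of problems; empty means LAN and WAN clients reach the
    same inside host:port for every name, without needing NAT hairpinning."""
    problems = []
    lines = {line.strip() for line in config.splitlines()}
    if "ip dns server" not in lines:
        problems.append("'ip dns server' missing: 'ip host' entries are only used by the router itself")
    if not any(l.startswith("dns-server ") and router_lan_ip in l.split() for l in lines):
        problems.append(f"DHCP pool does not hand out {router_lan_ip} as DNS server, so LAN clients bypass the split view")
    lan_hosts = parse_lan_hosts(config)
    by_outside = {(f.proto, f.outside_port): f for f in parse_forwards(config)}
    for name, ports in services.items():
        if public_dns.get(name) != wan_ip:
            problems.append(f"{name}: public DNS does not resolve to the WAN IP {wan_ip}")
        lan_ip = lan_hosts.get(name)
        if lan_ip is None:
            problems.append(f"{name}: no 'ip host' entry, so LAN clients resolve it to {wan_ip} and would need NAT hairpinning")
            continue
        for proto, port in ports:
            fwd = by_outside.get((proto, port))
            if fwd is None:
                problems.append(f"{name}: {proto}/{port} is not forwarded on the WAN interface")
            elif (fwd.inside_ip, fwd.inside_port) != (lan_ip, port):
                problems.append(f"{name}: {proto}/{port} reaches {fwd.inside_ip}:{fwd.inside_port} from the WAN but {lan_ip}:{port} from the LAN")
    return problems


if __name__ == "__main__":
    for p in check_split_dns(ROUTER_CONFIG, PUBLIC_DNS, WAN_IP, SERVICES) or ["OK: LAN and WAN views agree"]:
        print(p)
```

Deleting one `ip host` line, or the `ip dns server` line, from the sample makes the check report exactly which name falls back to the WAN IP and would therefore need the hairpin that this thread never got working. The DHCP `dns-server` check matters because, as the first posts show, the pool originally handed out public resolvers, which would make every LAN client take the public view.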


17 Replies

Hello
You need to remove any reference to domain NAT and amend the NAT access-list for this to work, then test again.

no ip nat inside source list 102 interface GigabitEthernet0/0 overload
ip nat source list 102 interface GigabitEthernet0/0 overload

interface GigabitEthernet0/0
no ip nat outside


interface GigabitEthernet0/1

no ip nat inside

no access-list 102
access-list 102 permit ip 192.168.0.0 0.0.0.255 any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

Already a big step forward, as NAT is now working with "ip nat enable" only on both interfaces (without "ip nat inside/outside").

But the port forwarding stopped working:

  • No longer available from internet via WAN IP
  • Never worked from LAN (Gi 0/1) via WAN IP.

For your ease of reference, you can find below the related port forwarding config (nothing changed on this part):

ip nat source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001

 

Kind regards,

Wouter

Hello

Those static NAT statements look okay, however your DHCP pool doesn't for your LAN hosts.

 

Please post the following
sh ip nat nvi translations

 

Also
ip dhcp pool 1

no dns-server 1.1.1.3 1.0.0.3
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
exit

no ip name-server 8.8.8.8
no ip name-server 8.8.4.4

 



Kind Regards
Paul

Hi Paul,

 

The changes are applied as you suggested (removing the 2 ip name servers + changing the dns servers in the dhcp pool + adding the default-router again), but no change in the situation.

 

Strangely the port forwarding rules aren't shown in the output of "sh ip nat nvi translations", only in the output of "sh ip nat translations".
Both outputs can be found below.

 

 

show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp W.A.N.IP:8443 192.168.0.4:8443 --- ---
tcp W.A.N.IP:5000 192.168.0.5:5000 --- ---
tcp W.A.N.IP:5001 192.168.0.5:5001 --- ---

 

show ip nat nvi translations
Pro Source global Source local Destin local Destin global
udp W.A.N.IP:35925 192.168.0.2:35925 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:36562 192.168.0.2:36562 8.8.8.8:53 8.8.8.8:53
tcp W.A.N.IP:42428 192.168.0.2:42428 18.195.145.6:443 18.195.145.6:443
udp W.A.N.IP:44058 192.168.0.2:44058 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:46650 192.168.0.2:46650 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:49566 192.168.0.2:49566 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:53480 192.168.0.2:53480 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:3478 192.168.0.3:3478 148.251.243.162:3478 148.251.243.162:3478
udp W.A.N.IP:1024 192.168.0.3:5060 94.75.247.45:5060 94.75.247.45:5060
udp W.A.N.IP:11 192.168.0.5:137 192.168.0.255:137 192.168.0.255:137
udp W.A.N.IP:138 192.168.0.5:138 192.168.0.255:138 192.168.0.255:138
udp W.A.N.IP:34020 192.168.0.5:34020 220.130.197.210:443 220.130.197.210:443
udp W.A.N.IP:44181 192.168.0.5:44181 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:46925 192.168.0.5:46925 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:47725 192.168.0.5:47725 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:58112 192.168.0.5:58112 8.8.8.8:53 8.8.8.8:53
...

 

Kind regards,
Wouter

Hello

Okay, try removing those static statements, force a clear of any NAT translation, then re-apply them with just NVI domainless NAT enabled on the WAN/LAN interfaces (ip nat enable).

clear ip nat translation force

clear ip nat nvi translation force 

 



Kind Regards
Paul

Hi Paul,

 

I removed and added the port forwarding (with only "ip nat enable"), and the port forwarding is working from the WAN!
But a test from the LAN to use the port forwarding via the WAN IP, was still negative.

 

Related output of "show ip nat nvi translations" after triggering the port forwarding from a LAN ip & a WAN ip:

Pro Source global Source local Destin local Destin global
tcp W.A.N.IP:60934 192.168.0.101:60934 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.10.196:26596 94.109.10.196:26596 W.A.N.IP:8443 192.168.0.4:8443

 

Kind regards,
Wouter
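The two rows above are the useful diagnostic in this thread: a LAN-origin hit on the WAN IP shows both the source and the destination translated (a hairpin), while a WAN-origin hit only has its destination translated. The following added example, not code from the thread or from Cisco, classifies rows of `show ip nat nvi translations` output into outbound, inbound-forward, hairpin and static-mapping so that a LAN-to-WAN-IP attempt can be spotted in a long table. The address 203.0.113.10 stands in for the redacted W.A.N.IP, the sample rows are constructed in the same column layout, and the function names are assumptions for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.0.0/24")
WAN_IP = "203.0.113.10"  # placeholder for the thread's redacted W.A.N.IP

# Constructed sample in the column layout of 'show ip nat nvi translations'.
# The first two rows follow the thread's LAN-origin and WAN-origin hits on
# port 8443; the last two are a normal outbound flow and a static mapping.
SAMPLE = """\
Pro Source global Source local Destin local Destin global
tcp 203.0.113.10:60934 192.168.0.101:60934 203.0.113.10:8443 192.168.0.4:8443
tcp 94.109.10.196:26596 94.109.10.196:26596 203.0.113.10:8443 192.168.0.4:8443
udp 203.0.113.10:35925 192.168.0.2:35925 8.8.8.8:53 8.8.8.8:53
tcp 203.0.113.10:8443 192.168.0.4:8443 --- ---
"""

ENDPOINT = re.compile(r"^(\d+\.\d+\.\d+\.\d+):(\d+)$")


def split_endpoint(token):
    """'1.2.3.4:80' -> ('1.2.3.4', 80); the '---' placeholder -> None."""
    m = ENDPOINT.match(token)
    return (m.group(1), int(m.group(2))) if m else None


def classify(row):
    """Label one translation row by where the flow starts and ends."""
    _proto, _src_global, src_local, dst_local, dst_global = row.split()
    src = split_endpoint(src_local)
    d_local = split_endpoint(dst_local)
    d_global = split_endpoint(dst_global)
    if d_local is None:                      # static entry with no active flow
        return "static-mapping"
    src_inside = ip_address(src[0]) in LAN
    dst_inside = ip_address(d_global[0]) in LAN
    if src_inside and dst_inside and d_local[0] == WAN_IP:
        return "hairpin"                     # LAN host talking to the WAN IP
    if src_inside:
        return "outbound"
    if dst_inside:
        return "inbound-forward"
    return "other"


def data_rows(output):
    """Translation rows without the header line."""
    return [line for line in output.splitlines()[1:] if line.strip()]


def summarize(output):
    """Count rows per class."""
    return Counter(classify(row) for row in data_rows(output))


def hairpin_rows(output):
    """Only the LAN-to-WAN-IP attempts, the case this thread is about."""
    return [row for row in data_rows(output) if classify(row) == "hairpin"]


if __name__ == "__main__":
    print(dict(summarize(SAMPLE)))
    for row in hairpin_rows(SAMPLE):
        print("hairpin:", row)
```

A hairpin row only proves that the router created the translation; in this thread the LAN connection still failed with that row present, and in a later capture the LAN attempt produced no row at all. So use the classification to confirm which side of the router the attempt is reaching, not as proof that the return path works.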

Hello

Sounds like you're almost there. Can you make sure you have ICMP redirects turned off on the WAN interface?

int x/x
no ip redirects


Lastly, would you please post the running config of your router in an attached file and share it.



Kind Regards
Paul

Hi Paul,

 

No change after adding the "no ip redirects" on the WAN interface.
Instead the nat translations are no longer present when using the port forwarding via WAN IP from the LAN.
Related output of "show ip nat nvi translations" below, for one of the port forwardings.

Home-Cisco#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
tcp 94.109.94.165:26628 94.109.94.165:26628 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26631 94.109.94.165:26631 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26640 94.109.94.165:26640 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26641 94.109.94.165:26641 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26661 94.109.94.165:26661 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26674 94.109.94.165:26674 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26676 94.109.94.165:26676 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26691 94.109.94.165:26691 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26701 94.109.94.165:26701 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26719 94.109.94.165:26719 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26728 94.109.94.165:26728 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26739 94.109.94.165:26739 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26767 94.109.94.165:26767 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26803 94.109.94.165:26803 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26805 94.109.94.165:26805 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26809 94.109.94.165:26809 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26819 94.109.94.165:26819 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26832 94.109.94.165:26832 W.A.N.IP:8443 192.168.0.4:8443
tcp W.A.N.IP:8443 192.168.0.4:8443 --- ---

 

 

Also attached the (cleaned) running config in attachment.

 

Kind regards,
Wouter

Hello

Your configuration looks okay, apart from that I would suggest you change the default static route:

no ip route 0.0.0.0 0.0.0.0 dhcp
ip route 0.0.0.0 0.0.0.0 gig0/0 dhcp

Then, just to confirm, your only issue now is that you cannot access your internal hosts via their PAT public IP address and port?
If so, how are you trying to access these hosts: IP address/port or FQDN/port?



Kind Regards
Paul

Hi Paul,

 

The change on the default route was applied.

Indeed, the issue is only that I can't reach the internal hosts via the public IP and port from the LAN.

 

The 2 different services behind the port forwarding:

  • The port 8443 is forwarded to a UniFi controller.
    There are 2 ways to test: via specific app, and webpage via the same port.
  • The port 5000 & 5001 are forwarded to a Synology NAS, specifically the login web page.

 

The way of testing:

  • Mobile phone connect via Wifi LAN or via 4G, to switch between LAN/WAN
  • Office laptop connected via Wifi LAN, or via Office VPN for WAN test (double checked via traceroute).

 

Actual test in web-browser:

  • "https://W.A.N.IP:5001" from LAN and WAN (working via WAN, not via LAN) (same result via Mobile phone and laptop)
  • "https://W.A.N.IP:8443" from LAN and WAN (working via WAN, not via LAN) (same result via Mobile phone and laptop)

 

Actual test via UniFi app:

  • use W.A.N.IP:8443 via WAN connection is working
  • use W.A.N.IP:8443 via LAN connection is not working

 

 

Kind regards,
Wouter

Hello @WouterMahieu 

Apologies for this, but it seems this isn't going to work using NVI NAT; may I suggest you try domain NAT instead.

Please review the attached alternative solution using domain NAT.

 



Kind Regards
Paul

Hi Paul,

 

The changes were applied as you suggested, but the overall NAT is not working with this config.
"show ip nat translations" only shows the static portforwarding (of course "show ip nat nvi translations" shows no output).

Only the following differences were applied (as some commands weren't accepted):

set ip next-hop 169.254.255.254
!Instead of
set ip next-hop loopback 99

 

ip policy route-map HP 
!Instead of
ip policy-route HP

 

Kind regards,
Wouter

Hello

Yes both were typos

change the interface policy to point to the loopback 99 interface

set interface loopback 99

 

Attach your current config please (in a file)



Kind Regards
Paul

Hi Paul,

 

I changed the overall approach, setting up a DNS server on the Cisco router for the LAN clients.
On that DNS server, 2 different subdomains are set to the 2 different local LAN IPs.
In parallel, the 2 subdomains are set via public DNS to the same WAN IP.
This way the port forwarding works from the WAN and the LAN, using the 2 separate subdomains.

 

Thank you for your troubleshooting efforts!
Kind regards,
Wouter
