05-26-2020 01:17 PM
I have Cisco 1900 Series, with NAT and port forwarding configured.
And port Forwarding works from internet, using the WAN IP and related port forwarding.
And I also want to use the port forwarding from the LAN, by using the WAN IP.
But from LAN, reaching the WAN port forwarding connections are refused.
I assume that "ip nat enable" only (without the "ip nat inside/outside") on both interfaces Gi 0/0 and Gi 0/1 should be the solution.
But when setting accordingly "ip nat source list 102 interface GigabitEthernet0/0 overload" (without "inside"), NAT is no longer working (empty NAT table with "show ip nat translations").
All help would be appreciated!
The running config can be found below:
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Home-Cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ...
enable password 7 ...
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool 1
utilization mark high 80 log
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 1.1.1.3 1.0.0.3
default-router 192.168.0.1
!
!
ip domain name rtp.cisco.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn ...
!
!
username admin privilege 15 password 7 ...
!
!
ip ssh time-out 60
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001
ip nat inside source list 102 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
login local
transport input ssh
!
scheduler allocate 20000 1000
end
06-02-2020 07:18 AM
Hi Paul,
So I have 2 DNS records, set via a public DNS server:
On the CISCO router a DNS server is configured and the following entries set for the LAN:
Port forwarding from the WAN to the 2 different LAN IP for specific ports:
This way the same ip & ports (nas.dnsname.com:5000, nas.dnsname.com:5001 & controller.dnsname.com:8443) can be used from the LAN & the WAN.
Also the (cleaned) running config attached.
There I switched back to nat inside/outside, as the static port forwarding was again appearing not in the nvi translations but in the nat translations.
Kind regards,
Wouter
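The split-horizon DNS approach described in this post, written out as an added example (this is not Wouter's attached config): LAN clients use the router as their resolver, the router answers the two hostnames with the LAN addresses, and everything else is forwarded upstream. The hostnames and LAN addresses are the ones quoted in the thread; dnsname.com stays the placeholder the post uses.

```cisco
! Added example: split-horizon DNS on the IOS router (not the poster's config).
! Assumes the hostnames and LAN addresses quoted in the thread.
ip dns server
!
! Local answers for LAN clients: the same names that public DNS maps to the WAN IP
ip host nas.dnsname.com 192.168.0.5
ip host controller.dnsname.com 192.168.0.4
!
! Upstream resolvers the router forwards every other query to
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
! Hand out the router as the only resolver, so LAN clients get the local view
ip dhcp pool 1
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 192.168.0.1
!
! Do not serve DNS to the internet: drop queries that arrive on the WAN interface
! (replies to the router's own upstream queries use an ephemeral destination port,
! so they are not matched by these two deny lines)
ip access-list extended WAN-IN
 deny   udp any any eq domain
 deny   tcp any any eq domain
 permit ip any any
!
interface GigabitEthernet0/0
 ip access-group WAN-IN in
```

Because the LAN client now connects to 192.168.0.5:5000 directly, no hairpin NAT translation is needed; "show hosts" on the router and an "nslookup nas.dnsname.com 192.168.0.1" from a LAN client confirm the local answers.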
05-26-2020 01:44 PM - edited 05-26-2020 02:44 PM
Hello
You need to remove any reference to domain NAT and amend the NAT access-list for this to work, then test again.
no ip nat inside source list 102 interface GigabitEthernet0/0 overload
ip nat source list 102 interface GigabitEthernet0/0 overload
interface GigabitEthernet0/0
no ip nat outside
interface GigabitEthernet0/1
no ip nat inside
no access-list 102
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
05-26-2020 02:20 PM - edited 05-26-2020 02:21 PM
Hi Paul,
Already a big step forward, as NAT is now working with "ip nat enable" only on both interfaces (without "ip nat inside/outside").
But the port forwarding stopped working:
For your ease of reference, you can find below the related port forwarding config (nothing changed on this part):
ip nat source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001
Kind regards,
Wouter
05-26-2020 02:39 PM
Hello
Those static NAT statements look okay; however, your DHCP pool doesn't for your LAN hosts.
Please post the following
sh ip nat nvi translations
Also
ip dhcp pool 1
no dns-server 1.1.1.3 1.0.0.3
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.0.1
exit
no ip name-server 8.8.8.8
no ip name-server 8.8.4.4
05-26-2020 02:54 PM - edited 05-26-2020 03:14 PM
Hi Paul,
The changes are applied as you suggested (removing the 2 ip name servers + changing the dns servers in the dhcp pool + adding the default-router again), but no change in the situation.
Strangely, the port forwarding rules aren't shown in the output of "sh ip nat nvi translations", only in the output of "sh ip nat translations".
Both outputs can be found below.
show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp W.A.N.IP:8443 192.168.0.4:8443 --- ---
tcp W.A.N.IP:5000 192.168.0.5:5000 --- ---
tcp W.A.N.IP:5001 192.168.0.5:5001 --- ---
show ip nat nvi translations
Pro Source global Source local Destin local Destin global
udp W.A.N.IP:35925 192.168.0.2:35925 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:36562 192.168.0.2:36562 8.8.8.8:53 8.8.8.8:53
tcp W.A.N.IP:42428 192.168.0.2:42428 18.195.145.6:443 18.195.145.6:443
udp W.A.N.IP:44058 192.168.0.2:44058 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:46650 192.168.0.2:46650 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:49566 192.168.0.2:49566 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:53480 192.168.0.2:53480 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:3478 192.168.0.3:3478 148.251.243.162:3478 148.251.243.162:3478
udp W.A.N.IP:1024 192.168.0.3:5060 94.75.247.45:5060 94.75.247.45:5060
udp W.A.N.IP:11 192.168.0.5:137 192.168.0.255:137 192.168.0.255:137
udp W.A.N.IP:138 192.168.0.5:138 192.168.0.255:138 192.168.0.255:138
udp W.A.N.IP:34020 192.168.0.5:34020 220.130.197.210:443 220.130.197.210:443
udp W.A.N.IP:44181 192.168.0.5:44181 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:46925 192.168.0.5:46925 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:47725 192.168.0.5:47725 8.8.8.8:53 8.8.8.8:53
udp W.A.N.IP:58112 192.168.0.5:58112 8.8.8.8:53 8.8.8.8:53
...
Kind regards,
Wouter
05-26-2020 03:20 PM
Hello
Okay, try removing those static statements, force a clear of any NAT translation, then re-apply them with just NVI domainless NAT enabled on the WAN/LAN interfaces (ip nat enable).
clear ip nat translation force
clear ip nat nvi translation force
05-28-2020 12:37 PM
Hi Paul,
I removed and added the port forwarding (with only "ip nat enable"), and the port forwarding is working from the WAN!
But a test from the LAN to use the port forwarding via the WAN IP, was still negative.
Related output of "show ip nat nvi translations" after triggering the port forwarding from a LAN ip & a WAN ip:
Pro Source global Source local Destin local Destin global
tcp W.A.N.IP:60934 192.168.0.101:60934 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.10.196:26596 94.109.10.196:26596 W.A.N.IP:8443 192.168.0.4:8443
Kind regards,
Wouter
05-28-2020 04:38 PM
Hello
Sounds like you're almost there. Can you make sure you have ICMP redirects turned off on the WAN interface:
int x/x
no ip redirects
Lastly, would you please post the running config of your router in an attached file and share it.
05-29-2020 02:18 AM
Hi Paul,
No change after adding the "no ip redirects" on the WAN interface.
Instead the nat translations are no longer present when using the port forwarding via WAN IP from the LAN.
Related output of "show ip nat nvi translations" below, for one of the port forwardings.
Home-Cisco#show ip nat nvi translations
Pro Source global Source local Destin local Destin global
tcp 94.109.94.165:26628 94.109.94.165:26628 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26631 94.109.94.165:26631 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26640 94.109.94.165:26640 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26641 94.109.94.165:26641 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26661 94.109.94.165:26661 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26674 94.109.94.165:26674 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26676 94.109.94.165:26676 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26691 94.109.94.165:26691 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26701 94.109.94.165:26701 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26719 94.109.94.165:26719 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26728 94.109.94.165:26728 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26739 94.109.94.165:26739 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26767 94.109.94.165:26767 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26803 94.109.94.165:26803 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26805 94.109.94.165:26805 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26809 94.109.94.165:26809 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26819 94.109.94.165:26819 W.A.N.IP:8443 192.168.0.4:8443
tcp 94.109.94.165:26832 94.109.94.165:26832 W.A.N.IP:8443 192.168.0.4:8443
tcp W.A.N.IP:8443 192.168.0.4:8443 --- ---
Also attached the (cleaned) running config in attachment.
Kind regards,
Wouter
05-29-2020 03:38 AM
Hello
Your configuration looks okay, apart from that I would suggest you change the default static route:
no ip route 0.0.0.0 0.0.0.0 dhcp
ip route 0.0.0.0 0.0.0.0 gig0/0 dhcp
Then, just to confirm, your only issue now is that you cannot access your internal hosts via their PAT public IP address and port?
If so, how are you trying to access these hosts: IP address/port or FQDN/port?
05-29-2020 08:38 AM
Hi Paul,
The change on the default route was applied.
Indeed, the issue is only that I can't reach the internal hosts via the public IP and port from the LAN.
The 2 different services behind the port forwarding:
The way of testing:
Actual test in web-browser:
Actual test via Unify app:
Kind regards,
Wouter
05-29-2020 11:59 AM
Hello @WouterMahieu
Apologies for this, but it seems this isn't going to work using NVI NAT; may I suggest you try domain NAT instead.
Please review the attached alternative solution using domain NAT.
05-31-2020 03:42 AM
Hi Paul,
The changes were applied as you suggested, but the overall NAT is not working with this config.
"show ip nat translations" only shows the static port forwarding (of course "show ip nat nvi translations" shows no output).
With only following differences applied (as some commands weren't accepted).
set ip next-hop 169.254.255.254
!Instead of
set ip next-hop loopback 99
ip policy route-map HP
!Instead of
ip policy-route HP
Kind regards,
Wouter
05-31-2020 04:36 AM
Hello
Yes both were typos
change the interface policy to point to the loopback 99 interface
set interface loopback 99
Attach your current config please (in a file)
06-02-2020 01:59 AM
Hi Paul,
I changed the overall approach, setting up a dns server on the Cisco router for the LAN clients.
On the DNS 2 different subdomains are set to the 2 different local LAN ip.
In parallel the 2 subdomains are set via public dns to the same WAN ip.
This way the port forwarding works from the WAN & the LAN, using the 2 separate subdomains.
Thank you for your troubleshooting efforts!
Kind regards,
Wouter