Cisco 1900 NAT port forwarding - only working from WAN (not LAN)

WouterMahieu
Level 1

I have a Cisco 1900 Series router with NAT and port forwarding configured.

Port forwarding works from the internet, using the WAN IP and the related port forwardings.

I also want to use the port forwarding from the LAN, by using the WAN IP.

But from the LAN, connections to the WAN port forwardings are refused.

I assume that "ip nat enable" alone (without "ip nat inside/outside") on both interfaces Gi 0/0 and Gi 0/1 should be the solution.
But after setting "ip nat source list 102 interface GigabitEthernet0/0 overload" accordingly (without "inside"), NAT is no longer working (empty NAT table with "show ip nat translations").

All help would be appreciated!

The running config can be found below:

version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Home-Cisco
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ...
enable password 7 ...
!
no aaa new-model
clock timezone CET 1 0
clock summer-time CDT recurring
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.99
!
ip dhcp pool 1
utilization mark high 80 log
utilization mark low 70 log
network 192.168.0.0 255.255.255.0
dns-server 1.1.1.3 1.0.0.3
default-router 192.168.0.1
!
!
ip domain name rtp.cisco.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn ...
!
!
username admin privilege 15 password 7 ...
!
!
ip ssh time-out 60
!
!
!
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
!
interface GigabitEthernet0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip nat enable
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001
ip nat inside source list 102 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 dhcp
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip any any
access-list 102 permit tcp any any
access-list 102 permit udp any any
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
login local
transport input ssh
!
scheduler allocate 20000 1000
end

 

17 Replies

Hello


@WouterMahieu wrote:

Hi Paul,

 

I changed the overall approach, setting up a DNS server on the Cisco router for the LAN clients.
On that DNS server, 2 different subdomains are set to the 2 different local LAN IPs.
In parallel, the 2 subdomains are set via public DNS to the same WAN IP.
This way the port forwarding works from the WAN and the LAN, using the 2 separate subdomains.


Glad to hear you have now got it working, however I'm not so sure I understand your approach regarding DNS. TBH, DNS shouldn't have come into this regarding the overall connectivity, as you were testing via IP address, not FQDN.

For clarity, and to assist others that may come across this post in the future, can you confirm which NAT you eventually used - Domain or NVI? Possibly attach the working running configuration in a file.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi Paul,

 

So I have 2 DNS records, set via a public DNS server:

  • nas.dnsname.com to the same WAN IP
  • controller.dnsname.com to the same WAN IP

 

On the Cisco router a DNS server is configured, with the following entries set for the LAN:

  • nas.dnsname.com to the LAN IP: 192.168.0.5
  • controller.dnsname.com to the LAN IP: 192.168.0.4

 

Port forwarding from the WAN to the 2 different LAN IPs for specific ports:

  • ip nat inside source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
  • ip nat inside source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
  • ip nat inside source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001

 

This way the same IPs & ports (nas.dnsname.com:5000, nas.dnsname.com:5001 & controller.dnsname.com:8443) can be used from the LAN & the WAN.

The (cleaned) running config is also attached, where I switched back to NAT inside/outside, as the static port forwardings were again showing up not in the NVI translations but in the NAT translations.

 

Kind regards,
Wouter
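A small consistency check, added here as an example (it is not the poster's or Cisco's code), for the two things this thread turns on: the mixed domain-NAT and NVI statements in the posted running config, and whether the split-horizon DNS records described in the reply above send LAN and WAN clients to the same host:port. The WAN address is a documentation-range placeholder and the record tables and service list are constructed from the thread.

```python
import re
# Constructed sample: the NAT statements from the running config posted in the
# question. The static entries use the NVI form (no "inside"), the dynamic
# entry uses domain NAT, so the two flavours are mixed in one config.
SAMPLE_CONFIG = """\
ip nat source static tcp 192.168.0.5 5000 interface GigabitEthernet0/0 5000
ip nat source static tcp 192.168.0.4 8443 interface GigabitEthernet0/0 8443
ip nat source static tcp 192.168.0.5 5001 interface GigabitEthernet0/0 5001
ip nat inside source list 102 interface GigabitEthernet0/0 overload
"""
STATIC_RE = re.compile(
    r"^ip nat (inside )?source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)$")
DYNAMIC_RE = re.compile(r"^ip nat (inside )?source list ")

def parse_nat(config):
    """Return (forwards, modes): forwards maps (proto, wan_port) -> (lan_ip,
    lan_port); modes holds 'domain' for "ip nat inside ..." and 'nvi' otherwise."""
    forwards, modes = {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := STATIC_RE.match(line):
            inside, proto, lan_ip, lan_port, wan_port = m.groups()
            modes.add("domain" if inside else "nvi")
            forwards[(proto, int(wan_port))] = (lan_ip, int(lan_port))
        elif m := DYNAMIC_RE.match(line):
            modes.add("domain" if m.group(1) else "nvi")
    return forwards, modes

def mixed_nat_modes(config):
    """True when domain-NAT and NVI statements are mixed, as in the question."""
    return parse_nat(config)[1] == {"domain", "nvi"}

# Constructed split-horizon DNS data from the reply above. The WAN address is a
# documentation-range placeholder because the real one is DHCP-assigned.
WAN_IP = "203.0.113.10"
PUBLIC_DNS = {"nas.dnsname.com": WAN_IP, "controller.dnsname.com": WAN_IP}
LAN_DNS = {"nas.dnsname.com": "192.168.0.5", "controller.dnsname.com": "192.168.0.4"}
SERVICES = [("nas.dnsname.com", 5000), ("nas.dnsname.com", 5001),
            ("controller.dnsname.com", 8443)]

def split_dns_problems(forwards, wan_ip, public_dns, lan_dns, services):
    """List (name, port) pairs where LAN and WAN clients would not reach the same
    host:port via the split-horizon records and the WAN port forwards."""
    problems = []
    for name, port in services:
        target = forwards.get(("tcp", port))
        if (public_dns.get(name) != wan_ip or target is None
                or lan_dns.get(name) != target[0] or target[1] != port):
            problems.append((name, port))
    return problems
```

Feeding the same check a LAN record that points at the wrong host, or a missing static forward, lists the name:port pairs that would work from the internet but not from the LAN.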

Hello

Thanks for the update, however it doesn't look like you're connecting from the internal subnet to those internal hosts via their public NATted IP address, but via their internal IP address?

What you've done is just created DNS A host entries on your DNS servers - would this be correct?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul