Cisco 1941 Router NAT Problem

Erkut Oztekin · ‎07-16-2014

Hi,

Just to give one example on my local web server ip 192.168.1.237 from outside the web server on port 80 with port 80 i want to be redirected to

"ip nat inside source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80"

and

"ip nat inside source static tcp 192.168.1.237 80 interface x.x.x.x 80 extendable"

i tried as, opened ports but not not redirected

believes that caused server. But both of these existing linksys E4200 router port forwarding is working with. In the same way as I did for the camera does not reach the DVR.

Firstly, I think you need to resolve the DNS server. I'm nat inside her like this;

"ip nat inside source static tcp 192.168.1.227 53 interface GigabitEthernet0/0 53"

Port 53 opened but not redirected

Do you think that might cause or DNS server needs to be done for something different?

My config file is;

http://pastie.org/9395740#

ghostinthenet · ‎07-17-2014

If you're forwarding DNS via NAT for queries, you need to forward 53/udp and not 53/tcp. 53/tcp is used for DNS zone transfers between servers.

Try this:

ip nat inside source static udp 192.168.1.227 53 interface GigabitEthernet0/0 53

If you want to test the actual NAT for the web server, try connecting via GigabitEthernet0/0's IPv4 address with either a web browser or a telnet client using port 80/tcp. That will test the web server forwarding without relying on DNS.

Erkut Oztekin · ‎07-17-2014

I've tried everything did not work

ghostinthenet · ‎07-17-2014

I found one more problem.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

With broadcast interfaces, this should point to your default gateway from your ISP rather than the interface. Pointing to the interface relies on the ISP's device performing proxy ARP, which most don't do.

Try this, substituting the default gateway assigned by your ISP for x.x.x.x.

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 x.x.x.x

Erkut Oztekin · ‎07-17-2014

Thanks for your help, i'll try it tomorrow

ghostinthenet · ‎07-17-2014

What result did you get when you attempted to telnet to the outside IP address on port 80/tcp from an outside network?

Erkut Oztekin · ‎07-21-2014

thank you from outside connection its ok, NAT's is work, I noticed when trying to telnet but by using the domain name in local not connected, using from local ip address "192.168.1.237" connection is provided

ghostinthenet · ‎07-21-2014

This is a limitation of standard NAT configurations on IOS. You can't establish a connection from the inside NAT network to the outside NAT IP address and have it come back inside to the inside NAT network again. This is called "hairpin NAT" and doesn't work (without some fairly advanced hacking) with standard NAT.

If you need this to work, you can replace your standard NAT configuration with a NAT Virtual Interface (NVI) configuration that supports hairpinning.

To do this, you would change your configuration as follows:

interface GigabitEthernet0/0
 no ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 no ip nat inside
 ip nat enable
!
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80
ip nat source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80

Erkut Oztekin · ‎07-23-2014

I can not connect to the internet in this way change...

how to configuration interface loopback...

ghostinthenet · ‎07-23-2014

It looks like your ACL for NAT may be getting in the way by applying NAT rules to more traffic than it should. Sorry for missing that.

Let's address this with the NVI configuration:

no access-list 1 permit any
no ip nat source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended ACL_NAT
 permit ip 192.168.1.0 0.0.0.255 any
ip nat source list ACL_NAT interface GigabitEthernet0/0 overload

I don't see any loopback interface in your configuration, so I'm not quite understanding what you mean by that portion of your comment. Can you please clarify?