Cisco ISR 4321 port forward not working

j947561905
Level 1
Hello,
I have recently gotten into Cisco and I am struggling to open a few ports on my Cisco ISR 4321 router.
 
Port forward of 8920 does not forward however 3389 does work. Any ideas what is wrong?
Currently I have tried the commands:
ip nat inside source static tcp 192.168.16.240 8920 zzz.zzz.zzz.zzz 8920 extendable
But I have also tried:
ip nat inside source static tcp 192.168.16.240 8920 interface Dailer1 8920
and
ip nat inside source static tcp 192.168.16.240 8920 interface GigabitEthernet 0/0/1 8920
!
interface GigabitEthernet0/0/0
 ip address 192.168.16.254 255.255.255.0
 ip nat inside
 negotiation auto
 spanning-tree portfast disable
!
interface GigabitEthernet0/0/1
 description Primary_
 no ip address
 ip mtu 1492
 ip nat outside
 ip tcp adjust-mss 1412
 media-type rj45
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 spanning-tree portfast disable
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 negotiation auto
!
interface Dialer1
 ip address negotiated
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1412
 dialer pool 1
 dialer idle-timeout 0
 dialer persistent
 dialer-group 1
 ppp mtu adaptive
 ppp authentication chap pap callin
 ppp chap hostname zzzzzz@zzzzz
 ppp chap password 0 zzzzzzzzz
 ppp pap sent-username zzzz@zzz password 0 zzz
 ppp ipcp dns request
!
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
ip nat inside source static tcp 192.168.16.240 8920 zzz.zzz.zzz.zzz 8920 extendable
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.16.0 255.255.255.0 Dialer1
!
!
!
ip access-list extended 100
 30 permit ip 192.168.16.0 0.0.0.255 any
ip access-list extended 197
dialer-list 1 protocol ip permit
!
!
route-map track-primary-if permit 1
 match ip address 197
 set interface Dialer1
!
4 Replies

TJ-20933766
Spotlight

You say that 3389/tcp is working just fine? I'm assuming that you only did it for testing and then removed the configuration?

Can you verify that 8920/tcp is allowed on whatever that host on the inside is? Sometimes the host firewall is the culprit and not the actual configuration of the router. You can verify that the translation is working by performing the following command:

show ip nat statistics

Look for increasing numbers on the "Hits".

Hello, thank you for helping. Yes, TCP 3389 does work when I open the port.

I have run that command. Below is the output:

r1#show ip nat statistics
Total active translations: 576 (2 static, 574 dynamic; 576 extended)
Outside interfaces:
GigabitEthernet0/0/1, Dialer1, Virtual-Access2
Inside interfaces:
GigabitEthernet0/0/0
Hits: 93773923 Misses: 501476
Expired translations: 500889
Dynamic mappings:
-- Inside Source
[Id: 3] access-list 100 interface Dialer1 refcount 577
nat-limit statistics:
max entry: max allowed 0, used 0, missed 0
In-to-out drops: 0 Out-to-in drops: 131955
Pool stats drop: 0 Mapping stats drop: 0
Port block alloc fail: 0
IP alias add fail: 0
Limit entry add fail: 0
Outside global interfaces count: 2


I checked the hits bit and the number is going up.
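
The "look for increasing Hits" check above can be made concrete by comparing two captures of `show ip nat statistics`. This is an added example, not part of the original posts: the first capture reuses the values quoted in the thread, the second is a constructed sample, and the function names are hypothetical.

```python
import re

# Counters worth comparing between two runs of "show ip nat statistics".
FIELDS = {
    "hits": r"Hits:\s*(\d+)",
    "misses": r"Misses:\s*(\d+)",
    "expired": r"Expired translations:\s*(\d+)",
    "in_to_out_drops": r"In-to-out drops:\s*(\d+)",
    "out_to_in_drops": r"Out-to-in drops:\s*(\d+)",
    "static": r"\((\d+) static",
    "dynamic": r"(\d+) dynamic",
}

def parse_nat_stats(text):
    """Return the counters found in one capture; absent ones are omitted."""
    out = {}
    for name, pattern in FIELDS.items():
        m = re.search(pattern, text)
        if m:
            out[name] = int(m.group(1))
    return out

def delta(before, after):
    """Per-counter change between two captures (counters present in both)."""
    return {k: after[k] - before[k] for k in before if k in after}

# BEFORE: values quoted in the thread. AFTER: constructed sample, as if taken
# after one connection attempt to tcp/8920 from outside.
BEFORE = """Total active translations: 576 (2 static, 574 dynamic; 576 extended)
Hits: 93773923 Misses: 501476
Expired translations: 500889
In-to-out drops: 0 Out-to-in drops: 131955
"""
AFTER = """Total active translations: 580 (2 static, 578 dynamic; 580 extended)
Hits: 93774410 Misses: 501481
Expired translations: 500890
In-to-out drops: 0 Out-to-in drops: 131958
"""

def report(before_text, after_text):
    d = delta(parse_nat_stats(before_text), parse_nat_stats(after_text))
    # Hits is router-wide: with hundreds of dynamic translations it grows
    # regardless of the forwarded port, so the drop counter is shown beside it.
    return {"hits": d["hits"], "out_to_in_drops": d["out_to_in_drops"],
            "static_entries_changed": d["static"] != 0}

if __name__ == "__main__":
    print(report(BEFORE, AFTER))
```
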

Hello,

You could try and block the port from being used for overloading:

ip nat settings interface-overload block port tcp 8920

Hello
Is the NAT device open for TCP 8920?
Try removing the static route pointing your LAN subnet via its WAN interface, and also remove that specific host from the global NAT:

no ip route 192.168.16.0 255.255.255.0 Dialer1
ip access-list extended 100
 10 deny tcp host 192.168.16.240 any eq 8920


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul