Cisco ISR900 series - How to forward port x to port y

matthijsvr
Level 1

Good day,

I am using a Cisco ISR921-4P to connect an OT network (LAN side) to an IT network (WAN side) using PAT. I want to forward traffic from the IT network to a set of OPC UA servers on the OT side of the network. There are two server machines, but the OPC UA servers on those machines both use the same port (it is a redundant set; the settings for machine 1 are copied to machine 2, and it is not possible to set them up with different ports).

So:
Machine 1 OPC UA: 172.16.0.1:51800
Machine 2 OPC UA: 172.16.0.2:51800

I have added the following line to the router to allow NAT and to forward the traffic:

ip nat inside source static tcp 172.16.0.1 51800 interface GigabitEthernet4 51800
ip nat inside source static tcp 172.16.0.2 51800 interface GigabitEthernet4 51801
ip nat inside source list 102 interface GigabitEthernet4 overload

I am able to browse the OPC UA server on the first machine from the IT network (using W.A.N.IP:51800). However, I am not able to browse the second machine's OPC UA server (using W.A.N.IP:51801; I see TCP packet retransmissions).
From the LAN side there are no problems browsing either of them (using 172.16.0.1:51800 and 172.16.0.2:51800).

To me it seems the port forward might not be able to remap the port; is that correct?
Am I missing something?

Accepted Solution

balaji.bandi
Hall of Fame

At a high level, I do not believe there is any limitation here, as far as I know.

ip nat inside source static tcp 172.16.0.2 51800 interface GigabitEthernet4 51801

Even though the end servers have the same port, your port forwarding uses a different port on the interface; I do not believe that is an issue at all.

A couple of things to test:

1. 172.16.0.2:51800 - is this port open, and does it work locally in the same network?

2. Is there any FW on the device which is stopping the connection?

3. Is there any ACL on the router which is stopping the connection?

4. show ip nat translation (do you see that translation when you initiate the traffic?)

I see TCP packet retransmission - can you post the debug logs?


BB


2 Replies


Thank you for your suggestions.

As most of the time, the error was between the keyboard and chair...

Turns out there was no gateway set up on the second machine, so the machine was not able to respond to the request from outside the LAN network.

I found out by simply reversing the routed ports, i.e. going from 51801 to 51800 on machine 1, which was working fine.

Sometimes you just need to be asked the right questions to find the solution yourself. Thanks again.
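The thread above shows two separate things: that static PAT can map two different outside ports onto the same inside port (the router was never the problem), and that an inside host without a default gateway silently breaks the forward because its SYN/ACK has no route back to an off-link client. The following is an added example, not code from the thread or from Cisco: a small Python model that parses the three `ip nat inside source` lines quoted in the question, flags the one real configuration conflict such a setup can have (two statics claiming the same interface port), and simulates the inbound connection for each forwarded port against hosts with and without a gateway. The IT-side client 10.10.10.50, the LAN gateway 172.16.0.254 and the "no gateway" host state are constructed assumptions; the IOS lines are the ones on the page.

```python
"""Model of static PAT port forwarding and the missing-gateway failure mode.

Added example; not the thread's or Cisco's code. Addresses other than the
NAT lines quoted from the question are constructed placeholders.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# The three NAT lines exactly as quoted in the question.
NAT_CONFIG = """
ip nat inside source static tcp 172.16.0.1 51800 interface GigabitEthernet4 51800
ip nat inside source static tcp 172.16.0.2 51800 interface GigabitEthernet4 51801
ip nat inside source list 102 interface GigabitEthernet4 overload
"""

# Matches only the static PAT form used on the page; the overload line is skipped.
STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$"
)

Key = Tuple[str, int]            # (protocol, outside port on the WAN interface)
Target = Tuple[str, int]         # (inside IP, inside port)


def parse_static_pat(config: str) -> Dict[Key, Target]:
    """Build {(proto, outside_port): (inside_ip, inside_port)} from IOS lines.

    Raises ValueError if two statics claim the same interface port, which is
    the conflict the original poster was worried about (and did not have).
    """
    table: Dict[Key, Target] = {}
    for raw in config.strip().splitlines():
        m = STATIC_RE.match(raw.strip())
        if not m:
            continue
        proto, in_ip, in_port, _iface, out_port = m.groups()
        key = (proto, int(out_port))
        if key in table:
            raise ValueError(f"outside port {out_port}/{proto} is used twice")
        table[key] = (in_ip, int(in_port))
    return table


@dataclass
class Host:
    ip: str
    prefix: str                  # on-link network, e.g. "172.16.0.0/24"
    gateway: Optional[str]       # None models "no default gateway configured"

    def can_reply_to(self, dst: str) -> bool:
        """Without a gateway a host can only answer on-link addresses."""
        if ipaddress.ip_address(dst) in ipaddress.ip_network(self.prefix):
            return True
        return self.gateway is not None


def forward(table: Dict[Key, Target], hosts: Dict[str, Host],
            client_ip: str, proto: str, dst_port: int) -> str:
    """Simulate one inbound SYN to WAN:dst_port and the server's reply.

    The router rewrites only the destination; the source stays the client,
    so the server's SYN/ACK must be routable back off the LAN.
    """
    entry = table.get((proto, dst_port))
    if entry is None:
        return "no translation"
    in_ip, in_port = entry
    if not hosts[in_ip].can_reply_to(client_ip):
        return f"forwarded to {in_ip}:{in_port}, reply dropped (no route back)"
    return f"forwarded to {in_ip}:{in_port}, reply reaches client"


def demo(client_ip: str = "10.10.10.50") -> Dict[int, str]:
    """Run the thread's scenario: machine 2 has no gateway (the real fault)."""
    table = parse_static_pat(NAT_CONFIG)
    hosts = {
        "172.16.0.1": Host("172.16.0.1", "172.16.0.0/24", gateway="172.16.0.254"),
        "172.16.0.2": Host("172.16.0.2", "172.16.0.0/24", gateway=None),
    }
    return {p: forward(table, hosts, client_ip, "tcp", p) for p in (51800, 51801, 51802)}


if __name__ == "__main__":
    print("client on the IT network:")
    for port, result in demo().items():
        print(f"  WAN:{port} -> {result}")
    print("client on the LAN (172.16.0.100):")
    for port, result in demo("172.16.0.100").items():
        print(f"  WAN:{port} -> {result}")
```

Running it reproduces the symptom from the question: port 51800 answers, port 51801 is forwarded correctly but the reply never leaves machine 2, which on the wire looks like the client's retransmissions; with a LAN-side client both hosts answer, just as the poster observed. In a real troubleshooting session the equivalent check is step 4 of the accepted answer, `show ip nat translations`: a translation entry appears (the router did its part) while no return traffic follows.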
