07-23-2020 06:47 AM
I have a webserver with IP address 192.168.5.6 and it is running on port 80. I am able to access the webserver internally at http://192.168.5.6/.
My Cisco 1921 router has an IP address of 192.168.1.99 and it is connected to another router provided by the service provider on the GigabitEthernet0/1 port, and the gateway address of the service provider router is 192.168.1.1.
I have added
"ip nat inside source static tcp 192.168.5.6 80 interface GigabitEthernet0/1 9000" on the Cisco router with IP address 192.168.1.99. But when I try to access http://192.168.1.99:9000/, the port forwarding configuration is not working and the router is not forwarding to the webserver.
Below you can find my router configuration :
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.400
 encapsulation dot1Q 400
 ip address 192.168.4.100 255.255.255.0
!
interface GigabitEthernet0/0.500
 encapsulation dot1Q 500
 ip address 192.168.5.100 255.255.255.0
!
interface GigabitEthernet0/1
 ip address 192.168.1.99 255.255.255.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source list 20 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.5.6 80 interface GigabitEthernet0/1 9000
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
ipv6 ioam timestamp
!
!
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.5.0 0.0.0.255
access-list 20 permit 192.168.4.0 0.0.0.255
!
control-plane
The router is connected to a Cisco Catalyst switch on Gigabit port 0/0, and the webserver is connected to the switch with internal IP 192.168.5.6 and default gateway address 192.168.5.1. Please kindly help me to resolve the port forwarding issue on the Cisco router. I tried different configurations, like enabling NAT on interfaces and removing "ip nat inside/outside" from interfaces, but nothing seems to be working. I am able to telnet to the webserver on port 80 from the router successfully, but a telnet to 192.168.1.99:9000 is not forwarded to the webserver.
07-23-2020 10:27 AM
Where are you trying to access this from?
You understand that 192.168.1.x is a private IP range, so it will not route over the internet?
Jon
07-23-2020 10:28 PM
Yes, I know that. The plan was to set up port forwarding to the Cisco 1921 router from the service provider router, where it is assigned a public IP. Before setting up port forwarding on the service provider router, I was verifying whether the routing rule I configured on the Cisco 1921 router is working. However, I was checking whether the port forwarding is working from another machine which was behind the router where the port forwarding has been set up, by accessing http://192.168.1.99:9000/, and the traffic was not going through. I was going through some forums and found that my router will only be doing the port forwarding when the traffic lands from the external interface. So I attached another laptop to the service provider router and accessed http://192.168.1.99:9000/. To my surprise, the forwarding worked as expected without any change to my existing configuration.
07-23-2020 11:00 AM
Hello,
for the static NAT entry to work, the interface the server is connected to needs to be configured as 'ip nat inside':
interface GigabitEthernet0/0.500
encapsulation dot1Q 500
ip address 192.168.5.100 255.255.255.0
--> ip nat inside
07-23-2020 10:30 PM
In fact, the configuration is working without ip nat inside for GigabitEthernet0/0.500. The way I was accessing it was resulting in the issue.
07-23-2020 10:56 PM - edited 07-23-2020 11:25 PM
Hello
I would suggest you still tidy up your NAT configuration.
You have both domain and domainless NAT enabled, which may not be impeding connection, but it isn’t viable. Also, as you are aware, you're missing NAT on the sub-interface of gig0/0 500.
Suggest:
! remove the existing domainless and per-VLAN overload rules
no ip nat source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source list 10 interface GigabitEthernet0/1 overload
no ip nat inside source list 20 interface GigabitEthernet0/1 overload
no access-list 1
no access-list 10
no access-list 20
! one ACL covering all the networks (wildcard mask 0.0.0.255 matches a /24)
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
! single domain-based overload rule using that ACL
ip nat inside source list 1 interface GigabitEthernet0/1 overload
Lastly, remove IP NAT ENABLE from all the interfaces and apply IP NAT INSIDE to gig0/0.500
07-23-2020 11:25 PM
Thank you Paul for pointing this out. I have removed "IP NAT ENABLE" from all the interfaces. I will add "IP NAT INSIDE" to gig0/0.500. Shouldn't I add this to all the sub-interfaces? Right now both inter-VLAN access between these sub-interfaces and internet access for systems behind the router are happening without "IP NAT INSIDE" on the sub-interface. Just for my understanding, I would like to know what the downside is of not having this configured on the sub-interface.
07-24-2020 12:16 AM
Hello
Yes, I would suggest adding NAT to just the sub-interfaces. Be as specific as possible.
Adding it to the physical interface when you have sub-interfaces shouldn't encompass all the sub-interfaces, as these interfaces are now encapsulated and tagged. As such, I would say NAT should only work for any untagged network running on the physical interface and NOT on any sub-interface, unless, that is, you applied NAT to the sub-interfaces.