Cisco router Port forwarding not working

devloper
Level 1

I have a webserver with IP address 192.168.5.6, and it is running on port 80. I am able to access the webserver internally at http://192.168.5.6/.

My Cisco 1921 router has an IP address of 192.168.1.99 and is connected to another router, provided by the service provider, on Gigabit port 0/1. The gateway address of the service provider router is 192.168.1.1.

I have added

"ip nat inside source static tcp 192.168.5.6 80 interface GigabitEthernet0/1 9000" on the Cisco router with the IP address 192.168.1.99. But when I try to access http://192.168.1.99:9000/, the port forwarding configuration is not working and the router is not forwarding to the webserver.

Below you can find my router configuration:

interface Embedded-Service-Engine0/0
 no ip address
 shutdown 
!         
interface GigabitEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
interface GigabitEthernet0/0.400
 encapsulation dot1Q 400
 ip address 192.168.4.100 255.255.255.0
!         
interface GigabitEthernet0/0.500
 encapsulation dot1Q 500
 ip address 192.168.5.100 255.255.255.0
!         
interface GigabitEthernet0/1
 ip address 192.168.1.99 255.255.255.0
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 duplex auto
 speed auto
!         
ip forward-protocol nd
!         
ip http server
ip http authentication local
ip http secure-server
!         
ip dns server
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 10 interface GigabitEthernet0/1 overload
ip nat inside source list 20 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.5.6 80 interface GigabitEthernet0/1 9000
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!         
ipv6 ioam timestamp
!         
!         
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.5.0 0.0.0.255
access-list 20 permit 192.168.4.0 0.0.0.255
!         
control-plane

The router is connected to a Cisco Catalyst switch on Gigabit port 0/0, and the webserver is connected to the switch with internal IP 192.168.5.6 and default gateway address 192.168.5.1. Please kindly help me to resolve the port forwarding issue on the Cisco router. I tried different configurations, like enabling NAT on interfaces and removing "ip nat inside/outside" from interfaces, but nothing seems to be working. I am able to telnet to the webserver on port 80 from the router successfully, but a telnet to 192.168.1.99:9000 is not forwarded to the webserver.


Jon Marshall
Hall of Fame

Where are you trying to access this from?

You understand that 192.168.1.x is a private IP range so will not route over the internet?

 

Jon

Yes, I know that. The plan was to set up port forwarding to the Cisco 1921 router from the service provider router, where it is assigned a public IP. Before setting up port forwarding on the service provider router, I was verifying whether the routing rule I configured on the Cisco 1921 router was working. However, I was checking whether the port forwarding was working from another machine which was behind the router where the port forwarding has been set up, by accessing http://192.168.1.99:9000/, and the traffic was not going through. I was going through some forums and found that my router will only do the port forwarding when the traffic lands from the external interface. So I attached another laptop to the service provider router and accessed http://192.168.1.99:9000/. To my surprise, the forwarding worked as expected without any change to my existing configuration.

 

 

Hello,

 

For the static NAT entry to work, the interface the server is connected to needs to be configured as 'ip nat inside':

 

interface GigabitEthernet0/0.500
encapsulation dot1Q 500
ip address 192.168.5.100 255.255.255.0

--> ip nat inside

In fact, the configuration is working without ip nat inside for GigabitEthernet0/0.500. The way I was accessing it was resulting in the issue.

Hello

I would suggest you still tidy up your NAT configuration.
You have both domain and domainless NAT enabled, which may not be impeding the connection, but it isn't viable. Also, as you are aware, you're missing NAT on the sub-interface gig0/0.500.

Suggest:
no ip nat source list 1 interface GigabitEthernet0/1 overload
no ip nat inside source list 10 interface GigabitEthernet0/1 overload
no ip nat inside source list 20 interface GigabitEthernet0/1 overload

no access-list 1
no access-list 10
no access-list 20
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
ip nat inside source list 1 interface GigabitEthernet0/1 overload

Lastly, remove IP NAT ENABLE from all the interfaces and apply IP NAT INSIDE to gig0/0.500

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you, Paul, for pointing this out. I have removed "IP NAT ENABLE" from all the interfaces. I will add "IP NAT INSIDE" to gig0/0.500. Shouldn't I add this to all the sub-interfaces? Right now both inter-VLAN access between these sub-interfaces and internet access for systems behind the router are happening without "IP NAT INSIDE" on the sub-interface. Just for my understanding, I would like to know what the downside is of not having this configured on the sub-interface.

Hello

Yes, I would suggest adding NAT to just the sub-interfaces. Be as specific as possible.
Adding it to the physical interface when you have sub-interfaces shouldn't encompass all the sub-interfaces, as these interfaces are now encapsulated and tagged. As such, I would say NAT should only work for any untagged network running on the physical interface and NOT on any sub-interface, unless, that is, you applied NAT to the sub-interfaces.



Kind Regards
Paul
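
As an added example (not part of any post in this thread, and not Cisco tooling), the following Python check looks for the three things the replies flag in the posted configuration: interfaces carrying both `ip nat enable` and `ip nat inside/outside`, global `ip nat source` rules mixed with `ip nat inside source` rules, and a static port forward whose target sits on an interface without `ip nat inside`. The function names and the trimmed sample config are constructed for illustration.

```python
import ipaddress
import re
# Constructed sample: NAT-relevant lines of the configuration posted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.2.100 255.255.255.0
 ip nat inside
 ip nat enable
interface GigabitEthernet0/0.500
 ip address 192.168.5.100 255.255.255.0
interface GigabitEthernet0/1
 ip address 192.168.1.99 255.255.255.0
 ip nat outside
 ip nat enable
ip nat source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.5.6 80 interface GigabitEthernet0/1 9000
"""

def parse_interfaces(config):
    """Return {name: {"net": IPv4Network or None, "nat": set of NAT keywords}}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m.group(1), {"net": None, "nat": set()})
        elif not line.startswith(" "):
            cur = None  # back at global configuration level
        elif cur is not None:
            if m := re.match(r" ip address (\S+) (\S+)", line):
                cur["net"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            elif m := re.match(r" ip nat (inside|outside|enable)\s*$", line):
                cur["nat"].add(m.group(1))
    return ifaces

def audit_nat(config):
    """Return a list of findings for the NAT issues raised in the thread."""
    ifaces, findings = parse_interfaces(config), []
    for name, i in ifaces.items():
        if "enable" in i["nat"] and i["nat"] & {"inside", "outside"}:
            findings.append(f"{name}: both 'ip nat enable' and 'ip nat inside/outside'")
    if re.search(r"^ip nat source ", config, re.M) and re.search(r"^ip nat (inside|outside) source ", config, re.M):
        findings.append("global: 'ip nat source' and 'ip nat inside source' rules are mixed")
    for m in re.finditer(r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) ", config, re.M):
        host = ipaddress.ip_address(m.group(1))
        for name, i in ifaces.items():
            if i["net"] and host in i["net"] and "inside" not in i["nat"]:
                findings.append(f"{name}: static forward to {host}:{m.group(2)} but no 'ip nat inside'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE_CONFIG)))
```

Running the same check over every static `ip nat inside source static` entry in a saved configuration also gives a quick inventory of which internal hosts and ports the router exposes on its outside interface.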