Solved: Fully functioning NAT on IOS, port forwarding

jacksonp2008 · ‎01-08-2016

This one has been bugging me (npi) as I believe I have it configured properly and it's a terribly simple use case.

Outside (10.2.234.x) --Router--(10.12.1.x) Inside

Outbound NAT works great with:

ip nat inside source list 1 interface GigabitEthernet0 overload

however, I also want to port forward inbound. I have a secondary address on the outbound interface:

interface GigabitEthernet0

ip address 10.2.234.3 255.255.254.0 secondary

ip address 10.2.234.2 255.255.254.0

ip nat outside

ip nat enable

This seems to create the translations:

ip nat pool PRTFWD 10.12.1.62 10.12.1.62 netmask 255.255.255.0 type rotary

ip nat inside destination list 100 pool PRTFWD

Here is an example using port 80:

show ip nat tr

Pro Inside global Inside local Outside local Outside global

tcp 10.2.234.3:80 10.12.1.62:80 10.10.120.119:64589 10.10.120.119:64589

tcp 10.2.234.3:80 10.12.1.62:80 10.10.120.119:64594 10.10.120.119:64594

So translations appear correct, but the host on browser 10.10.120.119 never gets a page back on port 80.

I must be missing something... ideas?

Masoud Pourshabanian · ‎01-09-2016

Hello,

Show IP nat translations shows that NAT is working correctly. You do not need the extendable at the end of the command. Please post your latest configuration so that I can take a look.

Your web server is on port 80 and also has default gateway which is 10.12.1.253. Correct?

Masoud

View solution in original post

Masoud Pourshabanian · ‎01-08-2016

Hello,

First, you need to correct your access-list

ip nat inside source list 1 interface GigabitEthernet0 overload

I do not see any access-list 1 in your configuration

And then for inbound port forwarding you need to use static NAT.

Something like this. Just add this line to your configuration

IP NAT inside source static tcp [your real server address] [port] 10.12.1.62 80

And remove your destination nat

Hope it helps

Masoud

jacksonp2008 · ‎01-09-2016

That does help Masoud, thank-you.

I must have dropped the ACL for outbound, working now.

My inbound is still not working however using static, here is what I have:

ip nat inside source static tcp 10.12.1.62 80 10.2.234.2 80 extendable

(10.12.1.62 is my real inside web server and it is answering on 80 )

(10.2.234.2 is the external interface address on my router)

It creates the translations:

Pro Inside global Inside local Outside local Outside global

tcp 10.2.234.2:80 10.12.1.62:80 10.10.120.80:64442 10.10.120.80:64442

tcp 10.2.234.2:80 10.12.1.62:80 10.10.120.80:64443 10.10.120.80:64443

tcp 10.2.234.2:80 10.12.1.62:80 --- ---

But no data is passed... , I tried a few other ports as well like ssh, etc. any other ideas?

Masoud Pourshabanian · ‎01-09-2016

Hello,

Show IP nat translations shows that NAT is working correctly. You do not need the extendable at the end of the command. Please post your latest configuration so that I can take a look.

Your web server is on port 80 and also has default gateway which is 10.12.1.253. Correct?

Masoud

jacksonp2008 · ‎01-09-2016

Great! If NAT is correct that's what I needed to know.

Note: "extendable" is inserted by IOS, I did not add that. Must be the default.

Thanks!!

Masoud Pourshabanian · ‎01-09-2016

You are most welcome.