01-27-2012 01:06 AM - edited 03-04-2019 03:02 PM
On our Cisco 1941, we have 2 gigabit ethernet ports and a 4 port fast ethernet switch EHWIC card configured as follows:
GigabitEthernet0/0 131.x.x.81 255.255.255.248 - internal
GigabitEthernet0/1 131.y.y.234 255.255.255.252 - WAN
Vlan2 192.168.0.249 255.255.255.0 - LAN2, NAT inside
Vlan100 161.z.z.222 255.255.255.248 - WAN SIP, NAT outside
FastEthernet0/0/0 Access mode, Vlan 2
FastEthernet0/0/3 Access mode, Vlan 100
What I'm trying to get working is incoming NAT, aka port forwarding. Outgoing is fine - machines on the 192.168.0.x subnet can browse out, and IP address web sites show 161.z.z.222, as expected. I can also ping 161.z.z.222. However, incoming NAT I can't seem to get working.
The NAT is set up as:
ip nat inside source list 2 interface Vlan100 overload
ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable
ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable
And I have even tried:
ip nat outside source static 161.z.z.222 192.168.0.247
I have tested using some UDP packet sending/receiving software (which works through another router), and the packets just aren't getting through. Likewise trying to telnet into the external IP on port 80 doesn't get through to the destination server.
It feels like the route doesn't exist between the Vlan 100 and Vlan 2 when it's coming in, or maybe there's an ACL needed for the incoming traffic? I'm pretty new to Cisco routers, so be gentle :-]
Any suggestions would be appreciated.
01-27-2012 01:49 AM
Hi,
do this:
clear ip nat trans *
no ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable
no ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable
ip nat inside source static tcp 192.168.0.247 80 161.z.z.222 80 extendable
ip nat inside source static udp 192.168.0.247 6000 161.z.z.222 6000 extendable
Regards.
Alain
01-27-2012 05:16 AM
Hi,
ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable
This is not the right procedure for a static NAT or one-to-one NAT.
ip nat inside source static tcp 192.168.0.247 80 161.z.z.222 80 extendable
This is how it should be done for one-to-one NAT.
You need to NAT the private IP to the public IP, not the public IP to the private IP.
Please rate all the helpful posts.
Regards,
Naidu.
01-27-2012 11:51 PM
Thanks to both of you, it worked perfectly.
It seemed illogical to me that these would be an "inside to outside" rule. I guess the way to think of it is that you're "advertising" the inside port to the outside world.
Now, if only there were a way to add a port range for the 60 UDP ports I need to add... I think I'll write a batch file, to put the commands into a text file, then use good old copy and paste.
Cheers,
Phill
01-28-2012 01:49 AM
Hi,
let's suppose you want to "publish" udp ports 100-200 from 192.168.1.1 to outside world with public address 70.x.x.x
then you can do it like that:
access-list 199 permit udp any any range 100 200
route-map RANGE
match ip address 199
ip nat inside source static udp 192.168.1.1 70.x.x.x route-map RANGE
Regards.
Alain
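Added example, not from any poster in this thread: a small Python helper that rewrites the "outside source static" lines from the original post into the "inside source static" form Alain and Naidu recommend, expands a contiguous port range into one static line per port (the batch-file approach Phill mentions), and emits the route-map variant exactly as Alain posted it. The sample config lines are the ones quoted in the thread; the ACL number and route-map name default to Alain's 199 and RANGE and are assumptions.

```python
import re

# Constructed sample input: the two static lines from the original (non-working) post.
WRONG_LINES = [
    "ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable",
    "ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable",
]

# Matches: ip nat outside source static <proto> <public> <port> <private> <port> [extendable]
OUTSIDE_RE = re.compile(
    r"^ip nat outside source static (tcp|udp) (\S+) (\d+) (\S+) (\d+)( extendable)?$"
)


def fix_outside_static(line):
    """Rewrite a public->private 'outside source static' line into the
    private->public 'inside source static' form. Non-matching lines are returned as-is."""
    m = OUTSIDE_RE.match(line.strip())
    if not m:
        return line
    proto, pub, pub_port, priv, priv_port, ext = m.groups()
    return f"ip nat inside source static {proto} {priv} {priv_port} {pub} {pub_port}{ext or ''}"


def expand_ports(proto, inside_ip, outside_ip, first, last):
    """One 'inside source static' line per port, suitable for pasting into config mode."""
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must lie within 1-65535 and be ordered")
    return [
        f"ip nat inside source static {proto} {inside_ip} {p} {outside_ip} {p} extendable"
        for p in range(first, last + 1)
    ]


def port_range_nat(proto, inside_ip, outside_ip, first, last, acl=199, rmap="RANGE"):
    """Route-map based variant for a port range, in the form Alain posted."""
    if not (1 <= first <= last <= 65535):
        raise ValueError("port range must lie within 1-65535 and be ordered")
    return [
        f"access-list {acl} permit {proto} any any range {first} {last}",
        f"route-map {rmap}",
        f" match ip address {acl}",
        f"ip nat inside source static {proto} {inside_ip} {outside_ip} route-map {rmap}",
    ]


if __name__ == "__main__":
    for line in WRONG_LINES:
        print(fix_outside_static(line))
    print("\n".join(expand_ports("udp", "192.168.0.247", "161.z.z.222", 6000, 6002)))
```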