09-04-2013 12:58 AM - edited 03-04-2019 08:56 PM
Hi All,
I'm wondering how I go about solving port forwarding from the LAN when using a public IP address.
I've set up a Cisco 2911 to NAT certain ports to various internal IP addresses via this command:
ip nat inside source static tcp 192.168.1.200 80 some.internet.ip.address 80 extendable
This works fine from outside (public internet) and the port is forwarded correctly.
However, any internal IPs are sent to the Cisco router instead of the 192.168.1.200 when they use the "some.internet.ip.address".
I could in theory update the DNS to use the internal IP but I'm wondering if there is another way around this? Maybe the reverse of the command?
Thanks
09-04-2013 01:16 AM
Hi,
Configuring NAT NVI should let you do NAT hairpinning like you want to.
int x/x
 no ip nat in
 ip nat enable
 no ip redirect
int y/y
 no ip nat out
 ip nat enable
 no ip redirect
no ip nat inside source static tcp 192.168.1.200 80 some.internet.ip.address 80 extendable
ip nat source static tcp 192.168.1.200 80 some.internet.ip.address 80 extendable
Regards
Alain
Don't forget to rate helpful posts.
09-04-2013 01:41 AM
Hello,
The best way to do this is to update your DNS; however, you can either configure NVI NAT or configure NAT hairpinning to make it work with legacy NAT.
sample config on NATROUTER:
interface FastEthernet0/1
 description "internal interface"
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0
 description "outside interface"
 ip address 202.2.2.1 255.255.255.252
 ip nat outside
ip nat pool public 202.2.2.129 202.2.2.254 prefix-length 25
ip nat inside source list 101 pool public overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
sample config on NATROUTER:
interface FastEthernet0/1
 description "internal interface"
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface FastEthernet0/0
 description "outside interface"
 ip address 202.2.2.1 255.255.255.252
 ip nat outside
interface Loopback0
 ip address 10.1.1.1 255.255.255.0
 ip nat outside
ip nat pool public 202.2.2.129 202.2.2.254 prefix-length 25
ip nat pool INTERNAL 10.1.1.2 10.1.1.254 prefix-length 24
ip nat inside source list 101 pool public overload
ip nat inside source static 192.168.1.200 202.2.2.222
ip nat outside source list 102 pool INTERNAL
access-list 101 deny ip 192.168.1.0 0.0.0.255 host 202.2.2.222
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 host 202.2.2.222
ip route 202.2.2.222 255.255.255.255 10.1.1.2
Thanks
Vinod
09-04-2013 03:43 AM
Thanks Cadet.
I'll give it a retry.
I'm assuming the key commands are:
no ip redirect
ip nat source static tcp 192.168.1.200 80 some.internet.ip.address 80 extendable
09-04-2013 04:23 AM
Hi Ron,
The key here is no more nat inside/nat outside, just ip nat enable on the interfaces, and no more inside keyword in the static nat. I've never tried without no ip redirect, but I think it won't work without it, if I reckon correctly.
Regards
Alain
Don't forget to rate helpful posts.
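An added example, not part of any post in this thread: a small Python check that applies the points from the replies above (`ip nat enable` on the interfaces, no `inside` keyword in the NAT rule, `no ip redirects` as suggested) to a saved running-config before testing hairpin access. The sample configs, interface names and the 203.0.113.2 address are constructed, and `audit_nvi` is a hypothetical helper name.

```python
import re

# Constructed sample configs (documentation-range public IP, made-up interface names).
LEGACY = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
ip nat inside source static tcp 192.168.1.200 80 203.0.113.2 80 extendable
"""
NVI = """\
interface GigabitEthernet0/0
 no ip redirects
 ip nat enable
interface GigabitEthernet0/1
 no ip redirects
 ip nat enable
ip nat source static tcp 192.168.1.200 80 203.0.113.2 80 extendable
"""

def audit_nvi(config):
    """Return findings that conflict with the NVI hairpin setup described in the thread."""
    ifaces, findings, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = ifaces.setdefault(m.group(1), set())
        elif re.match(r"ip nat inside source\b", line):
            findings.append(f"legacy rule, NVI form omits 'inside': {line}")
        elif current is not None and re.fullmatch(r"ip nat (inside|outside)", line):
            current.add("legacy")
        elif current is not None and line == "ip nat enable":
            current.add("nvi")
        elif current is not None and re.fullmatch(r"no ip redirects?", line):
            current.add("noredirect")  # accepts the abbreviated form used in the thread
    for name, flags in ifaces.items():
        if "legacy" in flags:
            findings.append(f"{name}: legacy 'ip nat inside/outside' still present")
        if "nvi" in flags and "noredirect" not in flags:
            findings.append(f"{name}: 'ip nat enable' without 'no ip redirects'")
    if not any("nvi" in flags for flags in ifaces.values()):
        findings.append("no interface has 'ip nat enable'")
    return findings
```

An empty list means the config matches the NVI pattern from the replies; it does not prove that hairpinning works on a given IOS release.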
01-02-2014 01:30 PM
Cadet Alain, I didn't know that the 'inside' keyword in the static nat and nat inside/nat outside are deprecated!
I ended up here after searching for a solution for accessing my local server. I wonder how someone can get a briefing when Cisco makes such major changes. It's not good to spend half an hour on something so simple.
Thanks.
01-02-2014 03:41 PM
Aristeidis,
The inside keyword is not deprecated. The way of configuring NAT without inside/outside designations is a different approach to NAT and stands in parallel to the existing NAT functionality.
Best regards,
Peter
01-04-2014 05:41 AM
Peter, sorry, I thought it was deprecated because it didn't work just in my case.