I'm having some issues with port forwarding on my 1921 ISR. It was all working fine about a week ago... Then overnight (the ISR restarted due to a power failure) it stopped working... I've gone over my config again and again... Checked IP addresses and firewalls, and tested connecting from the LAN, and all works as expected. I just can't seem to connect from the outside -> in :(
controller VDSL 0/0/0
!
interface GigabitEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no cdp enable
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0/0/0
 mac-address 7050.afb7.c5da
 no ip address
 ip nat outside
 ip virtual-reassembly in
!
interface Ethernet0/0/0.101
 encapsulation dot1Q 101
 ip dhcp client request classless-static-route
 ip dhcp client client-id hex ************************************
 ip dhcp client hostname ************@*****|********
 ip address dhcp
 no ip redirects
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
!
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip nat inside source list 100 interface Ethernet0/0/0.101 overload
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
ip nat inside source static tcp 192.168.10.202 80 interface Ethernet0/0/0.101 8880
Thanks in advance for any help!
@Y. 'FoAmY' Vandenbossche try it;
no ip nat inside source static tcp 192.168.10.202 80 interface Ethernet0/0/0.101 8880 < certify the port
clear interface ethernet0/0/0.101
clear counters ethernet0/0/0.101
shutdown and shutdown under interface 0/0/0.101
ip nat inside source static tcp 192.168.10.202 80 interface Ethernet0/0/0.101 8880 < certify the port
maybe it is a bug
From the rtr, if you telnet to 192.168.10.202 80 source gig0/0.10, do you get a connection?
From outside, telnet again to your public IP address on port 8880.
sh ip nat translations
Shouldn't really make much difference, but can you try using another source port, maybe tcp 80, and amend the ACL to deny that host from the dynamic NAT:
access-list 100 deny ip host 192.168.10.202 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any