Port forward doesn't seem to be working on Cisco device

I have a 7206VXR running Version 12.4(12.2r)T. I have an Openfire XMPP server that needs to have port 5222 forwarded.

 

Server is 10.5.7.18. G0/1 is my WAN interface

 

I tried ip nat inside source static tcp 10.5.7.18 5222 int g0/1 5222 - when I did this, it said port 5222 is being used by system.  I assumed this was because I had first implemented a NAT overload so my subnets could get out to the internet.  I got around this by shutting the outside interface, clearing translations, and then it took the static NAT statement.

 

However, it doesn't seem to be working. sh ip nat translations doesn't show anything for 10.5.7.18:5222 and the chat server is still offline.

 

Any help would be greatly appreciated.

Accepted Solutions

I managed to fix this. The overload 10.5.7.0 0.0.0.255 in the ACL was conflicting. I adjusted the ACL to include the other servers on that subnet, but did not include the one I needed port forwarded. Then I did the static NAT with the port forward and all seems to work.  

8 Replies

There is a bug in newer XE versions; yours (12.4) is too old for that bug. Can you try to upgrade your 7206VXR to a newer IOS version (e.g. a 15.2 version)?

 

You can also try the following:

 

1. Remove all NAT statements from the configuration (static and overload)

2. Save the configuration

3. Reboot the 7206VXR

4. Configure the static NAT statement(s) first

5. Configure the NAT overload

I will try removing the NAT statements and rebooting the router. I don't have a SmartNet account for this, so I'm not sure how I would go about getting a new IOS version.

Would I also need an ACL that allows that specific port? I currently have this for my overload ACL:

 

Standard IP access list NAT
10 permit 10.5.5.0, wildcard bits 0.0.0.255 (1 match)
20 permit 10.5.6.0, wildcard bits 0.0.0.255 (1300 matches)
30 permit 10.5.7.0, wildcard bits 0.0.0.255 (31240 matches)
40 permit 192.168.50.0, wildcard bits 0.0.0.255 (61477 matches)

I removed the nat statements, the ACL, ip nat inside and outside, shut all the interfaces, rebooted the router, confirmed there was no NAT config present of any kind, re-applied the static, then the overload.  Internet works, but still not seeing the port forward happening.

I've updated the router version to Version 15.0(1)M3.  No change as of yet

I'm now seeing this
 
tcp x.x.x.x:5222      10.5.7.18:5222        ---                   ---
 
The outside global and outside local addresses aren't showing apparently

Anyone have any ideas?  I feel like I'm missing something stupid and simple

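A way to check for the overlap described in the accepted solution, as an added example that is not part of the original thread: it parses a standard ACL in the show access-lists format posted above and reports any static port-forward host that the overload ACL also permits. The function names are hypothetical, the sample input is constructed from lines quoted in the thread, and treating such an overlap as the fault follows the accepted solution's finding.

```python
import ipaddress
import re

# Constructed sample: the ACL output and static NAT line quoted in the thread.
SHOW_ACL = """\
Standard IP access list NAT
10 permit 10.5.5.0, wildcard bits 0.0.0.255 (1 match)
20 permit 10.5.6.0, wildcard bits 0.0.0.255 (1300 matches)
30 permit 10.5.7.0, wildcard bits 0.0.0.255 (31240 matches)
40 permit 192.168.50.0, wildcard bits 0.0.0.255 (61477 matches)
"""
STATIC_NAT = "ip nat inside source static tcp 10.5.7.18 5222 int g0/1 5222"

ACE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(any|[\d.]+)(?:,\s*wildcard bits\s+([\d.]+))?")
STATIC = re.compile(r"ip nat inside source static (?:tcp|udp)\s+([\d.]+)\s+(\d+)")

def parse_acl(text):
    """Return [(seq, action, addr_int, wildcard_int)] in sequence order."""
    entries = []
    for line in text.splitlines():
        m = ACE.match(line)
        if not m:
            continue  # header line or anything that is not an ACE
        seq, action, addr, wild = m.groups()
        if addr == "any":
            addr, wild = "0.0.0.0", "255.255.255.255"
        entries.append((int(seq), action, int(ipaddress.IPv4Address(addr)),
                        int(ipaddress.IPv4Address(wild or "0.0.0.0"))))
    return sorted(entries)

def first_match(entries, host):
    """First ACE matching host (wildcard bits are 'don't care'); None = implicit deny."""
    h = int(ipaddress.IPv4Address(host))
    for seq, action, addr, wild in entries:
        if (h | wild) == (addr | wild):
            return seq, action
    return None

def overlapping_static_hosts(acl_text, nat_lines):
    """Static port-forward hosts (ip, port, ACE seq) that the overload ACL also permits."""
    entries, hits = parse_acl(acl_text), []
    for line in nat_lines:
        m = STATIC.search(line)
        if m and (hit := first_match(entries, m.group(1))) and hit[1] == "permit":
            hits.append((m.group(1), int(m.group(2)), hit[0]))
    return hits

if __name__ == "__main__":
    print(overlapping_static_hosts(SHOW_ACL, [STATIC_NAT]))
```

An empty result means no static port-forward host is matched by a permit entry in the overload ACL, which is the state the accepted solution ended up in.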