Port forward issue

mohammad saeed
Level 5

Hi Guys,

I set up port forwarding to the Fortigate on my 2951 Internet gateway, but when I use my public IP it takes me to the Internet gateway, not to the Fortigate firewall!

Here is my configuration:

interface GigabitEthernet0/0
 ip address XXXXXX
 ip nat enable
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.60.20.2 255.255.255.0   ! connected to firewall
 ip nat enable
 ip nat inside
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.60.20.1 443 XXXXXX 443 extendable
ip nat inside source static tcp 10.60.20.1 500 XXXXX 500 extendable
ip nat inside source static tcp 10.60.20.1 10443 XXXXX 10443 extendable
ip nat inside source static tcp 10.60.20.1 4500 XXXXX 4500 extendable
ip route 0.0.0.0 0.0.0.0 XXXXX

Any ideas, please?

Thank you :)

Mohammad 


Elliott Willink
Level 1

You are using both "ip nat enable" and "ip nat inside/outside". I've never tried using both at the same time, but without labbing it up (and assuming you have access-list 1 in place and your statements with IPs are correctly addressed) the rest of the config looks fine, and I would guess the "ip nat enable" is potentially overruling the "ip nat inside/outside" commands, and therefore your port forwards (whose syntax works with the nat inside/outside commands) are not coming into play.

I would remove the "ip nat enable" commands, and also turn off the ip http server (though the static nat/port forwards should overrule this):

interface GigabitEthernet0/0
 no ip nat enable
!
interface GigabitEthernet0/1
 no ip nat enable
!
no ip http server

Hi Elliott,

I did that:

no ip nat enable
no ip http server

but I still can't access it!

Do I need to open these ports on the 2951 GW?

Can you dump the whole config?

GW1#show run
Building configuration...

Current configuration : 3865 bytes
!
! Last configuration change at 12:41:10 UTC Sun Jan 31 2016 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW1
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
enable password adminmanager
!
no aaa new-model
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1038393723
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1038393723
revocation-check none
rsakeypair TP-self-signed-1038393723
!
!
crypto pki certificate chain TP-self-signed-1038393723
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303338 33393337 3233301E 170D3132 31303130 30373534
33315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30333833
39333732 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CA57 324F95FE D4CDCA5D D0B8CC9A 0DF04F1E E56F74F6 60E8D4BE 29B439C5
980C8ABE 82AD6FBC 8B92E010 C64E292C 0E00337D 31873A55 8980C948 87814322
451056AC E32FFAAF 6B4443C7 C3881072 77A36865 384D6AF8 3ABA888D 7B7F5C9C
62304DC0 D99EA270 A82B340A 5D0FF570 3DB28C6B 03C6F867 CFAA56A2 53D92E3B
C6C50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14D888B7 00E31C0A 82F119A6 7E7B3B6F 8DF14AEC A8301D06
03551D0E 04160414 D888B700 E31C0A82 F119A67E 7B3B6F8D F14AECA8 300D0609
2A864886 F70D0101 05050003 81810074 1D35DE79 23C03E7C 7D86E55A E3BACED1
2736DB78 B012359F 1E78C0FD 1F9D48AD 2F458B48 225E845E E362A7F0 14D23252
7FD846A3 F3F08CD2 247A531C 3F7E8472 73369619 78CB55F2 00B42378 010772B1
C05DDCD8 9BC3F5DF 85E475D5 1B4E434A 7F0ECB34 366167A4 683D6ABA 10A8C86B
3729E02C 0D56E6BB 869EB93D 55EB5E
quit
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name xxxxxx
ip name-server xxxxxx
ip name-server xxxxxx
!
multilink bundle-name authenticated
!
!
license udi pid CISCO2951/K9 sn FGL164112E4
!
!
username 12345 privilege 15 password 0 12345
!
redundancy
!
!
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address xxxxxx 255.255.255.254
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 10.60.20.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
duplex auto
speed auto
!
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.60.20.1 443 xxxxxx 443 extendable
ip nat inside source static tcp 10.60.20.1 500 xxxxxx 500 extendable
ip nat inside source static tcp 10.60.20.1 10443 xxxxxx 10443 extendable
ip nat inside source static tcp 10.60.20.1 4500 xxxxxx 4500 extendable
ip route 0.0.0.0 0.0.0.0 xxxxxx 2
!
access-list 1 permit any
!
!
!
!
!
snmp-server group NCSGW v3 auth
snmp-server host 10.60.1.90 version 3 auth gwuser
!
control-plane
!
!
!
line con 0
login local
transport preferred ssh
speed 115200
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input telnet ssh
line vty 5 15
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
end

I'm assuming your Fortigate's inside address is 10.60.20.1? Give this a shot:

no access-list 1
access-list 1 permit 10.60.20.0 0.0.0.255

I changed the access list and still no access!

Strange, I can't fault the config now. Looks like it may be an issue with your Fortigate configuration.


Can you confirm that the Fortigate is on 10.60.20.1, has its gateway set to 10.60.20.2, has internet access, and is not firewalling/blocking traffic from the outside?

The only other thing I could suggest is turning NAT off and back on (or just writing the config and rebooting). There may be some strangeness left over from having NVI-based NAT and legacy NAT (inside/outside) enabled at the same time, on the same interface.
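The checks raised across this thread (NVI "ip nat enable" mixed with legacy "ip nat inside/outside", the overload ACL being "permit any", the router's own HTTP service sitting on a forwarded port, and static rules whose inside or global address doesn't line up with the NAT interfaces) can be run mechanically against a running-config. The script below is an added example, not code from the original post or from Cisco. The sample config is constructed from the snippets posted above: 203.0.113.10 stands in for the redacted public address and "ip http secure-server" is assumed on in the "before" version (the posted show run has it off). It also flags one thing the thread never mentions but which matters for the Fortigate's VPN: ports 500 (ISAKMP/IKE) and 4500 (IPsec NAT-T) are UDP, and the posted rules forward them as tcp, so they can never match a VPN peer.

```python
"""Lint Cisco IOS NAT port-forward config for the mistakes discussed in this thread.
Added example (not from the post or from Cisco). Sample config is constructed from the
posted snippets; 203.0.113.10 stands in for the redacted public address (assumption)."""
import ipaddress
import re

# These well-known ports are UDP; a "static tcp" rule for them never matches VPN traffic.
UDP_ONLY_PORTS = {500: "ISAKMP/IKE", 4500: "IPsec NAT-T"}

STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<local>\S+) (?P<lport>\d+) "
    r"(?P<global>interface \S+|\S+) (?P<gport>\d+)")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (?P<acl>\S+) interface \S+ overload")

def parse_interfaces(lines):
    """Map interface name -> {"ip": IPv4Interface or None, "nat": set of nat keywords}."""
    ifaces, cur = {}, None
    for line in lines:
        m = re.match(r"^interface (\S+)", line)
        if m:
            cur = ifaces.setdefault(m.group(1), {"ip": None, "nat": set()})
            continue
        if cur is None:
            continue
        if line == "!":  # IOS ends each interface stanza with "!"
            cur = None
            continue
        m = re.match(r"^ip address (\S+) (\S+)$", line)
        if m:
            cur["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line in ("ip nat inside", "ip nat outside", "ip nat enable"):
            cur["nat"].add(line.split()[-1])
    return ifaces

def lint_nat(config_text):
    """Return [(severity, message)] for the NAT-related parts of a running-config."""
    lines = [l.strip() for l in config_text.splitlines()]
    ifaces = parse_interfaces(lines)
    findings = []
    # 1. NVI NAT ("ip nat enable") mixed with legacy domain NAT on the same interface.
    for name, d in ifaces.items():
        if "enable" in d["nat"] and d["nat"] & {"inside", "outside"}:
            findings.append(("error", f"{name}: 'ip nat enable' (NVI) mixed with 'ip nat inside/outside'"))
    inside_nets = [d["ip"].network for d in ifaces.values() if "inside" in d["nat"] and d["ip"]]
    outside_ips = {str(d["ip"].ip) for d in ifaces.values() if "outside" in d["nat"] and d["ip"]}
    # 2. Static port forwards: protocol, inside subnet, outside address, clash with router services.
    for line in lines:
        m = STATIC_RE.match(line)
        if not m:
            continue
        lport, gport, local, glob = int(m["lport"]), int(m["gport"]), m["local"], m["global"]
        if m["proto"] == "tcp" and lport in UDP_ONLY_PORTS:
            findings.append(("error", f"{line}: port {lport} is {UDP_ONLY_PORTS[lport]} (UDP), not tcp"))
        if not any(ipaddress.IPv4Address(local) in n for n in inside_nets):
            findings.append(("warning", f"{line}: {local} is not on an 'ip nat inside' subnet"))
        if not glob.startswith("interface") and glob not in outside_ips:
            findings.append(("warning", f"{line}: {glob} is not an 'ip nat outside' address"))
        if (gport == 80 and "ip http server" in lines) or (gport == 443 and "ip http secure-server" in lines):
            findings.append(("info", f"{line}: the router's own HTTP service also listens on {gport}; disable it"))
    # 3. Overload ACL: 'permit any' PATs whatever shows up on an inside interface.
    for line in lines:
        m = OVERLOAD_RE.match(line)
        if m and f"access-list {m['acl']} permit any" in lines:
            findings.append(("warning", f"access-list {m['acl']} is 'permit any'; restrict it to the inside subnet"))
    return findings

# Constructed from the first post (public address replaced, 'ip http secure-server' assumed on).
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 ip address 203.0.113.10 255.255.255.254
 ip nat enable
 ip nat outside
!
interface GigabitEthernet0/1
 ip address 10.60.20.2 255.255.255.0
 ip nat enable
 ip nat inside
!
ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.60.20.1 443 203.0.113.10 443 extendable
ip nat inside source static tcp 10.60.20.1 500 203.0.113.10 500 extendable
ip nat inside source static tcp 10.60.20.1 10443 203.0.113.10 10443 extendable
ip nat inside source static tcp 10.60.20.1 4500 203.0.113.10 4500 extendable
access-list 1 permit any
"""

# The same config with the fixes applied: legacy NAT only, UDP for IKE/NAT-T,
# HTTPS service off, overload ACL limited to the firewall subnet.
FIXED_CONFIG = (POSTED_CONFIG.replace(" ip nat enable\n", "")
                .replace("static tcp 10.60.20.1 500 ", "static udp 10.60.20.1 500 ")
                .replace("static tcp 10.60.20.1 4500 ", "static udp 10.60.20.1 4500 ")
                .replace("ip http secure-server", "no ip http secure-server")
                .replace("access-list 1 permit any", "access-list 1 permit 10.60.20.0 0.0.0.255"))

if __name__ == "__main__":
    for sev, msg in lint_nat(POSTED_CONFIG):
        print(f"[{sev}] {msg}")
    print("fixed config findings:", lint_nat(FIXED_CONFIG))
```

Run it against the text of "show run" saved to a file and it reports the NVI/legacy mix on both interfaces, the two tcp rules for UDP ports, the open overload ACL and the HTTPS clash; the corrected config comes back clean. The parser only understands the handful of NAT lines the thread uses, so treat an empty result as "none of these particular mistakes", not as a full review.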

I noticed this in show ip nat translations:

GW1#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp xxxxxxx:443 10.60.20.1:443 --- ---
tcp xxxxxxx 10.60.20.1:500 --- ---
tcp xxxxxxx 10.60.20.1:4500 --- ---
tcp xxxxxxx 10.60.20.1:10443 --- ---

There is no translation!!!
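The four rows above are the configured static mappings themselves. IOS lists a static entry with "---" in both outside columns from the moment it is configured; a second, extended row with the outside client's address only appears once a packet from outside has actually matched the mapping. So "no translation" here means no flow has reached the mapping yet, which is consistent with the connection landing on the router itself. The script below is an added example, not code from the original post or from Cisco, that parses this output and reports which static mappings have never been hit. The sample output is constructed, with 203.0.113.10 as the router's public address and 198.51.100.7 / 192.0.2.80 as outside hosts (all assumptions); it also shows the 500/4500 entries as udp, which is what the mappings should be for IKE and NAT-T.

```python
"""Summarize 'show ip nat translations': configured static mappings versus the extended
entries that appear only once a flow has matched them. Added example, not from the post;
the sample output is constructed (203.0.113.10 = router public address, 198.51.100.7 and
192.0.2.80 = outside hosts, all assumptions), modelled on the output posted above."""
import re

# Columns: Pro, Inside global, Inside local, Outside local, Outside global.
ROW_RE = re.compile(r"^(?P<proto>tcp|udp|icmp)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)$")

def parse_translations(output):
    """Return one dict per translation row, tagged kind='static' or kind='active'."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # header line, blank lines, anything that is not a translation row
        d = m.groupdict()
        # A static mapping shows '---' in both outside columns until traffic matches it.
        d["kind"] = "static" if d["ol"] == "---" and d["og"] == "---" else "active"
        rows.append(d)
    return rows

def summarize(output):
    """Key (proto, inside global) -> static? / inside local / active flow count / peers."""
    summary = {}
    for r in parse_translations(output):
        key = (r["proto"], r["ig"])
        entry = summary.setdefault(key, {"static": False, "inside_local": r["il"], "active": 0, "peers": []})
        if r["kind"] == "static":
            entry["static"] = True
        else:
            entry["active"] += 1
            entry["peers"].append(r["og"])
    return summary

def unused_mappings(output):
    """Static mappings that no outside flow has hit, sorted for stable output."""
    return sorted(k for k, v in summarize(output).items() if v["static"] and v["active"] == 0)

# Constructed sample: four static mappings, one of them in use by an outside client,
# plus one dynamic PAT entry from an inside host browsing out (no static row for it).
SAMPLE_OUTPUT = """\
Pro Inside global         Inside local          Outside local         Outside global
tcp 203.0.113.10:443     10.60.20.1:443        ---                   ---
tcp 203.0.113.10:443     10.60.20.1:443        198.51.100.7:51514    198.51.100.7:51514
udp 203.0.113.10:500     10.60.20.1:500        ---                   ---
udp 203.0.113.10:4500    10.60.20.1:4500       ---                   ---
tcp 203.0.113.10:10443   10.60.20.1:10443      ---                   ---
tcp 203.0.113.10:1024    10.60.20.50:52001     192.0.2.80:80         192.0.2.80:80
"""

if __name__ == "__main__":
    for key, v in summarize(SAMPLE_OUTPUT).items():
        print(key, "static" if v["static"] else "dynamic", "active flows:", v["active"], v["peers"])
    print("never matched:", unused_mappings(SAMPLE_OUTPUT))
```

Paste the router's output into SAMPLE_OUTPUT (or read it from a file) and connect from outside while it runs: if a mapping's active count stays at zero while the connection "succeeds", the traffic is being answered by something other than the forwarded host, which is exactly the symptom in the first post.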
