02-13-2021 04:09 AM
Please find my config below:
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1
ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1
ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce
ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70
ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8
ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40
ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c
ip domain name somedomain
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO2921/K9 sn FGL1813118M
username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
control-plane
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
scheduler allocate 20000 1000
end
I want to forward port 13389 coming through my public ip to 192.168.0.222:3389
02-13-2021 05:19 AM
Can you please explain why there are 2 NATs to different interfaces here?
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
Is your outgoing NAT working?
I do not see anything wrong in your port-forwarding - try to remove that RED one and check and advise.
02-13-2021 06:43 AM
The reason for having 2 NATs is that I have another router connected to G0/2. It's all explained here.
Yes, outgoing NAT is working. I do have access to the outside world.
02-13-2021 07:40 AM - edited 02-13-2021 07:49 AM
Hello
@hirani89 wrote:
The reason for having 2 NATs is that I have another router connected to G0/2. It's all explained here.
Yes, outgoing NAT is working. I do have access to the outside world.
NAT isn't enabled on gig0/2, so the static/dynamic PAT statements relating to that interface won't work. If the upstream device connected to that interface is performing NAT, then as @balaji.bandi says you should remove the NAT statements relating to this interface (gig0/2).
However, if you want this router to NAT for that interface, then you need to enable outside NAT on that interface (gig0/2).
Also, confirm which interface you would like PF to occur on. If it is gig0/0, then try the following:
no ip access-list standard NAT
ip access-list extended NAT
 deny tcp host 192.168.0.222 eq 3389 any eq 13389
 permit ip 192.168.0.0 0.0.0.255 any
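The interface-role point made in the reply above, as an added example that is not part of the original thread: a Python check over the NAT-relevant lines of the posted configuration (re-typed below as a constructed sample) that reports "ip nat inside source" rules pointing at an interface without "ip nat outside", and lists the static port forwards the configuration publishes. The function names are this example's own.

```python
import re

# Constructed sample: NAT-relevant lines re-typed from the config posted in this thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
"""

def nat_roles(config):
    """Map each interface name to its NAT role: 'inside', 'outside' or None."""
    roles, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            roles[current] = None
        elif current and line.startswith(" "):
            m = re.fullmatch(r"ip nat (inside|outside)", line.strip())
            if m:
                roles[current] = m.group(1)
        else:
            current = None  # back at global configuration level
    return roles

def audit_nat(config):
    """Return (rule, interface, role) for rules whose interface is not 'ip nat outside'."""
    roles, findings = nat_roles(config), []
    for line in config.splitlines():
        m = re.match(r"ip nat inside source .*\binterface (\S+)", line)
        if m and roles.get(m.group(1)) != "outside":
            findings.append((line.strip(), m.group(1), roles.get(m.group(1))))
    return findings

def static_forwards(config):
    """Return (proto, inside_ip, inside_port, interface, outside_port) per static forward."""
    pat = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)", re.M)
    return [(p, ip, int(lp), ifc, int(gp)) for p, ip, lp, ifc, gp in pat.findall(config)]

if __name__ == "__main__":
    for rule, ifc, role in audit_nat(SAMPLE_CONFIG):
        print(f"{ifc} has NAT role {role}, rule has no effect: {rule}")
    print("forwards published on the outside:", static_forwards(SAMPLE_CONFIG))
```
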
02-13-2021 04:44 PM - edited 02-13-2021 04:48 PM
I tried the config below but no luck.
no ip access-list standard NAT
ip access-list extended NAT
 deny tcp host 192.168.0.222 eq 3389 any eq 13389
 permit ip 192.168.0.0 0.0.0.255 any
02-13-2021 05:14 PM
deny tcp host 192.168.0.222 eq 3389 any <- no need for eq 133389 here because this is for NAT, not real.
02-15-2021 02:10 AM - edited 02-15-2021 02:11 AM
Hello
I would say @MHM Cisco World has highlighted a mistake in my ACL ACE entry: a source port will be a random ephemeral port, so it wouldn't be required. However, a specified destination port, I would say, is required:
Correction:
deny tcp host 192.168.0.222 any eq 13389
deny udp host 192.168.0.222 any eq 13389
02-15-2021 02:51 AM
Hi guys,
Here is the updated config.
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny tcp host 192.168.0.222 any eq 13389
 deny udp host 192.168.0.222 any eq 13389
No access to remote desktop yet.
02-15-2021 04:57 AM
This static NAT is for a server behind the router.
All users in global will see the NAT port, not the real one.
And you see the source in NAT, not the destination, so how am I wrong?
Your ACL is used if we want to restrict some host from accessing the server, not used for the NAT ACL.
02-13-2021 12:28 PM
If that is your setup: you marked it as resolved in 2020 and you are coming back with the same issue in 2021?
If not resolved, take it one step at a time. You can see in clear bold there in the post what to remove; we are suggesting the same here without referring to that thread.
So remove it as suggested and test it. (If it is still not working, post the new config so we can understand.)
02-13-2021 04:41 PM
Hi,
Here is the new config. nmap still does not show the open ports.
hostname R1
boot-start-marker
boot-end-marker
enable secret 4 GKuIQycLGFn/1VtTta/OeXqUIqQROubxT/D40OGFs0c
no aaa new-model
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1
ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1
ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce
ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70
ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8
ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40
ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c
ip domain name domain.com
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO2921/K9 sn FGL1813118M
username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
control-plane
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
scheduler allocate 20000 1000
end
Removing the config hasn't broken my connection with the other router, so that's good.
02-13-2021 07:38 AM
Hello,
I cannot see anything wrong with the configuration.
Sometimes re-entering the entire NAT configuration might help:
1. Remove the 'ip nat inside' and 'ip nat outside' command from the respective interfaces
2. Remove all NAT statements (static and dynamic)
3. Clear all translations (clear ip nat translation *)
4. Add the ip nat inside/outside
5. Add the static entries first, then the dynamic
02-13-2021 01:58 PM
Routing is done before the NAT,
so if the traffic passes through another interface then the NAT never happens.
You must be sure that the traffic passes through this interface.
You can use PBR with NAT in case you want all traffic to go one way and special traffic to go the other way.
02-13-2021 11:25 PM
I am not sure how to do that.
02-13-2021 11:29 PM
This is my config up to now. Still no port forwarding.
hostname R1
boot-start-marker
boot-end-marker
enable secret 4 GKuIQycLGFn/1VtTta/OeXqUIqQROubxT/D40OGFs0c
no aaa new-model
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1
ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1
ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce
ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70
ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8
ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40
ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c
ip domain name domain.com
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO2921/K9 sn FGL1813118M
username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended NAT
 deny tcp host 192.168.0.222 eq 3389 any eq 23389
 permit ip 192.168.0.0 0.0.0.255 any
control-plane
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
scheduler allocate 20000 1000
end