Port forwarding not working on 2900 router

hirani89
Level 1

Please find my config below:

hostname R1

boot-start-marker
boot-end-marker

no aaa new-model

ip cef

ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1

ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1

ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce

ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70

ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8

ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40

ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c

ip domain name somedomain
no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO2921/K9 sn FGL1813118M

username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c

redundancy

ip ssh version 2

interface Embedded-Service-Engine0/0
 no ip address
 shutdown

interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp

interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto

ip forward-protocol nd

no ip http server
no ip http secure-server

ip dns server
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255

control-plane

line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh

scheduler allocate 20000 1000

end

I want to forward port 13389 coming through my public ip to 192.168.0.222:3389

21 Replies

balaji.bandi
Hall of Fame

Can you please explain why there are 2 NATs here to different interfaces?

interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto

ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp

ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255

Is your outgoing NAT working?

I do not see anything wrong in your port forwarding - try to remove that RED one, check and advise.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

The reason for having 2 NATs is that I have another router connected to G0/2. It's all explained here.

Yes, outgoing NAT is working; I do have access to the outside world.

Hello


@hirani89 wrote:

The reason for having 2 NATs is that I have another router connected to G0/2. It's all explained here.

Yes, outgoing NAT is working; I do have access to the outside world.


NAT isn't enabled on gig0/2, so the static/dynamic PAT statements relating to that interface won't work. If the upstream connected to that interface is performing NAT, then, as @balaji.bandi says, you should remove the NAT statements relating to this interface (gig0/2).

However, if you want this rtr to NAT for that interface, then you need to enable outside NAT on that interface gig0/2.

Also confirm which interface you would like PF to occur on; if it is gig0/0 then try the following:
no ip access-list standard NAT
ip access-list extended NAT
deny tcp host 192.168.0.222 eq 3389 any eq 13389
permit 192.168.0.0 0.0.0.255 any


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

I tried the config below, but no luck.

no ip access-list standard NAT
ip access-list extended NAT
deny tcp host 192.168.0.222 eq 3389 any eq 13389
permit ip 192.168.0.0 0.0.0.255 any

deny tcp host 192.168.0.222 eq 3389 any <- no need for eq 133389 here, because this is for NAT, not real.

Hello
I would say @MHM Cisco World has highlighted a mistake in my ACL ACE entry: a source port will be a random ephemeral port, so it wouldn't be required; however, a specified destination port, I would say, is required:

correction
deny tcp host 192.168.0.222 any eq 13389
deny udp host 192.168.0.222 any eq 13389



Kind Regards
Paul

Hi guys,

Here is the updated config.

ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   tcp host 192.168.0.222 any eq 13389
 deny   udp host 192.168.0.222 any eq 13389

No access to remote desktop yet.

This static NAT is for a server behind the router.

All users in global will see the NAT port, not the real one.

And you see source in NAT, not destination, so how am I wrong?

Your ACL is used if we want to restrict some host from accessing the server; it is not used for the NAT ACL.

If that is your setup - you marked it as resolved in 2020 and you are coming with the same issue in 2021?

If not resolved - one step at a time. You can see clearly in bold in that post what to remove - we are also suggesting the same here without referring to the same thread.

So remove as suggested and test it. (If it is still not working, post the new config so we can understand.)

BB


Hi,

Here is the new config. nmap still does not show the open ports.

hostname R1

boot-start-marker
boot-end-marker

enable secret 4 GKuIQycLGFn/1VtTta/OeXqUIqQROubxT/D40OGFs0c

no aaa new-model

ip cef

ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1

ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1

ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce

ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70

ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8

ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40

ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c

ip domain name domain.com
no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO2921/K9 sn FGL1813118M

username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c

redundancy

ip ssh version 2

interface Embedded-Service-Engine0/0
 no ip address
 shutdown

interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp

interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto

ip forward-protocol nd

no ip http server
no ip http secure-server

ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255

control-plane

line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh

scheduler allocate 20000 1000

end

Removing the config hasn't broken my connection with the other router, so that's good.

Hello,

I cannot see anything wrong with the configuration.

Sometimes re-entering the entire NAT configuration might help:

1. Remove the 'ip nat inside' and 'ip nat outside' commands from the respective interfaces

2. Remove all NAT statements (static and dynamic)

3. Clear all translations (clear ip nat translation *)

4. Add the ip nat inside/outside

5. Add the static entries first, then the dynamic

Routing is done before the NAT,
so if the traffic passes through another interface then the NAT never happens.
You must make sure that the traffic passes through this interface.
If you want, use PBR with NAT in case you want all traffic to go one way and special traffic to go through another way.

I am not sure how to do that.

hirani89
Level 1

This is my config up to now. Still no port forwarding.

hostname R1

boot-start-marker
boot-end-marker

enable secret 4 GKuIQycLGFn/1VtTta/OeXqUIqQROubxT/D40OGFs0c

no aaa new-model

ip cef

ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1

ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1

ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce

ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70

ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8

ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40

ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c

ip domain name domain.com
no ipv6 cef

multilink bundle-name authenticated

license udi pid CISCO2921/K9 sn FGL1813118M

username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c

redundancy

ip ssh version 2

interface Embedded-Service-Engine0/0
 no ip address
 shutdown

interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto

interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp

interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto

ip forward-protocol nd

no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended NAT
 deny   tcp host 192.168.0.222 eq 3389 any eq 23389
 permit ip 192.168.0.0 0.0.0.255 any

control-plane

line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh

scheduler allocate 20000 1000

end