02-13-2021 04:09 AM
Please find my config below:
hostname R1
boot-start-marker
boot-end-marker
no aaa new-model
ip cef
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.3.1
ip dhcp pool HOME
 network 192.168.0.0 255.255.255.0
 default-router 192.168.0.1
 dns-server 1.1.1.1 1.0.0.1
ip dhcp pool WIN
 host 192.168.0.22 255.255.255.0
 client-identifier 01d4.3d7e.18d9.ce
ip dhcp pool PC
 host 192.168.0.247 255.255.255.0
 client-identifier 0108.0027.3bd7.70
ip dhcp pool Solar
 host 192.168.0.253 255.255.255.0
 client-identifier 01c8.9346.3250.e8
ip dhcp pool Tank-Level
 host 192.168.0.243 255.255.255.0
 client-identifier 018c.aab5.8b8e.40
ip dhcp pool PIP
 host 192.168.0.229 255.255.255.0
 client-identifier 01dc.a632.2ce3.8c
ip domain name somedomain
no ipv6 cef
multilink bundle-name authenticated
license udi pid CISCO2921/K9 sn FGL1813118M
username admin privilege 15 secret 4 GRTVBsdfv/1VtTta/OeXqUIqQROubxT/D40OGFs0c
redundancy
ip ssh version 2
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
interface GigabitEthernet0/0
 description -Ethernet WAN-
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1.1
 encapsulation dot1Q 101
 ip address 192.168.1.1 255.255.255.0
 ip pim dense-mode
 ip nat inside
 ip virtual-reassembly in
 ip cgmp
interface GigabitEthernet0/2
 ip address 192.168.3.1 255.255.255.0
 duplex auto
 speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list IoT interface GigabitEthernet0/2 overload
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
ip access-list standard IoT
 permit 192.168.2.0 0.0.0.255
ip access-list standard NAT
 permit 192.168.0.0 0.0.0.255
control-plane
line con 0
 logging synchronous
 login local
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
scheduler allocate 20000 1000
end
I want to forward port 13389 coming through my public IP to 192.168.0.222:3389.
02-13-2021 11:41 PM
Hello,
What if you just add the static entry, and no dynamic NAT? So just these two entries?
--> ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
--> ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
Also, when you say it is not forwarding, what are you actually doing, and where (and how) are you connecting to?
02-14-2021 02:59 AM
Made no difference. As expected, I lost internet. That's all.
02-14-2021 04:19 AM - edited 02-14-2021 06:07 AM
Static with dynamic needs three things:
1- ACL
deny the traffic which will be static NATed
ip access-list extended NAT
deny tcp host 192.168.0.222 eq 3389 any
permit ip 192.168.0.0 0.0.0.255 any
2- Static NAT
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
3- Dynamic NAT
ip nat inside source list NAT interface GigabitEthernet0/0 overload
In your config above you configured two of the three.
Where is the static NAT?
And again, check that the routing is pointing to the correct next hop.
complete config
02-14-2021 04:36 PM
Upon doing some research, nmap will only list a port as open if something is listening on that port. I tried a few online tools such as https://www.yougetsignal.com/tools/open-ports/ and a few mobile apps. These show that the ports are indeed open. And they show closed when I disable port forwarding for that port. I am able to remote desktop via local IP. So I suppose RDP is setup correctly. What might be happening here?
02-15-2021 02:08 AM
Hello
I think we are going around in circles; you have now reverted back to the config you had originally?
no ip nat inside source list IoT interface GigabitEthernet0/2 overload
no ip access-list standard IoT
no ip access-list standard NAT
ip access-list extended NAT
deny tcp host 192.168.0.222 any eq 13389
deny udp host 192.168.0.222 any eq 13389
permit ip 192.168.0.0 0.0.0.255 any
Once you have completed this, do you have reachability to host 192.168.0.222 from the rtr itself?
telnet 192.168.0.222 3389
If that is successful, the next step is to test from the internet, from any external internet host:
telnet <public ip> 13389
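A defender-side check that follows the "three things" recipe from the 02-14 post and the ACL rewrite from the 02-15 post; it is added here as an example and is not code from any post in this thread. It parses an IOS-style config (a constructed sample, modelled on those two posts), lists which inside hosts and ports the static entries expose on the WAN, and flags any static-NAT host that the overload ACL does not deny. It assumes the deny is written against the server's reply traffic (source port equal to the local port, as in the 02-14 post); the risky-port list and the regexes are my own.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the 02-14 and 02-15 suggestions in this thread
CONFIG = """\
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip nat inside source static udp 192.168.0.222 3389 interface GigabitEthernet0/0 13389
ip access-list extended NAT
 deny tcp host 192.168.0.222 eq 3389 any
 permit ip 192.168.0.0 0.0.0.255 any
"""

STATIC = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) (?:interface )?\S+ (\d+)")
DYNAMIC = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload")
ACL_HDR = re.compile(r"^ip access-list (?:standard|extended) (\S+)")
# deny <proto> host <ip> eq <sport> any : matches the server's reply traffic before translation
DENY = re.compile(r"^\s*deny (tcp|udp) host (\S+) eq (\d+) any")
RISKY = {3389: "RDP", 23: "Telnet", 445: "SMB", 22: "SSH", 3306: "MySQL"}  # assumed list

def parse(config):
    """Return (static port-forwards, names of overload ACLs, {acl: set of deny tuples})."""
    statics, overload_acls, denies, current = [], [], defaultdict(set), None
    for line in config.splitlines():
        if m := STATIC.match(line):
            statics.append((m[1], m[2], int(m[3]), int(m[4])))
        elif m := DYNAMIC.match(line):
            overload_acls.append(m[1])
        elif m := ACL_HDR.match(line):
            current = m[1]
        elif current and (m := DENY.match(line)):
            denies[current].add((m[1], m[2], int(m[3])))
        elif not line.startswith(" "):
            current = None  # any other top-level command ends the ACL block
    return statics, overload_acls, denies

def audit(config):
    """List findings: internet-exposed risky services and forwards missing an ACL deny."""
    statics, overload_acls, denies = parse(config)
    findings = []
    for proto, host, lport, gport in statics:
        if lport in RISKY:
            findings.append(f"EXPOSED {RISKY[lport]}: {host}:{lport}/{proto} reachable on WAN port {gport}")
        for acl in overload_acls:
            if (proto, host, lport) not in denies[acl]:
                findings.append(f"MISSING DENY in ACL {acl} for {proto} host {host} eq {lport}")
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

On the sample the UDP forward has no matching deny, so the audit reports both RDP exposures plus one missing-deny finding.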
02-16-2021 07:09 PM
Mostly some good news.
Based on the config below, I can access the port from an outside network (internet). But if I am in the same LAN I cannot access the port using the public IP. And I would really like that.
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.0.222 3389 1.2.3.4 13389 extendable
ip nat inside source static udp 192.168.0.222 3389 1.2.3.4 13389 extendable
ip nat inside source static tcp 192.168.0.22 3389 1.2.3.4 23389 extendable
ip nat inside source static udp 192.168.0.22 3389 1.2.3.4 23389 extendable
ip route 192.168.2.0 255.255.255.0 192.168.3.2
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
(1.2.3.4 being my public IP)
02-16-2021 09:31 PM
interface GigabitEthernet0/1.1
encapsulation dot1Q 101
Is the above a typo or is that configuration intentional regarding the VLAN #? Disregard question if intentional.