Port forwarding on 2800 series.

ChrisUK (Level 1)

Hi, I have a 2800 series router running IOS 12.4, connected to a 3560 switch with a couple of servers attached to the switch. I can reach the servers over the 10.0.2.x addresses but not by the single public-facing IP address.


I am having trouble with port forwarding to the servers.


I have set up overloading on fa0/0 and an access list; this gets my appliances internet access, but I can't seem to get access to the servers when I port forward.


Here is the relevant configuration section. What am I doing wrong?


interface FastEthernet0/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/3/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 10
 ppp authentication chap callin
 ppp chap hostname ******
 ppp chap password 0 *******
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.33 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.33 443 interface Dialer1 443
!
access-list 10 permit 10.0.2.0 0.0.0.255
dialer-list 10 protocol ip permit
!
!
!


23 Replies

I've found the problem, I think.

Pro Inside global         Inside local          Outside local         Outside global
icmperr <my ip>     10.0.2.3              ---                   ---

From what I've researched, my IOS version 12.4 has a bug that causes this, which locks up the IP. An updated IOS is needed, but there isn't one available here at Cisco.

If I can find one somewhere else, would that be permitted to install? From what I've seen I doubt 15 would run well on this router, not enough DRAM I don't think, but all the 12 versions should do. I think the bug was patched in 12.4.5. Just my luck that I bought a router that wasn't updated.

Hello,


What can you remove? Try to remove all 'ip nat inside' and 'ip nat outside' statements from the interfaces, reboot the router, and try to remove the static NAT statement again...

I am able to remove them all as long as I shut off the dialer, clear the NAT translations and then delete the static NAT lines.

I just think I'm now going to see this again and again, requiring regular clearing of the NAT database. I've tried shortening the timeout for ICMP to just 5 minutes; somebody wrote in a post that it would flush it, but it didn't work.


Seems I have at the moment come as far as I can with this. I am looking around for some terms at the moment; I've found a source for IOS 12.2 25. Cisco's compatibility chart says it should work with my router spec. Just want to make sure that I'm not breaching any terms by doing so. There is no license requirement for my version, but I'm sure they have policies in place still.

Hello


@ChrisUK wrote:

ip nat inside source static 10.0.2.142 interface Dialer1
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80


I can get to the website just fine with this, but the mail ports are routing to the wrong server, and I'm unable to remove the bold line: static router in use.


clear ip nat translation forced
no ip nat inside source static 10.0.2.142 interface Dialer1


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
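The "static entry in use" refusal above comes from live rows in the NAT table. The following added example (not code from this thread or from Cisco) parses `show ip nat translations` output in the column layout shown earlier in the thread, flags stuck icmperr rows, and lists the rows that hold a given static mapping open so you can see what `clear ip nat translation forced` will discard before running it. The sample table and the 203.0.113.5 / 198.51.100.x addresses are constructed for the example.

```python
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global"
)

# Constructed sample of `show ip nat translations`. 203.0.113.5 stands in for the
# Dialer1 public address (documentation prefix, not a real host).
SAMPLE = """\
Pro Inside global         Inside local          Outside local         Outside global
icmperr 203.0.113.5       10.0.2.3              ---                   ---
tcp 203.0.113.5:80        10.0.2.142:80         ---                   ---
tcp 203.0.113.5:80        10.0.2.142:80         198.51.100.7:51022    198.51.100.7:51022
tcp 203.0.113.5:2345      10.0.2.50:2345        198.51.100.20:443     198.51.100.20:443
"""


def parse_translations(text):
    """Turn the five-column table into Translation tuples; header and noise are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue
        rows.append(Translation(*fields))
    return rows


def split_addr(field):
    """'10.0.2.142:80' -> ('10.0.2.142', 80); '10.0.2.3' -> ('10.0.2.3', None); '---' -> (None, None)."""
    if field == "---":
        return None, None
    host, _, port = field.partition(":")
    return host, (int(port) if port else None)


def stuck_icmperr(rows):
    """Rows created by ICMP error handling; the thread reports these never age out on 12.4."""
    return [r for r in rows if r.proto == "icmperr"]


def entries_holding_static(rows, inside_local_ip, port=None):
    """Rows whose inside-local side matches a static mapping and so block its removal."""
    held = []
    for r in rows:
        host, p = split_addr(r.inside_local)
        if host == inside_local_ip and (port is None or p == port):
            held.append(r)
    return held


if __name__ == "__main__":
    rows = parse_translations(SAMPLE)
    print("stuck icmperr:", stuck_icmperr(rows))
    print("holding 10.0.2.142:80:", entries_holding_static(rows, "10.0.2.142", 80))
```

Feed it the real output (for example via `rows = parse_translations(open("nat.txt").read())`) and the second list tells you exactly which connections will be dropped when the static line is forced out.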

Thank you for the replies. I have been doing some issue tracing on this to track down exactly where this is coming from. I think it's the overload of Dialer1. Here is what I have at the moment.


ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat translation icmp-timeout 5
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
ip nat inside source static tcp 10.0.2.3 993 interface Dialer1 993
ip nat inside source static tcp 10.0.2.3 587 interface Dialer1 587
ip nat inside source static tcp 10.0.2.3 25 interface Dialer1 25
!
ip access-list extended LAN_Traffic
 permit tcp any any reflect ACL
ip access-list extended WAN_Websrv
 permit tcp any any range www 443
 permit tcp any any eq 3306
 permit tcp any any eq 33060
 evaluate ACL 
!
access-list 1 permit 10.0.0.0 0.255.255.255

I assumed it was a problem only when I visit the website, but actually I have just done a further test, as I remembered something: I use a hosting control panel to manage the hosts, i.e. add websites, create email addresses, that kind of thing.

Each host calls "home" once a minute to check for updates.

The timeout I have set at 5 minutes would never be cleared; as soon as the next host calls home it would set a new error in the NAT routes.

I'm at a loss at the moment.

Hello
I think I have lost track of your problem. In your OP you wanted to only allow traffic initiated internally, and that reflexive ACL provided it; then you went on to change your router to allow access for multiple VLANs, which was rectified by @Georg Pauwen; now you are saying you have email issues?



Kind Regards
Paul

Hi, sorry about the confusion, let me clarify where I'm at.

I setup vlans on the switch and the sub interfaces in the router.


I think I have come full circle, but I can't be sure. The ICMP error is resolved; I've updated the router's IOS to the last 12.4 version, so I'm no longer getting the NAT translation error line.


As far as how things are with the NAT lines in the config, I have stripped back as suggested and this is all that I have.


ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
!
ip access-list extended LAN_Traffic
 permit tcp any any reflect ACL
ip access-list extended WAN_Websrv
 permit tcp any any range www 443
 evaluate ACL 
!
access-list 1 permit 10.0.0.0 0.255.255.255

See the attached file for the full config.


  1. I can connect via an online web proxy to the website using the public IP and FQDN.
  2. I can connect using the local IP address of 10.0.2.142, but SSL errors block parts of the page from loading.
  3. I cannot connect by the public IP address or FQDN from within any LAN, including the server LAN. I have plugged my computer into the switch ports of LAN 2 to verify this.

I have added the NAT translation list if that helps.

Hello


@ChrisUK wrote:

I cannot connect by the public IP address or FQDN from within any LAN, including the server LAN. I have plugged my computer into the switch ports of LAN 2 to verify this.


This is due to the way translation is performed when running Domain NAT. Review this previous post for a solution; any problems, let us know - NAT Hairpin



Kind Regards
Paul

@paul driver Thank you for that link.


I tried to implement both options in your post there, but no joy. It might be better that I open a new post with the hairpinning as the subject matter. The question here is answered and solved, as far as I have the confidence to say that anyway: port forwarding was working correctly, but I did not know it.

I thank both yourself and @Georg Pauwen for persevering with me in my greenness.
