05-08-2020 01:01 PM
Hi, I have a 2800 series router running IOS 12.4; connected to it is a 3560 switch with a couple of servers attached to the switch. I can reach the servers over the 10.0.2.x addresses but not by the single public-facing IP address.
I am having trouble with port forwarding to the servers.
I have set up overloading on fa0/0 and an access list; this gets my appliances internet access, but I can't seem to get access to the servers when I port forward.
Here is the relevant configuration section. What am I doing wrong?
interface FastEthernet0/0
 no ip address
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 10
!
interface FastEthernet0/1
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
!
interface Serial0/3/0
 no ip address
 shutdown
 clock rate 2000000
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 10
 ppp authentication chap callin
 ppp chap hostname ******
 ppp chap password 0 *******
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip classless
!
no ip http server
no ip http secure-server
ip nat inside source list 10 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.33 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.33 443 interface Dialer1 443
!
access-list 10 permit 10.0.2.0 0.0.0.255
dialer-list 10 protocol ip permit
!
05-10-2020 12:57 PM
I've found the problem, I think.
Pro      Inside global   Inside local   Outside local   Outside global
icmperr  <my ip>         10.0.2.3       ---             ---
From what I've researched, my IOS version 12.4 has a bug that causes this, which locks up the IP. An updated IOS is needed, but there isn't one available here at Cisco.
If I can find one somewhere else, would that be permitted to install? From what I've seen I doubt 15 would run well on this router, not enough DRAM I don't think, but all the 12 versions should do. I think the bug was patched in 12.4.5. Just my luck that I bought a router that wasn't updated.
05-10-2020 01:24 PM
Hello,
What can you remove? Try and remove all 'ip nat inside' and 'ip nat outside' statements from the interfaces, reboot the router, and try to remove the static NAT statement again...
05-10-2020 01:54 PM
I am able to remove them all as long as I shut off the dialer, clear the NAT translations and then delete the static NAT lines.
I just think I'm now going to see this again and again, requiring regular clearing of the NAT database. I've tried shortening the timeout for ICMP to just 5 minutes; somebody wrote in a post that it would flush it, but it didn't work.
It seems I have at the moment come as far as I can with this. I am looking around for some terms at the moment; I've found a source for IOS 12.2 25. The Cisco compatibility chart says it should work with my router spec. I just want to make sure that I'm not breaching any terms by doing so. There is no license requirement for my version, but I'm sure they have policies in place still.
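The removal sequence this post describes (shut the dialer, clear translations, then delete the static lines), written out as an added example; it is not taken from the thread or from Cisco documentation. The interface name Dialer1 and the static entries come from the original post, the ordering is the point being illustrated:

```cisco
! Constructed example: removing a static NAT entry that IOS reports as in use.
! 1. Take the outside interface down so no new translations are created.
configure terminal
interface Dialer1
 shutdown
exit
! 2. Flush every dynamic and static translation from the NAT table.
!    'do' runs the privileged EXEC command from inside config mode.
do clear ip nat translation *
! 3. With the table empty the static entries can be removed.
no ip nat inside source static tcp 10.0.2.33 80 interface Dialer1 80
no ip nat inside source static tcp 10.0.2.33 443 interface Dialer1 443
! 4. Bring the interface back up and confirm nothing is left in the table.
interface Dialer1
 no shutdown
end
show ip nat translations
```

One caveat on the timeout mentioned above: the argument to `ip nat translation icmp-timeout` is in seconds (the default is 60), so a value of 5 ages ICMP entries out after five seconds, not five minutes. Whatever the value, an entry that the router keeps recreating because an inside host retries every minute will never age out on its own, which is why the table has to be cleared by hand.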
05-11-2020 01:54 AM
Hello
@ChrisUK wrote:
ip nat inside source static 10.0.2.142 interface Dialer1
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
I can get to the website just fine with this, but the mail ports are routing to the wrong server, and I'm unable to remove the bold line: static router in use.
clear ip nat translation forced
no ip nat inside source static 10.0.2.142 interface Dialer1
05-11-2020 04:15 AM
Thank you for the replies. I have been doing some issue tracing on this to track down exactly where this is coming from. I think it's the overload of Dialer1. Here is what I have at the moment.
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat translation icmp-timeout 5
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
ip nat inside source static tcp 10.0.2.3 993 interface Dialer1 993
ip nat inside source static tcp 10.0.2.3 587 interface Dialer1 587
ip nat inside source static tcp 10.0.2.3 25 interface Dialer1 25
!
ip access-list extended LAN_Traffic
 permit tcp any any reflect ACL
ip access-list extended WAN_Websrv
 permit tcp any any range www 443
 permit tcp any any eq 3306
 permit tcp any any eq 33060
 evaluate ACL
!
access-list 1 permit 10.0.0.0 0.255.255.255
I assumed it was a problem only when I visit the website, but actually I have just done a further test, as I remembered something: I use a hosting control panel to manage the hosts, i.e. add websites, create email addresses, that kind of thing.
Each host calls "home" once a minute to check for updates.
The timeout I have set at 5 minutes would never be cleared; as soon as the next host calls home it would set a new error in the NAT routes.
I'm at a loss at the moment.
05-11-2020 04:58 AM - edited 05-11-2020 05:00 AM
Hello
I think I have lost track of your problem. In your OP you wanted to only allow traffic initiated internally to be allowed, and that reflexive ACL provided it; then you went on to change your rtr to allow access for multiple VLANs, which was rectified by @Georg Pauwen. Now you are saying you have email issues?
05-11-2020 06:53 AM - edited 05-11-2020 07:01 AM
Hi, sorry about the confusion; let me clarify where I'm at.
I set up VLANs on the switch and the sub-interfaces in the router.
I think I have come full circle, but I can't be sure. The ICMP error is resolved; I've updated the router's IOS to the last 12.4 version, so I am no longer getting the NAT translation error line.
So far as how things are with the NAT lines in the config, I have stripped back as suggested and this is all that I have.
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
!
ip access-list extended LAN_Traffic
 permit tcp any any reflect ACL
ip access-list extended WAN_Websrv
 permit tcp any any range www 443
 evaluate ACL
!
access-list 1 permit 10.0.0.0 0.255.255.255
See the attached file for the full config.
I have added the NAT translation list if that helps.
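The stripped-back configuration above, and the original post's version of it, both leave out where the two named ACLs are attached; the attached file is not part of this page. The following is an added example (not the poster's config or Cisco's) that puts the thread's NAT lines together with the ACL placement that makes the reflexive entries do their job. The interface names, addresses and ACL names are from the thread; the `ip access-group` directions and the UDP reflect line are assumptions:

```cisco
! Constructed example: port forwarding plus a reflexive ACL on the PPPoE dialer.
! Overload translation for the LAN, and the two published web ports on the server.
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.2.142 80 interface Dialer1 80
ip nat inside source static tcp 10.0.2.142 443 interface Dialer1 443
!
! Outbound from the LAN: each TCP or UDP session creates a temporary entry in
! the reflexive list named ACL. UDP is added (assumption) so DNS replies return.
ip access-list extended LAN_Traffic
 permit tcp any any reflect ACL
 permit udp any any reflect ACL
!
! Inbound from the internet: only the two forwarded web ports, plus whatever the
! reflexive entries currently allow. Everything else meets the implicit deny;
! the 3306/33060 lines from the earlier version of this list are deliberately
! absent, since database ports have no business being reachable from outside.
ip access-list extended WAN_Websrv
 permit tcp any any range www 443
 evaluate ACL
!
access-list 1 permit 10.0.0.0 0.255.255.255
!
! Placement (assumption): inbound filter and reflexive creation both on Dialer1.
! The inbound ACL is checked against the pre-translation destination, i.e. the
! Dialer1 address, so 'any any range www 443' matches the forwarded ports.
interface Dialer1
 ip nat outside
 ip access-group WAN_Websrv in
 ip access-group LAN_Traffic out
!
interface FastEthernet0/1
 ip nat inside
```

With this in place, an inbound SYN to port 80 or 443 on the Dialer1 address is permitted and then translated to 10.0.2.142; a SYN to any other port is dropped before NAT is consulted, whether or not a static entry exists for it. Note that testing from a host on the 10.0.2.0/24 side by the public address exercises a different path (hairpin translation), so a failed test from inside the LAN does not by itself show that the forward is broken.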
05-11-2020 07:19 AM - edited 05-11-2020 07:20 AM
Hello
@ChrisUK wrote:
I cannot connect by the public IP address or FQDN from within any LAN, including the server LAN. I have plugged my computer into the switch ports of LAN 2 to verify this.
This is due to the way translation is performed when running domain NAT; review this previous post for a solution, and if there are any problems let us know: NAT Hairpin
05-11-2020 05:37 PM
@paul driver Thank you for that link.
I tried to implement both options in your post there, but no joy. It might be better that I open a new post with the hairpinning as the subject matter. The question here is answered and solved, so far as I have the confidence to say that anyway: port forwarding was working correctly, but I did not know it.
I thank both yourself and @Georg Pauwen for persevering with me in my greenness.