
port forwarding on Cisco 800 Router

lquin1978
Level 1

We have the following port forwards set up on a Cisco 800s router.

All internal IP addresses are NATed out to the IP on fa4, which is the external interface. Traffic received on fa4 is forwarded to different servers depending on the type of traffic received.

We can browse the internal websites from the internet fine, but there is one internal server, 192.168.1.7, that uses a DB server (192.168.1.5). It accesses it on its external IP (fa4) on port 1433, but for some reason the connection does not work. Could this be because the source and destination IP addresses are the same IP address?

ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.7 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.1.7 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.7 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 1433 interface FastEthernet4 1433
ip nat inside source static tcp 192.168.1.7 990 interface FastEthernet4 990


raga.fusionet
Level 4

Hello there.

Your connection is not working because you cannot use the public IP address from the LAN when doing port forwarding. This is a limitation on the routers. You are going to have to use the private IP address or use one of the workarounds mentioned below. See the following note:

** When sitting on the inside LAN segment, you cannot access the internal server using its public NATted IP. This is a NAT limitation with routers. You will have to use the private IP to access that server.

Ping to that public IP from an inside host might work because the router will respond back for that ping, not the actual server. And if we use the "no-alias" keyword at the end of the static NAT statement, then even this ping would stop working. And again, this is an expected behaviour of the router.

Possible workarounds to accomplish the above requirement, i.e. access the internal server from the same LAN (the prerequisite for this is the use of an FQDN to access the server; by using the public IP, there is no way we can accomplish this):

1. Use a one-to-one static NAT translation for the private IP of the server, which will enable DNS doctoring.

2. Use an internal DNS server with the mapping of this host to the private IP.

3. Change the hosts file on the PCs trying to access this server from inside (which generally is not a feasible solution, as there could be many hosts in the LAN).

Ref:

https://supportforums.cisco.com/docs/DOC-8936

I hope this helps.

Raga
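To make the limitation described above concrete, here is an added example (not code from the thread or from Cisco) that parses the static NAT lines from the question into a forwarding table and classifies a flow arriving at the router. The outside address 203.0.113.10 on FastEthernet4, the inside network 192.168.1.0/24 and the sample flows are constructed for illustration; the point it shows is that the inside-to-outside static translation only applies to traffic crossing the outside interface, so an inside host addressing the router's own public IP is not forwarded and should use the private address that the static entry already names.

```python
"""Model the port forwards from the question and flag hairpin flows.

Added example for this thread; not Cisco code.  The outside address on fa4,
the inside prefix and the flows below are constructed, not taken from the
original post.
"""
import ipaddress
import re

# The NAT lines from the question, verbatim.
NAT_CONFIG = """\
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.7 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.1.7 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.7 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.5 1433 interface FastEthernet4 1433
ip nat inside source static tcp 192.168.1.7 990 interface FastEthernet4 990
"""

# Constructed addressing assumptions: the LAN behind the router and the
# address configured on the outside interface.
INSIDE_NET = ipaddress.ip_network("192.168.1.0/24")
OUTSIDE_IF = {"FastEthernet4": ipaddress.ip_address("203.0.113.10")}

STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>\S+) (?P<in_port>\d+) "
    r"interface (?P<iface>\S+) (?P<out_port>\d+)$"
)


def parse_static_nat(config: str) -> dict:
    """Return {(proto, outside_ip, outside_port): (inside_ip, inside_port)}.

    The 'overload' line is dynamic PAT, not a port forward, so it is skipped.
    """
    table = {}
    for line in config.splitlines():
        m = STATIC_RE.match(line.strip())
        if not m:
            continue
        out_ip = OUTSIDE_IF[m["iface"]]
        key = (m["proto"], out_ip, int(m["out_port"]))
        table[key] = (ipaddress.ip_address(m["in_ip"]), int(m["in_port"]))
    return table


def classify_flow(table: dict, src: str, dst: str, dport: int, proto: str = "tcp") -> dict:
    """Say what the router does with a flow addressed to one of its addresses."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    key = (proto, dst_ip, dport)
    if key not in table:
        return {"verdict": "no_forward", "reason": "no static entry for this port"}
    in_ip, in_port = table[key]
    if src_ip not in INSIDE_NET:
        # Traffic really arriving on the outside interface is translated.
        return {"verdict": "forwarded", "to": (str(in_ip), in_port)}
    # An inside host talking to the router's own outside address never crosses
    # the outside interface, so the static translation is not applied.
    return {
        "verdict": "hairpin_fails",
        "use_instead": (str(in_ip), in_port),
        "reason": "inside source to the NAT outside address; use the private IP",
    }


if __name__ == "__main__":
    table = parse_static_nat(NAT_CONFIG)
    # The flow from the question: 192.168.1.7 reaching the DB via the public IP.
    print(classify_flow(table, "192.168.1.7", "203.0.113.10", 1433))
    # The same port reached from the internet works as intended.
    print(classify_flow(table, "198.51.100.7", "203.0.113.10", 1433))
```

Running it prints `hairpin_fails` for the inside-to-public flow, with `use_instead` pointing at 192.168.1.5:1433, and `forwarded` for the same port reached from an outside address.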

Amit Aneja
Level 3

So, 192.168.1.7 is trying to access 192.168.1.5 at port 1433 using its external IP address?

If that's the case, it is not supposed to work.

Here are the possible workarounds that you can apply in order to reach those hosts.

WORKAROUND 1:

Instead of using the public IP address, try to access the server through the
private IP address. It's the simplest way to solve this issue.

WORKAROUND 2:

Configure one of your computers as a local DNS server and add a record
stating that the only way to access the server is with the private IP
address. Here is a useful link that explains how to configure a computer as
a private DNS server:

http://technet.microsoft.com/en-us/library/cc750209.aspx

WORKAROUND 3:

There's something else you can do on each PC. You just have to edit a file that contains aliases for certain domain names pointing to an IP address. Of course, this only works when trying to access a server through the domain name, not with the IP address.

The file is called "hosts". The Windows OS, before asking a DNS server for a domain name, checks this file to see if there is a shortcut to know the IP address belonging to the domain. On Windows 2000 and NT, it is placed in the following path:

C:\WINNT\system32\drivers\etc

On Windows XP, it is placed in the following path:

C:\WINDOWS\system32\drivers\etc

You just need to edit it with NOTEPAD. Here is what you will find when you
open the file:

# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost

This is why if you do a PING LOCALHOST on an MS-DOS window, you are pinging
127.0.0.1.

Other than this, you could try a NAT on a stick configuration; this may or may not work and is officially supported by Cisco.

Regards,

Amit Aneja
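As an added example for workaround 3 (not code from the thread or from Microsoft), the script below parses a hosts file in the format quoted above, applies the "hosts file before DNS" lookup order the reply describes, and produces the entries an inside PC still needs so that each server's name resolves to its private address. The hostnames www.example.net and db.example.net, the public address 203.0.113.10 and the DNS answers are constructed; the rule that the first entry for a duplicate name wins is this example's own choice, not a claim about Windows.

```python
"""Hosts-file parser and split-horizon override generator.

Added example for this thread, not from the original post.  Hostnames,
the public address and the fake DNS table are constructed.
"""

# Constructed sample: the Microsoft header shown above plus one LAN override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
127.0.0.1       localhost
192.168.1.7     www.example.net  ftp.example.net   # LAN address, not the NAT IP
"""

# Constructed stand-in for what public DNS would answer from outside.
PUBLIC_DNS = {
    "www.example.net": "203.0.113.10",
    "db.example.net": "203.0.113.10",
}


def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to its address.

    Comment-only lines and trailing '# ...' comments are dropped, one line may
    carry several names, and the first entry for a name wins (example choice).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def resolve(name: str, hosts: dict, dns: dict) -> tuple:
    """Hosts file first, then DNS; returns (address, source)."""
    name = name.lower().rstrip(".")
    if name in hosts:
        return hosts[name], "hosts"
    if name in dns:
        return dns[name], "dns"
    return None, "nxdomain"


def override_entries(hosts: dict, lan_map: dict) -> list:
    """Hosts lines still missing so each name in lan_map resolves to its
    private address from inside the LAN instead of the NAT public IP."""
    lines = []
    for name, private_ip in lan_map.items():
        if hosts.get(name.lower()) != private_ip:
            lines.append(f"{private_ip:<16}{name}   # LAN override for NAT hairpin")
    return lines


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print(resolve("www.example.net", hosts, PUBLIC_DNS))  # served from hosts
    print(resolve("db.example.net", hosts, PUBLIC_DNS))   # still the public IP
    for line in override_entries(hosts, {"www.example.net": "192.168.1.7",
                                         "db.example.net": "192.168.1.5"}):
        print(line)
```

The generated line for db.example.net is what you would append to the hosts file on each inside PC; the existing www.example.net entry is left alone because it already points at the private address.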
