Port forwarding

shehab-eldin
Level 1

Appreciate your support, as we have a case where the WAN connection is 4G transmedia (HW is Cisco Router 1921 + 4G HWIC). We need to configure port forwarding between the cellular interface (WAN) and the Gig interface (LAN). The configuration is not working; however, port forwarding is working normally between G0/0 and G0/1 on the same router. Does the 4G HWIC have a special command line for port forwarding, or is it not supported on the cellular interface?


Hello,

 

The commands should be the same for the Cellular as for the GigabitEthernet interfaces. What exactly are you trying to do (static NAT, dynamic NAT)? Post the running config of your 1921...

balaji.bandi
Hall of Fame

In general it should work as expected on any interface, coming from outside to inside (as long as the provider allows incoming traffic). Most of them do, but some providers block it.

 

You can check on the router when you telnet to that port, as this packet arrives at the router before you translate.

 

Here is an example (this is already added, I guess), for port 80:

 

ip nat inside source static tcp 192.168.1.10 80 interface XXXX 80

 

If it is still not working, please post the full configuration for our review and suggestions.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your reply. The full configuration is as below:

 

Router#sh run

controller Cellular 0/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
!
!
interface Loopback10
ip address 5.120.26.200 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.16.18.2 255.255.255.252
duplex auto
speed auto
!
interface Cellular0/0/0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool XYZ10.88.0.4 10.88.0.4 netmask 255.255.255.252
ip nat inside source list 1 interface Cellular0/0/0 overload
ip nat inside source static 192.168.1.100 10.88.0.4
ip route 0.0.0.0 0.0.0.0 172.17.111.5
ip route 0.0.0.0 0.0.0.0 172.16.18.1
ip route 0.0.0.0 0.0.0.0 172.17.139.181 150
ip route 1.1.1.0 255.255.255.252 172.16.18.1
ip route 10.107.158.194 255.255.255.255 Cellular0/0/0
!
dialer-list 1 protocol ip permit
!
!
snmp-server community ciscoread RO 80
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 80 permit 1.1.1.1
!
control-plane
!
!
!
line con 0
login local
line aux 0
login local
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
exec-timeout 0 0
script startup lte
script dialer lte
script reset lte
script activation lte
modem InOut
no exec
line 0/0/1
no exec
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
event manager applet ping
event timer cron cron-entry "* * * * * "
action 1.0 cli command "enable"
action 1.1 cli command "ping 10.107.158.194 "
!
end

Done, thanks.

This is still valid for your NAT: ip nat inside source static tcp 192.168.1.10 80 interface XXXX 80

You may need to remove the static routes that are not required, to make it simple to test, and advise what is not working with the new config.

BB


Hello

Port forwarding (port address translation, PAT) should be applicable on your rtr.

Can you share your NAT/PAT statements in a file and attach it to your post, please?

 

sh run | in nat 
sh ip access-list

sh ip route


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Done, Paul.

 

Router#sh run
Building configuration...

C
controller Cellular 0/0
lte modem link-recovery rssi onset-threshold -110
lte modem link-recovery monitor-timer 20
lte modem link-recovery wait-timer 10
lte modem link-recovery debounce-count 6
!
!
!
!
!
interface Loopback10
ip address 5.120.26.200 255.255.255.255
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address 172.16.18.2 255.255.255.252
duplex auto
speed auto
!
interface Cellular0/0/0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
!
interface Cellular0/0/1
no ip address
encapsulation slip
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat pool XYZ10.88.0.4 10.88.0.4 netmask 255.255.255.252
ip nat inside source list 1 interface Cellular0/0/0 overload
ip nat inside source static 192.168.1.100 10.88.0.4
ip route 0.0.0.0 0.0.0.0 172.17.111.5
ip route 0.0.0.0 0.0.0.0 172.16.18.1
ip route 0.0.0.0 0.0.0.0 172.17.139.181 150
ip route 1.1.1.0 255.255.255.252 172.16.18.1
ip route 10.107.158.194 255.255.255.255 Cellular0/0/0
!
dialer-list 1 protocol ip permit
!
!
snmp-server community ciscoread RO 80
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 80 permit 1.1.1.1
!
control-plane
!
!
!
line con 0
login local
line aux 0
login local
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 0/0/0
exec-timeout 0 0
script startup lte
script dialer lte
script reset lte
script activation lte
modem InOut
no exec
line 0/0/1
no exec
line vty 0 4
login local
transport input all
!
scheduler allocate 20000 1000
event manager applet ping
event timer cron cron-entry "* * * * * "
action 1.0 cli command "enable"
action 1.1 cli command "ping 10.107.158.194 "
!
end

Hello

You are specifying a static NAT translation to a 10.x.x.x address, which isn't a routable internet address. Also, you have multiple default static routes, which isn't correct.

Please apply the following and confirm the addressing regarding your NAT.
no ip nat pool tedata 10.88.0.4 10.88.0.4 netmask 255.255.255.252
no ip route 0.0.0.0 0.0.0.0 172.17.111.5
no ip route 0.0.0.0 0.0.0.0 172.16.18.1
no ip route 0.0.0.0 0.0.0.0 172.17.139.181 150

access-list 1 permit 192.168.11.0 0.0.0.255
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0

As for your static NAT/PAT statement, I expect you to use either static NAT or PAT.
Static NAT example:
ip nat inside source static 192.168.100.1 x.x.x.x < routable ip address or ip address existing on cellular interface

Static PAT example:
ip nat inside source static tcp 192.168.100.1 80 interface Cellular0/0/0 80  < specifies tcp/udp port



Kind Regards
Paul
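
Added example, not part of any poster's reply and not Cisco tooling: a small Python check that applies the three points raised in the last reply (several default routes, a static NAT to a private global address, an inside subnet missing from the NAT ACL) to a constructed excerpt of the posted configuration. The function name check_nat_config and the finding labels are hypothetical, and only network/wildcard ACL entries are handled.

```python
import ipaddress
import re

# Constructed sample: NAT and routing lines taken from the config posted in the thread.
SAMPLE = """\
interface GigabitEthernet0/0
ip address 192.168.11.1 255.255.255.0 secondary
ip address 192.168.1.1 255.255.255.0
ip nat inside
interface Cellular0/0/0
ip address negotiated
ip nat outside
ip nat inside source list 1 interface Cellular0/0/0 overload
ip nat inside source static 192.168.1.100 10.88.0.4
ip route 0.0.0.0 0.0.0.0 172.17.111.5
ip route 0.0.0.0 0.0.0.0 172.16.18.1
ip route 0.0.0.0 0.0.0.0 172.17.139.181 150
access-list 1 permit 192.168.1.0 0.0.0.255
"""
STATIC = re.compile(r"ip nat inside source static (?:(?:tcp|udp) )?\S+ (?:\d+ )?(\S+)")
ADDR = re.compile(r"ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def check_nat_config(config):
    """Return (finding, detail) tuples; hypothetical helper, not a Cisco tool."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # 1. More than one static default route.
    defaults = [l for l in lines if l.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if len(defaults) > 1:
        findings.append(("multiple-default-routes", len(defaults)))
    # 2. Static NAT whose global address is private (not Internet-routable).
    for l in lines:
        m = STATIC.match(l)
        if m and m[1] != "interface" and ipaddress.ip_address(m[1]).is_private:
            findings.append(("static-nat-private-global", m[1]))
    # 3. Subnets on "ip nat inside" interfaces that the NAT ACL does not permit.
    acls = {m[1] for l in lines if (m := re.match(r"ip nat inside source list (\S+) ", l))}
    permitted = [ipaddress.ip_network(f"{m[2]}/{m[3]}") for l in lines
                 if (m := re.match(r"access-list (\S+) permit (\S+) (\S+)$", l)) and m[1] in acls]
    blocks, cur = {}, None
    for l in lines:
        if l.startswith("interface "):
            cur = blocks.setdefault(l.split()[1], {"nets": [], "inside": False})
        elif cur and (m := ADDR.match(l)):
            cur["nets"].append(ipaddress.ip_interface(f"{m[1]}/{m[2]}").network)
        elif cur and l == "ip nat inside":
            cur["inside"] = True
    for b in blocks.values():
        for net in b["nets"] if b["inside"] else []:
            if not any(net.subnet_of(p) for p in permitted):
                findings.append(("inside-subnet-not-in-nat-acl", str(net)))
    return findings
```

Run it as check_nat_config(SAMPLE); pasting the output of sh run in place of SAMPLE works as long as the lines keep their IOS wording.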