03-14-2011 12:04 AM - edited 03-04-2019 11:43 AM
Hi all, I have the following mappings in place but something is not right somewhere:
ip nat inside source static tcp 196.201.230.18 2209 41.223.56.43 9000 extendable
ip nat inside source static tcp 196.201.230.18 2210 41.223.56.44 9000 extendable
ip nat inside source static tcp 196.201.230.18 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.22 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.18 10000 41.223.56.33 6200 extendable
ip nat inside source static tcp 196.201.230.18 6200 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.22 2775 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.22 5052 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.22 3395 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.22 8729 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.18 16200 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.18 3365 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.18 3345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 5247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 5000 213.147.68.30 7070 extendable
ip nat inside source static tcp 196.201.230.18 5367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 2208 41.223.56.39 2208 extendable
ip nat inside source static tcp 196.201.230.18 2248 41.223.56.39 2248 extendable
ip nat inside source static tcp 196.201.230.18 13345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 15247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 15000 213.147.68.30 7070 extendable
ip nat inside source static tcp 196.201.230.18 15367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 12208 41.223.56.39 2208 extendable
I have already set up static routes for the same once the internal IPs have been translated, plus there are 3 virtual links coming into the router through one physical link. I have already defined the inside and outside interfaces, but still it seems traffic can't get back to the router. Should I make an ACL for the same?
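One sanity check worth running on a mapping list like this before it goes onto a router, as an added example (Python; not from the thread, not Cisco's tooling): parse the ip nat inside source static lines and flag any inside-global address:port that more than one inside socket claims. Return traffic arriving for one global socket can only be translated back to a single inside socket, so duplicates of that kind cannot all be honoured. The mapping lines are the ones posted above; the regex and function names are the example's own.

```python
import re
from collections import defaultdict

# The static NAT lines from the first post of the thread (copied from the page).
STATIC_NAT_LINES = """\
ip nat inside source static tcp 196.201.230.18 2209 41.223.56.43 9000 extendable
ip nat inside source static tcp 196.201.230.18 2210 41.223.56.44 9000 extendable
ip nat inside source static tcp 196.201.230.18 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.22 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.18 10000 41.223.56.33 6200 extendable
ip nat inside source static tcp 196.201.230.18 6200 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.22 2775 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.22 5052 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.22 3395 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.22 8729 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.18 16200 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.18 3365 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.18 3345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 5247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 5000 213.147.68.30 7070 extendable
ip nat inside source static tcp 196.201.230.18 5367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 2208 41.223.56.39 2208 extendable
ip nat inside source static tcp 196.201.230.18 2248 41.223.56.39 2248 extendable
ip nat inside source static tcp 196.201.230.18 13345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 15247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 15000 213.147.68.30 7070 extendable
ip nat inside source static tcp 196.201.230.18 15367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 12208 41.223.56.39 2208 extendable
"""

# Field order in IOS: ip nat inside source static <proto> <inside-local> <local-port>
#                     <inside-global> <global-port> [extendable]
NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside_local>\d{1,3}(?:\.\d{1,3}){3}) (?P<local_port>\d+) "
    r"(?P<inside_global>\d{1,3}(?:\.\d{1,3}){3}) (?P<global_port>\d+)"
)


def parse_static_nat(text):
    """Return (proto, inside_local, local_port, inside_global, global_port) per matching line."""
    entries = []
    for line in text.splitlines():
        m = NAT_RE.match(line.strip())
        if m:
            entries.append((m["proto"], m["inside_local"], int(m["local_port"]),
                            m["inside_global"], int(m["global_port"])))
    return entries


def global_socket_conflicts(entries):
    """Inside-global sockets (proto, ip, port) claimed by more than one inside socket.

    Return traffic for one global socket can only be translated back to a single
    inside socket, so every extra claimant here is an entry the router cannot honour
    alongside the first one."""
    claims = defaultdict(list)
    for proto, ilocal, lport, iglobal, gport in entries:
        claims[(proto, iglobal, gport)].append((ilocal, lport))
    return {sock: owners for sock, owners in claims.items() if len(owners) > 1}


def local_socket_conflicts(entries):
    """The mirror check: one inside socket mapped to several global sockets."""
    claims = defaultdict(list)
    for proto, ilocal, lport, iglobal, gport in entries:
        claims[(proto, ilocal, lport)].append((iglobal, gport))
    return {sock: targets for sock, targets in claims.items() if len(targets) > 1}


if __name__ == "__main__":
    nat = parse_static_nat(STATIC_NAT_LINES)
    print(f"{len(nat)} static entries parsed")
    for (proto, ip, port), owners in sorted(global_socket_conflicts(nat).items()):
        print(f"{proto} {ip}:{port} is claimed by {len(owners)} inside sockets: "
              + ", ".join(f"{h}:{p}" for h, p in owners))
    for (proto, ip, port), targets in sorted(local_socket_conflicts(nat).items()):
        print(f"{proto} {ip}:{port} maps to several global sockets: {targets}")
```

Run against the 23 lines above it reports 8 global sockets with more than one claimant (192.168.9.93:6694 alone has four) and no inside-socket duplicates; the running config posted later in the thread keeps exactly one entry per global socket.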
03-14-2011 12:14 AM
Hi,
I have already set up static routes for the same once the internal IPs have been translated
You don't need any static routes when doing static NAT as you're translating from one connected subnet/IP to another connected IP.
Should I make an ACL for the same?
No, this is a router, not a PIX or ASA, so by default all is permitted to the WAN interface.
but still it seems traffic can't get back to the router.
How did you test?
Regards.
Alain.
03-14-2011 12:41 AM
no aaa new-model
!
!
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
ip domain name wasp.com
ip name-server 66.178.2.25
ip name-server 41.220.238.4
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO2811 sn FCZ145120GF
username kiogora privilege 15 password 7 04500256082E5E6E4748574452
username waspafrica privilege 15 password 7 120E250402
!
redundancy
!
!
ip ssh version 2
!
!
!
!
!
!
!
interface FastEthernet0/0
description CONNECTION TO WASP AFRICA LAN
mtu 1600
ip address 196.201.230.129 255.255.255.248 secondary
ip address 172.31.181.65 255.255.255.248 secondary
ip address 172.31.180.129 255.255.255.248 secondary
ip address 196.201.230.22 255.255.255.252 secondary
ip address 192.168.1.1 255.255.255.0 secondary
ip address 196.201.230.18 255.255.255.252
ip access-group INTERNAL_MAPS in
ip directed-broadcast
ip nat inside
ip nat allow-static-host
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
no ip address
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1.1
description CONNECTION TO KDN & INTERNET
encapsulation dot1Q 3514
ip address 41.220.228.150 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1.2
description CONNECTION TO CELTEL
encapsulation dot1Q 852
ip address 172.16.10.18 255.255.255.252
ip access-group INTERNAL_MAPS in
!
interface FastEthernet0/1.3
description CONNECTION TO SAFARICOM
encapsulation dot1Q 724
ip address 192.168.10.62 255.255.255.252
ip access-group INTERNAL_MAPS in
!
interface FastEthernet0/1.4
encapsulation dot1Q 130
ip address 192.168.10.1 255.255.255.252
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list WASP interface FastEthernet0/1.1 overload
ip nat inside source static tcp 196.201.230.18 10000 41.223.56.33 6200 extendable
ip nat inside source static tcp 196.201.230.18 6200 41.223.56.34 16920 extendable
ip nat inside source static tcp 196.201.230.18 2208 41.223.56.39 2208 extendable
ip nat inside source static tcp 196.201.230.18 2248 41.223.56.39 2248 extendable
ip nat inside source static tcp 196.201.230.18 3345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 5247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 5367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 2209 41.223.56.43 9000 extendable
ip nat inside source static tcp 196.201.230.18 2210 41.223.56.44 9000 extendable
ip nat inside source static tcp 196.201.230.22 2775 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.18 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.18 5000 213.147.68.30 7070 extendable
ip route 0.0.0.0 0.0.0.0 41.220.228.149 name KDN_Internet
ip route 41.223.56.33 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.34 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.39 255.255.255.255 172.16.10.17 name To_Celtel
ip route 41.223.56.40 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 80.240.206.220 255.255.255.255 172.16.10.17 name Celtel_SMS-C-Test
ip route 80.240.206.221 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 80.240.206.253 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 80.240.206.254 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 172.31.180.64 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 172.31.180.128 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.5 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.93 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.123 255.255.255.255 192.168.10.61 name Test_service
!
ip access-list extended WASP
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.31.180.0 0.0.0.255 any
permit ip 172.31.181.0 0.0.0.255 any
permit ip 196.201.230.0 0.0.0.255 any
ip access-list extended WASP_TRANSLATIONS
permit tcp any host 196.201.230.0
permit tcp host 196.201.230.18 eq 2209 host 41.223.56.43 eq 9000
permit tcp host 196.201.230.18 eq 2210 host 41.223.56.44 eq 9000
permit tcp host 196.201.230.18 eq 2007 host 212.49.88.41 eq 5019
permit tcp host 196.201.230.22 eq 2007 host 212.49.88.41 eq 5019
permit tcp host 196.201.230.18 eq 10000 host 41.223.56.33 eq 6200
permit tcp host 196.201.230.18 eq 6200 host 41.223.56.34 eq 16920
permit tcp host 196.201.230.22 eq 2775 host 192.168.9.93 eq 6694
permit tcp host 196.201.230.22 eq 5052 host 192.168.9.93 eq 6694
permit tcp host 196.201.230.22 eq 3395 host 192.168.9.93 eq 6694
permit tcp host 196.201.230.22 eq 8729 host 192.168.9.93 eq 6694
permit tcp host 196.201.230.18 eq 16200 host 41.223.56.34 eq 16920
permit tcp host 196.201.230.18 eq 3365 host 41.223.56.34 eq 16920
permit tcp host 196.201.230.18 eq 3345 host 41.223.56.39 eq 3345
permit tcp host 196.201.230.18 eq 5247 host 41.223.56.39 eq 5247
permit tcp host 196.201.230.18 eq 5000 host 213.147.68.30 eq 7070
permit tcp host 196.201.230.18 eq 5367 host 41.223.56.39 eq 5367
permit tcp host 196.201.230.18 eq 2208 host 41.223.56.39 eq 2208
permit tcp host 196.201.230.18 eq 2248 host 41.223.56.39 eq 2248
permit tcp host 196.201.230.18 eq 13345 host 41.223.56.39 eq 3345
permit tcp host 196.201.230.18 eq 15247 host 41.223.56.39 eq 5247
permit tcp host 196.201.230.18 eq 15000 host 213.147.68.30 eq 7070
permit tcp host 196.201.230.18 eq 15367 host 41.223.56.39 eq 5367
permit tcp host 196.201.230.18 eq 12208 host 41.223.56.39 eq 2208
!
!
!
!
snmp-server engineID local 00000009020000036BAD8160
snmp-server community waspprivate RO
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 0 0
logging synchronous
login local
transport input telnet rlogin ssh
line vty 5 15
exec-timeout 0 0
logging synchronous
login local
transport input telnet rlogin ssh
!
scheduler allocate 20000 1000
end
Okay, here is the running configuration.
03-14-2011 12:45 AM
Oh, and I'm testing via an application that uses one of the mappings to connect to the remote end, and this is what it's returning: "No connection could be made because the target machine actively refused it"
03-14-2011 01:15 AM
ip access-group INTERNAL_MAPS in
sh access-list INTERNAL_MAPS
ip access-list extended WASP_TRANSLATIONS
Where is it applied?
ip nat inside source static tcp 196.201.230.18 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.18 5000 213.147.68.30 7070 extendable
Are the 212 and 213 from the same ISP as the 41 prefix?
ip route 41.223.56.33 255.255.255.255 172.16.10.17 name Celtel_SMS-C
You should get rid of all those static routes; you only need the default route.
Regards.
Alain.
03-14-2011 01:30 AM
ip access-list extended INTERNAL_MAPS
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.31.180.0 0.0.0.255 any
permit ip 172.31.181.0 0.0.0.255 any
permit ip 196.201.230.0 0.0.0.255 any
The 212 and 213 are no longer in use; as for the WASP_TRANSLATIONS ACL, it's not applied anywhere.
As you can see from the config, I can't get rid of all the static routes because not all the traffic is being routed through one gateway. The f0/0.1 is used for internet and the other 2 are used to connect to different mobile service operators through our ISP.
03-14-2011 04:20 AM
May somebody please help me on this port forwarding issue, thanks.
03-14-2011 07:41 AM
How are you testing exactly: from which IP to which IP and which protocol?
Try to connect from outside again but this time with the following debugs:
1)debug ip nat
2)debug ip packet
You can also disable timestamps for debugs with the no timestamps debugging command so the output from above will be clearer to read.
Regards.
Alain.
03-16-2011 05:35 AM
A follow-up on my issue.
I have already put the static NAT configs in, and after the translations the traffic is supposed to go out through 2 routes separately as indicated on the static routes, but still nothing. Some of the traffic is trying to go out through the secondary interfaces which I have already declared to be NAT inside :-(
ip nat inside source static tcp 196.201.230.18 10000 41.223.56.33 6200 extendable
ip nat inside source static tcp 196.201.230.18 6200 41.223.56.34 1692 extendable
ip nat inside source static tcp 196.201.230.18 2208 41.223.56.39 2208 extendable
ip nat inside source static tcp 196.201.230.18 2248 41.223.56.39 2248 extendable
ip nat inside source static tcp 196.201.230.18 3345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 5247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 5367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 2209 41.223.56.43 9000 extendable
ip nat inside source static tcp 196.201.230.18 2210 41.223.56.44 9000 extendable
ip nat inside source static tcp 196.201.230.22 2775 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.18 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.18 5000 213.147.68.30 7070 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 41.220.228.149 name KDN_Internet
ip route 41.223.56.33 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.34 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.39 255.255.255.255 172.16.10.17 name To_Celtel
ip route 41.223.56.40 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 80.240.206.220 255.255.255.255 172.16.10.17 name Celtel_SMS-C-Test
ip route 80.240.206.221 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 80.240.206.253 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 80.240.206.254 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 172.31.181.64 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 172.31.181.128 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.5 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.93 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.123 255.255.255.255 192.168.10.61 name Test_service
03-16-2011 05:46 AM
Hi,
I have already put the static NAT configs in, and after the translations the traffic is supposed to go out through 2 routes separately as indicated on the static routes
Don't forget that routing is always by longest match, and I didn't see 2 different static routes for the same prefix (same longest match), so it won't take 2 different paths unless you do policy-based routing (PBR).
But I don't see any debugs here, so only the config (and a partial one) and the lack of a topology diagram is a handicap for troubleshooting (for me at least) when there are no debugs whatsoever.
Regards.
Alain.
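To see what longest-match routing does with the posted static routes and interface addresses, here is an added example (Python; not from the thread, not Cisco's tooling) that builds a small routing table from a config excerpt and resolves a destination the way the router does: longest prefix first, then lowest administrative distance (connected 0, static 1, the IOS defaults). The config excerpt is copied from the running config posted in the thread; PBR and dynamic routing are not modelled, and the function names are the example's own.

```python
import ipaddress
import re

# Excerpt of the running config posted in the thread (interface addresses and
# static routes copied from the page; unrelated lines left out).
CONFIG = """\
interface FastEthernet0/0
 ip address 196.201.230.129 255.255.255.248 secondary
 ip address 172.31.181.65 255.255.255.248 secondary
 ip address 172.31.180.129 255.255.255.248 secondary
 ip address 196.201.230.22 255.255.255.252 secondary
 ip address 196.201.230.18 255.255.255.252 secondary
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1.1
 ip address 41.220.228.150 255.255.255.252
interface FastEthernet0/1.2
 ip address 172.16.10.18 255.255.255.252
interface FastEthernet0/1.3
 ip address 192.168.10.62 255.255.255.252
interface FastEthernet0/1.4
 ip address 192.168.10.1 255.255.255.252
ip route 0.0.0.0 0.0.0.0 41.220.228.149 name KDN_Internet
ip route 41.223.56.33 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.34 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.39 255.255.255.255 172.16.10.17 name To_Celtel
ip route 41.223.56.40 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 172.31.181.64 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 172.31.181.128 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.93 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: name (\S+))?")


def build_rib(config):
    """Return a list of (network, admin_distance, next_hop_or_interface, name).

    Connected prefixes (from 'ip address' lines, primary or secondary) get AD 0,
    static routes get AD 1; both are the IOS defaults."""
    rib = []
    iface = None
    for line in config.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := ADDR_RE.match(line):
            net = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
            rib.append((net, 0, iface, "connected"))
        elif m := ROUTE_RE.match(line):
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")
            rib.append((net, 1, m.group(3), m.group(4) or "static"))
    return rib


def lookup(rib, dst):
    """Longest-prefix match; a tie on prefix length goes to the lowest AD."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in rib if addr in r[0]]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r[0].prefixlen, r[1]))


def route_summary(rib, destinations):
    """Next hop (or exit interface for connected routes) chosen per destination."""
    out = {}
    for dst in destinations:
        route = lookup(rib, dst)
        out[dst] = route[2] if route else None
    return out


if __name__ == "__main__":
    rib = build_rib(CONFIG)
    # Inside-global addresses from the posted static NAT entries, plus one host
    # inside the secondary /29 that both a connected and a static route cover.
    for dst in ["41.223.56.33", "41.223.56.39", "41.223.56.43", "41.223.56.44",
                "192.168.9.93", "172.31.181.70"]:
        net, ad, via, name = lookup(rib, dst)
        print(f"{dst:16} -> {net!s:20} AD {ad} via {via} ({name})")
```

Only the destinations with their own /32 entries go via 172.16.10.17; an address with no host route, such as 41.223.56.43 or 41.223.56.44 from the NAT statements, falls through to the default route via 41.220.228.149. The last lookup also shows that when a connected secondary address and a static route cover the same prefix (172.31.181.64/29 in the posted config), the connected route wins on administrative distance.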
03-16-2011 06:11 AM
OK then, sorry, here is a sample ip nat debug:
Pro Inside global         Inside local           Outside local           Outside global
tcp 192.168.9.93:6694     196.201.230.22:2775    196.31.80.247:24083     196.31.80.247:24083
tcp 192.168.9.93:6694     196.201.230.22:2775    196.31.80.247:24087     196.31.80.247:24087
tcp 192.168.9.93:6694     196.201.230.22:2775    196.31.80.247:24088     196.31.80.247:24088
tcp 192.168.9.93:6694     196.201.230.22:2775    196.31.80.247:24091     196.31.80.247:24091
tcp 192.168.9.93:6694     196.201.230.22:2775    ---                     ---
tcp 41.220.228.150:3395   196.201.230.22:3395    204.232.166.163:1926    204.232.166.163:1926
tcp 41.220.228.150:3395   196.201.230.22:3395    204.232.166.163:1932    204.232.166.163:1932
tcp 192.168.9.93:6694     196.201.230.22:2775    172.31.180.129:42090    172.31.180.129:42090
tcp 192.168.9.93:6694     196.201.230.22:2775    172.31.180.129:42091    172.31.180.129:42091
tcp 192.168.9.93:6694     196.201.230.22:2775    172.31.180.129:42092    172.31.180.129:42092
tcp 192.168.9.93:6694     196.201.230.22:2775    172.31.180.129:42093    172.31.180.129:42093
tcp 41.223.56.43:9000     196.201.230.18:2209    196.31.80.247:24014     196.31.80.247:24014
tcp 41.223.56.43:9000     196.201.230.18:2209    196.31.80.247:24090     196.31.80.247:24090
And here is the running config:
interface FastEthernet0/0
description CONNECTION TO WASP AFRICA LAN$ETH-LAN$
mtu 1600
ip address 196.201.230.129 255.255.255.248 secondary
ip address 172.31.181.65 255.255.255.248 secondary
ip address 172.31.180.129 255.255.255.248 secondary
ip address 196.201.230.22 255.255.255.252 secondary
ip address 196.201.230.18 255.255.255.252 secondary
ip address 192.168.1.1 255.255.255.0
ip directed-broadcast
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface FastEthernet0/1
ip address 192.168.1.100 255.255.255.0
ip directed-broadcast
ip virtual-reassembly
duplex auto
shutdown
speed auto
!
!
interface FastEthernet0/1.1
description CONNECTION TO KDN & INTERNET
encapsulation dot1Q 3514
ip address 41.220.228.150 255.255.255.252
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1.2
description CONNECTION TO CELTEL
encapsulation dot1Q 852
ip address 172.16.10.18 255.255.255.252
ip directed-broadcast
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1.3
description CONNECTION TO SAFARICOM
encapsulation dot1Q 724
ip address 192.168.10.62 255.255.255.252
ip directed-broadcast
ip nat outside
ip virtual-reassembly
!
interface FastEthernet0/1.4
encapsulation dot1Q 130
ip address 192.168.10.1 255.255.255.252
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list WASP interface FastEthernet0/1.1 overload
ip nat inside source static tcp 196.201.230.18 10000 41.223.56.33 6200 extendable
ip nat inside source static tcp 196.201.230.18 6200 41.223.56.34 1692 extendable
ip nat inside source static tcp 196.201.230.18 2208 41.223.56.39 2208 extendable
ip nat inside source static tcp 196.201.230.18 2248 41.223.56.39 2248 extendable
ip nat inside source static tcp 196.201.230.18 3345 41.223.56.39 3345 extendable
ip nat inside source static tcp 196.201.230.18 5247 41.223.56.39 5247 extendable
ip nat inside source static tcp 196.201.230.18 5367 41.223.56.39 5367 extendable
ip nat inside source static tcp 196.201.230.18 2209 41.223.56.43 9000 extendable
ip nat inside source static tcp 196.201.230.18 2210 41.223.56.44 9000 extendable
ip nat inside source static tcp 196.201.230.22 2775 192.168.9.93 6694 extendable
ip nat inside source static tcp 196.201.230.18 2007 212.49.88.41 5019 extendable
ip nat inside source static tcp 196.201.230.18 5000 213.147.68.30 7070 extendable
ip route 0.0.0.0 0.0.0.0 41.220.228.149 name KDN_Internet
ip route 41.223.56.33 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.34 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 41.223.56.39 255.255.255.255 172.16.10.17 name To_Celtel
ip route 41.223.56.40 255.255.255.255 172.16.10.17 name Celtel_SMS-C
ip route 80.240.206.220 255.255.255.255 172.16.10.17 name Celtel_SMS-C-Test
ip route 80.240.206.221 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 80.240.206.253 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 80.240.206.254 255.255.255.255 172.16.10.17 name Old_Celtel_SMS-C
ip route 172.31.181.64 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 172.31.181.128 255.255.255.248 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.5 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.93 255.255.255.255 192.168.10.61 name Safaricom_SMS-C
ip route 192.168.9.123 255.255.255.255 192.168.10.61 name Test_service
!
ip access-list extended WASP
permit ip 192.168.1.0 0.0.0.255 any
permit ip 172.31.180.0 0.0.0.255 any
permit ip 172.31.181.0 0.0.0.255 any
permit ip 196.201.230.0 0.0.0.255 any
!
03-16-2011 09:05 AM
Hi,
You didn't post a debug ip nat output but a sh ip nat translation output, which is useless as you are doing static NAT and you already posted the static NAT config, so it's 2 times the same info.
Can you really post a diagram (not in Visio please) with IP addressing and then explain what it is you are trying to achieve, like ping from x.x.x.x to x.x.x.x, and post debug ip nat to see if NAT is doing its job correctly, and then after that do a debug ip packet detail;
then we will try to investigate further.
Regards.
Alain.