cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2544
Views
0
Helpful
14
Replies

Port Mapping Trouble

TheTrueMc128k
Level 1
Level 1

Hi

I'm installing my second cisco router in my home network, I will use it for remote access.

The problem comes with port mapping, I've been HOURS testing with no success, everything works, but the router doesn't forward the data.

Only the 5900 port worked (after a while), the 80 does not. it's a standard HTTP, reachable in LAN, but not outside.

Here's the config:

Current configuration : 3575 bytes

!

! Last configuration change at 23:48:26 CEST Sun Aug 7 2011 by mc128k

! NVRAM config last updated at 23:27:53 CEST Sun Aug 7 2011 by mc128k

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Router-2600

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

enable secret 5 allright...

!

no aaa new-model

clock timezone CEST 2

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

!

!

!

no ip bootp server

ip domain name you shouldn't know this

ip name-server 212.48.4.15

ip name-server 151.99.125.1

ip name-server 208.67.222.222

ip name-server 8.8.8.8

ip name-server 10.0.0.64

ip ddns update method sdm_ddns1

HTTP

  add you shouldn't know this

  remove you shouldn't know this

interval maximum 0 2 0 0

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!

!        

username mc128k privilege 15 secret 5 lol

!

!

ip ssh authentication-retries 2

ip ssh source-interface FastEthernet0/1

ip ssh version 2

!

!

!

!

!

interface FastEthernet0/0

description WAN Port

no ip address

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

no mop enabled

!

interface Serial0/0

no ip address

shutdown

!

interface FastEthernet0/1

description LAN Port

ip address 10.0.0.128 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

duplex auto

speed auto

no mop enabled

!

interface BRI1/0

no ip address

encapsulation hdlc

shutdown

!

interface BRI1/1

no ip address

encapsulation hdlc

shutdown

!

interface BRI1/2

no ip address

encapsulation hdlc

shutdown

!

interface BRI1/3

no ip address

encapsulation hdlc

shutdown

!

interface Dialer1

ip ddns update hostname www.apple.com

ip ddns update sdm_ddns1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp authentication pap callin

ppp pap sent-username aliceadsl password bug

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

no ip http server

no ip http secure-server

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source static tcp 10.0.0.64 5900 interface Dialer1 5900

ip nat inside source static tcp 10.0.0.32 80 interface Dialer1 80

!

access-list 1 permit 10.0.0.0 0.0.0.255

!

!

!

control-plane

!

!

!

!

!

!        

!

!

!

!

gatekeeper

shutdown

!

banner login ^C

here lies the banner

^C

!

line con 0

logging synchronous

login local

line aux 0

line vty 0 4

exec-timeout 30 0

logging synchronous

login local

transport preferred ssh

transport input ssh

transport output ssh

line vty 5 6

login

transport preferred ssh

transport input ssh

transport output ssh

!

ntp clock-period 17180164

ntp server 83.103.98.242

!

end

I need to get many, MANY ports working. I can't have unstable configurations.

Thank you very much.

1 Accepted Solution

Accepted Solutions

When a device from outside tries to reach your internal server, it will use the external IP address of your router.

This address will be translated to your internal IP (port 80 only). When the server responds to this request, it will see the IP address which is a public IP and it will use its default gateway information to forward the packet.

If the default gateway information is pointing to your other router, the communication is broken because the remote device is expecting the reply to come from the 2600 router, not the 2800 router.

If you don't want to follow my suggestions, this is my last post on this thread.

Regards,

Edison

View solution in original post

14 Replies 14

Edison Ortiz
Hall of Fame
Hall of Fame

When you reuse the same inside or outside address for port mapping, you need to add extendable keyword to the static nat translation:

http://www.cisco.com/en/US/technologies/tk648/tk361/tk438/technologies_white_paper09186a0080091cb9.html

Regards,

Edison

I'm sorry, I don't understand well how the line has to be.

Can you please give an example?

Thank you!

EDIT:

I found the extendable option, but it doesn't work with my configuration: I use the interface parameter, not an IP address. Remember I have a dynamic IP.

I just checked the syntax on one of my routers and you are only allowed the extendable keyword when using an IP address instead of an interface. Let me check other options...

Can you exclude the inside address to be statically NAT'd from the dynamic NAT? This can be causing some problems.

Can you post the output of

show ip nat translations verbose

I need dynamic NAT everywhere...

Isn't there a solution like most home routers? dynamic NAT with static port mapping?

I remember I did make it work one time: one TCP and one UDP port, working together perfectly. Now looks like it's impossible..? The configuration is the same!

I need to see the translation table. If HTTP is already mapped to another inside address, how the router will differentiate to use the static or dynamic NAT?

there are LOTS and lots of translations like these:

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57529    87.10.45.154:57529

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57530    87.10.45.154:57530

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57543    87.10.45.154:57543

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57544    87.10.45.154:57544

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57659    87.10.45.154:57659

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57660    87.10.45.154:57660

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57713    87.10.45.154:57713

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57714    87.10.45.154:57714

tcp 87.6.44.87:80     10.0.0.32:80      87.10.45.154:57716    87.10.45.154:57716

All those are mapped to 10.0.0.32 which is the intended server. Do you see them mapped to another internal device?

BTW, you mentioned this is your 2nd Cisco home router. Does the server point to this new router as the default gateway?

The other router is isolated, it's in another network, in the same switch.

Router-2600 == 10.0.0.0

Router-2800 == 192.168.0.0

Both make a pppoe connection.

There are no mappings to other IPs.

Default gateway? No, it doesn't. It's a windows server, I prefer to keep only one gateway (to the another interface).

if I connect to 10.0.0.32 from a PC in the lan it just works.

                                                    /--10.0.0.1

                    /-----Router-2600-------|--10.0.0.32 (HTTP SERVER)

---Modem--|                                   \---10.0.0.64

                    \-----Router-2800--...

The server gateway must point to 10.0.0.128 if you want this server to use the router as a gateway to the internet.

I don't need it. I only need that the 128 server gives web access to port 80 to the 10.0.0.0 interface. And it does. I don't think it's a server problem.

It's the router that does not forward packets to port 80 internal-external.

When a device from outside tries to reach your internal server, it will use the external IP address of your router.

This address will be translated to your internal IP (port 80 only). When the server responds to this request, it will see the IP address which is a public IP and it will use its default gateway information to forward the packet.

If the default gateway information is pointing to your other router, the communication is broken because the remote device is expecting the reply to come from the 2600 router, not the 2800 router.

If you don't want to follow my suggestions, this is my last post on this thread.

Regards,

Edison

Worked perfectly! I'm sorry, I'm still learning all this stuff, so sometimes I make confusion.

Now I can reach the web server! I think this will work with all the other stuff too!

THANK YOU!

You are welcome. Part of learning is listening

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: