08-08-2011 06:22 AM - edited 03-04-2019 01:12 PM
Hi
I'm installing my second Cisco router in my home network, I will use it for remote access.
The problem comes with port mapping, I've been HOURS testing with no success, everything works, but the router doesn't forward the data.
Only the 5900 port worked (after a while), the 80 does not. It's a standard HTTP, reachable in LAN, but not outside.
Here's the config:
Current configuration : 3575 bytes
!
! Last configuration change at 23:48:26 CEST Sun Aug 7 2011 by mc128k
! NVRAM config last updated at 23:27:53 CEST Sun Aug 7 2011 by mc128k
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router-2600
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
enable secret 5 allright...
!
no aaa new-model
clock timezone CEST 2
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
no ip bootp server
ip domain name you shouldn't know this
ip name-server 212.48.4.15
ip name-server 151.99.125.1
ip name-server 208.67.222.222
ip name-server 8.8.8.8
ip name-server 10.0.0.64
ip ddns update method sdm_ddns1
HTTP
add you shouldn't know this
remove you shouldn't know this
interval maximum 0 2 0 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username mc128k privilege 15 secret 5 lol
!
!
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0/1
ip ssh version 2
!
!
!
!
!
interface FastEthernet0/0
description WAN Port
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no mop enabled
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description LAN Port
ip address 10.0.0.128 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
no mop enabled
!
interface BRI1/0
no ip address
encapsulation hdlc
shutdown
!
interface BRI1/1
no ip address
encapsulation hdlc
shutdown
!
interface BRI1/2
no ip address
encapsulation hdlc
shutdown
!
interface BRI1/3
no ip address
encapsulation hdlc
shutdown
!
interface Dialer1
ip ddns update hostname www.apple.com
ip ddns update sdm_ddns1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
ppp authentication pap callin
ppp pap sent-username aliceadsl password bug
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.64 5900 interface Dialer1 5900
ip nat inside source static tcp 10.0.0.32 80 interface Dialer1 80
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
gatekeeper
shutdown
!
banner login ^C
here lies the banner
^C
!
line con 0
logging synchronous
login local
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
login local
transport preferred ssh
transport input ssh
transport output ssh
line vty 5 6
login
transport preferred ssh
transport input ssh
transport output ssh
!
ntp clock-period 17180164
ntp server 83.103.98.242
!
end
I need to get many, MANY ports working. I can't have unstable configurations.
Thank you very much.
08-08-2011 06:42 AM
When you reuse the same inside or outside address for port mapping, you need to add the extendable keyword to the static NAT translation:
Regards,
Edison
08-08-2011 06:53 AM
I'm sorry, I don't understand well how the line has to be.
Can you please give an example?
Thank you!
EDIT:
I found the extendable option, but it doesn't work with my configuration: I use the interface parameter, not an IP address. Remember I have a dynamic IP.
08-08-2011 07:01 AM
I just checked the syntax on one of my routers and you are only allowed the extendable keyword when using an IP address instead of an interface. Let me check other options...
08-08-2011 07:22 AM
Can you exclude the inside address to be statically NAT'd from the dynamic NAT? This can be causing some problems.
Can you post the output of
show ip nat translations verbose
08-08-2011 07:28 AM
I need dynamic NAT everywhere...
Isn't there a solution like most home routers? Dynamic NAT with static port mapping?
I remember I did make it work one time: one TCP and one UDP port, working together perfectly. Now looks like it's impossible..? The configuration is the same!
08-08-2011 07:34 AM
I need to see the translation table. If HTTP is already mapped to another inside address, how will the router differentiate whether to use the static or dynamic NAT?
08-08-2011 07:42 AM
There are LOTS and lots of translations like these:
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57529 87.10.45.154:57529
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57530 87.10.45.154:57530
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57543 87.10.45.154:57543
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57544 87.10.45.154:57544
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57659 87.10.45.154:57659
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57660 87.10.45.154:57660
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57713 87.10.45.154:57713
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57714 87.10.45.154:57714
tcp 87.6.44.87:80 10.0.0.32:80 87.10.45.154:57716 87.10.45.154:57716
08-08-2011 08:12 AM
All those are mapped to 10.0.0.32 which is the intended server. Do you see them mapped to another internal device?
BTW, you mentioned this is your 2nd Cisco home router. Does the server point to this new router as the default gateway?
08-08-2011 08:20 AM
The other router is isolated, it's in another network, in the same switch.
Router-2600 == 10.0.0.0
Router-2800 == 192.168.0.0
Both make a pppoe connection.
There are no mappings to other IPs.
Default gateway? No, it doesn't. It's a Windows server, I prefer to keep only one gateway (to the other interface).
If I connect to 10.0.0.32 from a PC in the LAN it just works.
                                  /--10.0.0.1
          /-----Router-2600-------|--10.0.0.32 (HTTP SERVER)
---Modem--|                       \---10.0.0.64
          \-----Router-2800--...
08-08-2011 08:32 AM
The server gateway must point to 10.0.0.128 if you want this server to use the router as a gateway to the internet.
08-08-2011 08:38 AM
I don't need it. I only need that the 128 server gives web access to port 80 to the 10.0.0.0 interface. And it does. I don't think it's a server problem.
It's the router that does not forward packets to port 80 internal-external.
08-08-2011 09:33 AM
When a device from outside tries to reach your internal server, it will use the external IP address of your router.
This address will be translated to your internal IP (port 80 only). When the server responds to this request, it will see the IP address which is a public IP and it will use its default gateway information to forward the packet.
If the default gateway information is pointing to your other router, the communication is broken because the remote device is expecting the reply to come from the 2600 router, not the 2800 router.
If you don't want to follow my suggestions, this is my last post on this thread.
Regards,
Edison
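The return-path problem described in the answer above, as an added Python model that is not part of the original thread: the request enters through Router-2600's static port 80 mapping, and the reply is accepted by the client only if it leaves through the same router. The addresses 87.6.44.87, 10.0.0.32 and 87.10.45.154:57529 come from the posted translation table; Router-2800's public address 203.0.113.28 is a constructed placeholder, and the model assumes the 2800 would source-NAT the reply (if it drops it instead, the client sees the same failure).

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)

class NatRouter:
    """Minimal model of one PPPoE router doing static port mapping plus PAT."""
    def __init__(self, name, public_ip, forwards=None):
        self.name, self.public_ip = name, public_ip
        self.forwards = forwards or {}  # public port -> inside (ip, port)
        self.sessions = {}              # (inside endpoint, remote endpoint) -> public endpoint

    def inbound(self, pkt):
        """Outside -> inside: apply the static mapping and remember the session."""
        inside = self.forwards[pkt.dst[1]]
        self.sessions[(inside, pkt.src)] = pkt.dst
        return replace(pkt, dst=inside)

    def outbound(self, pkt):
        """Inside -> outside: reuse the inbound session, else create a PAT entry."""
        public = self.sessions.get((pkt.src, pkt.dst))
        if public is None:
            # No matching session on this router: the source becomes *its* public IP.
            public = (self.public_ip, pkt.src[1])
        return replace(pkt, src=public)

def client_accepts(request, reply):
    """A TCP client matches a reply only if its 4-tuple mirrors the request."""
    return reply.src == request.dst and reply.dst == request.src

def round_trip(server_default_gateway):
    """Send one HTTP request in via Router-2600; return (reply on the wire, accepted?)."""
    r2600 = NatRouter("Router-2600", "87.6.44.87", {80: ("10.0.0.32", 80)})
    r2800 = NatRouter("Router-2800", "203.0.113.28")  # constructed placeholder IP
    request = Packet(src=("87.10.45.154", 57529), dst=("87.6.44.87", 80))
    delivered = r2600.inbound(request)                # reaches 10.0.0.32:80
    reply = Packet(src=delivered.dst, dst=delivered.src)
    gateway = {"Router-2600": r2600, "Router-2800": r2800}[server_default_gateway]
    on_wire = gateway.outbound(reply)
    return on_wire, client_accepts(request, on_wire)

if __name__ == "__main__":
    for gw in ("Router-2800", "Router-2600"):
        pkt, ok = round_trip(gw)
        print(f"gateway={gw}: reply src={pkt.src} accepted={ok}")
```

This also explains why the posted translation table looked healthy: the inbound entries on Router-2600 are created whether or not the reply ever comes back through it.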
08-08-2011 09:50 AM
Worked perfectly! I'm sorry, I'm still learning all this stuff, so sometimes I make confusion.
Now I can reach the web server! I think this will work with all the other stuff too!
THANK YOU!
08-08-2011 09:55 AM
You are welcome. Part of learning is listening