
Router: port forwarding problems.

PMOvchinnikov
Level 1

Hello,

I want to make my HTTP-server accessible from the outside (it's located on my LAN).

HTTP-server listens on port TCP 80 on all interfaces, IP address 192.168.112.17/24. (I can ping outside addresses from this machine.) My router - Cisco 2951, here's a part of its config:

interface GigabitEthernet0/0
 ip address W.A.N.IPAddress W.A.N.Netmask
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
interface GigabitEthernet0/1
 ip address 192.168.112.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
ip forward-protocol nd
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.112.17 80 W.A.N.IPAddress 80 extendable
ip route 0.0.0.0 0.0.0.0 W.A.N.GatewayIP
!
access-list 1 permit 192.168.X.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 1 permit 192.168.Z.0 0.0.0.255
access-list 101 permit tcp any host W.A.N.IPAddress eq www

So I cannot reach the server from the outside. The router responds to pings (ICMP echo packets). I'm entering router's W.A.N.IPAddress in my browser's address field and there's no result. Help me, please!


cadet alain
VIP Alumni

Hi,

the easiest way to get this working (access WAN public IP of server from inside) is to replace your NAT configuration like this:

int g0/0
 no ip nat out
 no ip redirects
 ip nat enable
int g0/1
 no ip nat in
 no ip redirects
 ip nat enable
no ip nat inside source list 1 int g0/0
ip nat source list 1 int g0/0
no ip nat inside source static tcp 192.168.112.17 80 x.x.x.x 80
ip nat source static tcp 192.168.112.17 80 x.x.x.x 80

Regards.

Alain

Don't forget to rate helpful posts.


Thank you, Cadet Alain.

One more question: I have two subinterfaces on the router's inside interface (GigabitEthernet0/1) configured this way:

interface GigabitEthernet0/1.X
 encapsulation dot1Q X
 ip address 192.168.X.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.Z
 encapsulation dot1Q Z
 ip address 192.168.Z.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in

How to configure them using your method?

Hi,

to use NVI just replace ip nat inside and ip nat outside by ip nat enable

Regards.

Alain

Don't forget to rate helpful posts.


First attempt failed. Using "old school method" to perform NAT (NAT Inside/Outside) networks connected via GigabitEthernet0/1 interface (and subinterfaces) are automatically routed. (Command "show ip route" lists networks connected to the router and there's no need to configure routes.)

Using your method to perform NAT enables NVI interface (NVI0) on the router. I rolled back to the previous configuration and mention that: NVI0 interface is up (how to shut it down?) and there is no output for command "show ip nat translations".

Maybe I should read more about using NAT and NVI.

Help me, please. Question: I have a website located on my LAN, I have a router in between WAN and LAN, I want to make the website accessible from WAN.

Router's config:

Current configuration : 2252 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname edge
!
boot-start-marker
boot-end-marker
!
no aaa new-model
!
no ipv6 cef
!
ip domain name sphti.ru
ip cef
multilink bundle-name authenticated
!
license udi pid CISCO2951/K9 sn FCZ162920ED
!
username privilege 15 password 7
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address 46.45.33.4 255.255.255.128
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 192.168.112.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.111
 encapsulation dot1Q 111
 ip address 192.168.111.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/1.113
 encapsulation dot1Q 113
 ip address 192.168.113.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat translation timeout 600
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 46.45.33.1
!
access-list 1 permit 192.168.111.0 0.0.0.255
access-list 1 permit 192.168.112.0 0.0.0.255
access-list 1 permit 192.168.113.0 0.0.0.255
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 login local
 transport input ssh
line vty 5 15
 no login
 transport input none
!
scheduler allocate 20000 1000
!
end

Web-server's network config:

IP Address: 192.168.112.17

Netmask: 255.255.255.0

DNS: 192.168.112.2

Gateway: 192.168.112.254

How finally to configure the router? Help me, please!

Hi,

Here is simple config:

ip nat inside source static tcp 192.168.112.17 80 46.45.33.X 80

As WAN IP address for server here you need to use one spare address from your scope e.g. 46.45.33.5 as you have big enough subnet /25.

Also I would not recommend to post here real Public IP addresses.

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

Hope it will help.

Best regards,
Abzal
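
The advice in the reply above (forward port 80 through a spare address from the WAN subnet) can be checked against a saved configuration. The following Python check is an added example, not code from the thread or from Cisco; the function names are hypothetical, the sample config is constructed, and 203.0.113.0/25 is a documentation range standing in for the real WAN subnet.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
# Constructed config in the thread's layout, indented as "show running-config"
# prints it; 203.0.113.0/25 (documentation range) stands in for the WAN subnet.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 203.0.113.4 255.255.255.128
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.112.254 255.255.255.0
 ip nat inside
ip nat inside source static tcp 192.168.112.17 80 203.0.113.5 80
ip nat inside source static tcp 192.168.112.17 443 203.0.113.1 443
ip nat inside source static tcp 192.168.50.9 22 198.51.100.7 2222
ip route 0.0.0.0 0.0.0.0 203.0.113.1
"""

def nat_interfaces(config):
    """Map 'inside'/'outside' to the IPv4Interface objects carrying that NAT role."""
    roles, addr = {"inside": [], "outside": []}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            addr = None  # a top-level line starts a new section
        elif m := re.match(rf" +ip address {IP} {IP}$", line):
            addr = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif (m := re.match(r" +ip nat (inside|outside)$", line)) and addr:
            roles[m[1]].append(addr)
    return roles

def check_port_forwards(config):
    """One finding per static TCP/UDP port forward (ip nat inside source static)."""
    roles = nat_interfaces(config)
    gws = set(re.findall(rf"^ip route 0\.0\.0\.0 0\.0\.0\.0 {IP}", config, re.M))
    rule = rf"^ip nat inside source static (tcp|udp) {IP} (\d+) {IP} (\d+)"
    findings = []
    for proto, local, lport, glob, gport in re.findall(rule, config, re.M):
        l_ip, g_ip = ipaddress.ip_address(local), ipaddress.ip_address(glob)
        net = next((o.network for o in roles["outside"] if g_ip in o.network), None)
        findings.append({
            "rule": f"{proto} {glob}:{gport} -> {local}:{lport}",
            "local_on_inside_net": any(l_ip in i.network for i in roles["inside"]),
            "global_in_outside_net": net is not None,
            "global_is_router_ip": any(g_ip == o.ip for o in roles["outside"]),
            "global_is_default_gw": glob in gws,
            "global_is_net_or_bcast": net is not None
                and g_ip in (net.network_address, net.broadcast_address),
        })
    return findings
```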

One spare address means that I should configure router's outside (WAN) interface with secondary IP address, right?

Thank you, Abzal Sembay! Everything's all right now!
