
Router ZBF - port forwarding

tomaszaniol
Level 1

Hey, I have a problem with port forwarding.

What I want to achieve:

When I open a web browser to 10.223.0.1:22222 on my laptop, it should be forwarded to 192.168.8.1:80 and the admin page of the LTE router should open.

(network diagram: net.png)

Building configuration...

Current configuration : 4817 bytes
!
! Last configuration change at 09:25:23 SUMMER_ Tue Sep 4 2018
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c800-universalk9-mz.SPA.153-3.M10.bin
boot-end-marker
!
aqm-register-fnf
!
logging console informational
!
no aaa new-model
clock timezone POLAND 1 0
clock summer-time SUMMER_POLAND recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
!
!
!
!


!
ip dhcp excluded-address 10.223.0.1 10.223.0.20
!
ip dhcp pool POOL
 network 10.223.0.0 255.255.255.0
 default-router 10.223.0.1
 domain-name xxxx.pl
 dns-server 8.8.8.8
 lease 0 2
!
!
!
ip domain name xxxx.pl
ip name-server 194.204.159.1
ip name-server 194.204.152.34
ip inspect log drop-pkt
ip cef
no ipv6 cef
!
parameter-map type inspect global
 log dropped-packets enable
 max-incomplete low 18000
 max-incomplete high 20000
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
class-map type inspect match-all CLASS_Inside_Outside_udp
 match protocol udp
 match access-group name Inside_Outside
class-map type inspect match-all CLASS_Outside_Inside_udp
 match protocol udp
 match access-group name Outside_Inside
class-map type inspect match-all CLASS_Outside_Inside_tcp
 match protocol tcp
 match access-group name Outside_Inside
class-map type inspect match-all CLASS_Inside_Outside
 match protocol tcp
 match access-group name Inside_Outside
class-map type inspect match-all CLASS_Inside_Outside_icmp
 match protocol icmp
 match access-group name Inside_Outside
class-map type inspect match-all CLASS_Outside_Inside_icmp
 match protocol icmp
 match access-group name Outside_Inside
!
policy-map type inspect POLICY_Inside_Outside
 class type inspect CLASS_Inside_Outside
  inspect
 class type inspect CLASS_Inside_Outside_icmp
  inspect
 class type inspect CLASS_Inside_Outside_udp
  inspect
 class class-default
  drop log
policy-map type inspect POLICY_Outside_Inside
 class type inspect CLASS_Outside_Inside_tcp
  inspect
 class type inspect CLASS_Outside_Inside_icmp
  inspect
 class type inspect CLASS_Outside_Inside_udp
  inspect
 class class-default
  drop log
!
zone security INSIDE
 description INSIDE
zone security OUTSIDE
 description OUTSIDE
zone-pair security ZONE_Inside_Outside source INSIDE destination OUTSIDE
 service-policy type inspect POLICY_Inside_Outside
zone-pair security ZONE_Outside_Inside source OUTSIDE destination INSIDE
 service-policy type inspect POLICY_Outside_Inside
!
!
!
!
!
!
!
!
!
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
 isdn termination multidrop
!
interface FastEthernet0
 description WAN LTE
 bandwidth 500
 ip address 192.168.8.2 255.255.255.0
 ip nbar protocol-discovery
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
!
interface GigabitEthernet2
 no ip address
!
interface GigabitEthernet3
 no ip address
!
interface GigabitEthernet4
 no ip address
!
interface GigabitEthernet5
 no ip address
!
interface GigabitEthernet6
 no ip address
!
interface GigabitEthernet7
 no ip address
!
interface GigabitEthernet8
 description WAN
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
!
interface Vlan1
 description INSIDE
 ip address 10.223.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Async3
 no ip address
 encapsulation slip
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map ROUTE-MAP-FW-NAT interface GigabitEthernet8 overload
ip nat inside source route-map ROUTE-MAP-FW-NAT-LTE interface FastEthernet0 overload
ip nat inside source static tcp 192.168.8.1 80 10.223.0.1 22222 extendable
!
ip access-list standard FW-NAT
 permit any
!
ip access-list extended Inside_Outside
 permit ip any any
ip access-list extended Outside_Inside
 permit ip any any
!
logging policy-firewall rate-limit 10
!
route-map ROUTE-MAP-FW-NAT-LTE permit 10
 match ip address FW-NAT
 match interface FastEthernet0
!
route-map ROUTE-MAP-FW-NAT permit 10
 match ip address FW-NAT
 match interface GigabitEthernet8
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
 vstack
!
line con 0
 no modem enable
line aux 0
line 3
 modem InOut
 speed 115200
 flowcontrol hardware
line vty 0 4
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

Router#

ADP_89
Level 1

Hello,

I am not sure that's possible. You are trying to do a "destination NAT" with the router's address 10.223.0.1 as the outside local.

First you will need to change your NAT command from "ip nat inside" to "ip nat outside", but this changes the game a little bit, as routing will be done before NAT translation on packet arrival. Given that the local address has an administrative distance of 0, you have little chance of superseding it in the RIB.

My suggestion is to use an IP on the inside subnet as a VIP for this connection, like 10.223.0.3, and then apply the following command:

"ip nat outside source static tcp 192.168.8.1 80 10.223.0.3 22222 extendable add-route". This will create an entry in the RIB, causing packets going to 10.223.0.3 to be first routed and then NATed.

Give it a go and let me know if this works.

HTH,

ADP

Perfect. I am glad it worked.

Remember to mark the post as solved ;-)

ADP

rasmus.elmholt
Level 7

Hi

I got this to work with "ip nat outside source static tcp 192.168.8.1 80 10.223.0.3 22222", which will do a destination NAT on the outside interface after the normal source NAT you already have on the inside interface.
Try it out and let us know if it works.
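As an added model (not the page's or Cisco's code) of the order of operations ADP describes and the command rasmus confirmed: in the inside-to-outside direction the route lookup runs before NAT, so the router's own /32 "local" route for 10.223.0.1 wins and the packet never reaches a NAT interface, whereas an outside-source static rule on a VIP with a host route is routed out and then translated. The route table, zone membership and overload address are taken from the posted config; the packet-level behaviour is an assumption that simplifies IOS.

```python
import ipaddress

# Constructed model, not IOS code: the inside-to-outside forwarding path as ADP
# describes it (route lookup first, NAT afterwards). A route is
# (prefix, admin distance, egress); every interface address also owns a /32
# "local" route with AD 0, which is why 10.223.0.1 stays on the router.
ROUTES = [
    (ipaddress.ip_network("10.223.0.0/24"), 0, "Vlan1"),
    (ipaddress.ip_network("10.223.0.1/32"), 0, "local"),
    (ipaddress.ip_network("192.168.8.0/24"), 0, "FastEthernet0"),
    (ipaddress.ip_network("192.168.8.2/32"), 0, "local"),
]
OUTSIDE_ZONE = {"FastEthernet0", "GigabitEthernet8"}
OVERLOAD = {"FastEthernet0": "192.168.8.2"}   # ip nat inside source ... overload


def route(dst, routes):
    """Longest prefix match, lowest admin distance on a tie; returns egress."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]),
               key=lambda r: (r[0].prefixlen, -r[1]), default=None)
    return best[2] if best else None


def forward_inside_to_outside(src, dst, dport, routes, static=None):
    """Route first, then translate on the chosen outside interface.

    static mirrors 'ip nat outside source static tcp OL LP OG GP' as the tuple
    (outside_local, lport, outside_global, gport): a packet addressed to
    outside_global:gport is rewritten to outside_local:lport.
    Returns (egress, src_after_nat, dst_after_nat, dport_after_nat).
    """
    egress = route(dst, routes)
    if egress == "local":           # punted to the router itself: NAT never runs
        return ("local", src, dst, dport)
    if egress not in OUTSIDE_ZONE:  # stays inside the INSIDE zone: no NAT
        return (egress, src, dst, dport)
    if static and (dst, dport) == (static[2], static[3]):
        dst, dport = static[0], static[1]   # destination NAT (outside source)
    src = OVERLOAD.get(egress, src)         # PAT of the inside source
    return (egress, src, dst, dport)


def with_add_route(routes, vip, egress):
    """What 'add-route' does: a host route so the VIP is routed, not local."""
    return routes + [(ipaddress.ip_network(vip + "/32"), 0, egress)]
```

Compare the model's verdicts against `show ip route 10.223.0.3` and `show ip nat translations` on the router; whether your IOS release needs `add-route` for the VIP is something the live box decides, not this model.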