08-10-2013 07:26 PM - edited 03-04-2019 08:43 PM
I'm running a Cisco 2811 at my house and I'm trying to figure out how port forwarding translates into NAT.
I currently have my WAN interface (Fa0/0) configured:
interface FastEthernet0/0
ip dhcp client hostname ISP
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
My internal VLAN:
interface Vlan100
description Home_Data
ip address 10.0.0.1 255.255.255.0
ip nat inside
I also have the following:
ip nat inside source list 99 interface FastEthernet0/0 overload
Standard IP access list 99
10 permit 10.0.0.0, wildcard bits 0.0.0.255 (97314 matches)
My goal is to get an application I use called Ventrilo to work. It uses port 3784.
I've configured the following:
ip nat source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784
This should make it that if anyone tries to hit my external IP (which is the IP address of fa0/0) it should forward them to the PC running the Ventrilo server.
Also, I've used this resource: http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml
This article explains how to use dynamic and static NAT simultaneously.
There is this part of the article that I have no option with:
Note:
Although it is possible to use the same global address for both the Dynamic and Static NAT, whenever possible it is better to use different global addresses. Being a home network, I only have the single global address.
Any suggestions?
Thanks!
Kyle
Added link which explains simultaneous dynamic/static NAT
08-11-2013 05:01 AM
Wrong forum, post in "WAN and routing". You can move your post using the actions panel on the right.
08-11-2013 10:19 AM
Hi Kyle,
ip nat source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784
This exact command appears to be incorrect. Note it is missing the inside keyword. Correctly, it should spell:
ip nat inside source static tcp 10.0.0.5 3784 interface FastEthernet0/0 3784
The reason is that the ip nat source version of the command refers to a so-called NVI (NAT Virtual Interface) style of configuring NAT that allows an interface to be both "inside" and "outside". This style of configuration is not compatible with the usual ip nat inside source style of NAT/PAT configuration, however, so you either use one or the other.
My suggestion is therefore to remove your current ip nat source command and replace it with the ip nat inside source command as shown above.
Best regards,
Peter
08-11-2013 10:51 AM
Peter,
Good catch! I now see the following when performing a show ip nat translation:
tcp PUBLICIP:3784 10.0.0.5:3784 --- ---
udp PUBLICIP:3784 10.0.0.5:3784 --- ---
(I created two static maps; one for TCP and one for UDP--not 100% which it uses.)
Also, this website is now showing the port as open, when it was closed before: http://www.yougetsignal.com/tools/open-ports/
Problem is... it still isn't working. Annoying the hell out of me. I've verified that Windows Firewall is allowing port 3784 and is allowing the application.
08-11-2013 11:15 AM
Hi Kyle,
Well, can you try installing Wireshark on the machine that runs the Ventrilo, and run it while connecting from outside to the port 3784, and see if the packets can actually hit that machine?
Are you familiar with the Wireshark software?
Best regards,
Peter
08-11-2013 11:16 AM
Peter,
Update...
It IS working. !! Yay !!
It's working for other external clients (got a friend to try).
But when I try internally, with my public IP address it doesn't work. This worked before when using traditional port forwarding on the Linksys router.
Any idea to why it wouldn't work when trying from my internal network, pointing to my own public IP? Shouldn't it simply redirect back?
08-11-2013 11:21 AM
Hi Kyle,
Okay, good to know.
On Cisco, the NAT applies only if the packets traverse the inside-outside or outside-inside combination of interfaces. As this combination of interfaces is not really hit when your internal clients communicate with the inside machine under its public IP address, the NAT does not apply here.
My personal suggestion is to use the internal IP address for your internal network (the KISS principle). My primary reason for this is that the packet hairpinning over the router and back out the same interface will incur a performance penalty on the application, so it is better to avoid it. Only if using the private IP address would be a major inconvenience for you, I can come up with a modification of your NAT configuration that would allow for this.
Let me know please - and in any case, I am glad it does work!
Best regards,
Peter
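An added example, not from the thread or from Cisco: a small Python model of the outside-to-inside check Peter describes, showing why a friend on the Internet reaches 10.0.0.5:3784 while Kyle's own PC aiming at the public IP does not. The public address 203.0.113.10 and the sample client addresses are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder for the public address Fa0/0 receives via DHCP
PUBLIC_IP = "203.0.113.10"

# NAT roles taken from the thread's config: Fa0/0 is outside, Vlan100 is inside
NAT_ROLE = {"FastEthernet0/0": "outside", "Vlan100": "inside"}

# The two static PAT entries Kyle created (tcp and udp 3784 -> 10.0.0.5:3784)
STATIC_PAT = {
    ("tcp", PUBLIC_IP, 3784): ("10.0.0.5", 3784),
    ("udp", PUBLIC_IP, 3784): ("10.0.0.5", 3784),
}


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    in_iface: str  # interface the packet arrived on


def translate_inbound(pkt):
    """Return (dst, dport, translated) after the outside->inside NAT step.

    IOS only consults the static entries in the reverse (destination)
    direction for packets that enter on an 'ip nat outside' interface. A
    packet that enters on an inside interface with the public IP as its
    destination is never a candidate: it is delivered to the router itself,
    which has no Ventrilo listener, so the hairpin attempt fails.
    """
    if NAT_ROLE.get(pkt.in_iface) != "outside":
        return pkt.dst, pkt.dport, False
    target = STATIC_PAT.get((pkt.proto, pkt.dst, pkt.dport))
    if target is None:
        return pkt.dst, pkt.dport, False
    return target[0], target[1], True


def demo():
    # Constructed sample packets: a friend on the Internet, and Kyle's own PC
    external = Packet("tcp", "198.51.100.7", PUBLIC_IP, 3784, "FastEthernet0/0")
    internal = Packet("tcp", "10.0.0.20", PUBLIC_IP, 3784, "Vlan100")
    return translate_inbound(external), translate_inbound(internal)
```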
08-11-2013 11:31 AM
Peter,
I hear ya!
I mainly use it for testing purposes. Until I get dynamic DNS working, it is my work around to figure out if my pub IP has changed and I need to give out the new IP address.
Otherwise, internal addressing does work great.
You were a big help thank you!
08-11-2013 11:36 AM
Hi Kyle,
It has been a pleasure. You are always welcome!
Best regards,
Peter