08-08-2017 11:39 AM - edited 03-05-2019 08:58 AM
Hi,
I am doing NATting on a Cisco 4321 router.
For LAN users I am doing dynamic NAT:
ip nat inside source list INTERNET interface Dialer1 overload
ip access-list extended INTERNET
permit ip any any
The customer also wants to access CCTV from outside. Now the problem starts: when I am doing static NAT port forwarding for access from outside, I want to open 4 ports for 1 CCTV as per the customer's requirement, so I created static NAT entries:
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 10443
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 10443
The problem is the router is accepting only 2 static commands. When I enter the 3rd and 4th static commands, these new commands overwrite the previous 2 commands, so I cannot add more than 2 static NAT entries.
1- Why can't I add more static NAT entries? I am using the IPbase license on the router.
2- Is there any limitation for static NAT entries?
The router has an ADSL connection.
3- Is there any other way to add static NAT port forwarding for 4 ports in a single command?
Running Config
ADSL-Router#sh run
Building configuration...
Current configuration : 2258 bytes
!
! Last configuration change at 17:22:06 UTC Sun Aug 6 2017 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ADSL-Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
enable secret 5 $1$nBpV$rgxALNQ8Wn6Enlx8snLHg0
!
no aaa new-model
!
!
!
!
!
!
!
!
!
ip name-server X.X.X.X
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LPG
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1 
 dns-server X.X.X.X 
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FDO2021134D
!
username admin password 0 Cisco
!
redundancy
 mode none
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
 description LAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 negotiation auto
!
interface GigabitEthernet0/0/1
 description WAN
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
 vrf forwarding Mgmt-intf
 no ip address
 shutdown
 negotiation auto
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname bplpg
 ppp chap password 0 d1acmmy5
 ppp pap sent-username bplpg password 0 d1acmmy5
 ppp ipcp dns request
 ppp ipcp route default
 ppp ipcp address accept
!
ip nat inside source list INTERNET interface Dialer1 overload
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 10443
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip access-list extended CCTV
 permit ip any 192.168.1.0 0.0.0.255
ip access-list extended INTERNET
 permit ip any any
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 login local
 transport input all
!
!
end
08-08-2017 11:51 AM
Hello
NAT doesn't like an ACL with any any; you need to specify the subnet that you wish to be NATted:
ip access-list extended INTERNET
 permit ip any any
permit ip 192.168.1.0 0.0.0.255 any
also try this:
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 554
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 37778
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 37777
res
paul
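As an added example (not from this thread or from Cisco), here is a small Python check that parses the one-line static NAT form used above and flags entries that claim the same outside protocol, interface and port; the parser and function names are assumptions. Run against the original four lines it reports one outside socket (tcp Dialer1 10443) claimed by three entries, while the port-to-port version has no overlap.

```python
import re
from collections import defaultdict

# Matches the one-line static form used in this thread (hypothetical helper, not Cisco code):
# ip nat inside source static <tcp|udp> <inside-ip> <inside-port> interface <ifname> <outside-port>
STATIC_NAT_RE = re.compile(
    r"^\s*ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)\s*$"
)


def parse_static_nat(config_text):
    """Return (proto, inside_ip, inside_port, interface, outside_port) for each matching line."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_NAT_RE.match(line)
        if m:
            proto, ip, iport, ifname, oport = m.groups()
            entries.append((proto, ip, int(iport), ifname, int(oport)))
    return entries


def find_collisions(entries):
    """Group entries by outside socket (proto, interface, port); return groups with more than
    one member. Nothing in an inbound packet tells the router which inside port to pick."""
    by_outside = defaultdict(list)
    for entry in entries:
        proto, _ip, _iport, ifname, oport = entry
        by_outside[(proto, ifname, oport)].append(entry)
    return {key: group for key, group in by_outside.items() if len(group) > 1}


# Constructed sample: the four lines from the original post, all pointed at Dialer1 10443.
ORIGINAL = """\
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 10443
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 10443
"""
# Constructed sample: the port-to-port version, one distinct outside port per service.
FIXED = """\
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 554
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 37778
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 37777
"""

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("fixed", FIXED)):
        for (proto, ifname, port), group in find_collisions(parse_static_nat(text)).items():
            inside = ", ".join(f"{e[1]}:{e[2]}" for e in group)
            print(f"{name}: {proto}/{ifname}:{port} claimed by {len(group)} entries ({inside})")
```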
08-08-2017 12:13 PM
Hi Paul
1- NAT is working fine for LAN users with that ACL (although I will change the ACL to be more specific).
2- The customer wants to map the single server IP for 4 different ports with a single outside port.
Is it possible to map a single outside port 10443 to a single inside server IP 192.168.1.20 but 4 different inside ports?
3- The router is not accepting more than 2 static entries; is that normal behavior?
Thanks for your feedback.
08-08-2017 12:32 PM
If you map the same port to 4 different inside ports, how will the router know which port you want to send it to on the server?
If the source IPs for each port were different then it could probably be done, but I suspect they aren't.
Jon
08-08-2017 12:45 PM
Hi Jon,
The customer was using a D-LINK router previously, and they were accessing CCTV from outside via DynDNS.
So when they click a link like https://0086760877546e10.hecxnyyur-ddns.com:10443/ they can access their server from outside by clicking this link.
Now the customer has installed the Cisco router and he gave me the list below to create the port forwarding accordingly:
tcp 192.168.1.20 8080 >>> interface dialer1 10443
tcp 192.168.1.20 554 >>> interface dialer1 10443
tcp 192.168.1.20 37777 >>> interface dialer1 10443
udp 192.168.1.20 37778 >>> interface dialer1 10443
If this is wrong, then what should the right configuration be in order to access the CCTV via the link given above?
Thanks for your comments.
08-08-2017 12:51 PM
To be honest I have no idea because I have not used that application so can't say.
But as I said I can't see how it would work as is because the router would have no way of knowing which real port to send it to.
Jon
08-08-2017 01:56 PM
Hello
I think you should check with the client regarding their requirements; I don't think a single URL would work.
The port forwarding below should work, however, but it won't be on the same URL:
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 554
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 37778
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 37777
res
Paul
08-08-2017 02:07 PM
It appears the switch is bright enough to know that you're doing something that shouldn't be done...  Using that same destination interface and port.  My switch doesn't like it either. I get one entry after typing all four commands in.
08-08-2017 02:16 PM
Hello Rob
Whilst you have the rtr open, can you test the static NAT port-to-port as I posted previously? The rtr should take it.
Just for validation.
res
paul
08-08-2017 02:42 PM
Entered without issue.
08-08-2017 02:46 PM
Hello
Much appreciated
res
Paul