Static Nat issue on Router: router not accepting more then 2 static NAT commands

hashimwajid1
Level 3

Hi,

I am doing NAT on a Cisco 4321 router.

For LAN users I am doing dynamic NAT:

ip nat inside source list INTERNET interface Dialer1 overload

ip access-list extended INTERNET
  permit ip any any

The customer also wants to access CCTV from outside. Now the problem starts: when I am doing static NAT port forwarding for access from outside, I want to open 4 ports for 1 CCTV as per the customer's requirement, so I created these static NAT entries:

ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 10443
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 10443

The problem is that the router accepts only 2 static commands. When I enter the 3rd and 4th static commands, these new commands overwrite the previous 2, so I cannot add more than 2 static NAT entries.

1- Why can't I add more static NAT entries? I am using an IP Base license on the router.

2- Is there any limitation on static NAT entries?

The router has an ADSL connection.

3- Is there any other way to add static NAT port forwarding for 4 ports in a single command?

Running config:

ADSL-Router#sh run
Building configuration...

Current configuration : 2258 bytes
!
! Last configuration change at 17:22:06 UTC Sun Aug 6 2017 by admin
!
version 15.4
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname ADSL-Router
!
boot-start-marker
boot-end-marker
!
!
vrf definition Mgmt-intf
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
!
enable secret 5 $1$nBpV$rgxALNQ8Wn6Enlx8snLHg0
!
no aaa new-model
!
!
!
!
!
!
!
!
!


ip name-server X.X.X.X

ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool LPG
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server X.X.X.X
!
!
!
!
!
!
!
!
!
!
subscriber templating
multilink bundle-name authenticated
!
!
!
!
license udi pid ISR4321/K9 sn FDO2021134D
!
username admin password 0 Cisco
!
redundancy
mode none
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
description LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
negotiation auto
!
interface GigabitEthernet0/0/1
description WAN
no ip address
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
no ip address
shutdown
negotiation auto
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname bplpg
ppp chap password 0 d1acmmy5
ppp pap sent-username bplpg password 0 d1acmmy5
ppp ipcp dns request
ppp ipcp route default
ppp ipcp address accept
!

ip nat inside source list INTERNET interface Dialer1 overload
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 10443
no ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip tftp source-interface GigabitEthernet0
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip access-list extended CCTV
permit ip any 192.168.1.0 0.0.0.255
ip access-list extended INTERNET
permit ip any any
!
access-list 100 permit ip any any
!
!
!
control-plane
!
!
line con 0
stopbits 1
line aux 0
stopbits 1
line vty 0 4
login local
transport input all
!
!
end

Accepted Solution
Hello

NAT doesn't like an ACL with any any; you need to specify the subnet that you wish to be NATted.

ip access-list extended INTERNET
permit ip any any
permit ip 192.168.1.0 0.0.0.255 any

also try this:

ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 554
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 37778
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 37777

res
paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul



Hi Paul

1- NAT is working fine for LAN users with that ACL (although I will change the ACL to be more specific).

2- The customer wants to map the single server IP for 4 different ports to a single outside port.

Is it possible to map a single outside port 10443 to a single inside server IP 192.168.1.20 but 4 different inside ports?

3- The router is not accepting more than 2 static entries; is this normal behaviour?

Thanks for your feedback.


If you map the same port to 4 different inside ports, how will the router know which port you want to send it to on the server?

If the source IPs for each port were different then it could probably be done, but I suspect they aren't.

Jon

Hi Jon,

The customer was using a D-LINK router previously, and they were accessing CCTV from outside via DynDNS.

So when they click a link like https://0086760877546e10.hecxnyyur-ddns.com:10443/ they can access their server from outside.

Now the customer has installed the Cisco router and gave me the list below to create the port forwarding:

tcp 192.168.1.20 8080 >>> interface dialer1 10443

tcp 192.168.1.20 554 >>> interface dialer1 10443

tcp 192.168.1.20 37777 >>> interface dialer1 10443

udp 192.168.1.20 37778 >>> interface dialer1 10443

If this is wrong, then what should be the right configuration in order to access the CCTV via the link given above?

Thanks for your comments.

To be honest I have no idea, because I have not used that application, so I can't say.

But as I said, I can't see how it would work as is, because the router would have no way of knowing which real port to send it to.

Jon
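The ambiguity Jon describes (four inside ports behind one outside port, so the router has nothing in the packet to tell it which inside port a client meant) and the ACL ordering in the accepted answer can both be checked mechanically before the lines are pasted into a router. The following Python script is an added example, not code from this thread, from Cisco, or from any of the posters. It assumes plain-text input in the two forms posted above (the interface form of `ip nat inside source static` and a named extended ACL); the regex, the function names and the two sample configurations are constructed here from the lines in the thread. It flags any (protocol, outside interface, outside port) that is mapped to more than one inside socket, and any ACE that sits after `permit ip any any` and can therefore never match.

```python
import re
from collections import defaultdict

# Interface form of a static PAT entry, e.g.
#   ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
# (assumed input format; constructed for this example)
STATIC_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) "
    r"(?P<inside_ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<inside_port>\d+) "
    r"interface (?P<iface>\S+) (?P<outside_port>\d+)$"
)


def parse_static_nat(config_text):
    """Return one dict per static PAT line found in plain config text."""
    entries = []
    for raw in config_text.splitlines():
        m = STATIC_RE.match(raw.strip())
        if m:
            entries.append({
                "proto": m["proto"],
                "inside": (m["inside_ip"], int(m["inside_port"])),
                "iface": m["iface"],
                "outside_port": int(m["outside_port"]),
            })
    return entries


def find_outside_port_collisions(entries):
    """Map (proto, outside iface, outside port) -> distinct inside sockets,
    keeping only keys that point at more than one.  An outside socket can be
    delivered to exactly one inside socket; nothing in the TCP/UDP header
    tells the router which of several inside ports a client meant."""
    targets = defaultdict(list)
    for e in entries:
        key = (e["proto"], e["iface"], e["outside_port"])
        if e["inside"] not in targets[key]:
            targets[key].append(e["inside"])
    return {k: v for k, v in targets.items() if len(v) > 1}


def parse_acl(config_text, name):
    """Return the ACEs of a named extended ACL in configuration order."""
    aces, in_acl = [], False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == f"ip access-list extended {name}":
            in_acl = True
        elif in_acl and (line.startswith("permit ") or line.startswith("deny ")):
            aces.append(line)
        elif in_acl and line:
            in_acl = False  # first non-ACE, non-blank line ends the ACL body
    return aces


def shadowed_aces(aces):
    """ACEs that can never match because 'permit ip any any' precedes them
    (IOS ACLs are evaluated first match wins)."""
    for i, ace in enumerate(aces):
        if ace == "permit ip any any":
            return aces[i + 1:]
    return []


def lint(config_text, acl_name):
    """Human-readable findings for a config fragment."""
    findings = []
    collisions = find_outside_port_collisions(parse_static_nat(config_text))
    for (proto, iface, port), inside in collisions.items():
        shown = ", ".join(f"{ip}:{p}" for ip, p in inside)
        findings.append(f"{proto}/{port} on {iface} is mapped to {len(inside)} "
                        f"inside sockets ({shown}); only one can be active")
    for ace in shadowed_aces(parse_acl(config_text, acl_name)):
        findings.append(f"ACL {acl_name}: '{ace}' is shadowed by 'permit ip any any'")
    return findings


# Constructed samples: the four lines from the original post, and the ACL plus
# four lines from the accepted answer.
ORIGINAL_POST = """\
ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 10443
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 10443
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 10443
"""

ACCEPTED_ANSWER = """\
ip access-list extended INTERNET
permit ip any any
permit ip 192.168.1.0 0.0.0.255 any

ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 554
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 37778
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 37777
"""

if __name__ == "__main__":
    for label, text in (("original post", ORIGINAL_POST), ("accepted answer", ACCEPTED_ANSWER)):
        print(f"== {label} ==")
        for finding in lint(text, "INTERNET") or ["no findings"]:
            print(" -", finding)
```

Run against the original post, the script reports that tcp/10443 on Dialer1 points at three different inside sockets, which is the ambiguity Jon describes; the accepted answer's static lines produce no collision because each inside port gets its own outside port. The ACL check on the accepted answer shows that a `permit ip any any` kept as the first line leaves the 192.168.1.0/24 line unreachable, so the subnet line only takes effect once the any-any line is removed. The same functions can be fed the output of `show running-config` to review a live router.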

Hello

I think you should check with the client regarding their requirements; I don't think a single URL would work.

The port forwarding below should work, however, but it won't be on the same URL.

ip nat inside source static tcp 192.168.1.20 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.1.20 554 interface Dialer1 554
ip nat inside source static udp 192.168.1.20 37778 interface Dialer1 37778
ip nat inside source static tcp 192.168.1.20 37777 interface Dialer1 37777

res
Paul

Rob Cluett
Level 1

It appears the switch is bright enough to know that you're doing something that shouldn't be done... using that same destination interface and port. My switch doesn't like it either. I get one entry after typing all four commands in.

Hello Rob

Whilst you have the rtr open, can you test the static NAT port-to-port as I posted previously? The rtr should take it.

Just for validation.

res

paul

Entered without issue.

Hello

Much appreciated

res

Paul