Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4538
Views
5
Helpful
16
Replies

Static port address translation

Go to solution
keithlin.7321
Level 1
Level 1

‎06-27-2016 06:09 PM - edited ‎03-05-2019 04:18 AM

Edited: Resolve via teamviwer session it turns out to be a firewall issue at my end blocking strange port. 

1)
Cisco router using ios 15.5. I am trying to setup static port address translation so anywhere in the internet can ssh into my pub ip address and it will go into a linux box in my network. The guides online is really straight forward, asking me to do the following `ip nat inside source static tcp <private_ip> 22 <public_ip> <$any port>`, but it didn't work I got a connection time out. I have a very minimal configuration too, nothing complicated. Iptables in the box is flushed. The windows box that's hosting the vm also have firewall disabled.

interface GigabitEthernet0/0/0
description public facing internet port
no ip dhcp client request dns-nameserver
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
description the box hosted a vm with ip address 192.168.38.225
switchport access vlan 200
!
interface Vlan200
ip address 192.168.38.1 255.255.255.0
ip nat inside
!
ip nat inside source list PRIVATE interface GigabitEthernet0/0/0 overload
interface GigabitEthernet0/0/0
description public facing internet port
no ip dhcp client request dns-nameserver
ip address dhcp
ip nat outside
negotiation auto
!
interface GigabitEthernet0/1/0
description the box I want ssh to with ip .225
switchport access vlan 200
!
interface Vlan200
ip address 192.168.38.1 255.255.255.0
ip nat inside
!
p nat inside source static tcp 192.168.38.225 22 14.7.122.44 13822 extendable
ip nat inside source list PRIVATE interface GigabitEthernet0/0/0 overload
ip access-list extended PRIVATE
permit ip 192.168.38.0 0.0.0.255 any
permit ip 192.168.0.0 0.0.0.255 any
!

Labels:
0 Helpful
16 Replies 16

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to keithlin.7321

‎06-28-2016 04:04 PM

You're very welcome


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
0 Helpful

Go to solution
keithlin.7321
Level 1
Level 1
In response to Francesco Molino

‎06-28-2016 04:03 PM

ISR 4331 is more likely ASR config. I don't have it right now in lab for testing.

debug ip packet that's it should be enough. Otherwise you can use monitor capture feature to see if something arrives to your router.

Could you change your nat config with the config below:

ip nat inside source statice 192.168.38.225 22 interface 13822

I already did it, it's in the show run paste bin ip nat inside source static tcp 192.168.38.225 22 interface GigabitEthernet0/0/0 13822

Some stuff have changed between IOS and IOS XE.

Or do you have a possibility to do a team viewer or webex? 

it doesn't seem this forum allow pm. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card