Cisco 800 NAT rule

iano8888888
Level 1

Hi,


We have a Cisco 800 that I am struggling to get an inbound NAT rule working for. I want to forward port 80 to 192.168.1.20.

Below are sections I think are relevant.

interface Vlan1
description LAN interface
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip tcp adjust-mss 1452
!

interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ****@*****.net
ppp chap password 7 1307051D0A08062B252079
crypto map HQ_VPN

no access-list 105
access-list 105 permit tcp any any eq 80
access-list 105 permit udp any any eq 80
access-list 105 permit gre any any
access-list 105 deny icmp any any echo
access-list 105 deny ip any any log

ip nat inside source static tcp 192.168.1.20 80 <Public IP> 80

I have also tried 

ip nat inside source static tcp 192.168.1.20 80 interface Dialer1 80

Each time I apply the 105 access list to Dialer1, the site loses internet connectivity and I have to revert the change. The NAT rule also does not work.

interface Dialer1

ip access-group 105 in

Any ideas appreciated.

Thanks.

5 Replies

Brandon Buffin
VIP Alumni

Try adding the following:

ip inspect name FWOUT tcp
ip inspect name FWOUT udp
ip inspect name FWOUT icmp
ip inspect name FWOUT ftp

interface dialer1
ip inspect FWOUT out

Brandon

Hi Brandon, 


Thanks for response.


I get the below when adding the "ip inspect FWOUT out" command to the dialer 1 interface.

%Cannot configure inspect rule on an interface which is member of a zone . Remove the interface from the zone and retry.

Sorry, didn't notice you had zone based firewall configured. The inspection I was recommending is likely being accomplished with this config. I don't see the rest of the config in your post, but I'm assuming that is the case. Are you applying access list 105 inbound such as - "ip access-group 105 in"?

Yep I'm applying it to the Dialer1 interface.


As soon as I apply it inbound the connection to the site just drops.
It's a remote site, so I need to get someone to reboot the ISR to revert.

Couple of things to help your troubleshooting:

1. Add a couple of lines to your ACL to allow telnet/ssh to the router. This will allow you to access the device after applying the ACL to troubleshoot.

access-list 105 permit tcp 1.1.1.1 (your public IP address) 0.0.0.255 (your wildcard bits) 2.2.2.2 (public IP of the remote router) 0.0.0.0 eq telnet

access-list 105 permit tcp 1.1.1.1 (your public IP address) 0.0.0.255 (your wildcard bits) 2.2.2.2 (public IP of the remote router) 0.0.0.0 eq 22

2. When you have a doubt regarding the outcome of a command, enter "reload in 5" before issuing the command. This will reload the router in 5 minutes and bring you back to the config before the command was entered. After you're sure the command has not caused a problem, enter "reload cancel".
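An added example, not from the thread or from Cisco: a small Python model of how IOS evaluates an extended numbered ACL (first match wins, implicit deny at the end), run against the poster's ACL 105 and the kind of management entry suggested above. The addresses it uses (198.51.100.5 as a web server, 192.0.2.0/24 as the admin's public range, 203.0.113.10 as the router's public IP) are constructed placeholders, and ICMP type keywords and the "log" keyword are not modelled.

```python
import ipaddress

def _addr(tok):
    """'any' or 'A wildcard' (inverted by hand: ipaddress reads an all-zero mask as /0)."""
    if tok[0] == "any":
        return None, tok[1:]
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tok[1])))
    return ipaddress.ip_network(f"{tok[0]}/{mask}", strict=False), tok[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny proto src dst [eq port]' lines (ICMP type
    keywords and the trailing 'log' keyword are not modelled)."""
    acl = []
    for line in lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # skips blank lines and 'no access-list 105'
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, rest = _addr(rest)
        dst, rest = _addr(rest)
        dport = int(rest[1]) if rest[:1] == ["eq"] else None
        acl.append((action, proto, src, dst, dport))
    return acl

def evaluate(acl, pkt):
    """First match wins, then IOS's implicit deny. No stateful (ZBF) inspection
    here on purpose: the interface ACL runs before inspection sees the packet."""
    s, d = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for action, proto, src, dst, dport in acl:
        if proto not in ("ip", pkt["proto"]):
            continue
        if (src is not None and s not in src) or (dst is not None and d not in dst):
            continue
        if dport is not None and pkt.get("dport") != dport:
            continue
        return action
    return "deny"

# Poster's ACL, plus a management entry with constructed addresses (192.0.2.0/24 = admin range, 203.0.113.10 = router public IP).
ACL_105 = parse_acl(["access-list 105 permit tcp any any eq 80",
                     "access-list 105 permit udp any any eq 80",
                     "access-list 105 permit gre any any",
                     "access-list 105 deny icmp any any echo",
                     "access-list 105 deny ip any any log"])
MGMT = parse_acl(["access-list 105 permit tcp 192.0.2.0 0.0.0.255 203.0.113.10 0.0.0.0 eq 22"])
def verdicts(acl, public_ip="203.0.113.10"):
    """Inbound on Dialer1: web request to the NAT'd server, reply to a browsing
    session an inside host opened (src port 80, random dst port), admin SSH."""
    return {"web_to_nat_server": evaluate(acl, {"proto": "tcp", "src": "198.51.100.5", "dst": public_ip, "dport": 80}),
            "reply_to_inside": evaluate(acl, {"proto": "tcp", "src": "198.51.100.5", "dst": public_ip, "dport": 51515}),
            "admin_ssh": evaluate(acl, {"proto": "tcp", "src": "192.0.2.7", "dst": public_ip, "dport": 22})}
```

verdicts(ACL_105) permits the forwarded web request but denies the reply traffic of every session opened from the LAN and the admin's SSH session, which matches the lost connectivity described in the thread. verdicts(ACL_105 + MGMT) still denies the SSH session, because a numbered access-list command appends new entries after "deny ip any any log"; the ACL has to be removed and re-entered with the management permits first (or built as a named ACL with sequence numbers), as verdicts(MGMT + ACL_105) shows.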
