Hi , Cisco IOS router doesnt

r3330790 · ‎07-09-2014

Hi all.

I have an 1811 router running IOS c181x-advipservicesk9-m 12.4(9)T5. I have a cable modem connected to Fa0 and computers connected to ports Fa2-9 (switch ports). I forwarded port 80 to my HTTP server. I can't connect to it through my WAN IP address from my local network. However, I can connect to it if I'm at a remote network.

I'm assuming this is the correct command (I have a DHCP IP address from my ISP, so I can't use a static address):
ip nat inside source static tcp 10.0.0.10 80 interface FastEthernet0 80

If I nmap scan my WAN IP (pretend it's 1.1.1.1) from a computer connected to the 1811:
nmap -p 80 1.1.1.1
80/tcp closed http

However, if I go into my VPS (hosted far away, not on my network):
nmap -p 80 1.1.1.1
80/tcp open http

To make sure it wasn't something with nmap, I also tried telnetting to port 80 (telnet 1.1.1.1 80) on a local computer and again on my VPS. I can't connect to it on a local computer, but I can connect from the VPS.

Why can't I access port 80 when I'm on my local network? Could someome shed some light on this strange issue?

Any help is appreciated.

SANTHOSHKUMAR SARAVANAN · ‎07-09-2014

Hi ,

I can't connect to it through my WAN IP address from my local network - Yes you cant connect using WAN IP address from your local LAN , because your NAT statement takes into action only for the traffic originating from outside to inside traffic , not for IP traffic originating inside to inside .

when you try accessing your WAN IP address from your local segment , during this time you are trying to take HTTP service from your router , not from your server . Because your NAT action does not comes into place .

Since router doesnt have HTTP service . IT drop the connection

Below is reset message from router

1. The requesting port or connection does not exist on this device. TCP sends back a RST+ACK and drops the segment.

Router#show running-config
Building configuration...

Current configuration : 752 bytes
!
version 15.1
no service timestamps log datetime msec
no service timestamps debug datetime msec
!
!
!
interface GigabitEthernet0/0
ip address 10.0.0.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
duplex auto
speed auto
!
interface Vlan1
no ip address
shutdown

ip nat inside source static tcp 10.0.0.10 80 1.1.1.1 80
ip classless
!
!
!

Router#show ip nat translations
Pro Inside global Inside local Outside local Outside global
tcp 1.1.1.1:80 10.0.0.10:80 --- ---

Router#

You need to access only via real IP Address 10.0.0.10:80 not with NAT IP Address

HTH

Sandy

r3330790 · ‎07-10-2014

Hi Sandy. Thanks for your response. I understand that I can connect to my local server (10.0.0.10) on port 80, but I need to be able to connect via the WAN IP address (IIS web server uses virtual hosts). I believe this is called hairpinning (http://en.wikipedia.org/wiki/Hairpinning). When I do port forwarding on cheap Linksys residential routers, I'm able to connect to the port via the WAN IP, so I'd be surprised if a Cisco IOS router can't do it.

SANTHOSHKUMAR SARAVANAN · ‎07-10-2014

Hi ,

Cisco IOS router doesnt support Hair Pinning .

HTH

Sandy

r3330790 · ‎07-10-2014

I understnad. Thanks for your help.

Cisco IOS: Can't access forwarded ports on local network