
Port forward from Internet to IP on VLAN Catalyst 2960-S

daniellaza
Level 1

Hello,

I am struggling to get a working configuration on my Catalyst 2960-S in my home lab. I currently have this configuration:
ISP (WAN <some public IP>) -- Router (LAN 192.168.1.0/24) -- Cisco Catalyst 2960-S (Trunk 192.168.1.2) -- VLAN 10 (192.168.65.0/24)

I have a static route on my router for 192.168.65.0 (GW 192.168.1.2), which works fine to allow traffic from outside to reach VLAN 10 on the switch.

I would like to configure a port forwarding rule on the 2960-S to permit traffic on TCP port xyz to IP 192.168.65.x (double NAT from the router, which is forwarding to 192.168.1.2); however, I am not sure of the correct way to do this (or even whether this switch supports it).

I would really like to avoid setting up a second router in the environment for VLAN 10 since it seems like port forwarding to a device in the VLAN should work, but perhaps I am missing something?

Any help would be greatly appreciated!

Here is my switch config:

#sh running-config full
Building configuration...

Current configuration : 5428 bytes
!
! Last configuration change at 15:21:38 UTC Thu Jan 5 2006
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ls2A$PSHaWTx3wIisW0aPemssT0
!
no aaa new-model
clock timezone UTC -5 0
clock summer-time UTC recurring
switch 1 provision ws-c2960s-24td-l
ip routing
ip dhcp excluded-address 192.168.65.1 192.168.65.30
ip dhcp excluded-address 192.168.150.1 192.168.150.10
!
ip dhcp pool vlan10
 network 192.168.65.0 255.255.255.0
 domain-name lab.local
 dns-server 192.168.65.5 192.168.1.1
 default-router 192.168.65.1
 lease 3
!
ip dhcp pool vlan400
 network 192.168.150.0 255.255.255.0
 domain-name iot.local
 dns-server 192.168.1.1
 default-router 192.168.150.1
 lease 3
!
vtp mode transparent
!
crypto pki trustpoint TP-self-signed-3446038528
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3446038528
 revocation-check none
 rsakeypair TP-self-signed-3446038528
!
crypto pki certificate chain TP-self-signed-3446038528
 certificate self-signed 01
  30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33343436 30333835 3238301E 170D3933 30333031 30303032
  34355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34343630
  33383532 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CF08 C5AB0ADB DA5D8420 34BFD1DB 771D02A3 4B816952 E3CC61B9 AE386700
  27B84C90 971DDBAF 320791F8 FD5DCAEC 96F9F9F7 BA0A08EB 9B6BAA78 DFB881ED
  BD735207 2FD0BED6 C10AB234 948F853A FF2A1CBB 32CA97A6 34041AA5 D4E06506
  EA5A7B1D 89318BF2 6CEBFFF1 FF18872E 18D05153 D9A373CF 0231F956 EA0A826F
  EDFD0203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
  551D1104 0E300C82 0A4C617A 53776974 63682E30 1F060355 1D230418 30168014
  632DBEF2 7A1DE9F0 25F5E641 5DB3F47E 545E64DD 301D0603 551D0E04 16041463
  2DBEF27A 1DE9F025 F5E6415D B3F47E54 5E64DD30 0D06092A 864886F7 0D010104
  05000381 81005133 0FA495B4 D59A5EF1 1BE9FCD6 D74235DC 72995C41 B4A4925A
  9972E0DF F43B1112 9408798D 7D074747 F38306BB C4F680F4 E12852A5 28BA964E
  CC4D3CBC 0E1F052A 42C8EB0D 960122EE 6233E39D B89B732E 955EC312 0CA924BA
  0FA34DF3 0E444944 9F6AEB9A B3AB7258 DC6EA800 0B9CA85B 8C720406 255EF978
  28BE332B CCB3
  quit
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
vlan 10,400
!
interface Port-channel5
 switchport mode access
!
interface FastEthernet0
 ip address 10.0.1.3 255.255.255.0
 no ip route-cache
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
interface GigabitEthernet1/0/2
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/3
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/4
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/5
 switchport mode access
 spanning-tree portfast trunk
 channel-group 5 mode active
!
interface GigabitEthernet1/0/6
 switchport mode access
 spanning-tree portfast trunk
 channel-group 5 mode active
!
interface GigabitEthernet1/0/7
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/8
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/9
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/10
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/11
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/12
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/13
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/14
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/15
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/16
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/17
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/18
 switchport access vlan 10
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/19
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/20
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/21
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/22
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/23
 switchport access vlan 400
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/24
 switchport access vlan 400
 switchport mode access
 spanning-tree portfast trunk
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface TenGigabitEthernet1/0/1
 spanning-tree portfast trunk
!
interface TenGigabitEthernet1/0/2
 spanning-tree portfast trunk
!
interface Vlan1
 ip address 192.168.1.2 255.255.255.0
!
interface Vlan10
 ip address 192.168.65.1 255.255.255.0
!
interface Vlan400
 ip address 192.168.150.1 255.255.255.0
!
ip default-gateway 192.168.1.1
ip http server
ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
vstack
!
line con 0
line vty 0 4
 login
line vty 5 15
 login
!
end


3 Replies

Jon Marshall
Hall of Fame

Most Catalyst switches do not support NAT, and your switch doesn't.

It is not clear why you need to NAT on the switch and what you are trying to achieve.

Jon

Hi Jon,

Thanks for responding. I need to open a port to be reachable via the Internet to a device on VLAN 10. I should have also mentioned that I tried to create a port forwarding rule on my home router directly to the IP on VLAN 10 (192.168.65.x), however this is not working. I am not sure why, as the router is able to ping IPs on VLAN 10 without issue, and I do have a static route in place to 192.168.65.0/24.

Port forwarding works fine if I forward a port to the default LAN on the router (192.168.1.x), but I get a connection timeout trying to forward to the VLAN network.

I think this must be a limitation of my home router, since it would seem to me this should have worked? I was looking for a way to circumvent the problem using the 2960-S, but you have confirmed that it cannot do NAT, so I think I will need to either figure out how to get my home router to correctly forward the traffic, or set up a second router inside my network to do double NAT?

Thank you for the assistance.

-Dan

Dan

Surprised your router cannot do port forwarding to a non-connected subnet, but if it can't then yes, you could use another device for the NAT.

Jon
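The layouts discussed in this thread (the router forwarding straight to VLAN 10 over the static route, forwarding to the 2960-S in the hope that it translates, and the "another device for the NAT" double-NAT option from the accepted answer) can be traced through a small packet model. The code below is an added example, not code from the thread or from Cisco; it uses the thread's addresses for the router (192.168.1.1) and the switch SVIs (192.168.1.2, 192.168.65.1), and constructs placeholders for everything else: documentation-range public and client IPs, 192.168.65.50 standing in for "192.168.65.x", a hypothetical second NAT device at 192.168.1.3, and 8080 for "port xyz". Each node applies DNAT before routing and SNAT after it, keeps a connection-tracking table, and un-translates replies only when it has state for them, which is what a stateful NAT does.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Thread addresses: router 192.168.1.1, switch SVIs 192.168.1.2 and 192.168.65.1.  Constructed placeholders:
# documentation-range public/client IPs, 192.168.65.50 for "192.168.65.x", hypothetical NAT box 192.168.1.3, 8080 for "xyz".
ROUTER, SWITCH_LAN, SWITCH_V10 = "192.168.1.1", "192.168.1.2", "192.168.65.1"
PUBLIC, CLIENT, TARGET, NATBOX, PORT = "198.51.100.1", "203.0.113.10", "192.168.65.50", "192.168.1.3", 8080
Pkt = namedtuple("Pkt", "src sport dst dport")   # one TCP segment; addresses are strings

@dataclass
class Node:
    name: str
    addrs: list                                  # IPs this node owns
    routes: list                                 # (prefix, next hop or None if connected, egress IP)
    dnat: dict = field(default_factory=dict)     # (dst, dport) -> (new dst, new dport); empty = no NAT
    snat: bool = False                           # also source-NAT forwarded flows behind the egress IP
    listening: set = field(default_factory=set)  # (ip, port) pairs with a service behind them
    ct: list = field(default_factory=list)       # connection tracking: (packet before, packet after)
    def route(self, dst):                        # longest-prefix match -> (next_hop_ip, egress_ip) or None
        best = None
        for prefix, gw, egress in self.routes:
            net = ip_network(prefix)
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw or dst, egress)
        return best and best[1:]

    def handle(self, p, reply):
        """Translate and route one packet: ('deliver', next_ip, pkt) or ('drop', reason, pkt)."""
        before = p
        if reply:
            for orig, trans in self.ct:
                if p == (trans.dst, trans.dport, trans.src, trans.sport):  # reverse of a flow we translated
                    p = Pkt(orig.dst, orig.dport, orig.src, orig.sport)    # undo DNAT/SNAT on the reply
                    break
            else:
                if self.dnat:   # a stateful NAT with no mapping for this reply cannot un-NAT it
                    return "drop", f"{self.name}: reply from {p.src}:{p.sport} matches no NAT state", p
        elif (p.dst, p.dport) in self.dnat:
            p = Pkt(p.src, p.sport, *self.dnat[(p.dst, p.dport)])         # DNAT is applied before routing
        if p.dst in self.addrs:                                           # addressed to this node itself
            if reply or (p.dst, p.dport) in self.listening:
                return "deliver", p.dst, p
            return "drop", f"{self.name}: nothing listens on {p.dst}:{p.dport}", p
        hop = self.route(p.dst)
        if hop is None:
            return "drop", f"{self.name}: no route to {p.dst}", p
        if not reply and self.snat:
            p = p._replace(src=hop[1])                                    # SNAT is applied after routing
        if not reply and p != before:
            self.ct.append((before, p))                                   # remember the translation
        return "deliver", hop[0], p

def trace(nodes, start, p, reply=False):
    """Walk a packet hop by hop: (node it ended on or None, packet as it arrived, log lines)."""
    log, node = [], nodes[start]
    for _ in range(12):                                                   # hop limit guards against loops
        kind, where, p = node.handle(p, reply)
        if kind == "drop":
            return None, p, log + [where]
        owner = next(n for n in nodes.values() if where in n.addrs)      # StopIteration: hop on no link
        log.append(f"{node.name} -> {owner.name}  {p.src}:{p.sport} > {p.dst}:{p.dport}")
        if owner is node:
            return node, p, log
        node = owner
    return None, p, log + ["hop limit exceeded"]

def connect(nodes):
    """Client SYN to PUBLIC:PORT, then the SYN/ACK back; True only if it comes back from PUBLIC:PORT."""
    server, syn, log = trace(nodes, "client", Pkt(CLIENT, 40000, PUBLIC, PORT))
    if server is None:
        return False, log
    back, reply, log2 = trace(nodes, server.name, Pkt(syn.dst, syn.dport, syn.src, syn.sport), reply=True)
    return back is not None and (reply.src, reply.sport, reply.dst) == (PUBLIC, PORT, CLIENT), log + log2

def topology(router_target, natbox_snat=None):
    """router_target: where the home router forwards PUBLIC:PORT; natbox_snat=None: no second NAT device."""
    nodes = {
        "client": Node("client", [CLIENT], [("0.0.0.0/0", PUBLIC, CLIENT)]),
        "router": Node("router", [ROUTER, PUBLIC], [("192.168.1.0/24", None, ROUTER),
                       ("192.168.65.0/24", SWITCH_LAN, ROUTER), ("0.0.0.0/0", None, PUBLIC)],
                       dnat={(PUBLIC, PORT): (router_target, PORT)}),    # the static route and the forward
        "switch": Node("switch", [SWITCH_LAN, SWITCH_V10], [("192.168.1.0/24", None, SWITCH_LAN),
                       ("192.168.65.0/24", None, SWITCH_V10), ("0.0.0.0/0", ROUTER, SWITCH_LAN)]),  # no NAT on a 2960-S
        "target": Node("target", [TARGET], [("192.168.65.0/24", None, TARGET), ("0.0.0.0/0", SWITCH_V10, TARGET)],
                       listening={(TARGET, PORT)}),
    }
    if natbox_snat is not None:
        nodes["natbox"] = Node("natbox", [NATBOX], [("192.168.1.0/24", None, NATBOX),
                               ("192.168.65.0/24", SWITCH_LAN, NATBOX), ("0.0.0.0/0", ROUTER, NATBOX)],
                               dnat={(NATBOX, PORT): (TARGET, PORT)}, snat=natbox_snat)
    return nodes

def scenarios():
    return {
        "router DNATs straight to the VLAN 10 host (static route)": connect(topology(TARGET)),
        "router DNATs to the 2960-S expecting it to NAT": connect(topology(SWITCH_LAN)),
        "double NAT through a second device, DNAT only": connect(topology(NATBOX, natbox_snat=False)),
        "double NAT through a second device, DNAT plus SNAT": connect(topology(NATBOX, natbox_snat=True)),
    }
```

`scenarios()` returns, for each layout, whether the handshake completes and the hop-by-hop log. Forwarding to the switch fails because the packet terminates on 192.168.1.2 with nothing listening, the switch having no translation step to pass it on. The double-NAT option has a caveat the thread does not spell out: if the second device only rewrites the destination, the VLAN 10 host answers the Internet client directly via its own gateway (192.168.65.1, then 192.168.1.1), and the home router sees a reply from 192.168.65.x for a connection it mapped to the NAT device, so it has no state to un-translate and the client times out. The inner device must also source-NAT the forwarded flow (or the VLAN host must route back through it) so both directions cross the same NAT. The model treats the home router as a correct stateful NAT, so the direct forward over the static route succeeds here; the timeout Dan sees in that layout is a limitation of his router's implementation, as he suspects, not of the path.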