07-28-2010 04:53 AM - edited 03-06-2019 12:13 PM
Hi all,
I'm trying, without success, to set up a very straightforward port forwarding on a Cisco 877 for ports 80, 8080, etc.
Here's the config:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxx
!
no aaa new-model
!
!
dot11 syslog
no ip source-route
ip cef
!
!
!
!
ip name-server 172.16.0.7
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
no ip address
!
interface Vlan4
no ip address
shutdown
!
interface Vlan10
ip address 172.16.0.9 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxx@xxx@xxxx
ppp chap password 0 xxxxxx
ppp pap sent-username xxxxxxx@xxx@xxxx password 0 vnt0010
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080
ip nat inside source list 10 interface Dialer0 overload
!
access-list 10 permit 172.16.0.0 0.0.0.15
access-list 10 deny any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxxx
login
!
scheduler max-task-time 5000
end
I read a lot of posts and docs and I don't understand why I can't access my local server on ports 80 and 8080 using the WAN IP (213.236.xx.xx).
Here is the log shown by 'debug nat ports' when I run the command user@host1:~$ nmap -p 80 213.236.xx.xx:
*Mar 14 06:42:42.770: NAT - SYSTEM PORT for 213.236.xx.xx: allocated port 0, refcount 187, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 187, proto 6
*Mar 14 06:42:42.774: NAT - SYSTEM PORT for 213.236.xx.xx: allocated port 0, refcount 188, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 188, proto 6
*Mar 14 06:42:49.274: NAT - SYSTEM PORT for 213.236.xx.xx: allocated port 0, refcount 189, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 189, proto 6
And the nat translation table:
Pro Inside global          Inside local       Outside local      Outside global
tcp 213.236.xx.xx:80       172.16.0.8:80      ---                ---
tcp 213.236.xx.xx:8080     172.16.0.8:8080    ---                ---
BTW, I also show you what IOS firmware version is currently loaded in the router:
Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)
......
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
System image file is "flash:c870-advipservicesk9-mz.124-15.T10.bin"
This product contains cryptographic features.....
Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FHK140577N0
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)
Configuration register is 0x2101
Can anyone help me, please? Any help will be much appreciated!
TIA
07-28-2010 06:23 AM
Hello,
Can you please try adding "extendable" keyword at the end of the NAT statement?
no ip nat source static tcp 172.16.0.8 80 interface Dialer0 80
no ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
no ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080
ip nat source static tcp 172.16.0.8 80 interface dialer 0 80 extendable
ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080 extendable
Hope this helps.
Regards,
NT
07-28-2010 07:04 AM
Thanks Nagaraja for your prompt response.
I'm not able to specify 'extended' on a NAT static entry for an interface (dialer 0). I'm only allowed to if I use the WAN IP address, but I tried that with no success either.
I also started to think that it was probably a bug or something so I've searched the caveats for the IOS image I'm using but I didn't find any clue.
https://www9.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html#wp2100026
Thanks anyway for your support.
Any other suggestions?
07-28-2010 09:16 PM
Hello,
Please try the following:
no ip nat source static tcp 172.16.0.8 80 interface Dialer0 80
no ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
no ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080
no ip nat source static tcp 172.16.0.8 80 interface dialer 0 80 extendable
no ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080 extendable
int dialer 0
no ip nat outside
exit
int vlan 10
no ip nat inside
exit
int dialer 0
ip nat enable
exit
int vlan 10
ip nat enable
exit
ip nat source static tcp 172.16.0.8 80 interface dialer 0 80 extendable
ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080 extendable
This should allow you to access the internal server on port 80/8080. If you are still unable to access it, please check the access-lists to see if the hit counts are increasing. It might be that your ISP is blocking the ports. Also, you can check the default gateway on the servers to make sure that they are pointing to the VLAN 10 IP address.
Hope this helps.
Regards,
NT
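An added example, not part of any post in this thread: a small Python check for the NAT consistency that the reply above addresses by moving the interfaces to 'ip nat enable'. It assumes the usual IOS pairing ('ip nat inside'/'ip nat outside' interfaces with 'ip nat inside source' rules, 'ip nat enable' interfaces with 'ip nat source' rules); audit_nat and SAMPLE are names made up here, and the sample is constructed from the configuration in the question.

```python
import re

# Constructed sample: the NAT-related lines of the configuration posted in the question.
SAMPLE = """\
interface Vlan10
 ip nat inside
interface Dialer0
 ip access-group 102 in
 ip nat outside
ip nat source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit ip any any
"""

STATIC = re.compile(r"ip nat (inside )?source static tcp (\S+) (\d+) "
                    r"interface \S+(?: \d+)? (\d+)")

def audit_nat(config):
    """Return findings: NAT style mismatches, duplicate mappings, open ACLs."""
    iface, modes, rules, open_acls, applied = None, set(), [], set(), {}
    for line in map(str.strip, config.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif line in ("ip nat inside", "ip nat outside"):
            modes.add("legacy")   # interface uses inside/outside NAT
        elif line == "ip nat enable":
            modes.add("nvi")      # interface uses NAT Virtual Interface
        elif m := re.match(r"ip access-group (\d+) in", line):
            applied[m.group(1)] = iface
        elif m := STATIC.match(line):
            style = "legacy" if m.group(1) else "nvi"
            rules.append((style, m.group(2), m.group(3), m.group(4)))
        elif m := re.match(r"access-list (\d+) permit ip any any$", line):
            open_acls.add(m.group(1))
    findings = []
    for style, host, lport, gport in rules:
        if style not in modes:
            findings.append(f"{style} rule for {host}:{lport} has no {style} interface")
        if style == "legacy" and ("nvi", host, lport, gport) in rules:
            findings.append(f"port {gport} is mapped by both NAT styles")
    for acl in sorted(open_acls & set(applied)):
        findings.append(f"ACL {acl} inbound on {applied[acl]} contains 'permit ip any any'")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_nat(SAMPLE)))
```

The last finding matters for exposure: with 'permit ip any any' present, access-list 102 does not restrict inbound traffic on Dialer0 to the two forwarded ports.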
07-30-2010 02:20 AM
Thanks for your support Nagaraja.
You were right, the gateway wasn't correctly defined on the server. Stupid mistake.
Thanks again.