10-22-2012 11:28 PM - edited 03-07-2019 09:37 AM
Dear all,
First of all I need to explain that I am quite new to Cisco routers.
I have a router 2911/K9 SEC which is designated to be the edge router of my LAN.
I made some basic configuration (NAT) and so far everything works. Unfortunately I am stuck with port forwarding.
From the external IP attached to my router I need to forward several ports (two in this example) to servers located in the LAN. I used the 'ip nat inside source static' command, but the only thing I get is the following result from an nmap scan:
666/tcp filtered doom
3306/tcp filtered mysql
Below is the full configuration of my router. Any help or tip would be appreciated.
!
! Last configuration change at 08:22:51 PCTime Tue Oct 23 2012
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service sequence-numbers
!
hostname Gdansk
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
clock timezone PCTime 1 0
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
!
!
ip domain name mydomain.net
ip name-server 10.0.0.2
ip name-server 10.0.0.24
ip cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1717998411
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1717998411
revocation-check none
rsakeypair TP-self-signed-1717998411
!
!
crypto pki certificate chain TP-self-signed-1717998411
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FCZ163120Y4
!
!
file privilege 0
username gyadmin privilege 15 secret 5 $1$sNpI$djN.gxR08ssB5y4zhQtAA0
!
redundancy
!
!
!
!
!
ip ftp username backup
ip ftp password SecretPassword
ip ssh maxstartups 4
!
!
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$
ip address 10.0.0.1 255.255.254.0
ip access-group 101 in
ip access-group 101 out
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description "TASK"
ip address 213.192.65.74 255.255.255.252
ip access-group 101 in
ip access-group 101 out
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description "Wit-Net"
ip address 193.107.215.133 255.255.255.224
duplex auto
speed auto
!
ip default-gateway 213.192.65.73
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip http path flash:
!
ip nat pool GoyellonNat 10.0.0.1 10.0.1.254 netmask 255.255.254.0
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source list 199 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.0.0.24 666 interface GigabitEthernet0/1 666
ip nat inside source static tcp 10.0.0.24 3306 interface GigabitEthernet0/1 3306
ip route 0.0.0.0 0.0.0.0 213.192.65.73
!
ip access-list extended inbound
permit ip any any
ip access-list extended outbound
permit ip any any
!
access-list 1 permit any
access-list 10 permit 195.2.255.11
access-list 10 permit any
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.0.0.0 0.0.1.255
access-list 100 permit tcp any eq www any
access-list 100 permit tcp any eq 443 any
access-list 101 permit ip any any
access-list 110 permit icmp any any echo
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any source-quench
access-list 110 permit icmp any any packet-too-big
access-list 110 permit icmp any any time-exceeded
access-list 110 deny icmp any any
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any port-unreachable
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
line con 0
password Password
login
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
Accepted Solutions
12-18-2012 06:52 AM
From your translation table, your static entries are in there:
Pro Inside global Inside local Outside local Outside global
tcp 213.192.65.74:666 10.0.0.24:666 --- ---
tcp 213.192.65.74:3306 10.0.0.24:3306 --- ---
Is server 10.0.0.24 online and listening on TCP ports 666 and 3306?
It's not best practice to allow anything inbound on your outside interface.
You might want to restrict inbound untrusted traffic by modifying ACL 101:
access-list 101 permit ip any any
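One way to act on this advice, written as an added example rather than as part of the original answer: a dedicated inbound ACL for the outside interface. ACL 101 from the posted configuration is also applied on the inside interface (GigabitEthernet0/0), so it is left untouched and a new named ACL is bound to GigabitEthernet0/1 instead; the name OUTSIDE-IN and the MGMT-NET / MGMT-WILDCARD placeholders are assumptions, not values from the thread.

```cisco
! Added example (not from the original thread). Inbound ACLs on the outside
! interface are evaluated before the outside-to-inside NAT translation, so the
! rules match the global address 213.192.65.74, not the inside host 10.0.0.24.
ip access-list extended OUTSIDE-IN
 remark -- forwarded services from the static NAT entries --
 permit tcp any host 213.192.65.74 eq 666
 remark MySQL should only be reachable from a known range; placeholders below
 permit tcp MGMT-NET MGMT-WILDCARD host 213.192.65.74 eq 3306
 remark -- replies to TCP sessions opened from the LAN via the overload NAT --
 permit tcp any host 213.192.65.74 established
 remark -- ICMP needed for error reporting and path MTU discovery (as in ACL 110) --
 permit icmp any host 213.192.65.74 echo-reply
 permit icmp any host 213.192.65.74 packet-too-big
 permit icmp any host 213.192.65.74 time-exceeded
 permit icmp any host 213.192.65.74 unreachable
 remark 'established' covers TCP only; UDP replies need ip inspect or a
 remark zone-based firewall to be admitted statefully
 deny ip any any log
!
interface GigabitEthernet0/1
 no ip access-group 101 in
 ip access-group OUTSIDE-IN in
```

After applying it, `show access-lists OUTSIDE-IN` shows per-line hit counts, and the `log` keyword on the final deny records what is being dropped so that missed return traffic can be identified before it is allowed.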
10-23-2012 03:29 AM
Can you please provide the output of sh ip nat translation?
Regards
Thanveer
"Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
10-23-2012 03:36 AM
Hi Muhammad
Thank you for your reply.
Below you can find the output of the command show ip nat translation:
Pro Inside global Inside local Outside local Outside global
tcp 213.192.65.74:666 10.0.0.24:666 --- ---
tcp 213.192.65.74:3306 10.0.0.24:3306 --- ---
tcp 213.192.65.74:32981 10.0.1.12:32981 23.62.144.214:443 23.62.144.214:443
tcp 213.192.65.74:32988 10.0.1.12:32988 23.62.144.214:443 23.62.144.214:443
tcp 213.192.65.74:32989 10.0.1.12:32989 23.62.144.214:443 23.62.144.214:443
tcp 213.192.65.74:32990 10.0.1.12:32990 23.62.144.214:443 23.62.144.214:443
tcp 213.192.65.74:32991 10.0.1.12:32991 23.62.144.214:443 23.62.144.214:443
tcp 213.192.65.74:32992 10.0.1.12:32992 23.62.144.214:443 23.62.144.214:443
tcp 213.192.65.74:33386 10.0.1.12:33386 78.141.179.16:12350 78.141.179.16:12350
tcp 213.192.65.74:33796 10.0.1.12:33796 80.247.163.112:777 80.247.163.112:777
tcp 213.192.65.74:33852 10.0.1.12:33852 75.101.129.255:443 75.101.129.255:443
tcp 213.192.65.74:35325 10.0.1.12:35325 209.85.148.102:80 209.85.148.102:80
tcp 213.192.65.74:35538 10.0.1.12:35538 31.13.80.20:443 31.13.80.20:443
tcp 213.192.65.74:35576 10.0.1.12:35576 31.13.80.20:443 31.13.80.20:443
tcp 213.192.65.74:35577 10.0.1.12:35577 31.13.80.20:443 31.13.80.20:443
tcp 213.192.65.74:36943 10.0.1.12:36943 184.73.185.83:443 184.73.185.83:443
tcp 213.192.65.74:37359 10.0.1.12:37359 174.129.236.25:443 174.129.236.25:443
tcp 213.192.65.74:37981 10.0.1.12:37981 108.160.160.160:80 108.160.160.160:80
tcp 213.192.65.74:38024 10.0.1.12:38024 74.125.136.104:443 74.125.136.104:443
tcp 213.192.65.74:38460 10.0.1.12:38460 199.47.217.173:443 199.47.217.173:443
tcp 213.192.65.74:38770 10.0.1.12:38770 72.163.5.80:443 72.163.5.80:443
tcp 213.192.65.74:38978 10.0.1.12:38978 83.81.169.228:56975 83.81.169.228:56975
udp 213.192.65.74:40839 10.0.1.12:40839 46.44.144.140:49174 46.44.144.140:49174
udp 213.192.65.74:40839 10.0.1.12:40839 65.55.223.16:40021 65.55.223.16:40021
udp 213.192.65.74:40839 10.0.1.12:40839 65.55.223.23:40024 65.55.223.23:40024
udp 213.192.65.74:40839 10.0.1.12:40839 65.55.223.38:40034 65.55.223.38:40034
udp 213.192.65.74:40839 10.0.1.12:40839 83.81.169.228:56975 83.81.169.228:56975
udp 213.192.65.74:40839 10.0.1.12:40839 83.218.98.159:5954 83.218.98.159:5954
udp 213.192.65.74:40839 10.0.1.12:40839 111.221.74.14:40012 111.221.74.14:40012
udp 213.192.65.74:40839 10.0.1.12:40839 111.221.74.15:40024 111.221.74.15:40024
udp 213.192.65.74:40839 10.0.1.12:40839 111.221.74.30:40004 111.221.74.30:40004
udp 213.192.65.74:40839 10.0.1.12:40839 111.221.77.143:40045 111.221.77.143:40045
udp 213.192.65.74:40839 10.0.1.12:40839 111.221.77.152:40021 111.221.77.152:40021
udp 213.192.65.74:40839 10.0.1.12:40839 111.221.77.166:40023 111.221.77.166:40023
udp 213.192.65.74:40839 10.0.1.12:40839 129.16.138.32:10159 129.16.138.32:10159
udp 213.192.65.74:40839 10.0.1.12:40839 145.97.202.245:37174 145.97.202.245:37174
udp 213.192.65.74:40839 10.0.1.12:40839 157.55.130.149:40044 157.55.130.149:40044
udp 213.192.65.74:40839 10.0.1.12:40839 157.56.52.26:40015 157.56.52.26:40015
udp 213.192.65.74:40839 10.0.1.12:40839 157.56.52.27:40030 157.56.52.27:40030
udp 213.192.65.74:40839 10.0.1.12:40839 157.56.52.29:40038 157.56.52.29:40038
udp 213.192.65.74:40839 10.0.1.12:40839 157.56.52.34:40009 157.56.52.34:40009
udp 213.192.65.74:40839 10.0.1.12:40839 157.56.52.37:40021 157.56.52.37:40021
udp 213.192.65.74:40839 10.0.1.12:40839 188.205.97.185:58695 188.205.97.185:58695
tcp 213.192.65.74:44793 10.0.1.12:44793 157.56.126.107:443 157.56.126.107:443
tcp 213.192.65.74:45209 10.0.1.12:45209 199.47.219.159:443 199.47.219.159:443
tcp 213.192.65.74:45479 10.0.1.12:45479 80.247.163.112:777 80.247.163.112:777
tcp 213.192.65.74:46054 10.0.1.12:46054 80.247.163.35:777 80.247.163.35:777
tcp 213.192.65.74:47295 10.0.1.12:47295 83.218.98.159:5954 83.218.98.159:5954
tcp 213.192.65.74:48749 10.0.1.12:48749 67.228.181.218:80 67.228.181.218:80
tcp 213.192.65.74:49641 10.0.1.12:49641 199.7.59.72:80 199.7.59.72:80
tcp 213.192.65.74:49836 10.0.1.12:49836 157.55.56.141:40039 157.55.56.141:40039
tcp 213.192.65.74:50120 10.0.1.12:50120 23.62.127.139:443 23.62.127.139:443
tcp 213.192.65.74:51745 10.0.1.12:51745 31.13.80.20:80 31.13.80.20:80
tcp 213.192.65.74:53752 10.0.1.12:53752 195.2.255.11:22 195.2.255.11:22
tcp 213.192.65.74:54580 10.0.1.12:54580 129.16.138.32:10159 129.16.138.32:10159
tcp 213.192.65.74:56832 10.0.1.12:56832 54.243.219.91:443 54.243.219.91:443
tcp 213.192.65.74:57134 10.0.1.12:57134 2.16.4.176:443 2.16.4.176:443
tcp 213.192.65.74:57137 10.0.1.12:57137 2.16.4.176:443 2.16.4.176:443
tcp 213.192.65.74:58098 10.0.1.12:58098 157.56.248.166:443 157.56.248.166:443
tcp 213.192.65.74:58153 10.0.1.12:58153 157.56.248.166:443 157.56.248.166:443
tcp 213.192.65.74:58608 10.0.1.12:58608 88.198.132.241:443 88.198.132.241:443
tcp 213.192.65.74:58627 10.0.1.12:58627 88.198.132.241:443 88.198.132.241:443
tcp 213.192.65.74:58673 10.0.1.12:58673 199.47.216.172:443 199.47.216.172:443
tcp 213.192.65.74:59333 10.0.1.12:59333 145.97.202.245:37174 145.97.202.245:37174
tcp 213.192.65.74:59365 10.0.1.12:59365 93.138.47.24:44247 93.138.47.24:44247
tcp 213.192.65.74:60117 10.0.1.12:60117 81.26.219.122:80 81.26.219.122:80
tcp 213.192.65.74:60118 10.0.1.12:60118 81.26.219.122:80 81.26.219.122:80
tcp 213.192.65.74:60119 10.0.1.12:60119 81.26.219.122:80 81.26.219.122:80
12-18-2012 06:09 AM
Anybody?
During the last month I didn't have time to work on it, but recently I started from scratch. I restored the default router configuration and configured everything as it is presented at
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic5 and
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080094e77.shtml#topic9 - nothing less, nothing more. Unfortunately this still doesn't work for me.
I am confused... Guys, please help - what am I doing wrong?
12-21-2012 05:32 AM
OK, I finally figured out why it was not working.
Of course the IOS configuration was correct. The problem was the gateway of the 10.0.0.24 server.
Because my Cisco router is currently still in the testing stage, the servers are not using it as their default gateway. In order to have working port forwarding I had to change the gateway on the server to 10.0.0.1. After that, everything started to work.
Thank you to all of you who participated in my problem and shared knowledge.
12-21-2012 06:55 AM
Please rate helpful posts
