09-03-2012 03:03 AM - edited 03-07-2019 08:40 AM
Hi all.
I have a Cisco 1841 router at home with version 12.4(13r)T advanced ip services.
The setup is extremely simple:
1) PPPoE dialer to my service provider over ADSL
2) NAT overload on the dialer interface.
3) 2 VLANs, one for home network (wired) and one for wireless; both VLANs are connected through interface VLANs respectively.
My problem is that when I configure static NAT to map RDP or any other protocol to inside hosts, this doesn't work.
"
ip nat source static tcp 192.168.20.3 2222 interface Dialer1 2222
ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
ip nat inside source list 20 interface Dialer1 overload
"
P.S
When I open Wireshark and sniff the traffic on the home computer, which is the one I'm trying to reach, I can't see any traffic.
And while performing NAT debugging I am also not able to see traffic going to that port (for example 3389).
09-03-2012 03:20 AM
1841 router at home with version 12.4(13r)T
That's not your IOS-version. The IOS-version is printed in "show version" above that.
Regarding your problem: Have you allowed the traffic in your external ACL?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-03-2012 04:04 AM
Hi Karsten.
Thanks for the quick reply.
The IOS is c1841-advipservicesk9-mz.124-25b.bin
and basically I don't have an ACL on the dialer interface, if that's what you are asking:
interface Dialer1
ip address negotiated
ip verify unicast source reachable-via rx allow-default 100
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username xxxxx
password 7 xxxxxxx
end
Here is the NAT overload configuration together with its ACL:
< ip nat inside source list 20 interface Dialer1 overload >
< access-list 20 permit 192.168.0.0 0.0.255.255 >
thanks again.
09-03-2012 05:10 AM
Hi,
ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
I suppose this is not for Dialer 1 but for the other ISP connection?
Regards.
Alain
09-03-2012 05:18 AM
Hi Alain.
I have only one ISP connection, which I connect to over PPPoE at dialer1.
The config line above is from when I tried doing a configuration for the IP address instead of the interface, so basically xxxxxx is the address I have got from my ISP via dialer 1.
09-03-2012 05:19 AM
Ok, with your interface-config one problem is visible:
On the interface you use the "legacy" NAT, but the global NAT is the more modern NVI-style.
Change your NAT from
ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
to
ip nat inside source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
09-03-2012 05:26 AM
Thank you so much!!
works like a charm
09-03-2012 06:15 AM
Hi,
good catch
Regards.
Alain.
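A check for the mismatch identified in the accepted answer above, as an added example that is not part of the original thread: it flags translation rules written in one NAT style (legacy "ip nat inside source" or NVI "ip nat source") when no interface is enabled for that style, which generalizes the single line the answer corrects. The sample config is constructed from the lines posted in the thread, and the function names are hypothetical.

```python
import re

# Constructed sample: interface and NAT lines as posted in the thread
# (public address redacted as on the page).
SAMPLE_CONFIG = """\
interface Dialer1
 ip address negotiated
 ip nat outside
!
ip nat source static tcp 192.168.20.3 2222 interface Dialer1 2222
ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
ip nat inside source list 20 interface Dialer1 overload
"""

def nat_styles(config):
    """Return (interface_styles, rule_styles), each mapping 'legacy'/'nvi' to lines."""
    ifaces, rules = {}, {}
    current = "?"  # last interface seen, used only for labelling
    for raw in config.splitlines():
        line = " ".join(raw.split())  # tolerate pasted configs with lost indentation
        if line.startswith("interface "):
            current = line.split()[1]
        elif line in ("ip nat inside", "ip nat outside"):
            # Legacy NAT: interfaces are marked as inside or outside.
            ifaces.setdefault("legacy", []).append((current, line))
        elif line == "ip nat enable":
            # NVI NAT: interfaces are simply enabled for NAT.
            ifaces.setdefault("nvi", []).append((current, line))
        elif re.match(r"ip nat (inside|outside) source ", line):
            rules.setdefault("legacy", []).append(line)
        elif line.startswith("ip nat source "):
            rules.setdefault("nvi", []).append(line)
    return ifaces, rules

def mismatched_rules(config):
    """Translation rules whose NAT style no interface is enabled for."""
    ifaces, rules = nat_styles(config)
    return [r for style, lines in rules.items() if style not in ifaces for r in lines]

if __name__ == "__main__":
    for rule in mismatched_rules(SAMPLE_CONFIG):
        print("style mismatch with interface NAT config:", rule)
```
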