Solved: cisco router4321: how to port forward vpn ports to internal server ip

1300itexpress · ‎02-02-2017

hi, i just bought a new cisco router4321, when i try to port forward vpn ports by using following command:

ip nat inside source static tcp 1723 public_ip LanVPNSvr_IP 1723

got a message "port 1723 is being used by the system", and i need to forward all following vpn ports, please help me with the right commands, thank you in advance:)

L2TP
IKE
GRE
PPTP
IKE-NAT

Philip D'Ath · ‎02-02-2017

It should be:

ip nat inside source static tcp LanVPNSvr_IP 1723 public_ip 1723
ip nat inside source static gre LanVPNSvr_IP public_ip
ip nat inside source static udp LanVPNSvr_IP 500 public_ip 500
ip nat inside source static udp LanVPNSvr_IP 4500 public_ip 4500
ip nat inside source static esp LanVPNSvr_IP public_ip

View solution in original post

Philip D'Ath · ‎02-02-2017

It should be:

ip nat inside source static tcp LanVPNSvr_IP 1723 public_ip 1723
ip nat inside source static gre LanVPNSvr_IP public_ip
ip nat inside source static udp LanVPNSvr_IP 500 public_ip 500
ip nat inside source static udp LanVPNSvr_IP 4500 public_ip 4500
ip nat inside source static esp LanVPNSvr_IP public_ip

1300itexpress · ‎02-05-2017

thank you very much, but how can i port forward following:

L2TP
IKE
GRE
PPTP
IKE-NAT

and also seem those ports are already used by the syste, any way to unblock it? thank you in advance :)

1300itexpress · ‎02-06-2017

"ip nat inside source static tcp LanVPNSvr_IP 1723 public_ip 1723 extendable " works :)

but

ip nat inside source static gre LanVPNSvr_IP public_ip returns error " invalid input detected at > mark"

please help.

Philip D'Ath · ‎02-06-2017

You're right. You can NAT GRE. I made a mistake there. NAT tcp port 1723 is enough. The NAT engine will recognise this is a PPTP connection and forward through the GRE traffic as well.

1300itexpress · ‎02-06-2017

you know what, i forgot to save the config:(, then after reboot, "$port 1723 is being used by the system" error happen again when i do " ip nat inside source static tcp LanVPNSvr_IP 1723 public_ip 1723 extendable", do you know why?

Philip D'Ath · ‎02-06-2017

Try this, and then quickly add in the nat:

clear ip nat translations *

1300itexpress · ‎02-06-2017

got error "invalid input detected at '>' mark

Philip D'Ath · ‎02-06-2017

This is not a configuration command. If you want to execute it it configure mode use:

do clear ip nat translations *

1300itexpress · ‎02-06-2017

same error in config mode: "invalid input detedted at '>' marker

Philip D'Ath · ‎02-06-2017

I just tested that exact command, clearing the IP NAT translations, on a 4331 and it worked perfectly. Please re-produce the input you are using and the error so I can see it in context.

1300itexpress · ‎02-06-2017

cisco4321data(config)#do clear ip nat translations *

^
% Invalid input detected at '^' marker.

Philip D'Ath · ‎02-06-2017

Try this:

do clear ip nat translation *

1300itexpress · ‎02-06-2017

it went ok, but still has " %Port 1723 is being used by system" error

Philip D'Ath · ‎02-06-2017

Try pasting the two lines in at the same time, so there is only a tiny delay between them.

Other possibilities are that you have some kind of VPDN or PPTP service already configured on the router. Do you have any lines with "vpdn" in them?

Failing that, try shutting down your outside interface, apply the NAT config, and then enable the outside interface again.

Failing that, try shutting down the outside interface, save the config, reboot, apply the NAT configuration, bring the interface up again and save the config.