I am looking to expose my internal web server to the internet by configuring the Cisco above it with a WAN interface.
I'm using a Cisco ISR4331/K9 with IOS-XE running.
interface GigabitEthernet0/0/0
 description To-Firewall
 ip address 22.214.171.124 255.255.255.252
 negotiation auto
2. Default Management Interface for IOS-XE
interface GigabitEthernet0
 description MGMT
 vrf forwarding Mgmt-intf
 ip address 192.168.100.200 255.255.255.0
 negotiation auto
3. Don't know how important it is, but this is the interface that connects to the ISP and is the Cisco's default gateway.
interface GigabitEthernet0/0/1
 description To_pppoe
 no ip address
 negotiation auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
Diagram: Attached as network.png
CISCO's Config: Attached as config.txt
Gateway of last resort is 0.0.0.0 to network 0.0.0.0
S* 0.0.0.0/0 is directly connected, Dialer1 (ISP)
C 126.96.36.199 is directly connected, Dialer1 (ISP)
C 188.8.131.52 is directly connected, Dialer1 (ISP)
C 184.108.40.206/30 is directly connected, GigabitEthernet0/0/0
L 220.127.116.11/32 is directly connected, GigabitEthernet0/0/0
2. Mgmt-intf (VRF)
Routing Table: Mgmt-intf
Gateway of last resort is not set
C 192.168.100.0/24 is directly connected, GigabitEthernet0
L 192.168.100.200/32 is directly connected, GigabitEthernet0
Things I've tried:
1. A simple VRF-aware NAT rule like this...
ip nat inside source static tcp 192.168.100.10 80 18.104.22.168 45621 vrf Mgmt-intf
To debug the issue I've run "sh ip nat statistics", and to my surprise it was showing that I have 0 hits and 0 misses on my NAT rule.... Weird...
2. VASI method: you can see in this post that I already asked, and someone suggested the VASI method and was very helpful on how to apply it to my scenario, but still to no avail. In that post you can see that my base estimate was that the problem is NATing between the GRT and the VRF, but as I said it never got any hits or misses, so I'm slowly starting to think that this was not the issue, and this is why I'm creating this post.
Things I've tried to debug:
1. When trying to access the high port on the WAN interface after applying the NAT rule, I was capturing packets on that interface and I indeed saw the packet reach the WAN interface; the Cisco responded with a normal RST.
2. As I said, I tried to see if "sh ip nat statistics" was showing anything other than 0 - no.
Thank you very much if you got to this point; it was long!
- Feel free to ask me some more questions about the situation
Firstly, I don't see you having ip nat inside and ip nat outside defined on gig0 and gig0/0/0. You def need that. I'll check the other configuration. Just give me a few moments.
As for your Gi0/0/0 interface:
ip address 22.214.171.124 255.255.255.252
This IP with this mask is a broadcast address.... Please change this IP!
It's a bit unclear what host you are trying to port-forward to and from where:
gi0/0/0 <> firewall <> HIS-ISP
gi0 <> vrf forwarding Mgmt-in > LAN
gi0/0/1<> default route <> pppoe ISP
First of all thank you for replying.
Because of the misunderstanding, let me be a bit clearer: I need to be able to port forward a HIGH PORT from the WAN interface on my router (126.96.36.199:45621) to my internal web server (192.168.100.10:80).
I changed the configs and the routing tables in the original post; please feel free to download them and take a look!
Again, thank you so much for helping. I've been stuck on this for several weeks now... and to be honest it doesn't look like a task that should take that long!
Thanks for the clarification; however, you still show 2 WAN links. Is that correct?
The global NAT interface you say you want to be used isn't the WAN interface that your static default route or the PPPoE ISP rtr resides on.
Also, your RIP process is advertising all connected interfaces plus redistributing connected at the same time, which isn't correct.
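As an added illustration (not posted by anyone in this thread), this is what the interface-level NAT marking the replies refer to looks like in IOS-XE syntax, using the OP's own addresses and static rule. It assumes Dialer1, which holds the default route, is the NAT outside interface and Gi0 in VRF Mgmt-intf is the inside interface.

```cisco
! Added example, not from the thread. Marks the NAT domains that the
! replies say are missing. Assumes Dialer1 (holder of the default route)
! is the outside interface and Gi0 (VRF Mgmt-intf) is the inside one.
interface GigabitEthernet0
 description MGMT
 vrf forwarding Mgmt-intf
 ip address 192.168.100.200 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
!
! The OP's rule, unchanged: inside host 192.168.100.10:80 in VRF Mgmt-intf
! is published as 18.104.22.168:45621 on the outside (global table).
ip nat inside source static tcp 192.168.100.10 80 18.104.22.168 45621 vrf Mgmt-intf
!
! Verification: once the domains are marked, these counters should move
! off 0 when a connection arrives on the published port.
! show ip nat statistics
! show ip nat translations
```

Note that this design publishes a server that sits on the same segment as the router's management interface; keeping exposed services off the management network is the usual practice.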