Solved

Cisco IOS port forward not working

Posted on 2013-06-07
Last Modified: 2013-06-10
Hi,

I have a basic config on a Cisco 1841, all internet is working and the internal network is live. I am trying to configure a basic port forward to allow an incoming connection from the internet to a server on a private IP address. However, all sites I have looked at say to use the same command, but this does not work:-

ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221    
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 


My whole config is detailed below:-

Current configuration : 1992 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption                                                     
!                                                                               
hostname r1                                                                     
!                                                                               
boot-start-marker                                                               
boot-end-marker                                                                 
!                                                                               
! card type command needed for slot/vwic-slot 0/0                               
no logging console                                                              
enable secret 5 xxxx                                  
!                                                                               
aaa new-model                                                                   
!                                                                               
!                                                                               
aaa authentication login default local                                          
aaa authorization exec default local                                            
!                                                                               
aaa session-id common                                                           
!                                                                               
resource policy                                                                 
!                                                                               
clock timezone gmt 0                                                            
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00             
ip cef                                                                          
!                                                                               
!                                                                               
no ip dhcp use vrf connected                                                    
ip dhcp excluded-address 10.1.1.1 10.1.1.99                                     
!                                                                               
ip dhcp pool main_dhcp_pool                                                     
   import all                                                                   
   network 10.1.1.0 255.255.255.0                                               
   default-router 10.1.1.254                                                    
   domain-name home.lan                                                         
   dns-server 10.1.1.254                                                        
   lease 0 2                                                                    
!                                                                               
!                                                                               
ip domain name home.lan                                                         
ip host nas.home.lan 10.1.1.2                                                   
ip name-server 8.8.8.8                                                          
ip name-server 8.8.4.4                                                          
username admin-me privilege 15 password 7 xxxx               
!                                                                               
!                                                                               
!                                                                               
interface FastEthernet0/0                                                       
 description -WAN-                                                              
 mac-address 000c.000c.0000                                                     
 ip address dhcp                                                                
 ip nat outside                                                                 
 ip tcp adjust-mss 1460                                                         
 duplex auto                                                                    
 speed auto                                                                     
 no cdp enable                                                                  
!                                                                               
interface FastEthernet0/1                                                       
 description -LAN-                                                              
 ip address 10.1.1.254 255.255.255.0                                            
 ip nat inside                                                                  
 ip tcp adjust-mss 1452                                                         
 duplex auto                                                                    
 speed auto                                                                     
!                                                                               
router rip                                                                      
 network 10.0.0.0                                                               
!                                                                               
ip route 0.0.0.0 0.0.0.0 dhcp                                                   
ip dns server                                                                   
!                                                                               
no ip http server                                                               
ip nat inside source list 1 interface FastEthernet0/0 overload                  
ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221    
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443    
!                                                                               
access-list 1 remark --Default NAT--                                            
access-list 1 permit 10.1.1.0 0.0.0.255                                         
access-list 100 permit ip 10.1.1.0 0.0.0.255 any                                
access-list 100 deny   ip any any log                                           
access-list 100 remark --Telnet Rescriction--                                   
!                                                                               
control-plane                                                                   
!                                                                               
!                                                                               
line con 0                                                                      
 password 7 xxxx                                             
line aux 0                                                                      
line vty 0 4                                                                    
 access-class 100 in                                                            
 exec-timeout 5 0                                                               
 password 7 xxxx                                            
!                                                                               
scheduler allocate 20000 1000                                                   
end


Any feedback would be gratefully received.
Question by:AW5000
10 Comments
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39230867
Is it logging the drops?  Check these 2 lines:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any                                
access-list 100 deny   ip any any log  

I believe that's permitting 10.1.1.0 0.0.0.255 to access any outside network but it's blocking all else, including incoming.
0
 

Author Comment

by:AW5000
ID: 39230875
@bigbigpig I don't think that's it, that's for allowing telnet from internal network only:-

line vty 0 4                                                                    
 access-class 100 in                                                            
 exec-timeout 5 0                                                               
 password 7 xxxx                                            
!  


To double check I removed access-list 100 completely and port forward still did not work.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 39230888
Try this:

ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221 extendable
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 extendable
0
 

Author Comment

by:AW5000
ID: 39230902
Hi,

I tried that already but extendable is not an option for me. If I do:-

ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 ?

The only option is <cr>. If I replace the interface with the public IP, extendable is an option, but it still did not work.

 Could it be that I'm using ipbase?
0
 
LVL 46

Accepted Solution

by:
Craig Beck earned 275 total points
ID: 39231249
Is the device (10.1.1.2) using 10.1.1.254 as its default gateway?
0
 

Author Comment

by:AW5000
ID: 39231260
@craigbeck possibly not, as I recently put the Cisco in to test; the original router was on .1 so I have not updated it. Will try that and report back.
0
 
LVL 13

Expert Comment

by:Sandy
ID: 39231714
Is the default gateway configuration on the forwarded machine correct? Please cross-check once.

Cheers
SA
0
 

Author Comment

by:AW5000
ID: 39231907
@craigbeck was right, it was the gateway. It works now.

Out of interest does anyone know why the extendable option is not available when specifying the interface?
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 39234436
It's available if you don't specify tcp or udp ports AFAIK.
0
 

Author Comment

by:AW5000
ID: 39234679
@craigbeck ok, thanks, will give that a try
0
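
The accepted fix and the ACL discussion above, as an added example that is not part of the original thread: a Python check over the NAT-relevant lines of the posted config that reports where each ACL is attached and whether the forwarded server's default gateway is the router's `ip nat inside` address. The `host_gateway` input is an assumption (the server's gateway is not visible in the router config), as is the old router address 10.1.1.1, taken from "the original router was on .1".

```python
import ipaddress
import re
# Constructed sample: the NAT-relevant lines of the configuration in the question.
CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443
line vty 0 4
 access-class 100 in
"""
FWD = re.compile(r"ip nat inside source static (?:tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")

def parse(config):
    """Return NAT role per interface, interface addresses, port forwards, ACL attachments."""
    role, addrs, forwards, acl_at, section = {}, {}, [], {}, "global"
    for line in filter(str.strip, config.splitlines()):
        w = line.split()
        if not line.startswith(" "):          # an unindented line opens a new section
            section, m = line.strip(), FWD.match(line)
            if m:
                forwards.append((ipaddress.ip_address(m[1]), int(m[2]), m[3], int(m[4])))
        elif w[:2] == ["ip", "nat"]:
            role[section.split()[-1]] = w[2]
        elif w[:2] == ["ip", "address"] and len(w) == 4:
            addrs[section.split()[-1]] = ipaddress.ip_interface(f"{w[2]}/{w[3]}")
        elif w[0] == "access-class" or w[:2] == ["ip", "access-group"]:
            acl_at[w[-2]] = section
    return role, addrs, forwards, acl_at

def audit(config, host_gateway):
    """host_gateway: server IP -> default gateway set on that server (operator-supplied)."""
    role, addrs, forwards, acl_at = parse(config)
    out = [f"ACL {n} filters '{s}' only, not forwarded traffic"
           for n, s in acl_at.items() if not s.startswith("interface ")]
    for host, lport, oif, gport in forwards:
        if role.get(oif) != "outside":
            out.append(f"{oif} is not 'ip nat outside' (forward for port {gport})")
        lan = [a.ip for n, a in addrs.items() if role.get(n) == "inside" and host in a.network]
        gw = host_gateway.get(str(host))
        if not lan:
            out.append(f"{host} is not on an 'ip nat inside' subnet")
        elif gw != str(lan[0]):
            out.append(f"{host}:{lport} replies leave via {gw}, not {lan[0]}")
    return out
```

Calling `audit(CONFIG, {"10.1.1.2": "10.1.1.1"})` reproduces the state before the fix; passing `10.1.1.254` as the gateway leaves only the ACL attachment note.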

Question has a verified solution.
