Cisco IOS port forward not working

Hi,

I have a basic config on a Cisco 1841, all internet is working and internal network live. I am trying to configure a basic port forward to allow an incoming connection from the internet to a server on a private IP address. However all sites I have looked at say to use the same command, however this does not work:-

ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221    
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 

My whole config is detailed below:-

Current configuration : 1992 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption                                                     
!                                                                               
hostname r1                                                                     
!                                                                               
boot-start-marker                                                               
boot-end-marker                                                                 
!                                                                               
! card type command needed for slot/vwic-slot 0/0                               
no logging console                                                              
enable secret 5 xxxx                                  
!                                                                               
aaa new-model                                                                   
!                                                                               
!                                                                               
aaa authentication login default local                                          
aaa authorization exec default local                                            
!                                                                               
aaa session-id common                                                           
!                                                                               
resource policy                                                                 
!                                                                               
clock timezone gmt 0                                                            
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00             
ip cef                                                                          
!                                                                               
!                                                                               
no ip dhcp use vrf connected                                                    
ip dhcp excluded-address 10.1.1.1 10.1.1.99                                     
!                                                                               
ip dhcp pool main_dhcp_pool                                                     
   import all                                                                   
   network 10.1.1.0 255.255.255.0                                               
   default-router 10.1.1.254                                                    
   domain-name home.lan                                                         
   dns-server 10.1.1.254                                                        
   lease 0 2                                                                    
!                                                                               
!                                                                               
ip domain name home.lan                                                         
ip host nas.home.lan 10.1.1.2                                                   
ip name-server 8.8.8.8                                                          
ip name-server 8.8.4.4                                                          
username admin-me privilege 15 password 7 xxxx               
!                                                                               
!                                                                               
!                                                                               
interface FastEthernet0/0                                                       
 description -WAN-                                                              
 mac-address 000c.000c.0000                                                     
 ip address dhcp                                                                
 ip nat outside                                                                 
 ip tcp adjust-mss 1460                                                         
 duplex auto                                                                    
 speed auto                                                                     
 no cdp enable                                                                  
!                                                                               
interface FastEthernet0/1                                                       
 description -LAN-                                                              
 ip address 10.1.1.254 255.255.255.0                                            
 ip nat inside                                                                  
 ip tcp adjust-mss 1452                                                         
 duplex auto                                                                    
 speed auto                                                                     
!                                                                               
router rip                                                                      
 network 10.0.0.0                                                               
!                                                                               
ip route 0.0.0.0 0.0.0.0 dhcp                                                   
ip dns server                                                                   
!                                                                               
no ip http server                                                               
ip nat inside source list 1 interface FastEthernet0/0 overload                  
ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221    
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443    
!                                                                               
access-list 1 remark --Default NAT--                                            
access-list 1 permit 10.1.1.0 0.0.0.255                                         
access-list 100 permit ip 10.1.1.0 0.0.0.255 any                                
access-list 100 deny   ip any any log                                           
access-list 100 remark --Telnet Rescriction--                                   
!                                                                               
control-plane                                                                   
!                                                                               
!                                                                               
line con 0                                                                      
 password 7 xxxx                                             
line aux 0                                                                      
line vty 0 4                                                                    
 access-class 100 in                                                            
 exec-timeout 5 0                                                               
 password 7 xxxx                                            
!                                                                               
scheduler allocate 20000 1000                                                   
end

Any feedback would be gratefully received.
Asked by: AW5000
 
Craig Beck commented:
Is the device (10.1.1.2) using 10.1.1.254 as its default gateway?
 
bigbigpig commented:
Is it logging the drops?  Check these 2 lines:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any                                
access-list 100 deny   ip any any log  

I believe that's permitting 10.1.1.0 0.0.0.255 to access any outside network but it's blocking all else, including incoming.
 
AW5000 (author) commented:
@bigbigpig I don't think that's it, that's for allowing telnet from internal network only:-

line vty 0 4                                                                    
 access-class 100 in                                                            
 exec-timeout 5 0                                                               
 password 7 xxxx                                            
!  

To double check I removed access-list 100 completely and port forward still did not work.
 
Don Johnston (instructor) commented:
Try this:

ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221 extendable
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 extendable
 
AW5000 (author) commented:
Hi,

I tried that already but extendable is not an option for me. If I do:-

ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 ?

The only option is <cr>. If I replace the interface with the public IP, extendable is an option, but it still did not work.

Could it be that I'm using ipbase?
 
AW5000 (author) commented:
@craigbeck possibly not, as I recently put the Cisco in to test; the original router was on .1, so I have not updated it. Will try that and report back.
 
Sandy commented:
Is the default gateway configuration on the forwarded machine correct? Please cross-check once.

Cheers
SA
 
AW5000 (author) commented:
@craigbeck was right, it was the gateway. It works now.

Out of interest does anyone know why the extendable option is not available when specifying the interface?
 
Craig Beck commented:
It's available if you don't specify tcp or udp ports AFAIK.
 
AW5000 (author) commented:
@craigbeck ok, thanks, will give that a try
Question has a verified solution.
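
Added example, not part of the original thread: a small Python audit of the posted config that, for each static port forward, reports the default gateway the inside host must use so its replies return through the NAT router, and lists where ACLs are actually applied. The function names are hypothetical, the sample is constructed from the config above, and it assumes the router's inside interface is the only gateway on that subnet.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines taken from the config in the question.
CONFIG = """\
interface FastEthernet0/0
 ip nat outside
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443
line vty 0 4
 access-class 100 in
"""

def parse_sections(text):
    """Group indented sub-commands under their top-level command."""
    sections = []
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd or cmd == "!":
            continue
        if line[0] == " " and sections:
            sections[-1][1].append(cmd)
        else:
            sections.append((cmd, []))
    return sections

def audit(text):
    """Return (forwards with the gateway each host must use, ACL usages)."""
    inside, outside, acl_uses, raw = [], set(), [], []
    for head, body in parse_sections(text):
        if head.startswith("interface ") and "ip nat outside" in body:
            outside.add(head.split()[1])
        for cmd in body:
            m = re.fullmatch(r"ip address (\d\S+) (\d\S+)", cmd)
            if m and "ip nat inside" in body:
                inside.append(ipaddress.ip_interface(f"{m[1]}/{m[2]}"))
            # access-class guards router logins only; ip access-group filters transit.
            if re.match(r"(ip access-group|access-class) ", cmd):
                acl_uses.append((head, cmd))
        m = re.fullmatch(r"ip nat inside source static (?:tcp|udp) (\S+) \d+ interface (\S+) (\d+)", head)
        if m:
            raw.append(m.groups())
    return [{"host": h, "port": int(p), "outside_ok": o in outside,
             "gateway": next((str(i.ip) for i in inside
                              if ipaddress.ip_address(h) in i.network), None)}
            for h, o, p in raw], acl_uses
```

For the posted config, both forwards resolve to gateway 10.1.1.254, so a server still pointing at the old router on .1 sends its replies past the NAT. The only use of ACL 100 is `access-class` under `line vty 0 4`, which is why removing it changed nothing.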
