Solved

Cisco IOS port forward not working

Posted on 2013-06-07
483 Views
Last Modified: 2013-06-10
Hi,

I have a basic config on a Cisco 1841; all internet access is working and the internal network is live. I am trying to configure a basic port forward to allow an incoming connection from the internet to a server on a private IP address. However, all the sites I have looked at say to use the same command, but this does not work:

ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443


My whole config is detailed below:

Current configuration : 1992 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
! card type command needed for slot/vwic-slot 0/0
no logging console
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
clock timezone gmt 0
clock summer-time BST recurring last Sun Mar 2:00 last Sun Oct 2:00
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.99
!
ip dhcp pool main_dhcp_pool
   import all
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.254
   domain-name home.lan
   dns-server 10.1.1.254
   lease 0 2
!
!
ip domain name home.lan
ip host nas.home.lan 10.1.1.2
ip name-server 8.8.8.8
ip name-server 8.8.4.4
username admin-me privilege 15 password 7 xxxx
!
!
!
interface FastEthernet0/0
 description -WAN-
 mac-address 000c.000c.0000
 ip address dhcp
 ip nat outside
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 description -LAN-
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 duplex auto
 speed auto
!
router rip
 network 10.0.0.0
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip dns server
!
no ip http server
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443
!
access-list 1 remark --Default NAT--
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny   ip any any log
access-list 100 remark --Telnet Restriction--
!
control-plane
!
!
line con 0
 password 7 xxxx
line aux 0
line vty 0 4
 access-class 100 in
 exec-timeout 5 0
 password 7 xxxx
!
scheduler allocate 20000 1000
end


Any feedback would be gratefully received.
Question by: AW5000
10 Comments
LVL 10
Expert Comment by: bigbigpig
Is it logging the drops?  Check these 2 lines:

access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny   ip any any log

I believe that's permitting 10.1.1.0 0.0.0.255 to access any outside network but it's blocking all else, including incoming.
Author Comment by: AW5000
@bigbigpig I don't think that's it; that's for allowing telnet from the internal network only:

line vty 0 4
 access-class 100 in
 exec-timeout 5 0
 password 7 xxxx
!


To double check I removed access-list 100 completely and port forward still did not work.
LVL 50
Expert Comment by: Don Johnston
Try this:

ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221 extendable
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 extendable
Author Comment by: AW5000
Hi,

I tried that already, but extendable is not an option for me. If I do:

ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443 ?

The only option is <cr>. If I replace the interface with the public IP, extendable is an option, but it still did not work.

Could it be that I'm using ipbase?
LVL 45
Accepted Solution by: Craig Beck (earned 275 total points)
Is the device (10.1.1.2) using 10.1.1.254 as its default gateway?
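The gateway question above is the check that decides this thread: a static NAT entry only un-translates replies that come back through the router, so a host whose default gateway is some other box (here the old router on .1) sends its SYN-ACKs around the 1841 and the forward looks dead even though both NAT lines are fine. As an added example that is not part of the original thread, the script below parses a Cisco IOS running-config for the interface NAT roles and the `ip nat inside source static` entries, then reports whether each forwarded host's default gateway is the router's `ip nat inside` address. The sample config is constructed from the lines posted in the question; the host gateway values (10.1.1.1 for the old router, 10.1.1.254 for the 1841) are supplied by hand because they are not visible in the router config; all function and variable names are this example's own.

```python
"""Added example (not code from the original thread): parse a Cisco IOS config
for 'ip nat inside source static' forwards and check what the accepted answer
asks about: the forwarded host must use the router's 'ip nat inside' address as
its default gateway, or its replies leave via another router and never pass
back through the NAT table."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the NAT-relevant lines of the config posted in the question.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address dhcp
 ip nat outside
!
interface FastEthernet0/1
 ip address 10.1.1.254 255.255.255.0
 ip nat inside
!
ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source static tcp 10.1.1.2 2221 interface FastEthernet0/0 2221
ip nat inside source static tcp 10.1.1.2 4443 interface FastEthernet0/0 4443
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (?P<proto>tcp|udp) (?P<in_ip>\S+) (?P<in_port>\d+) "
    r"(?:interface (?P<out_if>\S+)|(?P<out_ip>\S+)) (?P<out_port>\d+)(?P<ext> extendable)?$")

@dataclass
class Interface:
    name: str
    address: str = ""    # "dhcp" or "ip/netmask"; "" if none seen
    nat_role: str = ""   # "inside", "outside" or ""

@dataclass
class StaticNat:
    proto: str
    inside_ip: str
    inside_port: int
    outside: str         # interface name or literal global address
    outside_port: int
    extendable: bool

def parse_config(text):
    """Collect interface addresses/NAT roles and the static NAT entries."""
    interfaces, nats, current = {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
            continue
        if current is not None and line.startswith(" "):
            cmd = line.strip()
            if cmd == "ip address dhcp":
                current.address = "dhcp"
            elif cmd.startswith("ip address "):
                _, _, ip, mask = cmd.split()[:4]
                current.address = f"{ip}/{mask}"
            elif cmd in ("ip nat inside", "ip nat outside"):
                current.nat_role = cmd.split()[-1]
            continue
        current = None  # '!' or any unindented line ends the interface block
        m = NAT_RE.match(line)
        if m:
            nats.append(StaticNat(m["proto"], m["in_ip"], int(m["in_port"]),
                                  m["out_if"] or m["out_ip"], int(m["out_port"]),
                                  m["ext"] is not None))
    return interfaces, nats

def check_forward(interfaces, nat, host_gateway):
    """Reasons this forward cannot work; [] means NAT roles and return routing are fine."""
    problems = []
    out_if = interfaces.get(nat.outside)
    if out_if is not None and out_if.nat_role != "outside":
        problems.append(f"{nat.outside} lacks 'ip nat outside'")
    # The inside host must sit on an 'ip nat inside' subnet ...
    inside = [ipaddress.ip_interface(i.address) for i in interfaces.values()
              if i.nat_role == "inside" and i.address not in ("", "dhcp")]
    hits = [c for c in inside if ipaddress.ip_address(nat.inside_ip) in c.network]
    if not hits:
        return problems + [f"{nat.inside_ip} is not on any 'ip nat inside' subnet"]
    # ... and must send its replies back via that interface's address.
    if not host_gateway:
        problems.append(f"default gateway of {nat.inside_ip} unknown")
    elif ipaddress.ip_address(host_gateway) != hits[0].ip:
        problems.append(f"{nat.inside_ip} uses gateway {host_gateway} but the NAT "
                        f"router's inside address is {hits[0].ip}: replies bypass NAT")
    return problems

def audit(config_text, host_gateways):
    """Map each forward 'proto/in_ip:port->out:port' to its list of problems."""
    interfaces, nats = parse_config(config_text)
    return {f"{n.proto}/{n.inside_ip}:{n.inside_port}->{n.outside}:{n.outside_port}":
            check_forward(interfaces, n, host_gateways.get(n.inside_ip, ""))
            for n in nats}
```

`audit(SAMPLE_CONFIG, {"10.1.1.2": "10.1.1.1"})` flags both forwards with the bypass message; with the gateway set to 10.1.1.254 both come back clean. The check only models the NAT-role and return-routing preconditions a router config can tell you about; a host firewall or upstream filtering is outside its view, so the forward is still confirmed from a host on the internet side against the public address.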

Author Comment by: AW5000
@craigbeck Possibly not, as I recently put the Cisco in to test; the original router was on .1, so I have not updated it. Will try that and report back.
LVL 13
Expert Comment by: Sandy
Is the default gateway configuration on the forwarded machine correct? Please cross-check once.

Cheers
SA
Author Comment by: AW5000
@craigbeck was right, it was the gateway. It works now.

Out of interest does anyone know why the extendable option is not available when specifying the interface?
LVL 45
Expert Comment by: Craig Beck
It's available if you don't specify tcp or udp ports AFAIK.
Author Comment by: AW5000
@craigbeck ok, thanks, will give that a try