Port FWD

ciscocips
Level 1

Hello all.

I'm sure I'm missing something...but I cannot understand what...

I have a port redirection problem. I have a CISCO router configured as shown in the conf file below.

I'm trying to configure a port forward to an internal server on port 1723 with the following command:

ip nat inside source static tcp 192.168.5.11 1723 interface Serial2/0 1723

The command is accepted without error, but the port redirection does not work. I tried to add a "permit tcp any any" but no luck.

Any ideas about what I'm doing wrong?

Thanks,

Cips

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
enable secret
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 100
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key key1234 address xx.xx.46.241
!
!
crypto ipsec transform-set key1234 esp-3des esp-sha-hmac
!
crypto ipsec profile key1234
 set transform-set key1234
!
!
!
!
!
interface Loopback10
 ip address xx.xx.243.53 255.255.255.255
!
interface Loopback11
 ip address xx.xx.243.54 255.255.255.255
!
interface Tunnel10
 description VPN-->OUT
 ip address 10.0.0.2 255.255.255.252
 tunnel source Loopback11
 tunnel destination xx.xx.46.241
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile key1234
!
interface FastEthernet0/0
 ip address 192.168.5.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial2/0
 ip address xx.xx.246.222 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 encapsulation frame-relay IETF
 frame-relay map ip xx.xx.246.221 20 broadcast IETF
 no frame-relay inverse-arp
!
ip route 0.0.0.0 0.0.0.0 Serial2/0 xx.xx.246.221
ip route 192.168.0.0 255.255.255.0 Tunnel10
!
!
ip http server
no ip http secure-server
ip nat pool internet xx.xx.243.49 xx.xx.243.50 netmask 255.255.255.252
ip nat inside source list nat pool internet overload
!
ip access-list extended nat
 deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 192.168.5.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 logging synchronous
 login
!
scheduler allocate 20000 1000
end

4 Replies

Brian Meade
Level 7

So it looks like you're trying to forward TCP port 1723 from an internal IP address to an outside interface, is this correct?

If so, you should use this command:

ip nat outside source static tcp 192.168.5.11 1723 interface Serial2/0 1723

If you're trying to forward that port from the outside interface to the internal IP address, which sounds more probable, your command should be:

ip nat inside source static tcp interface Serial2/0 1723 192.168.5.11 1723

Actually here is the command for Situation B:

#ip nat outside source static tcp xx.xx.246.222 1723 192.168.5.11 1723

Thanks so much for the reply.

I'm actually trying to redirect port 1723 from the external interface to an internal server. All the samples I found were using "ip nat inside"....but probably I did not read the sample carefully enough.

Thanks,

No problem, I think I may have messed up when specifying inside and outside. For your situation, this would be the appropriate command:

ip nat inside source static tcp xx.xx.246.222 1723 192.168.5.11 1723
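The following Python check is an added example, not part of the thread and not Cisco code. It lists every static port forward in an IOS configuration and flags entries whose inside local address is not on an "ip nat inside" subnet or whose referenced interface is not marked "ip nat outside". It assumes the IOS argument order of inside local address and port first, then global address or interface and port, and that sub-commands are indented; the sample configuration and its 203.0.113.2 address are constructed.

```python
import ipaddress
import re

# Constructed sample (documentation addresses, not values from the thread).
SAMPLE = """\
interface FastEthernet0/0
 ip address 192.168.5.250 255.255.255.0
 ip nat inside
interface Serial2/0
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
ip nat inside source static tcp 192.168.5.11 1723 interface Serial2/0 1723
ip nat inside source static tcp 10.9.9.9 80 interface FastEthernet0/0 8080
"""
# Assumed IOS order: protocol, inside local ip/port, global ip or interface, global port.
STATIC = re.compile(r"ip nat inside source static (tcp|udp) (\S+) (\d+) "
                    r"(?:interface (\S+)|(\S+)) (\d+)")

def parse_interfaces(config):
    """Map interface name -> {"role": NAT role or None, "net": network or None}."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            cur = ifaces.setdefault(words[1], {"role": None, "net": None})
        elif not line.startswith(" "):
            cur = None  # back at top level, no longer inside an interface block
        elif cur is not None and words[:2] == ["ip", "address"] and len(words) >= 4:
            cur["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
        elif cur is not None and words[:2] == ["ip", "nat"] and len(words) == 3:
            cur["role"] = words[2]
    return ifaces

def audit_port_forwards(config):
    """Return each static port forward with any role or subnet mismatch."""
    ifaces = parse_interfaces(config)
    inside = [i["net"] for i in ifaces.values() if i["role"] == "inside" and i["net"]]
    findings = []
    for m in filter(None, (STATIC.match(l.strip()) for l in config.splitlines())):
        proto, lip, lport, gif, _gip, gport = m.groups()
        problems = []
        if not any(ipaddress.ip_address(lip) in net for net in inside):
            problems.append("local address not on an 'ip nat inside' subnet")
        if gif and ifaces.get(gif, {}).get("role") != "outside":
            problems.append(f"{gif} is not 'ip nat outside'")
        findings.append({"exposed": f"{proto}/{gport}", "to": f"{lip}:{lport}",
                         "problems": problems})
    return findings
```

Running audit_port_forwards over a saved configuration gives a quick inventory of which inside hosts and ports are reachable from the outside interface.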
