05-20-2009 01:44 AM - edited 03-06-2019 05:49 AM
Hello all.
I'm sure I'm missing something... but I cannot understand what...
I have a port redirection problem. I have a CISCO router configured as shown in the conf file below.
I'm trying to configure a port forward to an internal server on port 1723 with the following command:
ip nat inside source static tcp 192.168.5.11 1723 interface Serial2/0 1723
The command is accepted without error, but the port redirection does not work. I tried to add
a "permit tcp any any" but no luck.
Any ideas about what I'm doing wrong?
Thanks,
Cips
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c1841
!
boot-start-marker
boot-end-marker
!
enable secret
!
no aaa new-model
ip cef
!
!
!
!
no ip domain lookup
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
crypto isakmp policy 100
encr 3des
authentication pre-share
group 2
crypto isakmp key key1234 address xx.xx.46.241
!
!
crypto ipsec transform-set key1234 esp-3des esp-sha-hmac
!
crypto ipsec profile key1234
set transform-set key1234
!
!
!
!
!
interface Loopback10
ip address xx.xx.243.53 255.255.255.255
!
interface Loopback11
ip address xx.xx.243.54 255.255.255.255
!
interface Tunnel10
description VPN-->OUT
ip address 10.0.0.2 255.255.255.252
tunnel source Loopback11
tunnel destination xx.xx.46.241
tunnel mode ipsec ipv4
tunnel protection ipsec profile key1234
!
interface FastEthernet0/0
ip address 192.168.5.250 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial2/0
ip address xx.xx.246.222 255.255.255.252
ip nat outside
ip virtual-reassembly
encapsulation frame-relay IETF
frame-relay map ip xx.xx.246.221 20 broadcast IETF
no frame-relay inverse-arp
!
ip route 0.0.0.0 0.0.0.0 Serial2/0 xx.xx.246.221
ip route 192.168.0.0 255.255.255.0 Tunnel10
!
!
ip http server
no ip http secure-server
ip nat pool internet xx.xx.243.49 xx.xx.243.50 netmask 255.255.255.252
ip nat inside source list nat pool internet overload
!
ip access-list extended nat
deny ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 192.168.5.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
line aux 0
line vty 0 4
logging synchronous
login
!
scheduler allocate 20000 1000
end
05-20-2009 07:44 AM
So it looks like you're trying to forward TCP port 1723 from an internal IP address to an outside interface, is this correct?
If so, you should use this command:
ip nat outside source static tcp 192.168.5.11 1723 interface Serial2/0 1723
If you're trying to forward that port from the outside interface to the internal IP address, which sounds more probable, your command should be:
ip nat inside source static tcp interface Serial2/0 1723 192.168.5.11 1723
05-20-2009 07:50 AM
Actually here is the command for Situation B:
#ip nat outside source static tcp xx.xx.246.222 1723 192.168.5.11 1723
05-21-2009 01:17 AM
Thanks so much for the reply.
I'm actually trying to redirect port 1723 from the external interface to an internal server. All the samples I found were using "ip nat inside"... but probably I did not read the sample carefully enough.
Thanks,
05-21-2009 06:47 AM
No problem, I think I may have messed up when specifying inside and outside. For your situation, this would be the appropriate command:
ip nat inside source static tcp xx.xx.246.222 1723 192.168.5.11 1723
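An added example, not part of the thread: the IOS command reference gives the static port-forward form as "ip nat inside source static tcp local-ip local-port {global-ip | interface type number} global-port", so the first address is read as the inside local one. The Python check below parses a config, finds the interfaces marked "ip nat inside" and "ip nat outside", and reports which side the first address of each static entry sits on. The sample config is constructed, with 203.0.113.222 standing in for the masked Serial2/0 address, and the function names are this example's own.

```python
import ipaddress
import re

# Constructed sample: 203.0.113.222 stands in for the masked Serial2/0 address.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.5.250 255.255.255.0
 ip nat inside
interface Serial2/0
 ip address 203.0.113.222 255.255.255.252
 ip nat outside
ip nat inside source static tcp 192.168.5.11 1723 interface Serial2/0 1723
ip nat inside source static tcp 203.0.113.222 1723 192.168.5.11 1723
"""

IPV4 = r"\d+(?:\.\d+){3}"
# Groups: 1 = first address (IOS treats it as inside local), 2 = global interface
STATIC = re.compile(rf"ip nat inside source static (?:tcp|udp) ({IPV4}) \d+ "
                    rf"(?:interface (\S+)|{IPV4}) \d+$")

def nat_roles(config):
    """Map interface name -> (connected network, 'inside' or 'outside')."""
    roles, name, net = {}, None, None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            name, net = s.split()[1], None
        elif s.startswith("ip address ") and name:
            addr, mask = s.split()[2:4]
            net = ipaddress.ip_interface(f"{addr}/{mask}").network
        elif s in ("ip nat inside", "ip nat outside") and net:
            roles[name] = (net, s.split()[-1])
    return roles

def check_static_nat(config):
    """Return (command, verdict) for every static port-forward line."""
    roles, results = nat_roles(config), []
    for line in config.splitlines():
        m = STATIC.match(line.strip())
        if not m:
            continue
        local = ipaddress.ip_address(m.group(1))
        side = next((r for n, r in roles.values() if local in n), "unknown")
        verdict = "ok" if side == "inside" else f"first address is on the {side} network"
        if m.group(2) and roles.get(m.group(2), (None, None))[1] != "outside":
            verdict = "global interface is not marked ip nat outside"
        results.append((line.strip(), verdict))
    return results
```

Calling check_static_nat(SAMPLE_CONFIG) returns one verdict per static entry, so a saved running-config can be checked before a change is pushed to the router.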