Port forwarding issue

Answered Question
Jul 28th, 2010

Hi all,

I'm trying without success a very straightforward port forwarding for a cisco 877 on port 80, 8080, etc...

Here's the config:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 877
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxxxxxxxxxxxx
enable password xxxxxxx
!
no aaa new-model
!
!
dot11 syslog
no ip source-route
ip cef
!
!
!
!
ip name-server 172.16.0.7
!
multilink bundle-name authenticated
!
!
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
no ip mroute-cache
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface Vlan1
no ip address
!
interface Vlan4
no ip address
shutdown
!
interface Vlan10
ip address 172.16.0.9 255.255.255.240
ip nat inside
ip virtual-reassembly
!
interface Dialer0
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname [email protected]@xxxx
ppp chap password 0 xxxxxx
ppp pap sent-username [email protected]@xxxx password 0 vnt0010
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
no ip http secure-server
ip nat source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080
ip nat inside source list 10 interface Dialer0 overload
!
access-list 10 permit 172.16.0.0 0.0.0.15
access-list 10 deny   any
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxxx
login
!
scheduler max-task-time 5000
end

I read a lot of posts and docs and I don't understand why I can't access my local server on ports 80 and 8080 using the WAN IP (213.236.xx.xx).

Here is the log shown by 'debug nat ports' when I run the command [email protected]:~$ nmap -p 80 213.236.xx.xx:

*Mar 14 06:42:42.770: NAT - SYSTEM PORT for 213.236.xx.xx: allocated port 0, refcount 187, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 187, proto 6
*Mar 14 06:42:42.774: NAT - SYSTEM PORT for 213.236.xx.xx: allocated port 0, refcount 188, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 188, proto 6
*Mar 14 06:42:49.274: NAT - SYSTEM PORT for 213.236.xx.xx: allocated port 0, refcount 189, localport 4294967295, localaddr 0.0.0.0, flags 1, syscount 189, proto 6

And the nat translation table:

Pro Inside global         Inside local          Outside local         Outside global
tcp 213.236.xx.xx:80      172.16.0.8:80         ---                   ---
tcp 213.236.xx.xx:8080    172.16.0.8:8080       ---                   ---

BTW, here is also the IOS firmware version currently loaded on the router:

Cisco IOS Software, C870 Software (C870-ADVIPSERVICESK9-M), Version 12.4(15)T10, RELEASE SOFTWARE (fc3)

......

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

System image file is "flash:c870-advipservicesk9-mz.124-15.T10.bin"

This product contains cryptographic features.....

Cisco 877 (MPC8272) processor (revision 0x400) with 118784K/12288K bytes of memory.
Processor board ID FHK140577N0
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
28672K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2101

Can anyone help me please? Any help will be much appreciated!

TIA

Nagaraja Thanthry Wed, 07/28/2010 - 06:23

Hello,

Can you please try adding "extendable" keyword at the end of the NAT statement?

no ip nat source static tcp 172.16.0.8 80 interface Dialer0 80

no ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
no ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080


ip nat source static tcp 172.16.0.8 80 interface dialer 0 80 extendable

ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080 extendable

Hope this helps.

Regards,

NT

minifreak Wed, 07/28/2010 - 07:04

Thanks Nagaraja for your prompt response.


I'm not able to specify 'extendable' on a static NAT entry for an interface (dialer 0). I'm only allowed to if I use the WAN IP address, but I tried that too with no success either.

I also started to think that it was probably a bug or something so I've searched the caveats for the IOS image I'm using but I didn't find any clue.

https://www9.cisco.com/en/US/docs/ios/12_4t/release/notes/124TCAVS.html#wp2100026

Thanks anyway for your support.

Any other suggestions?

Correct Answer
Nagaraja Thanthry Wed, 07/28/2010 - 21:16

Hello,

Please try the following:

no ip nat source static tcp 172.16.0.8 80 interface Dialer0 80

no ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
no ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080

no ip nat source static tcp 172.16.0.8 80 interface dialer 0 80 extendable

no ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080 extendable

int dialer 0

no ip nat outside

exit

int vlan 10

no ip nat inside

exit

int dialer 0

ip nat enable

exit

int vlan 10

ip nat enable

exit

ip nat source static tcp 172.16.0.8 80 interface dialer 0 80 extendable

ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080 extendable

This should allow you to access the internal server on port 80/8080. If you are still unable to access, please check the access-lists to see if the hit counts are increasing. It might be that your ISP is blocking the ports. Also, you can check the default gateway on the servers to make sure that they are pointing to VLAN 10 IP address.

Hope this helps.

Regards,

NT
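The answer above removes the overlapping rules and moves both interfaces to a single NAT style before retesting. As an added example that is not part of the thread and not Cisco code, the following Python checker parses a running-config dump like the one in the question and reports the same kinds of inconsistency before anything is changed on the router: mixed classic (`ip nat inside source`) and NVI (`ip nat source`) static rules, two rules claiming the same global port, a classic rule whose LAN/WAN interfaces lack `ip nat inside`/`ip nat outside`, an NVI rule whose interfaces lack `ip nat enable`, and an inbound ACL on the WAN interface that does not admit the forwarded port. The sample config embedded at the bottom is a constructed, trimmed copy of the config posted in the question; the parser assumes interface sub-commands run from the `interface` line to the next `!` (the posted dump has lost its indentation), and the ACL evaluation only looks at protocol and port, treating source/destination as `any`.

```python
"""Static NAT / port-forward sanity checker for a Cisco IOS config dump (added example)."""
import ipaddress
import re

# Port keywords IOS prints in ACLs; extend as needed (assumption: only these are used).
WELL_KNOWN = {"www": 80, "ftp": 21, "smtp": 25, "domain": 53, "telnet": 23, "ssh": 22}

STATIC_RE = re.compile(
    r"^ip nat (?P<inside>inside )?source static (?P<proto>tcp|udp) "
    r"(?P<local_ip>\S+) (?P<local_port>\d+) interface "
    r"(?P<ifname>[A-Za-z-]+)\s*(?P<ifnum>\d+) (?P<global_port>\d+)"
    r"(?P<ext> extendable)?\s*$"
)


def norm(name):
    """'Dialer0', 'dialer 0' and 'Dialer 0' all become 'dialer0'."""
    return re.sub(r"\s+", "", name).lower()


def parse(config):
    """Split a config into interface blocks, static NAT rules and numbered ACL entries.
    Interface sub-commands are every non-blank line between 'interface X' and the next '!'."""
    ifaces, rules, acls = {}, [], {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
        elif line.startswith("interface "):
            current = norm(line.split(None, 1)[1])
            ifaces[current] = []
        elif current is not None:
            ifaces[current].append(line)
        elif (m := STATIC_RE.match(line)):
            d = m.groupdict()
            rules.append({
                "style": "classic" if d["inside"] else "nvi",
                "proto": d["proto"], "local_ip": d["local_ip"],
                "iface": norm(d["ifname"] + d["ifnum"]),
                "global_port": int(d["global_port"]), "line": line,
            })
        elif line.startswith("access-list "):
            parts = line.split()
            acls.setdefault(parts[1], []).append(parts[2:])  # ['permit', 'tcp', 'any', 'any', 'eq', 'www']
    return ifaces, rules, acls


def lan_iface_for(ifaces, ip):
    """Return the interface whose configured subnet contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, lines in ifaces.items():
        for l in lines:
            m = re.match(r"ip address (\S+) (\S+)$", l)
            if m and addr in ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False):
                return name
    return None


def acl_admits(entries, proto, port):
    """First-match evaluation on protocol and destination port only; implicit deny at the end."""
    for e in entries:
        action, p = e[0], e[1]
        if p not in ("ip", proto):
            continue
        if p != "ip" and "eq" in e:
            val = e[e.index("eq") + 1]
            if WELL_KNOWN.get(val, int(val) if val.isdigit() else -1) != port:
                continue
        return action == "permit"
    return False


def check(config):
    """Return a list of human-readable findings for the static NAT rules in config."""
    ifaces, rules, acls = parse(config)
    findings = []
    if len({r["style"] for r in rules}) == 2:
        findings.append("mixed classic and NVI static rules; pick one style")
    seen = set()
    for r in rules:
        key = (r["proto"], r["global_port"])
        if key in seen:
            findings.append(f"duplicate rule for {r['proto']}/{r['global_port']}: {r['line']}")
        seen.add(key)
        wan, lan = r["iface"], lan_iface_for(ifaces, r["local_ip"])
        wan_lines, lan_lines = ifaces.get(wan, []), ifaces.get(lan, []) if lan else []
        if lan is None:
            findings.append(f"no interface subnet contains {r['local_ip']}: {r['line']}")
        if r["style"] == "classic":
            if "ip nat inside" not in lan_lines:
                findings.append(f"{lan or 'LAN'} lacks 'ip nat inside' for: {r['line']}")
            if "ip nat outside" not in wan_lines:
                findings.append(f"{wan} lacks 'ip nat outside' for: {r['line']}")
        else:
            for name, lines in ((lan or "LAN", lan_lines), (wan, wan_lines)):
                if "ip nat enable" not in lines:
                    findings.append(f"{name} lacks 'ip nat enable' for NVI rule: {r['line']}")
        for l in wan_lines:
            m = re.match(r"ip access-group (\S+) in$", l)
            if m and not acl_admits(acls.get(m[1], []), r["proto"], r["global_port"]):
                findings.append(f"ACL {m[1]} inbound on {wan} does not admit {r['proto']}/{r['global_port']}")
    return findings


# Constructed sample: the relevant lines of the config posted in the question.
SAMPLE_CONFIG = """
interface Vlan10
ip address 172.16.0.9 255.255.255.240
ip nat inside
!
interface Dialer0
ip address negotiated
ip access-group 102 in
ip nat outside
!
ip nat source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 80 interface Dialer0 80
ip nat inside source static tcp 172.16.0.8 8080 interface Dialer0 8080
ip nat inside source list 10 interface Dialer0 overload
!
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 8080
access-list 102 permit ip any any
"""

if __name__ == "__main__":
    for f in check(SAMPLE_CONFIG):
        print("-", f)
```

Run against the question's config it reports four findings: the mixed rule styles, a duplicate tcp/80 rule, and `ip nat enable` missing on both vlan10 and dialer0 for the NVI-style rule, while ACL 102 already admits both ports. None of those checks can see the problem that actually closed the thread (the server's default gateway), which is why the answer's last suggestion belongs on the host, not in the router config.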

minifreak Fri, 07/30/2010 - 02:20

Thanks for your support Nagaraja.

You were right, the gateway wasn't correctly defined on the server. Stupid mistake.

Thanks again.
