Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
844
Views
0
Helpful
4
Replies

1 on 1 NAT and port forwarding not working...

femi.agboade
Level 1
Level 1

‎11-15-2011 05:24 AM - edited ‎03-11-2019 02:50 PM

Hello,

This is not the first time i will configure over the internet access to a local server but this particular one is giving me a major headache and i thought to share the config with anyone who can help ppoint where the problem may be. While my NAT transalations seem to be working, when i attempt to browse the public IP, i am supposed to be routed to the local server, but this doesnt happen and i just get a blank page on my web browser. Please see config below:

J#sh run

Building configuration...

Current configuration : 5368 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname J

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$aNyD$j4lIgFXI84Xp9RR5dzwVk0

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!

!

aaa session-id common

clock timezone PCTime 1

!

crypto pki trustpoint TP-self-signed-1366127775

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1366127775

revocation-check none

rsakeypair TP-self-signed-1366127775

!

!

crypto pki certificate chain TP-self-signed-1366127775

certificate self-signed 01

  30820255 308201BE A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 31333636 31323737 3735301E 170D3032 30333031 30303533

  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33363631

  32373737 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100CCDC 58E9E078 C978DBC5 CD0D97A0 6B506E2B 4843F38C 578721BF 285EC7BF

  F3700E9C FAD9233C A4CC95F6 F29FE5CD 4664F85F 862FB879 1255F21B 725A2773

  E1E4BEC0 632A7FFD C383F08E D5FAA4FC 4558BE6B 1B383D7E 19A871F6 3BAB9BAE

  B7CB84BB 510A09A3 FA260893 B0BD5AB1 027C97C6 2B2D2B6C AE2683FC AC3015B6

  CE8F0203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603

  551D1104 21301F82 1D4C494E 45545241 4C455F41 424A2E6C 696E6574 72616C65

  2E6C6F63 616C301F 0603551D 23041830 16801434 DD7F3F33 59A951AA 1BBBF414

  59302323 10248530 1D060355 1D0E0416 041434DD 7F3F3359 A951AA1B BBF41459

  30232310 2485300D 06092A86 4886F70D 01010405 00038181 00A9C9DF 5D2F2042

  0AA151FF 72F7D52A 8244C102 4AEDDB6E C7FBA201 A283D693 5F5E9376 0D15E7FE

  EBB804A5 C08F6CA1 A416118F D5A06864 EF242404 091F2FFE 3F85B0DE 98E1F747

  AC5FBBDE 1E27AE14 64D71B5F A1A48EC7 90882BD2 C3617E7C 8D6426A0 EDA23AB1

  32350B15 5E2489F6 018A76A0 3E1595DA 6797723E 563D268A 66

            quit

dot11 syslog

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.111 192.168.1.254

!

ip dhcp pool J

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.254

   domain-name linetrale.local

   dns-server 192.168.1.254

!

!

no ip bootp server

ip domain name linetrale.local

!

!

!

crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac

crypto ipsec transform-set 3DES-SHA-compression esp-3des esp-sha-hmac comp-lzs

crypto ipsec transform-set AES-SHA-compression esp-aes esp-sha-hmac comp-lzs

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

interface FastEthernet0

switchport access vlan 101

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description WAN_FW_OUTSIDE$ETH-WAN$

ip address x.x.x.x 255.255.255.192

ip verify unicast reverse-path

no ip redirects

no ip unreachables

no ip proxy-arp

ip mtu 1400

ip nat outside

ip virtual-reassembly

ip route-cache flow

ip tcp adjust-mss 1380

duplex auto

speed auto

!

interface Vlan1

no ip address

!

interface Vlan101

description LAN_FW_INSIDE

ip address 192.168.1.254 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip accounting output-packets

ip nat inside

ip virtual-reassembly

ip route-cache flow

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 y.y.y.y

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip dns server

ip nat inside source list 1 interface FastEthernet4 overload

ip nat inside source static tcp 192.168.1.243 80 x.x.x.x 80 extendable

! x.x.x.x is the public IP

access-list 1 remark INSIDE_IF=VLAN101

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

!

!

!

control-plane

!

!

line con 0

no modem enable

transport output telnet

speed 115200

line aux 0

modem InOut

transport output telnet

stopbits 1

speed 115200

flowcontrol hardware

line vty 0 4

privilege level 15

terminal-type moni

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Any help will be really appreciated.

Regards,

Femi

Labels:
0 Helpful
4 Replies 4

ajay chauhan
Level 7
Level 7

‎11-15-2011 07:22 AM

Port forwarding statement seems to be Ok . have you performed basic troubleshooing ? checking if the port 80 is Up and running on server and got connectivity from router .you can also verify doing telnet on port 80.

0 Helpful

femi.agboade
Level 1
Level 1
In response to ajay chauhan

‎11-15-2011 10:32 AM

Hi, thanks for your comments. I can telnet on port 80 fine. When I am on the LAN, I can browse to the server's local IP, however, when I attempt to navigate from outside the network through the 1 on 1 NAT, the browser just keeps trying to load and gets stuck there.

0 Helpful

ajay chauhan
Level 7
Level 7
In response to femi.agboade

‎11-15-2011 10:59 AM

Can you please also test this-

remove-

ip nat inside source static tcp 192.168.1.243 80 x.x.x.x 80 extendable

add

ip nat inside source static tcp 192.168.1.243 80 interface FastEthernet4 80 extendable

and try to access using http://interfaceip from outside.

Thanks

Ajay

0 Helpful

femi.agboade
Level 1
Level 1
In response to ajay chauhan

‎11-15-2011 11:16 AM

Hi,

I tried this before but the issue remains the same. I just tried it again and same thing. Note that when specifying an interface instead of an IP, you cannot use the option "extendable" as it is not available.

I think the problem may be firewall or access list because the page does attempt to open, but the browser just gets stuck constantly trying to load the page.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card