04-10-2008 12:24 PM - edited 03-05-2019 10:20 PM
I have the following:
DSL Modem into a Cisco Wireless Router w/built in switch that goes to 2 servers
(behind NAT) and a cisco catalyst switch connected to the router for all other
network connections.
The problem is when I go to VPN into the network, it VPNs into the server I have
set up for the NAT entry ONLY. I want to be able to add another NAT entry with the
same port number for the 2nd server, which the router will not accept because of 2
servers using the same port number. I will not change the port number either on the
servers because this can conflict with some devices that I use outside the network to
use different features that are hosted on these servers. What can I do on the built-in
Cisco router switch to direct traffic of the same port number when they use the
same port number?
Is there some way around this?
04-16-2008 07:28 AM
Sure.
All you have to do is a simple statement like this:
ip nat inside source static tcp x.x.x.x 3389 interface FastEthernet0 3390
On my router, that takes the outside address on port 3390 and changes it to match an inside address on the default RDP port.
You should be able to do the same thing to VPN to your servers. Provided I understand your question correctly, of course.
04-16-2008 07:40 AM
The thing is I have 2 servers and it will give me an error when I try to enter the VPN port (1723) into 2 different NAT commands.
For example for server1:
ip nat inside source static tcp x.x.x.x 1723 interface fa0 1723
Then server2:
ip nat inside source static tcp x.x.x.x 1723 interface fa0 1723
It won't accept the 2nd command because of the port number being used twice. Also, changing the port number is not an option in my case as well for VPN.
04-16-2008 10:45 PM
Hi,
The observed behaviour is not due to a deficiency of the router or IOS.
Why?
Well, the configuration
ip nat inside source static tcp x.x.x.x 1723 interface fa0 1723
basically states in words: "If a packet with a destination IP of interface Fa0 arrives with TCP destination port 1723, then translate the address to x.x.x.x and forward the packet."
A router can forward a unicast IP packet only to ONE host. Therefore IOS rejects a second statement basically saying "Forward the same packet also to another host".
Note: replicating a unicast IP packet several times in a router through NAT would also not be standard compliant.
IOS does not do that.
The two options you have:
1) change the default port for the second server, as already suggested.
2) get a second outside IP address and do NAT IP address1 -> server 1 and IP address2 -> server 2.
You need to talk to your provider about the second option, in case the first option is impossible for other reasons in your case.
Hope this helps! Please use the rating system.
Regards, Martin
04-17-2008 06:13 AM
If you'll notice in my example I gave you, the default port (3389) is on the inside, but on the outside, the port is 3390. This should work for you without having to change the default port for your server on the inside.
And since you don't want to change the port on the router, then you're pretty much down to getting a second address.
Just curious, why is changing the port number on the WAN of the router not an option?
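To make the two replies above concrete, here is an added example (not from the thread or from Cisco) that models the uniqueness rule IOS applies to "ip nat inside source static tcp" entries: a second rule with the same outside address and port is refused, while the two workarounds from the thread (a different outside port, or a second outside address) both install cleanly. The addresses, server names and the 1724 redirect port are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for the example (not from the thread).
OUTSIDE_IP = "203.0.113.10"         # address of the router's WAN interface (fa0)
SECOND_OUTSIDE_IP = "203.0.113.11"  # a second address from the provider
SERVER1, SERVER2 = "192.168.1.10", "192.168.1.11"
PPTP_PORT = 1723

@dataclass(frozen=True)
class StaticNatRule:
    # One "ip nat inside source static tcp <in_ip> <in_port> <out_ip> <out_port>" line
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int
    proto: str = "tcp"

class StaticNatTable:
    def __init__(self) -> None:
        self._rules: Dict[Tuple[str, str, int], StaticNatRule] = {}

    def add(self, rule: StaticNatRule) -> None:
        # An inbound packet matches on (outside address, protocol, outside port);
        # a unicast packet can go to one host only, so that key must be unique.
        key = (rule.outside_ip, rule.proto, rule.outside_port)
        if key in self._rules:
            raise ValueError(f"{rule.proto}/{rule.outside_port} on {rule.outside_ip} already mapped")
        self._rules[key] = rule

    def translate_inbound(self, dst_ip: str, dst_port: int, proto: str = "tcp") -> Optional[Tuple[str, int]]:
        r = self._rules.get((dst_ip, proto, dst_port))
        return (r.inside_ip, r.inside_port) if r else None

def duplicate_port_is_rejected() -> bool:
    # The original poster's attempt: both servers on outside port 1723.
    t = StaticNatTable()
    t.add(StaticNatRule(SERVER1, PPTP_PORT, OUTSIDE_IP, PPTP_PORT))
    try:
        t.add(StaticNatRule(SERVER2, PPTP_PORT, OUTSIDE_IP, PPTP_PORT))
    except ValueError:
        return True
    return False

def port_redirect_table() -> StaticNatTable:
    # Option 1: server 2 keeps inside port 1723 but is exposed on outside port 1724.
    t = StaticNatTable()
    t.add(StaticNatRule(SERVER1, PPTP_PORT, OUTSIDE_IP, PPTP_PORT))
    t.add(StaticNatRule(SERVER2, PPTP_PORT, OUTSIDE_IP, 1724))
    return t

def second_address_table() -> StaticNatTable:
    # Option 2: a second outside address, one server per address, same port.
    t = StaticNatTable()
    t.add(StaticNatRule(SERVER1, PPTP_PORT, OUTSIDE_IP, PPTP_PORT))
    t.add(StaticNatRule(SERVER2, PPTP_PORT, SECOND_OUTSIDE_IP, PPTP_PORT))
    return t
```

One caveat for the port-redirect option: TCP 1723 is only the PPTP control channel, and the tunnel data travels over GRE (IP protocol 47), which has no port to redirect, so only the second-address option gives each server its own complete PPTP mapping.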
04-24-2008 12:38 PM
Port 3389 is for Remote Desktop (RDP), not VPN.
04-29-2008 08:10 AM
I'm well aware what the port is for.
You will need to do a little editing to get the commands to work for your situation, i.e. change 3389 to 1723 for your VPN connection. It is merely an example to show you something you could do that may alleviate your problem.
Spoon-feeding you an answer isn't going to do you any good. I would suggest using the "?" in IOS to help you figure out what you need to change.