Static NAT problem on 1841 router

Dimafo123

Hi all.

I have a Cisco 1841 router at home with version 12.4(13r)T advanced ip services.

The setup is extremely simple:

1) PPPOE dialer to my service provider over ADSL

2) Nat overload on the dialer interface.

3) 2 VLANs, one for the home network (wired) and one for wireless; both VLANs are connected through interface VLANs respectively.

My problem is that when I configure static NAT to map RDP or any other protocol to inside hosts, this doesn't work.

"

ip nat source static tcp 192.168.20.3 2222 interface Dialer1 2222

ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable

ip nat inside source list 20 interface Dialer1 overload

"

P.S

When I open Wireshark and sniff the traffic on the home computer, which is the one I'm trying to reach, I can't see any traffic.

And while performing NAT debugging I am also not able to see traffic going to that port (for example 3389).

Accepted Solutions

Ok, with your interface-config one problem is visible:

On the interface you use the "legacy" NAT, but the global NAT is the more modern NVI-style.

Change your NAT from

ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable

to

ip nat inside source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
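
The style mismatch described in this answer can be checked mechanically. The following is an added example, not part of the original thread: a small Python check that flags NVI-style rules ("ip nat source ...") in a config whose interfaces only use the legacy "ip nat inside" / "ip nat outside" commands, and proposes the same rewrite as the answer. The Vlan20 interface in the sample and all function names are assumptions.

```python
import re

# Legacy NAT: interfaces carry "ip nat inside|outside", rules start "ip nat inside source".
# NVI NAT: interfaces carry "ip nat enable", rules start "ip nat source".
PATTERNS = {
    "legacy_if": re.compile(r"^ip nat (inside|outside)$"),
    "nvi_if": re.compile(r"^ip nat enable$"),
    "legacy_rule": re.compile(r"^ip nat (inside|outside) source\s"),
    "nvi_rule": re.compile(r"^ip nat source\s"),
}

def classify(config):
    """Group every NAT statement in an IOS config by style and scope."""
    seen = {kind: [] for kind in PATTERNS}
    for raw in config.splitlines():
        line = " ".join(raw.split())  # forum pastes lose indentation and spacing
        for kind, pattern in PATTERNS.items():
            if pattern.match(line):
                seen[kind].append(line)
    return seen

def nat_style_findings(config):
    """Return (rule, suggestion) pairs for rules no interface is enabled for."""
    seen = classify(config)
    findings = []
    if seen["legacy_if"] and not seen["nvi_if"]:
        for rule in seen["nvi_rule"]:
            # Same rewrite as the accepted answer: add the "inside" keyword.
            fixed = rule.replace("ip nat source", "ip nat inside source", 1)
            findings.append((rule, fixed))
    if seen["nvi_if"] and not seen["legacy_if"]:
        for rule in seen["legacy_rule"]:
            findings.append((rule, "interfaces use 'ip nat enable': write the rule "
                                   "NVI-style or switch the interfaces to legacy NAT"))
    return findings

# Constructed sample: the thread's NAT lines plus an assumed inside interface (Vlan20).
SAMPLE = """
interface Dialer1
 ip nat outside
interface Vlan20
 ip nat inside
ip nat source static tcp 192.168.20.3 2222 interface Dialer1 2222
ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable
ip nat inside source list 20 interface Dialer1 overload
"""

if __name__ == "__main__":
    for rule, fix in nat_style_findings(SAMPLE):
        print(f"MISMATCH: {rule}\n     fix: {fix}")
```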

7 Replies

1841 router at home with version 12.4(13r)T

That's not your IOS-version. The IOS-version is printed in "show version" above that.

Regarding your problem: Have you allowed the traffic in your external ACL?

Hi Karsten.

Thanks for quick reply

The IOS is c1841-advipservicesk9-mz.124-25b.bin

and basically I don't have an ACL on the dialer interface, if that's what you are asking:

interface Dialer1
 ip address negotiated
 ip verify unicast source reachable-via rx allow-default 100
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username xxxxx password 7 xxxxxxx
end

Here is the NAT overload configuration together with its ACL:

< ip nat inside source list 20 interface Dialer1 overload >

< access-list 20 permit 192.168.0.0 0.0.255.255 >

thanks again.

Hi,

ip nat source static tcp 192.168.20.3 3389 xx.xx.xx.xx 3389 extendable

I suppose this is not for Dialer 1 but for the other ISP connection?

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain.

I have only one ISP connection, which I connect to over PPPoE at dialer1.

The config line above is when I tried doing a configuration for IP address instead of interface, so basically xxxxxx is the address I have got from my ISP via dialer 1.

Thank you so much!!

works like a charm

Hi,

good catch

Regards.

Alain.
