
New Member

[NAT]Ports Filtered on C2503


We have a C2503 on which I have set NAT rules as follows:


ip nat inside source static tcp 21 x.x.x.x 21 extendable
ip nat inside source static tcp 22 x.x.x.x 22 extendable
ip nat inside source static tcp 25 x.x.x.x 25 extendable


==> FTP, SSH and SMTP are forwarded to a local server so that it can be reached from the Internet.

But sometimes we cannot initiate an FTP or SSH connection to it.

I used the "nmap" tool from a Linux host to test the router ports, and it appears that the FTP and/or SSH ports are filtered.

Only a reboot of the router helps, but it doesn't work every time, and it is not bearable to do this each time the ports are filtered...

Any help would be appreciated.


R. B-G

New Member

Re: [NAT]Ports Filtered on C2503

Do you have a NAT pool set up? Is x.x.x.x in your pool?

If so, another host may be using it. When the problem occurs, try doing:

show ip nat translations

It will show you if the mapping you think you should be getting is what you are actually getting.

New Member

Re: [NAT]Ports Filtered on C2503

Hi Renaud,

Is it possible for you to post the complete show run of your router?

In the meantime, I have a working configuration here in our laboratory, but this one only allows SSH traffic.



PIX=> Ethernet0 ip address=

2621=> Fa0/1 ip address=

=> Fa0/0 ip address=

PC=> ip address=


"show run" of 2621 Router

interface FastEthernet0/0
 ip address
 ip nat outside
 speed auto

interface FastEthernet0/1
 ip address
 ip nat inside
 duplex auto
 speed auto

ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source static tcp 22 22 extendable
ip classless
ip route
no ip http server

access-list 101 deny tcp host eq 22 any
access-list 101 permit ip any



"show ip nat translation" of 2621 Router

Pro Inside global Inside local Outside local Outside global

tcp --- ---


Here is how I tested it.

1) The PIX firewall will act as the server (the one that you have on your network), and I configured the PIX to allow SSH sessions.

2) The 2621 router is configured almost the same as your SOHO91 device; the only difference is that I didn't use DHCP and I assigned an IP address to the outside interface of the 2621 router rather than using ip address negotiated.

3) Here is the output when I tried connecting to the PIX firewall from my PC using PuTTY (SSH client software) with an IP address of

login as: ansley

Sent username "ansley"

ansley@'s password:

Type help or '?' for a list of available commands.


pixfirewall> en

Password: *****

Invalid password


pixfirewall# login as: ansley

4) As you can see, I was able to connect successfully to the PIX firewall, whose outside interface has an IP address of and is statically translated to

Please see below the 'show ssh session' on my pix firewall.

pixfirewall# sh ssh session

Session ID Client IP Version Encryption State Username

0 1.5 3DES 6 ansley

I hope this helps.

Best Regards,

Ansley R. Verzosa

New Member

Re: [NAT]Ports Filtered on C2503

Hi there,

My config looks like Ansley's.

At the moment the SSH port is filtered, and I've checked the "ip nat translations" table. I found this:

tcp x.x.x.x:22

It appears that port 22 is used... but by what exactly? I don't understand clearly, because the IP address is unknown in my company.

x.x.x.x is my public address and it is in a NAT pool (only this IP is in it):

ip nat pool test x.x.x.x x.x.x.x prefix-length 30

Should I remove this NAT pool?



New Member

Re: [NAT]Ports Filtered on C2503

I suspect that your problem is the pool. Here's an example of a problem I had somewhat like this. Notice there are 2 addresses in the pool:

ip nat pool NATPOOL a.b.c.1 a.b.c.2 netmask

ip nat inside source list 1 pool NATPOOL overload

ip nat inside source static tcp 25 a.b.c.1 23 extendable

access-list 1 permit

Notice that a.b.c.1 is in the pool AND is also in the static translation statement.

When the router starts, if someone on the inside on a host other than begins a connection, they will be assigned the public address a.b.c.1 - and ALL ports associated with that address. Thus, when you try to connect to your host on a.b.c.1:23, it doesn't work. If you clear the translation table, then re-try, you might get connected.

The same result will happen with a single address in the pool if you omit the "overload" keyword.

Try adding the "overload" to your pool.

As for removing the pool, you need it if you want outbound traffic to be translated without static entries, for example from other hosts on this network.

Good luck.


New Member

Re: [NAT]Ports Filtered on C2503

Well, I see the problem... But I've already set the "overload" keyword. Here's my config:

ip nat pool MASQ a.b.c.182 a.b.c.182 prefix-length 30
ip nat inside source list 7 pool MASQ overload
ip nat inside source static tcp 21 a.b.c.182 21 extendable
ip nat inside source static tcp 22 a.b.c.182 22 extendable
ip nat inside source static tcp 25 a.b.c.182 25 extendable
ip nat inside source static tcp 80 a.b.c.182 8080 extendable
access-list 7 permit

New Member

Re: [NAT]Ports Filtered on C2503

I have a question I did not think to ask earlier.

Is the IP address in your pool the same address you have on the outside interface?

If so, you might try

ip nat inside source list 7 MASQ interface Serial0/0 overload

(I'm assuming here that the outside interface is Serial 0/0 - change as needed)

Posting as much of your config as you can would help.