Problem with Cisco 831 router NAT translation or routing

ggutstadt
Level 1

Hello,

I’ve reviewed several posts on this forum, very useful, and I think this 831 router config should allow for NAT'ing port 8080 to the ‘inside’ IP address, per the statement below, but my efforts have not been successful: no responses get back to the outside client (xx.24.40). Clients on the inside can communicate outbound fine. The IIS server at .10.3 is definitely up and running on port 8080. I know this is probably a duplicate of other posts, but if anyone can pinpoint my error I would really appreciate it!!

ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080

Here is some debug ip nat output when attempting to connect on port 8080; I do not get a response back from the server to the external client (xx.24.40)….

Feb 03 13:22:49 10.10.10.1 297472: *Mar 2 00:09:31.894: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21674]
Feb 03 13:22:49 10.10.10.1 297473: *Mar 2 00:09:31.894: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21674]
Feb 03 13:22:52 10.10.10.1 297474: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21678]
Feb 03 13:22:52 10.10.10.1 297475: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21678]
Feb 03 13:22:52 10.10.10.1 297476: *Mar 2 00:09:34.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21679]
Feb 03 13:22:52 10.10.10.1 297477: *Mar 2 00:09:34.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21679]
Feb 03 13:22:58 10.10.10.1 297478: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44122) -> (xx.xx.254.128, 8080) [21684]
Feb 03 13:22:58 10.10.10.1 297479: *Mar 2 00:09:40.906: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21684]
Feb 03 13:22:58 10.10.10.1 297480: *Mar 2 00:09:40.906: NAT: o: tcp (xx.xx.254.40, 44123) -> (xx.xx.254.128, 8080) [21685]
Feb 03 13:22:58 10.10.10.1 297481: *Mar 2 00:09:40.910: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21685]
Feb 03 13:23:10 10.10.10.1 297482: *Mar 2 00:09:52.922: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21698]
Feb 03 13:23:10 10.10.10.1 297483: *Mar 2 00:09:52.922: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21698]
Feb 03 13:23:13 10.10.10.1 297484: *Mar 2 00:09:55.930: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21702]
Feb 03 13:23:13 10.10.10.1 297485: *Mar 2 00:09:55.930: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21702]
Feb 03 13:23:19 10.10.10.1 297486: *Mar 2 00:10:01.934: NAT: o: tcp (xx.xx.254.40, 44124) -> (xx.xx.254.128, 8080) [21709]
Feb 03 13:23:19 10.10.10.1 297487: *Mar 2 00:10:01.934: NAT: s=xx.xx.254.40, d=xx.xx.254.128->10.10.10.3 [21709]
Feb 03 13:23:58 10.10.10.1 297489: *Mar 2 00:10:41.306: NAT: expiring xx.xx.254.128 (10.10.10.3) tcp 8080 (8080)

538-R1023-C830#sh running-config full
Building configuration...
Current configuration : 4329 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 538-R1023-C830
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
no logging console
!
no aaa new-model
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 10.1.18.152
   lease 0 2
!
!
ip cef
ip domain list sd.cox.net
ip domain name sd.cox.net
no ip ips deny-action ips-interface
!
no ftp-server write-enable
!
crypto pki trustpoint TP-self-signed-75609932
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-75609932
 revocation-check none
 rsakeypair TP-self-signed-75609932
!
!
crypto pki certificate chain TP-self-signed-75609932
 certificate self-signed 01
<snip>
!
!
interface Ethernet0
 description inside
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 description outside
 ip address dhcp
 ip access-group 101 in
 ip nat outside
 ip virtual-reassembly
 duplex auto
!
interface Ethernet2
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
no ip classless
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.3 8080 interface Ethernet1 8080
!
logging trap debugging
logging 10.10.10.3
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip any any
!
control-plane
!
banner login ^C
^C
!
line con 0
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler max-task-time 5000
end

1 Accepted Solution

cadet alain
VIP Alumni

Hi,

Is the client on the same subnet as the public IP of the router?

Have you verified the firewall on the IIS machine?

Regards.

Alain

Don't forget to rate helpful posts.

Hi Alain,

Yes, the client I was testing with is on the same subnet as the public router IP. Good thought on the firewall; I will disable any firewall on the IIS machine (my laptop) and re-test. Will reply with those results on Monday. Ultimately I'm needing to test NAT for port 9100 to a printer; I'll add that and test as well. The firewall shouldn't be a factor with the printer.

Thank you.

Grant

Yup, that was it. DUH! Thanks for the assist, Alain. -grant
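
As an added example (not part of the thread and not any poster's code), this sketch reads `debug ip nat` lines of the shape posted above and flags flows that were translated inbound but never answered, with retry gaps that double, which points at the inside host (here, its firewall) rather than the router. The sample lines are constructed with documentation addresses in place of the masked ones, and the reply-line shape (`s=inside->global`) is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: same shape as the debug output in the thread,
# masked addresses replaced by documentation addresses.
SAMPLE = """\
*Mar 2 00:09:52.922: NAT: o: tcp (203.0.113.40, 44124) -> (203.0.113.128, 8080) [21698]
*Mar 2 00:09:52.922: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21698]
*Mar 2 00:09:55.930: NAT: o: tcp (203.0.113.40, 44124) -> (203.0.113.128, 8080) [21702]
*Mar 2 00:09:55.930: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21702]
*Mar 2 00:10:01.934: NAT: o: tcp (203.0.113.40, 44124) -> (203.0.113.128, 8080) [21709]
*Mar 2 00:10:01.934: NAT: s=203.0.113.40, d=203.0.113.128->10.10.10.3 [21709]
"""

TS = r"(\d+):(\d+):(\d+\.\d+): NAT\*?: "
INBOUND = re.compile(TS + r"o: tcp \(([\d.]+), (\d+)\) -> \(([\d.]+), (\d+)\)")
# Assumed shape of a reply leaving the inside host: source rewritten local->global.
REPLY = re.compile(TS + r"s=([\d.]+)->([\d.]+), d=([\d.]+)")

def secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)

def diagnose(log, inside_host):
    """Per client flow: inbound packet count, retry gaps, and whether a reply was seen."""
    flows = defaultdict(list)
    replied = set()
    for line in log.splitlines():
        if m := INBOUND.search(line):
            flows[(m[4], int(m[5]))].append(secs(m[1], m[2], m[3]))
        elif (m := REPLY.search(line)) and m[4] == inside_host:
            replied.add(m[6])  # client IP that was sent a reply
    report = {}
    for (client, port), times in flows.items():
        gaps = [round(b - a) for a, b in zip(times, times[1:])]
        # Gaps that at least double match a client's SYN retransmit timer.
        # Combined with "unanswered", the router translated and forwarded
        # the packets but the inside host stayed silent.
        backoff = len(gaps) >= 2 and all(b >= 2 * a > 0 for a, b in zip(gaps, gaps[1:]))
        report[(client, port)] = {
            "inbound": len(times), "gaps": gaps,
            "unanswered": client not in replied, "syn_backoff": backoff,
        }
    return report
```
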