Hey All! I'm using a 2600 with the Firewall Feature Set, but I'm just buggin out on this problem!!!
I'm using basic dynamic NAT translation for my network to get out to the internet. Now, I want to statically open a couple of ports to my email server. I open ports 25 and 110, but I can't telnet into them using the outside address. I can, however, with my inside address. I can also ping the outside address just fine.
ip nat inside source static tcp w.x.y.z 25 a.b.c.d 25
where "w.x.y.z" is my inside address
where "a.b.c.d" is my outside address
I've also played with other settings, such as setting it to a static outside, rather than inside, or not even setting the ports. I am just not getting any luck here. Anyone have any ideas??
You won't be able to telnet to the outside interface if you are also nat'ing out our connection. Try doing the telnet to the 25 or 110 ports from a host that has a real public ip address (not nat), and I'll bet you will be able to; this is working as designed.
You are exactly right. I can telnet from an outside address. But, why can I not from an internal address? My concern being, if I have users not getting to my email server, how can I verify port 25/110 through NAT works?
'show ip nat translations' definitely shows me my static definition. But how can I verify it's working? Or would I even need to?
It would really disappoint me if I have to physically move to a machine outside of my network to verify connection.
I would hope that you have more than one public ip right?? If you do not, this will be a pain. The idea is to static a public ip to an internal ip, set the ACL for permissions and bind it either to the ip or the interface - depends on which command you use. If you only have one external ip, all incoming traffic might be seen as subject to that rule. Anyway, look for the "ip nat inside source static tcp [internal addr] [port - like 25] [external addr] [port - same] extendable" command.
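As an added example (not part of the original thread and not Cisco's code), one way to check the static forwards from inside the network is to parse 'show ip nat translations': the '---' rows are the static definitions, and rows with a real outside address are sessions from outside hosts that traversed the mapping. The sample output, the documentation-range addresses standing in for a.b.c.d and w.x.y.z, and the function names are constructed for illustration, and the usual five-column layout is assumed.

```python
import re

# Constructed sample of `show ip nat translations` output. 203.0.113.10 stands
# in for the outside address (a.b.c.d), 192.168.1.10 for the mail server (w.x.y.z).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
tcp 203.0.113.10:25    192.168.1.10:25    ---                ---
tcp 203.0.113.10:25    192.168.1.10:25    198.51.100.7:41522 198.51.100.7:41522
tcp 203.0.113.10:110   192.168.1.10:110   ---                ---
tcp 203.0.113.10:3391  192.168.1.23:3391  192.0.2.80:80      192.0.2.80:80
"""

# One translation row: protocol plus four address columns.
ROW = re.compile(r"^(tcp|udp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def split_endpoint(text):
    """'1.2.3.4:25' -> ('1.2.3.4', 25); '---' or a bare address -> (text, None)."""
    host, sep, port = text.rpartition(":")
    return (host, int(port)) if sep and port.isdigit() else (text, None)


def check_forwards(output, expected):
    """expected maps (proto, outside_ip, port) -> (inside_ip, port).
    Returns {key: {"static": bool, "sessions": [outside peers seen]}}."""
    report = {key: {"static": False, "sessions": []} for key in expected}
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or blank line
        proto, in_global, in_local, _out_local, out_global = m.groups()
        key = (proto, *split_endpoint(in_global))
        if key not in expected or split_endpoint(in_local) != expected[key]:
            continue  # unrelated entry, or forward points at the wrong host
        if out_global == "---":
            report[key]["static"] = True  # the configured static definition
        else:
            report[key]["sessions"].append(out_global)  # a real outside peer
    return report


if __name__ == "__main__":
    want = {("tcp", "203.0.113.10", p): ("192.168.1.10", p) for p in (25, 110)}
    for key, state in check_forwards(SAMPLE, want).items():
        print(key, state)
```

A forward with "static" true but no sessions is configured but has not yet been exercised by an outside host, which is the case the thread is asking about.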