Cisco Support Community
New Member

Cisco 1941 Router NAT Problem

Hi,

Just to give one example: on my local web server IP 192.168.1.237, from outside the web server on port 80 with port 80 I want to be redirected to

"ip nat inside source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80"

and

"ip nat inside source static tcp 192.168.1.237 80 interface x.x.x.x 80 extendable"

I tried as, opened ports but not redirected

believes that caused server. But both of these existing Linksys E4200 router port forwarding is working with. In the same way as I did for the camera does not reach the DVR.

Firstly, I think you need to resolve the DNS server. I'm NAT inside here like this;

"ip nat inside source static tcp 192.168.1.227 53 interface GigabitEthernet0/0 53"

Port 53 opened but not redirected

Do you think that might cause or DNS server needs to be done for something different?

My config file is;

http://pastie.org/9395740#

9 REPLIES

If you're forwarding DNS via NAT for queries, you need to forward 53/udp and not 53/tcp. 53/tcp is used for DNS zone transfers between servers.

Try this:

ip nat inside source static udp 192.168.1.227 53 interface GigabitEthernet0/0 53

If you want to test the actual NAT for the web server, try connecting via GigabitEthernet0/0's IPv4 address with either a web browser or a telnet client using port 80/tcp. That will test the web server forwarding without relying on DNS.

New Member

I've tried everything; it did not work.

I found one more problem.

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0

With broadcast interfaces, this should point to your default gateway from your ISP rather than the interface. Pointing to the interface relies on the ISP's device performing proxy ARP, which most don't do.

Try this, substituting the default gateway assigned by your ISP for x.x.x.x.

no ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
ip route 0.0.0.0 0.0.0.0 x.x.x.x
New Member

Thanks for your help, I'll try it tomorrow.

What result did you get when you attempted to telnet to the outside IP address on port 80/tcp from an outside network?

New Member

Thank you. From outside the connection is OK, NAT is working. I noticed when trying to telnet that using the domain name locally it is not connected; using the local IP address "192.168.1.237" the connection is provided.

This is a limitation of standard NAT configurations on IOS. You can't establish a connection from the inside NAT network to the outside NAT IP address and have it come back inside to the inside NAT network again. This is called "hairpin NAT" and doesn't work (without some fairly advanced hacking) with standard NAT.

If you need this to work, you can replace your standard NAT configuration with a NAT Virtual Interface (NVI) configuration that supports hairpinning.

To do this, you would change your configuration as follows:

interface GigabitEthernet0/0
 no ip nat outside
 ip nat enable
!
interface GigabitEthernet0/1
 no ip nat inside
 ip nat enable
!
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat source list 1 interface GigabitEthernet0/0 overload
no ip nat inside source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80
ip nat source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80
New Member

I cannot connect to the Internet with this change...

How to configure interface loopback...

It looks like your ACL for NAT may be getting in the way by applying NAT rules to more traffic than it should. Sorry for missing that.

Let's address this with the NVI configuration:

no access-list 1 permit any
no ip nat source list 1 interface GigabitEthernet0/0 overload
!
ip access-list extended ACL_NAT
 permit ip 192.168.1.0 0.0.0.255 any
ip nat source list ACL_NAT interface GigabitEthernet0/0 overload

I don't see any loopback interface in your configuration, so I'm not quite understanding what you mean by that portion of your comment. Can you please clarify?
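
The four configuration issues raised in the replies above (DNS forwarded on 53/tcp only, legacy inside/outside NAT that cannot hairpin, a default route pointing at a broadcast interface, and a NAT overload rule bound to a "permit any" ACL) can be checked offline against a saved config. This is an added example, not part of any post in the thread and not a Cisco tool; the function name `audit`, the finding codes, and the sample config (built from lines quoted in the thread plus assumed interface stanzas) are hypothetical.

```python
import re

# Constructed sample: only lines quoted in the thread, plus assumed
# interface stanzas; the poster's full config is not reproduced here.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip nat outside
interface GigabitEthernet0/1
 ip nat inside
access-list 1 permit any
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.237 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.1.227 53 interface GigabitEthernet0/0 53
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
"""

STATIC = re.compile(r"^ip nat (inside )?source static (tcp|udp) (\S+) (\d+) interface \S+ (\d+)")
OVERLOAD = re.compile(r"^ip nat (?:inside )?source list (\S+) interface \S+ overload")


def audit(config: str) -> list[str]:
    """Return finding codes for the four issues discussed in the thread."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    statics = [m.groups() for ln in lines if (m := STATIC.match(ln))]
    # DNS queries arrive on 53/udp; a tcp-only forward misses them.
    dns = {(ip, proto) for _, proto, ip, _, port in statics if port == "53"}
    for ip in sorted({ip for ip, _ in dns}):
        if (ip, "udp") not in dns:
            findings.append(f"dns-no-udp:{ip}")
    # Legacy inside/outside NAT cannot hairpin inside clients to the outside IP.
    if any(legacy for legacy, *_ in statics):
        findings.append("legacy-nat-no-hairpin")
    # Default route via a broadcast interface depends on upstream proxy ARP.
    if any(re.match(r"^ip route 0\.0\.0\.0 0\.0\.0\.0 [A-Za-z]", ln) for ln in lines):
        findings.append("default-route-to-interface")
    # A NAT overload rule bound to a 'permit any' ACL translates too much traffic.
    for ln in lines:
        if (m := OVERLOAD.match(ln)) and f"access-list {m.group(1)} permit any" in lines:
            findings.append(f"nat-acl-permit-any:{m.group(1)}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A config that applies all of the replies' suggestions (NVI `ip nat source` rules, a 53/udp forward, the `ACL_NAT` extended ACL, and a next-hop default route) returns an empty list.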
