Incoming NAT to VLAN on 1941

ToniqPhill
Level 1

On our Cisco 1941, we have 2 gigabit ethernet ports and a 4 port fast ethernet switch EHWIC card configured as follows:

GigabitEthernet0/0 131.x.x.81 255.255.255.248 - internal

GigabitEthernet0/1 131.y.y.234 255.255.255.252 - WAN

Vlan2 192.168.0.249 255.255.255.0 - LAN2, NAT inside

Vlan100 161.z.z.222 255.255.255.248 - WAN SIP, NAT outside

FastEthernet0/0/0 Access mode, Vlan 2

FastEthernet0/0/3 Access mode, Vlan 100

What I'm trying to get working is incoming NAT, aka port forwarding.  Outgoing is fine - machines on the 192.168.0.x subnet can browse out, and IP address web sites show 161.z.z.222, as expected.  I can also ping 161.z.z.222.  However, incoming NAT I can't seem to get working.

The NAT is set up as:

ip nat inside source list 2 interface Vlan100 overload

ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable

ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable

And I have even tried:

ip nat outside source static 161.z.z.222 192.168.0.247

I have tested using some UDP packet sending/receiving software (which works through another router), and the packets just aren't getting through. Likewise trying to telnet into the external IP on port 80 doesn't get through to the destination server.

It feels like the route doesn't exist between the Vlan 100 and Vlan 2 when it's coming in, or maybe there's an ACL needed for the incoming traffic?  I'm pretty new to Cisco routers, so be gentle :-]

Any suggestions would be appreciated.

4 Replies

cadet alain
VIP Alumni

Hi,

do this:

clear ip nat trans *

no ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable

no ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable

ip nat inside source static tcp  192.168.0.247 80 161.z.z.222  80 extendable

ip nat inside source static udp  192.168.0.247 6000  161.z.z.222  6000 extendable

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable
It is not the right procedure to do a static nat or one to one nat.

ip nat inside source static tcp  192.168.0.247 80 161.z.z.222  80 extendable
This is how it should be done for one to one nat.
You need to nat private ip with public ip not public ip with private ip.


Please rate all the helpful posts.
Regards,
Naidu.

ToniqPhill
Level 1

Thanks to both of you, it worked perfectly.

It seemed illogical to me that these would be an "inside to outside" rule.  I guess the way to think of it is that you're "advertising" the inside port to the outside world.

Now, if only there were a way to add a port range for the 60 UDP ports I need to add...  I think I'll write a batch file, to put the commands into a text file, then use good old copy and paste.

Cheers,

Phill
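The per-port approach mentioned in the post above, as an added example that is not part of the original thread: a small Python generator that emits one static port-forward line per port in the form that worked here, plus the matching "no" lines for rollback. The function name, the MAX_PORTS guard, the outside address 203.0.113.10 and the range 6000-6059 are assumptions of this example; the thread masks its real address and does not give the range.

```python
import ipaddress

# Guard chosen for this example: refuse to publish an unexpectedly large range,
# since every generated line exposes one inside port to the outside interface.
MAX_PORTS = 256


def static_nat_lines(proto, inside_ip, outside_ip, first_port, last_port,
                     remove=False):
    """Build one static port-forward line per port, in the form used in the thread.

    remove=True yields the matching "no ..." lines for rollback.
    """
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    # IPv4Address raises a ValueError subclass on anything that is not a
    # literal IPv4 address, so masked values like 161.z.z.222 are rejected.
    inside = ipaddress.IPv4Address(inside_ip)
    outside = ipaddress.IPv4Address(outside_ip)
    if not (1 <= first_port <= last_port <= 65535):
        raise ValueError("port range must satisfy 1 <= first <= last <= 65535")
    count = last_port - first_port + 1
    if count > MAX_PORTS:
        raise ValueError(f"{count} ports exceeds MAX_PORTS={MAX_PORTS}")
    prefix = "no " if remove else ""
    return [
        f"{prefix}ip nat inside source static {proto} "
        f"{inside} {port} {outside} {port} extendable"
        for port in range(first_port, last_port + 1)
    ]


if __name__ == "__main__":
    # Constructed sample values (placeholders, not taken from the thread).
    for line in static_nat_lines("udp", "192.168.0.247", "203.0.113.10",
                                 6000, 6059):
        print(line)
```

Keeping the output of the same call with remove=True alongside the change gives a ready rollback file for the paste.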

Hi,

let's suppose you want to "publish" udp ports 100-200 from 192.168.1.1 to outside world with public address 70.x.x.x

then you can do it like this:

access-list 199 permit udp any any range 100 200

route-map RANGE

match ip address 199

ip nat inside source static udp 192.168.1.1 70.x.x.x route-map RANGE

Regards.

Alain

Don't forget to rate helpful posts.