Incoming NAT to VLAN on 1941

On our Cisco 1941, we have 2 gigabit ethernet ports and a 4 port fast ethernet switch EHWIC card configured as follows:

GigabitEthernet0/0 131.x.x.81 255.255.255.248 - internal

GigabitEthernet0/1 131.y.y.234 255.255.255.252 - WAN

Vlan2 192.168.0.249 255.255.255.0 - LAN2, NAT inside

Vlan100 161.z.z.222 255.255.255.248 - WAN SIP, NAT outside

FastEthernet0/0/0 Access mode, Vlan 2

FastEthernet0/0/3 Access mode, Vlan 100

What I'm trying to get working is incoming NAT, aka port forwarding.  Outgoing is fine - machines on the 192.168.0.x subnet can browse out, and IP address web sites show 161.z.z.222, as expected.  I can also ping 161.z.z.222.  However, incoming NAT I can't seem to get working.

The NAT is set up as:

ip nat inside source list 2 interface Vlan100 overload

ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable

ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable

And I have even tried:

ip nat outside source static 161.z.z.222 192.168.0.247

I have tested using some UDP packet sending/receiving software (which works through another router), and the packets just aren't getting through. Likewise trying to telnet into the external IP on port 80 doesn't get through to the destination server.

It feels like the route doesn't exist between the Vlan 100 and Vlan 2 when it's coming in, or maybe there's an ACL needed for the incoming traffic?  I'm pretty new to Cisco routers, so be gentle :-]

Any suggestions would be appreciated.

4 REPLIES

Hi,

do this:

clear ip nat trans *

no ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable

no ip nat outside source static udp 161.z.z.222 6000 192.168.0.247 6000 extendable

ip nat inside source static tcp  192.168.0.247 80 161.z.z.222  80 extendable

ip nat inside source static udp  192.168.0.247 6000  161.z.z.222  6000 extendable

Regards.

Alain

Don't forget to rate helpful posts.


Hi,

ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80 extendable
This is not the right procedure for a static NAT or one-to-one NAT.

ip nat inside source static tcp  192.168.0.247 80 161.z.z.222  80 extendable
This is how it should be done for one-to-one NAT.
You need to NAT the private IP with the public IP, not the public IP with the private IP.


Please rate all the helpful posts.
Regards,
Naidu.
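
The difference between the two rule types in the replies above, as an added example that is not part of the original thread and not Cisco code: a simplified Python model of which packet field each static rule rewrites. It ignores routing, ACLs and the `overload` rule; the addresses mirror the thread, and the client 198.51.100.10 with source port 51000 is a constructed sample.

```python
# Simplified model (not Cisco code) of how the two static NAT rule types in
# this thread treat a packet. Addresses mirror the thread; the client
# 198.51.100.10 and its source port are constructed sample values.
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
# kind: "inside" = ip nat inside source static, "outside" = ip nat outside source static
# first/second: the (address, port) pairs in the order they are typed in the command
StaticRule = namedtuple("StaticRule", "kind proto first second")

def translate(rule, pkt, direction):
    """Apply one static rule; direction is 'in' (outside->inside) or 'out'."""
    if pkt.proto != rule.proto:
        return pkt
    if rule.kind == "inside":
        local, glob = rule.first, rule.second      # inside local, inside global
        if direction == "out" and (pkt.src, pkt.sport) == local:
            return pkt._replace(src=glob[0], sport=glob[1])
        if direction == "in" and (pkt.dst, pkt.dport) == glob:
            return pkt._replace(dst=local[0], dport=local[1])
    else:
        glob, local = rule.first, rule.second      # outside global, outside local
        if direction == "in" and (pkt.src, pkt.sport) == glob:
            return pkt._replace(src=local[0], sport=local[1])
        if direction == "out" and (pkt.dst, pkt.dport) == local:
            return pkt._replace(dst=glob[0], dport=glob[1])
    return pkt                                     # no match: forwarded untranslated

PUBLIC, SERVER = ("161.z.z.222", 80), ("192.168.0.247", 80)
# Original attempt: ip nat outside source static tcp 161.z.z.222 80 192.168.0.247 80
ATTEMPT = StaticRule("outside", "tcp", PUBLIC, SERVER)
# Working rule:     ip nat inside source static tcp 192.168.0.247 80 161.z.z.222 80
WORKING = StaticRule("inside", "tcp", SERVER, PUBLIC)

# Constructed inbound request arriving on Vlan100 (NAT outside)
REQUEST = Packet("tcp", "198.51.100.10", 51000, "161.z.z.222", 80)

def delivered_to(rule, pkt=REQUEST):
    """Destination of the inbound packet after the rule is applied."""
    out = translate(rule, pkt, "in")
    return (out.dst, out.dport)

def reply_source(rule):
    """Source address/port on the server's reply after outbound NAT."""
    reply = Packet("tcp", SERVER[0], SERVER[1], REQUEST.src, REQUEST.sport)
    out = translate(rule, reply, "out")
    return (out.src, out.sport)

if __name__ == "__main__":
    for name, rule in (("outside source", ATTEMPT), ("inside source", WORKING)):
        print(name, "->", delivered_to(rule), reply_source(rule))
```

Under the `outside source` rule the inbound request keeps the router's own address as its destination, because that rule only matches packets whose source is 161.z.z.222:80; the `inside source` rule rewrites the destination to the server and the reply's source back to the public address.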


Thanks to both of you, it worked perfectly.

It seemed illogical to me that these would be an "inside to outside" rule.  I guess the way to think of it is that you're "advertising" the inside port to the outside world.

Now, if only there were a way to add a port range for the 60 UDP ports I need to add...  I think I'll write a batch file, to put the commands into a text file, then use good old copy and paste.

Cheers,

Phill


Hi,

Let's suppose you want to "publish" UDP ports 100-200 from 192.168.1.1 to the outside world with public address 70.x.x.x

then you can do it like that:

access-list 199 permit udp any any range 100 200

route-map RANGE

match ip address 199

ip nat inside source static udp 192.168.1.1 70.x.x.x route-map RANGE

Regards.

Alain

Don't forget to rate helpful posts.