
NAT problem

How can I ensure that NAT will use the same port when changing the address? At the moment anything using port 7777 incoming is changed to port 2967 when I want it to use 7777.

I've enclosed config + some debug at the bottom of the page.

config deleted

no ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.100 10.0.0.150
!
ip dhcp pool IP-xxxx
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 212.139.132.4 212.139.132.21
 lease infinite
!
!
ip name-server 212.139.132.4
ip name-server 212.139.132.21
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 no snmp trap link-status
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface BRI0
 no ip address
 encapsulation hdlc
 shutdown
!
interface FastEthernet0
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.0.0.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
 speed auto
 full-duplex
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxx
 ppp chap password 0 xxxxx
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.0.0.111 7777 interface Dialer0 7777
!
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 7777
access-list 101 permit tcp any any eq 7777 log
access-list 101 permit udp host 212.139.132.21 eq domain any
access-list 101 permit udp host 212.139.132.4 eq domain any
access-list 101 deny ip 10.0.0.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
dialer-list 1 protocol ip permit
snmp-server community public RO
!

config deleted

Debug Info:

Apr 21 17:39:19.547: TCP: connection attempt to port 7777
Apr 21 17:39:19.547: TCP: sending RST, seq 0, ack 630516979
Apr 21 17:39:19.547: TCP: sent RST to 10.0.0.111:2967 from 81.86.164.235:7777


Re: NAT problem

Hi,

The translation is working as designed. The external device "81.86.164.235" is requesting data on port "7777" and the router is translating this request to "10.0.0.111"; however, this device has a NAT entry using port "2967". I believe it is picking that up from the PAT entry "access-list 1 permit 10.0.0.0 0.0.0.255".

Please post the show ip nat trans | i 10.0.0.111 output from this router.

__

Edison.
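
Added example (not part of the thread, and not Cisco tooling): one way to read the `show ip nat trans` output requested above, separating the static 7777 forward from dynamic PAT sessions for the same inside host. The table rows are constructed for illustration, and 203.0.113.10 is a placeholder for the Dialer0 address, which the thread does not give.

```python
import re

# Constructed sample of `show ip nat translations | i 10.0.0.111` output.
# 203.0.113.10 is a placeholder for the Dialer0 address (not from the thread).
SAMPLE = """\
tcp 203.0.113.10:7777  10.0.0.111:7777    ---                ---
tcp 203.0.113.10:2967  10.0.0.111:2967    81.86.164.235:7777 81.86.164.235:7777
udp 203.0.113.10:1045  10.0.0.111:1045    212.139.132.4:53   212.139.132.4:53
"""

# Columns: Pro, Inside global, Inside local, Outside local, Outside global
ROW = re.compile(r"^(tcp|udp)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse(text):
    """Return one dict per tcp/udp translation row; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, ig, igp, il, ilp, ol, og = m.groups()
        rows.append({
            "proto": proto,
            "inside_global": (ig, int(igp)),
            "inside_local": (il, int(ilp)),
            # A static entry has no outside columns ("---"); a PAT session does.
            "kind": "static" if ol == "---" and og == "---" else "dynamic",
            "outside_global": None if og == "---" else og,
        })
    return rows

def summarize(rows, host, port):
    """Split rows for `host` into the static forward for `port` and PAT sessions."""
    static = [r for r in rows
              if r["kind"] == "static" and r["inside_local"] == (host, port)]
    dynamic = [r for r in rows
               if r["kind"] == "dynamic" and r["inside_local"][0] == host]
    # The static forward keeps the port only if the global side matches it.
    preserved = bool(static) and all(r["inside_global"][1] == port for r in static)
    return {"static": static, "dynamic": dynamic, "port_preserved": preserved}

if __name__ == "__main__":
    result = summarize(parse(SAMPLE), "10.0.0.111", 7777)
    print("static forward present:", bool(result["static"]),
          "| port preserved:", result["port_preserved"])
    for r in result["dynamic"]:
        print("dynamic:", r["proto"], r["inside_local"], "->", r["outside_global"])
```

A row whose outside columns are `---` is the static port-forward; rows with outside addresses are per-session PAT entries created by the `overload` rule.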
