Cisco Support Community
New Member

Problem with ip nat inside source static

Hi,

I need to open a port in a Cisco 2911 router to permit the connection to an equipment that is inside the LAN, but my configuration doesn't work.

I have 3 interfaces configured: two WAN interfaces (one is a backup of the other) and a LAN interface. The configuration is this (public IPs are changed):

track 1 ip sla 1 reachability
!
!
interface GigabitEthernet0/0
 description backup
 ip address 176.55.25.25 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description primary
 ip address 192.168.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
!
interface Vlan1
 description LAN segment
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
!
ip forward-protocol nd
!
ip nat inside source route-map backup interface GigabitEthernet0/0 overload
ip nat inside source route-map primary interface GigabitEthernet0/1 overload
ip nat inside source static udp 192.168.1.3 6000 176.55.25.25 5995 extendable
ip route 0.0.0.0 0.0.0.0 192.168.2.1 track 1
ip route 0.0.0.0 0.0.0.0 176.55.25.26 254
!
ip sla 1
 icmp-echo 95.110.100.100
 threshold 2
 timeout 4000
 frequency 10
ip sla schedule 1 life forever start-time now
access-list 5 permit any
!
!
route-map backup permit 10
 match ip address 5
 match interface GigabitEthernet0/0
!
route-map primary permit 10
 match ip address 5
 match interface GigabitEthernet0/1
!
track 1 ip sla 1 reachability
!

I would appreciate if somebody could help me to find what is wrong in this configuration.

Thanks in advance

16 REPLIES
New Member

Problem with ip nat inside source static

Hi,

I am still trying to solve this problem. I have tried also with this "nat inside source static" configuration:

ip nat inside source static udp 192.168.1.3 6000 176.55.25.25 6995 route-map GigabitEthernet0/0

ip nat inside source static udp 192.168.1.3 6000 192.168.2.2 6995 route-map GigabitEthernet0/1

But with no success,

I would appreciate if somebody could help me with this.

Thanks in advance

New Member

Problem with ip nat inside source static

Hi,

I would appreciate if somebody could help me with this problem. It's very important.

Thanks in advance

Problem with ip nat inside source static

What isn't working? Can you post your access-list 5?

HTH, John *** Please rate all useful posts ***
New Member

Problem with ip nat inside source static

I cannot open the port to remotely connect to the equipment with IP: 192.168.1.3 through port: 6000 with this command:

ip nat inside source static udp 192.168.1.3 6000 176.55.25.25 5995 extendable

Access-list 5 is:

access-list 5 permit any

Thanks!

Problem with ip nat inside source static

You'll want to change your acl to permit only the subnet you want to translate:

access-list 5 permit 192.168.1.0 0.0.0.255

I didn't see the access-list above, but I see it now

HTH, John *** Please rate all useful posts ***
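Added example (not part of the thread and not any poster's code): a small Python check over the posted configuration text that flags a NAT ACL broader than the LAN, as the reply above recommends avoiding, and reports which `ip nat outside` interface owns each static entry's global address. The function name `audit`, the `inside_net` parameter and the trimmed sample are assumptions of this example.

```python
import ipaddress
import re

# Constructed sample: NAT-relevant lines taken from the configuration posted in this thread.
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 176.55.25.25 255.255.255.252
 ip nat outside
interface GigabitEthernet0/1
 ip address 192.168.2.2 255.255.255.252
 ip nat outside
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip nat inside source route-map backup interface GigabitEthernet0/0 overload
ip nat inside source static udp 192.168.1.3 6000 176.55.25.25 5995 extendable
access-list 5 permit any
route-map backup permit 10
 match ip address 5
"""

def audit(config, inside_net="192.168.1.0/24"):
    """Return (broad_acls, static_owners) for an IOS config given as text."""
    inside = ipaddress.ip_network(inside_net)  # assumption: the LAN to be translated
    text = "\n".join(ln.rstrip() for ln in config.splitlines() if ln.strip())
    ifaces, current = {}, None
    for line in text.splitlines():
        if m := re.match(r"interface (\S+)", line):
            current = ifaces.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # left the interface block
        elif current is not None and (m := re.match(r" ip address (\S+) ", line)):
            current["addr"] = m.group(1)
        elif current is not None and (m := re.match(r" ip nat (inside|outside)", line)):
            current["nat"] = m.group(1)
    outside = {i["addr"]: n for n, i in ifaces.items()
               if i.get("nat") == "outside" and "addr" in i}
    # Standard ACLs referenced by a route-map that permit more than the inside LAN.
    used = set(re.findall(r"^ match ip address (\d+)", text, re.M))
    broad = []
    for num, src, wc in re.findall(r"^access-list (\d+) permit (\S+)(?: (\S+))?$", text, re.M):
        net = None if src == "any" else ipaddress.ip_network(f"{src}/{wc}" if wc else src)
        if num in used and (net is None or not net.subnet_of(inside)):
            broad.append(num)
    # Which "ip nat outside" interface, if any, owns each static entry's global address.
    statics = re.findall(r"^ip nat inside source static (tcp|udp) \S+ \d+ (\S+) (\d+)", text, re.M)
    owners = {f"{p} {g}:{gp}": outside.get(g) for p, g, gp in statics}
    return broad, owners
```
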
New Member

Problem with ip nat inside source static

Thanks a lot,

I am changing the configuration remotely, so, do you think that I will lose the ssh connection if I change one access list to the other one?

Thanks!

Problem with ip nat inside source static

You may....SSH into the public side and you should be able to change it.

HTH, John *** Please rate all useful posts ***
New Member

Problem with ip nat inside source static

Hi,

I have changed the access-list, but I still can't connect to the IP and Port. The current configuration is:

track 1 ip sla 1 reachability
!
!
interface GigabitEthernet0/0
 description backup
 ip address 176.55.25.25 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description primary
 ip address 192.168.2.2 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 load-interval 30
 duplex auto
 speed auto
!
!
interface Vlan1
 description LAN segment
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 load-interval 30
!
ip forward-protocol nd
!
ip nat inside source route-map backup interface GigabitEthernet0/0 overload
ip nat inside source route-map primary interface GigabitEthernet0/1 overload
ip nat inside source static udp 192.168.1.3 6000 176.55.25.25 5995 extendable
ip route 0.0.0.0 0.0.0.0 192.168.2.1 track 1
ip route 0.0.0.0 0.0.0.0 176.55.25.26 254
!
ip sla 1
 icmp-echo 95.110.100.100
 threshold 2
 timeout 4000
 frequency 10
ip sla schedule 1 life forever start-time now
access-list 5 permit 192.168.1.0 0.0.0.255
!
!
route-map backup permit 10
 match ip address 5
 match interface GigabitEthernet0/0
!
route-map primary permit 10
 match ip address 5
 match interface GigabitEthernet0/1
!

Thanks

Purple

Problem with ip nat inside source static

Hi,

can you try adding this:

ip nat inside source static udp 192.168.1.3 6000 192.168.2.2 5995 extendable

Regards.

Alain

Don't forget to rate helpful posts.
New Member

Problem with ip nat inside source static

Thanks a lot for your help, but that also doesn't work...

Problem with ip nat inside source static

What direction are you trying? From the outside or in? Can you do a "debug ip nat", try to get into the port, and then post the results from the debug? Are you 100% certain that this port is udp and whatever application that uses it is running?

Can you get into port 6000 from a local host?

HTH, John *** Please rate all useful posts ***
New Member

Problem with ip nat inside source static

I try to connect to IP: 176.55.25.25 through port 5995, to connect to an equipment inside the router with IP: 192.168.1.3 and port: 6000.

The first thing I thought was that there was a problem with the program to connect, but I have also tried opening port 23 and trying telnet, but that also doesn't work.

ip nat inside source static tcp 192.168.1.3 23 176.55.25.25 5995

From the router I can telnet the IP 192.168.1.3 (from inside the network)

I cannot do a "debug" because with the last command I lost the connection ssh to the router...

I will try later, or I will ask to reload the router.

Thanks

Problem with ip nat inside source static

If you can telnet to the host from the router, then your static translation should work. What is the default gateway on the host?

HTH, John *** Please rate all useful posts ***

Problem with ip nat inside source static

Hello,

The configuration related to the NAT looks good; I would say there is something else stopping that traffic.

So the first thing I will suggest is to do a capture:

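! Count hits for the forwarded port, then permit everything else
ip access-list extended TEST
 permit tcp any host 176.55.25.25 eq 5995
 permit udp any host 176.55.25.25 eq 5995
 permit ip any any
! Apply inbound on the interface that owns 176.55.25.25
interface GigabitEthernet0/0
 ip access-group TEST in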

Then try to connect to that server.

Afterwards do a show access-list TEST... We will need to see if there is a hit on that ACL. If not, well, the traffic is not reaching the router.

Regards,

Julio

Do rate all the helpful posts

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Problem with ip nat inside source static

I'm sorry for not answering before. I couldn't debug because with some of the changes I lost the remote connection.

In the next days I will be able to continue testing.

Thanks to all for your help!

New Member

Problem with ip nat inside source static

I am working to try to solve this problem again. Now I am trying to open Telnet port for that equipment. But, when I do:

Debug IP nat

Nothing regarding to nat is shown in the log.

When I do: show ip nat translations there are no "Outside local" and "Outside global" for my command. Only:

 

tcp 176.52.162.14:5995 192.168.1.3:23

Thanks
