4 Replies. Latest reply: Feb 1, 2012 11:30 AM by Stephen

    NAT Port Forwarding

    ScottK

      I have NAT configured and all is working well.  I have a static NAT translation for telnet requests for 10.0.0.2 to forward to an internal host of 192.168.1.100.  When the outside host telnets to 10.0.0.2 all works as it should.

      Now I need this to work for the inside hosts as well.  When host 192.168.2.100 telnets to 10.0.0.2 it should forward to 192.168.1.100.  This does not work ("connection refused").  I have the same issue in a live environment but it's to a webserver.  I've googled and read several Cisco NAT documents as well as searching CLN but I'm just not finding what I need.  Maybe I'm not searching for the right thing.

      Does anyone here have a solution or can you point me in the right direction?  Below is my test setup and the config from the router.  Very basic configuration since all I'm testing is the NAT.

      [image: nat_setup.png]

      Current configuration : 1513 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      no service password-encryption
      !
      hostname R1
      !
      boot-start-marker
      boot-end-marker
      !
      no aaa new-model
      memory-size iomem 5
      ip cef
      !
      no ip domain lookup
      !
      multilink bundle-name authenticated
      !
      archive
       log config
        hidekeys
      !
      interface FastEthernet0/0
       ip address 192.168.1.1 255.255.255.0
       ip nat inside
       ip virtual-reassembly
       duplex auto
       speed auto
      !
      interface FastEthernet0/1
       ip address 192.168.2.1 255.255.255.0
       ip nat inside
       ip virtual-reassembly
       duplex auto
       speed auto
      !
      interface FastEthernet1/0
       ip address 10.0.0.1 255.255.255.0
       ip nat outside
       ip virtual-reassembly
       duplex auto
       speed auto
      !
      ip forward-protocol nd
      !
      no ip http server
      no ip http secure-server
      ip nat pool NAT_Pool 10.0.0.1 10.0.0.2 netmask 255.255.255.0
      ip nat inside source route-map NAT_RMAP pool NAT_Pool overload
      ip nat inside source static tcp 192.168.1.100 23 10.0.0.2 23 extendable
      !
      ip access-list extended ACL_NAT_RMAP
       permit ip 192.168.1.0 0.0.0.255 any
       permit ip 192.168.2.0 0.0.0.255 any
      !
      route-map NAT_RMAP permit 1
       match ip address ACL_NAT_RMAP
      !
      control-plane
      !
      line con 0
       exec-timeout 0 0
       logging synchronous
      line aux 0
      line vty 0 4
      !
      end

        • 1. Re: NAT Port Forwarding
          CiscoLoco - CCNP

          What you are trying to do is not well supported in Cisco IOS.  If you search NAT loopback or NAT on a stick you may find a solution.  Below is a link that has an example that may be helpful.

          http://blog.internetworkexpert.com/category/ccie-routing-switching/ip-services/

          • 2. Re: NAT Port Forwarding
            Stephen

            Is this a live environment?  I'm not sure why you need a pool; why can't you just use ports?

            ip nat inside source list 150 int fa1/0 overload

            access-list 150 permit ip 192.168.1.0 0.0.0.255 any

            access-list 150 permit ip 192.168.2.0 0.0.0.255 any


            ip nat inside source static 192.168.1.100 10.0.0.2 extendable

            ip nat inside source static 192.168.2.100 10.0.0.3 extendable

            Anyone who telnets to 10.0.0.2 will be sent to 192.168.1.100, and anyone who telnets to 10.0.0.1 gets sent to 192.168.2.100.

            When it says refused, it usually indicates a firewall or ACL, depending on the device you're telnetting to.  So if 192.168.2.100 was a router, and I used #transport input ssh, when you telnet to 10.0.0.1 it would be "connection refused".  With SSH it can also be because you didn't put #crypto key gen rsa on it.  So I'd check the firewall permits telnet to the device having a problem if it's a PC.

            Regards,

            Stephen

            • 3. Re: NAT Port Forwarding
              ScottK

              CiscoLoco, I came across the Cisco docs for NAT on a stick and gave it a try yesterday.  That didn't change anything.

              Stephen, I have a similar issue in a live environment with http traffic going to a webserver.  I've worked this up in GNS3 to find a fix.  The pool was just set up with all our external IP addresses but the first IP is the only IP that ever gets used out of the pool.  We're not having an issue with this part of NAT.  I have static NAT set up to forward telnet traffic to the inside host and it works as long as you're coming from the outside but not from the other inside host.  Above is the full basic config with no additional ACLs which could be blocking the telnet traffic, and the host 192.168.1.100 has no security setup to block telnet traffic.

              Thanks for the suggestions.

              • 4. Re: NAT Port Forwarding
                Stephen

                If you're connecting internally, just use the actual private IP assigned to the host.

                I don't understand why you would ever connect from the inside network TO another host on the inside network, but use the outside natted IP?  It doesn't make sense.

                Think about the processing in the router.  You come from 192.168.1.50.  You then telnet to 10.0.0.2.  The router checks the routing table and sees the 10.0.0.0/24 network is directly connected to the fa1/0 interface.  When the packet hits fa1/0, it sees there is a NAT statement, and uses an IP from the NAT pool to go out.  When it hits the next device, it hasn't got a clue how to get to 10.0.0.2.
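The processing Stephen walks through in reply 4 follows from the fixed order in which IOS applies NAT: a packet arriving on an "ip nat outside" interface has its destination translated before the routing lookup, while a packet arriving on an "ip nat inside" interface is routed first and only then has its source translated on the way out. The small model below is an added example, not code from the thread, from Cisco or from the INE link; it simulates that order for R1's posted interfaces, static entry and pool. The outside host 10.0.0.50, the port 40000 and the function names are constructed for the example.

```python
"""Model of the IOS NAT order of operations for R1 in this thread (added example).

Addresses, interface roles and the static tcp 192.168.1.100:23 <-> 10.0.0.2:23
entry are taken from the posted config; everything else is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Interfaces from the posted R1 config: name -> (connected network, NAT role)
INTERFACES = {
    "FastEthernet0/0": (ip_network("192.168.1.0/24"), "inside"),
    "FastEthernet0/1": (ip_network("192.168.2.0/24"), "inside"),
    "FastEthernet1/0": (ip_network("10.0.0.0/24"), "outside"),
}

# ip nat inside source static tcp 192.168.1.100 23 10.0.0.2 23 extendable
STATIC_TCP = {("10.0.0.2", 23): ("192.168.1.100", 23)}   # global -> local
STATIC_TCP_REVERSE = {v: k for k, v in STATIC_TCP.items()}  # local -> global

# ip nat pool NAT_Pool ... overload: ScottK notes only the first address is used
POOL_ADDRESS = "10.0.0.1"
CONSTRUCTED_PAT_PORT = 40000  # constructed ephemeral port for the overload case


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def route_lookup(dst: str) -> Optional[str]:
    """Connected routes only: the posted config has no static or default route."""
    addr = ip_address(dst)
    for name, (net, _role) in INTERFACES.items():
        if addr in net:
            return name
    return None


def forward(pkt: Packet, ingress: str) -> Tuple[Packet, Optional[str]]:
    """Return the packet as it leaves R1 and the egress interface (None = no route)."""
    ingress_role = INTERFACES[ingress][1]

    # Step 1 (outside -> inside only): translate the destination BEFORE routing.
    # This is the only place the static entry maps 10.0.0.2:23 to 192.168.1.100:23,
    # so a packet that enters on an inside interface never gets this rewrite.
    if ingress_role == "outside":
        local = STATIC_TCP.get((pkt.dst, pkt.dport))
        if local:
            pkt = replace(pkt, dst=local[0], dport=local[1])

    # Step 2: routing lookup on the (possibly translated) destination.
    egress = route_lookup(pkt.dst)
    if egress is None:
        return pkt, None

    # Step 3 (inside -> outside only): translate the source AFTER routing.
    # Static entries win; otherwise overload onto the pool address.
    if ingress_role == "inside" and INTERFACES[egress][1] == "outside":
        mapped = STATIC_TCP_REVERSE.get((pkt.src, pkt.sport))
        if mapped:
            pkt = replace(pkt, src=mapped[0], sport=mapped[1])
        else:
            pkt = replace(pkt, src=POOL_ADDRESS, sport=CONSTRUCTED_PAT_PORT)
    return pkt, egress


def reaches_inside_host(pkt: Packet, ingress: str) -> bool:
    """True when R1 would deliver the packet to 192.168.1.100 on FastEthernet0/0."""
    out, egress = forward(pkt, ingress)
    return egress == "FastEthernet0/0" and out.dst == "192.168.1.100" and out.dport == 23


if __name__ == "__main__":
    # Constructed outside host telnetting to the static global address: works.
    print(forward(Packet("10.0.0.50", 51000, "10.0.0.2", 23), "FastEthernet1/0"))
    # ScottK's failing case: inside host telnets to the global address. The
    # destination is never rewritten; the packet is PATed and sent out fa1/0.
    print(forward(Packet("192.168.2.100", 51001, "10.0.0.2", 23), "FastEthernet0/1"))
    # Stephen's advice: use the private address and no NAT is involved at all.
    print(forward(Packet("192.168.2.100", 51002, "192.168.1.100", 23), "FastEthernet0/1"))
```

Running it shows the three outcomes side by side: the outside-originated connection is rewritten to 192.168.1.100:23 and delivered on FastEthernet0/0, the inside-originated connection to 10.0.0.2 leaves FastEthernet1/0 with its destination untouched (which is exactly the "next device hasn't got a clue" situation), and the connection to the private address is plain routing between the two inside interfaces.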