4498 Views 4 Replies Latest reply: Feb 1, 2012 11:30 AM by Stephen RSS


NAT Port Forwarding

Jan 31, 2012 10:34 AM

ScottK 16 posts since
Jun 26, 2008

I have NAT configured and all is working well.  I have a static NAT translation for telnet requests for 10.0.0.2 to forward to an internal host of 192.168.1.100.  When the outside host telnets to 10.0.0.2 all works as it should.


Now I need this to work for the inside hosts as well.  When host 192.168.2.100 telnets to 10.0.0.2 it should forward to 192.168.1.100.  This does not work: "connection refused".  I have the same issue in a live environment but it's to a webserver.  I've googled and read several Cisco NAT documents as well as searching CLN but I'm just not finding what I need.  Maybe I'm not searching for the right thing.


Does anyone here have a solution or can you point me in the right direction?  Below is my test setup and the config from the router.  Very basic configuration since all I'm testing is the NAT.

nat_setup.png


Current configuration : 1513 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
no aaa new-model
memory-size iomem 5
ip cef
!
no ip domain lookup
!
multilink bundle-name authenticated
!
archive
 log config
  hidekeys
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet1/0
 ip address 10.0.0.1 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
ip nat pool NAT_Pool 10.0.0.1 10.0.0.2 netmask 255.255.255.0
ip nat inside source route-map NAT_RMAP pool NAT_Pool overload
ip nat inside source static tcp 192.168.1.100 23 10.0.0.2 23 extendable
!
ip access-list extended ACL_NAT_RMAP
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
route-map NAT_RMAP permit 1
 match ip address ACL_NAT_RMAP
!
control-plane
!
line con 0
 exec-timeout 0 0
 logging synchronous
line aux 0
line vty 0 4
!
end

  • CiscoLoco - CCNP 1,314 posts since
    Feb 11, 2009
    1. Jan 31, 2012 1:22 PM (in response to ScottK)
    Re: NAT Port Forwarding

    What you are trying to do is not well supported in Cisco IOS.  If you search NAT loopback or NAT on a stick you may find a solution.  Below is a link that has an example that may be helpful.


    http://blog.internetworkexpert.com/category/ccie-routing-switching/ip-services/

  • Stephen 527 posts since
    Apr 22, 2011
    2. Jan 31, 2012 2:10 PM (in response to ScottK)
    Re: NAT Port Forwarding

    Is this a live environment?  I'm not sure why you need a pool, why can't you just use ports?


    ip nat inside source list 150 int fa1/0 overload

    access-list 150 permit ip 192.168.1.0 0.0.0.255 any

    access-list 150 permit ip 192.168.2.0 0.0.0.255 any


    ip nat inside source static 192.168.1.100 10.0.0.2 extendable

    ip nat inside source static 192.168.2.100 10.0.0.3 extendable


    Anyone who telnets to 10.0.0.2 will be sent to 192.168.1.100 , and anyone who telnets to 10.0.0.1 gets sent to 192.168.2.100. 


    When it says refused, it usually indicates a firewall or ACL, depending on the device you're telnetting to.  So if 192.168.2.100 was a router and I used #transport input ssh, when you telnet to 10.0.0.1 it would be "connection refused".  With SSH it can also be because you didn't put #crypto key gen rsa on it.  So I'd check the firewall permits telnet to the device having a problem if it's a PC.


    Regards,

    Stephen

  • Stephen 527 posts since
    Apr 22, 2011
    4. Feb 1, 2012 11:30 AM (in response to ScottK)
    Re: NAT Port Forwarding

    If you're connecting internally, just use the actual private IP assigned to the host.


    I don't understand why you would ever connect from the inside network to another host on the inside network, but use the outside natted IP?  It doesn't make sense.


    Think about the processing in the router.  You come from 192.168.1.50.  You then telnet to 10.0.0.2.  The router checks the routing table and sees the 10.0.0.0/24 network is directly connected to the fa1/0 interface.   When the packet hits fa1/0, it sees there is a NAT statement, and uses an IP from the NAT pool to go out.   When it hits the next device, it hasn't got a clue how to get to 10.0.0.2.

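A small model of the forwarding path Stephen walks through, written as an added example for this thread (it is not code from any of the posters). It applies the IOS NAT order of operations to ScottK's topology: outside-to-inside packets are translated first and then routed, inside-to-outside packets are routed first and only have their source rewritten, so the inside host's telnet to 10.0.0.2 leaves FastEthernet1/0 with its destination untouched. It also shows how the "NAT on a stick" loopback CiscoLoco points at changes the result; Loopback0 and its 203.0.113.1 address are assumptions, not part of the original config.

```python
from ipaddress import ip_address, ip_network

# Topology taken from ScottK's config: interface, connected network, NAT role.
# Loopback0 and its 203.0.113.1 address are assumptions used only by the
# hairpin variant; they are not part of the original configuration.
INTERFACES = {
    "FastEthernet0/0": ("192.168.1.0/24", "inside"),
    "FastEthernet0/1": ("192.168.2.0/24", "inside"),
    "FastEthernet1/0": ("10.0.0.0/24", "outside"),
    "Loopback0": ("203.0.113.1/32", "outside"),  # hypothetical 'ip nat outside' loopback
}
# "ip nat inside source static tcp 192.168.1.100 23 10.0.0.2 23": seen from an
# outside interface it rewrites (global addr, port) -> (local addr, port).
STATIC_TCP = {("10.0.0.2", 23): ("192.168.1.100", 23)}

def route(dst):
    """Egress interface: the first connected network that contains dst."""
    for name, (net, _role) in INTERFACES.items():
        if ip_address(dst) in ip_network(net):
            return name
    return None  # no route in this simplified model

def forward(dst, dport, ingress):
    """Return (egress, delivered_dst) using the IOS NAT order of operations."""
    if INTERFACES[ingress][1] == "outside":
        # outside -> inside: translate the destination first, then route.
        dst, dport = STATIC_TCP.get((dst, dport), (dst, dport))
        return route(dst), dst
    # inside -> outside: route first; NAT then rewrites only the *source*,
    # so the static rule is never consulted for this packet's destination.
    return route(dst), dst

def forward_with_hairpin(dst, dport, ingress, loopback="Loopback0"):
    """Variant with policy routing: inside traffic aimed at a NAT global
    address is sent to the outside loopback and re-enters as outside->inside."""
    if INTERFACES[ingress][1] == "inside" and (dst, dport) in STATIC_TCP:
        return forward(dst, dport, loopback)
    return forward(dst, dport, ingress)

if __name__ == "__main__":
    print("outside host  -> 10.0.0.2:23 ", forward("10.0.0.2", 23, "FastEthernet1/0"))
    print("192.168.2.100 -> 10.0.0.2:23 ", forward("10.0.0.2", 23, "FastEthernet0/1"))
    print("same, with hairpin loopback   ", forward_with_hairpin("10.0.0.2", 23, "FastEthernet0/1"))
```

The second line of output shows the packet leaving the outside interface still addressed to 10.0.0.2, which is why the static entry never delivers it to 192.168.1.100 without the loopback detour.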