NAT problem, please help

Hi, I have a problem redirecting TCP/UDP with a Cisco SOHO 97. Normally static NAT port redirection works like this:

Inside local          Inside global          Outside global         Outside local
192.168.0.200:3389    82.108.108.250:3389    151.125.171.14:3389    151.125.171.14:3389

Any call to 82.108.108.250 on port 3389 will be redirected to the local host 192.168.0.200 on port 3389.

Configuring:

ip nat inside source static tcp 192.168.0.200 3389 interface ATM0.1 3389

(or ip nat inside source static tcp 192.168.0.200 3389 82.108.108.250 3389), everything works perfectly.

But I need to configure it as follows:

Inside local          Inside global          Outside global         Outside local
192.168.0.200:3389    82.108.108.250:7777    151.125.171.14:7777    151.125.171.14:7777

Therefore any call to 82.108.108.250 on port 7777 should be translated to IP 192.168.0.200, but on port 3389.

I configured it as follows:

ip nat inside source static tcp 192.168.0.200 3389 interface ATM0.1 7777

(or ip nat inside source static tcp 192.168.0.200 3389 82.108.108.250 7777). It should work; I type show ip nat translations and the result is:

tcp 82.108.108.250:7777 192.168.0.200:3389 --- ---

Everything should be correct, but no connection is possible. Do I need to configure an access-list? Please help! Thanks in advance, Leo Fabiani

Reply to
Leo Fabiani

Hi Leo,

It is very possible that the incoming access-list is blocking port 7777.

Please post your config so we can have a look.

You will need to put an entry in the access-list like this:

access-list 101 permit tcp any host 82.108.108.250 eq 7777

I take it the two external IPs are static?

Regards,

Rob

Reply to
RobO

Looks like your cache was spoiling your new settings.

router#clear ip nat translation *

to refresh the translation table (after some minutes it is refreshed by default, by the way).

Reply to
polleke

Here is my config

->>>> is used to mark the non-working config. I try to connect remotely on port 3391, which should be redirected to 3389 on host 192.168.0.114. It's not working. Connecting on port 3389 works perfectly with host 192.168.0.185. Please help. Thanks in advance.

Using 3386 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname leo
!
no logging buffered
enable secret 5 $1$J/70$98jsbaP8wjfmIrwcy9ISc/
!
username leo password 7 135416310F5E517C
ip subnet-zero
ip name-server 212.216.112.112
ip name-server 212.216.172.62
ip dhcp excluded-address 192.168.0.114
ip dhcp excluded-address 192.168.0.185
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
no aaa new-model
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.0.254-255.255.255.0
 ip address 192.168.0.254 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.255.0
 ip access-group 122 out
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address 82.126.126.11 255.255.255.0
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 pvc 8/35
  encapsulation aal5snap
!
!
ip nat inside source list 102 interface ATM0.1 overload
->>>> ip nat inside source static tcp 192.168.0.114 3389 interface ATM0.1 3391
ip nat inside source static tcp 192.168.0.114 143 interface ATM0.1 143
ip nat inside source static tcp 192.168.0.185 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.0.114 80 interface ATM0.1 80
ip nat inside source static tcp 192.168.0.114 110 interface ATM0.1 110
ip nat inside source static tcp 192.168.0.114 25 interface ATM0.1 25
ip classless
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 143
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
->>>> access-list 111 permit tcp any any eq 3391
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 login local
 length 0
!
scheduler max-task-time 5000
!
end

"RobO" wrote in message news:snipped-for-privacy@f14g2000cwb.googlegroups.com...

Reply to
Leo Fabiani

Hi Leo,

You will have to copy ACL 111 into a text editor and edit it as follows:

access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq www
access-list 111 remark --------------TERMINAL SERVICES------
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 3391
access-list 111 permit tcp any any eq 7777
access-list 111 remark -----------------------------------------------------
access-list 111 permit tcp any any eq 143
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any

Put the permit statements towards the top of the list. Otherwise the traffic will be blocked: the ACL is checked from top to bottom.

Then remove the access-list from ATM0.1 point-to-point:

Reply to
RobO
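The two points made in the replies above, as an added example that is not part of the thread and is not Cisco IOS code: a small Python model of what the router does with a packet arriving on its "ip nat outside" interface (ATM0.1). The inbound ACL is evaluated first, against the inside-global destination port (3391 or 7777, not 3389), top to bottom with first match winning and an implicit deny at the end; only then is the static NAT entry looked up. The parsers handle only the ACL and static-NAT syntax that appears in the posted config, and the two configs are constructed, abridged copies of ACL 111 as Leo posted it (the 3391 permit appended after the deny) and as RobO reordered it.

```python
"""Model of inbound (outside -> inside) packet handling on a Cisco IOS NAT box:
inbound ACL on the pre-NAT (inside global) port, then static NAT lookup.
Illustrative only; the parsers cover just the syntax used in the thread."""

PORT_NAMES = {"smtp": 25, "pop3": 110, "www": 80, "telnet": 23, "domain": 53,
              "isakmp": 500, "bootps": 67, "bootpc": 68,
              "netbios-ns": 137, "netbios-dgm": 138}

# Constructed, abridged copy of the posted config: the 'eq 3391' permit sits
# *after* 'deny ip any any', exactly as in Leo's running-config.
POSTED_CONFIG = """
ip nat inside source static tcp 192.168.0.114 3389 interface ATM0.1 3391
ip nat inside source static tcp 192.168.0.185 3389 interface ATM0.1 3389
ip nat inside source static tcp 192.168.0.114 80 interface ATM0.1 80
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 3389
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit icmp any any echo-reply
access-list 111 deny ip any any
access-list 111 permit tcp any any eq 3391
"""

# Same ACL with the terminal-services permits moved above the deny (RobO's fix).
FIXED_CONFIG = """
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 remark -------------- TERMINAL SERVICES ------
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 3391
access-list 111 permit tcp any any eq 7777
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit icmp any any echo-reply
access-list 111 deny ip any any
"""


def _port(tok: str) -> int:
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]


def _pop_endpoint(tok: list) -> tuple:
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD', plus an optional 'eq PORT'."""
    tok = tok[1:] if tok[0] == "any" else tok[2:]
    if tok and tok[0] == "eq":
        return tok[2:], _port(tok[1])
    return tok, None


def parse_acl(config: str, number: int) -> list:
    """Return [(action, proto, dst_port or None), ...] in the order IOS keeps them."""
    entries = []
    for line in config.splitlines():
        tok = line.split()
        if (len(tok) < 5 or tok[0] != "access-list" or tok[1] != str(number)
                or tok[2] == "remark"):
            continue
        action, proto, rest = tok[2], tok[3], tok[4:]
        rest, _src_port = _pop_endpoint(rest)   # source side, not needed here
        rest, dst_port = _pop_endpoint(rest)    # destination 'eq PORT'; icmp types ignored
        entries.append((action, proto, dst_port))
    return entries


def parse_static_nat(config: str) -> dict:
    """Map (proto, inside-global port) -> (inside-local ip, inside-local port)."""
    table = {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:5] == ["ip", "nat", "inside", "source", "static"] and tok[5] in ("tcp", "udp"):
            table[(tok[5], int(tok[-1]))] = (tok[6], int(tok[7]))
    return table


def acl_decision(acl: list, proto: str, dst_port: int) -> str:
    """First matching entry wins; running off the end is the implicit deny."""
    for action, e_proto, e_port in acl:
        if e_proto in ("ip", proto) and e_port in (None, dst_port):
            return action
    return "deny"


def handle_inbound(acl: list, nat: dict, proto: str, dst_port: int) -> str:
    """Outside -> inside: inbound ACL sees the global port, then static NAT rewrites it."""
    if acl_decision(acl, proto, dst_port) != "permit":
        return "dropped by inbound ACL"
    target = nat.get((proto, dst_port))
    if target is None:
        return "permitted but no static translation"
    return f"forwarded to {target[0]}:{target[1]}"


def run_scenarios() -> dict:
    nat = parse_static_nat(POSTED_CONFIG)
    posted, fixed = parse_acl(POSTED_CONFIG, 111), parse_acl(FIXED_CONFIG, 111)
    return {
        "posted 3389": handle_inbound(posted, nat, "tcp", 3389),
        "posted 3391": handle_inbound(posted, nat, "tcp", 3391),
        "fixed 3391": handle_inbound(fixed, nat, "tcp", 3391),
        "fixed 7777": handle_inbound(fixed, nat, "tcp", 7777),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:12s} -> {result}")
```

Running it shows why 3389 worked and 3391 did not: the packet to 3391 reaches "deny ip any any" before the permit that was appended below it, while with the reordered ACL it is permitted and then translated to 192.168.0.114:3389. The last scenario is the reminder that an ACL permit alone is not enough: port 7777 is permitted but, with no static entry for it, nothing is forwarded.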

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.