Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Nat Problem

Status
Not open for further replies.

gpet

Technical User
May 18, 2007
17
GR
Hi everyone

I have a 876 router with an adsl with dynamic ip and i want
to port forward some ports in my network.

here is the conf that i have made

nat statements

ip nat inside source static tcp 192.168.100.1 8383 interface Dialer0 8383
ip nat inside source static tcp 192.168.100.1 4899 interface Dialer0 4899

dialer 0
ip access-group 101 in


access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 8383
access-list 101 permit tcp any any eq 4899
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any


it is not working what am i doing wrong


thanks all in advanced
 
Show your whole config please, minus public IP addresses and passwords. You have to have ip nat inside on the inside interface and ip nat outside on the outside interface.

Burt
 
thanks for repling

here is conf


Building configuration...

Current configuration : 7183 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime 2
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 4:00
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name xxxxxxxx
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-374076096
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-374076096
revocation-check none
rsakeypair TP-self-signed-374076096
!
!
crypto pki certificate chain TP-self-signed-374076096
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33373430 37363039 36301E17 0D303631 31313531 36303834
325A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3337 34303736
30393630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
D73756E9 C1C1B4DA 14EE77E1 EE127CAF 049BDDDF DE973D6D 8B0BEDFC 2F225EEA
91CC2DB9 823B7D96 A414573E FBA00234 13755D13 4A33ED03 CD239EA2 73B81ACF
C7150E5C 21FF27D8 59362180 48A148F2 CC172C39 76FC3E3D C60A17B3 608F3BAC
D57D9520 49892A30 4EB9138E 35C62EBA C15F832B E577B5C5 9C13B638 DC21330F
02030100 01A37730 75300F06 03551D13 0101FF04 05300301 01FF3022 0603551D
11041B30 19821763 79626572 726F7574 652E6379 62657273 706F742E 6772301F
0603551D 23041830 168014FD 595D25EF 6DF1A056 E02EC158 6FD350F1 ABDA0B30
1D060355 1D0E0416 0414FD59 5D25EF6D F1A056E0 2EC1586F D350F1AB DA0B300D
06092A86 4886F70D 01010405 00038181 0000C5E5 B5141140 CE60E3D4 7B4201FC
858E6D25 3C812372 1B12BEBF 769DAD9C 12519121 BA2A933B 86D50EED 8523F2F8
D3C3D0F6 BB0F887D E50D58C4 587964DA 3AD4D9A9 DAFE579A EB169FA1 488B9A67
22E259A1 4D2BF1F9 EC39C6F4 89605289 BE6EEADB BA860DCB 34A51D57 2CEC2A43
3B899D4C 5E417EF9 5EC9F277 FC4F154D 3B
quit
username xxxxxxxx privilege 15 secret 5 xxxxxxxx
!
!
!
!
!
!
interface BRI0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.100.211 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
ip policy route-map forthnet
!
interface Dialer0
description $FW_OUTSIDE$
bandwidth 2000
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxxxxxx
ppp chap password 7 xxxxxxxx
ppp pap sent-username xxxxxxxx password 7 xxxxxxxxxxxxx
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.1.0 255.255.255.0 192.168.100.254
ip route 192.168.2.0 255.255.255.0 192.168.100.254
ip route 192.168.3.0 255.255.255.0 192.168.100.254
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.100.1 8383 interface Dialer0 8383
ip nat inside source static tcp 192.168.100.1 4899 interface Dialer0 4899
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 8383
access-list 101 permit tcp any any eq 4899
access-list 101 deny ip 192.168.100.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 permit tcp any any eq 7777
access-list 102 permit tcp any any eq 3724
access-list 102 permit tcp any any eq 6112
access-list 102 permit tcp any any eq 2009
access-list 102 permit tcp any any eq 2106
access-list 102 permit tcp any any eq 8891
access-list 102 permit tcp any any eq 2222
access-list 102 permit tcp any any eq 7778
access-list 102 permit tcp any any eq 7775
access-list 105 permit tcp any host 194.219.227.2 eq domain
access-list 105 permit tcp any host 193.92.150.3 eq domain
access-list 105 permit udp any host 194.219.227.2 eq domain
access-list 105 permit udp any host 193.92.150.3 eq domain
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map forthnet permit 10
match ip address 102
set ip next-hop 192.168.100.254
!
route-map forthnet permit 30
match ip address 105
set ip next-hop 192.168.100.254
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
Hi again


Please anyone help me


thanks all in advanced
 
I don't see an ip nat outside anywhere in your config. Type show ip nat translation to verify that your inside interface is being translated to an outside interface. See thread557-1382383 where I give a step by step configuration for setting up overloaded NAT.

Check out this link for help configuring Static NAT.

- Configuring Static and Dynamic NAT Simultaneously


Also check out the Cisco link below for help verifying and troubleshooting NAT configuration.

- Verifying NAT Operation and Basic NAT Troubleshooting


Joey
A+, Network+, MCP
 
He's got NAT outside on his dialer interface the way it is supposed to be.
Can you ping the dialer interface from 192.168.100.1? I don't know much about the applications associated with those two ports, so I don't know what questions to ask...what kind of servers are they? I assume you can get out to the internet with any other device? Any reason you have a VLAN set up? What does the topology look like, and what all specifically are you having problems with???
Without answering these questions, I don't know what to tell you.

Burt
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top