0

I have a Cisco IOS router with IOS C1900 Software (C1900-UNIVERSALK9-M), Version 15.2(4)M1. I have set up NAT with port overload (one public IP), and there is a static mapping:

ip nat source static tcp 192.168.1.42 7780 interface GigabitEthernet0/0 80

This works fine if I try to access the web server from other ISPs (GE0/0 is the external interface, GE0/1 the internal interface), i.e. when traffic goes from GE0/0 to GE0/1.

But when I want to access it from the internal network (GE0/1), the packet does not reach the destination host. An NVI NAT table entry is created for this connection, but packets are not reaching 192.168.1.42:7780. So is it possible for the NAT outside address to work as a port forward for the inside NAT pool?

EDIT: The source IP is from the local subnet, i.e. 192.168.1.100, but I'm accessing the WAN address, i.e. 88.88.88.88, that is assigned to the GE0/0 external WAN interface, so the traffic goes through the router.

damiankolasa
  • 101
  • 3

3 Answers

0

What is your source IP? If you're accessing 192.168.1.42 from something in the same subnet as the server, the traffic will never hit the router and won't get NAT'd.

Also, you may be mixing your tech here. The command you gave uses the new-style NVI NAT and treats all NAT-enabled interfaces as inside. But you're referring to outside interfaces as though you've defined them.

Can you give us the config you have for your NAT statements, your ACLs, and interfaces?

Keller G
  • 644
  • 3
  • 6
0

The first problem you're going to have is return packet forwarding from the webserver to the client. Imagine the following flow:

Source IP 192.168.1.100  Source Port 64000
Destination IP 88.88.88.88  Destination port 7780

This packet hits the router and gets changed to the following

Source IP 192.168.1.100 Source Port 64000
Destination IP 192.168.1.42 Destination Port 80

This packet then gets sent to the server, which will attempt to REPLY to 192.168.1.100!! This will bypass the router (Layer 2), so the client will see the reply packet as:

Source IP 192.168.1.42 Source Port 80
Destination IP 192.168.1.100 Destination Port 64000

This is a problem - the client expects the source to be 88.88.88.88! This is solvable with a route on the server forcing all local traffic back through the router - but that will affect a lot of traffic and I wouldn't really recommend it. If you put the webserver off a different interface (or VLAN) on the router you may have an easier go of this...

Jason Seemann
  • 1,120
  • 6
  • 9
0

The key was to add:

no ip redirects

on the NAT interfaces. It worked.

damiankolasa
  • 101
  • 3
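
For reference, an added illustration of how the pieces discussed in this thread fit together; this is not the asker's posted configuration (the thread never shows it in full) and not vendor documentation. Only the static mapping line, the interface roles, 88.88.88.88 and 192.168.1.42:7780 come from the thread; the interface addresses and mask, the router's LAN address, the ACL name and the internal subnet are assumptions.

```cisco
! Added example (IOS 15.x NVI-style NAT), not the asker's actual running-config.
! Assumed values: 88.88.88.88/29 on Gi0/0, 192.168.1.0/24 on Gi0/1 with the
! router at 192.168.1.1, access list named INSIDE-NAT.
interface GigabitEthernet0/0
 description WAN (outside)
 ip address 88.88.88.88 255.255.255.248
 ip nat enable
 no ip redirects
!
interface GigabitEthernet0/1
 description LAN (inside)
 ip address 192.168.1.1 255.255.255.0
 ip nat enable
 no ip redirects
!
ip access-list standard INSIDE-NAT
 permit 192.168.1.0 0.0.0.255
!
! Port overload (PAT) for the LAN behind the single public address
ip nat source list INSIDE-NAT interface GigabitEthernet0/0 overload
!
! Static mapping from the question: inside 192.168.1.42:7780 <-> outside 88.88.88.88:80
ip nat source static tcp 192.168.1.42 7780 interface GigabitEthernet0/0 80
```

With NVI NAT every interface carrying `ip nat enable` is a NAT interface, so `no ip redirects` goes on both. The command stops the router from sending ICMP redirects when it forwards a packet back out the interface it arrived on, which is exactly what happens once a LAN client's packet to 88.88.88.88 has been translated to 192.168.1.42 and is sent back out Gi0/1. `show ip nat nvi translations` lists the active NVI entries, so it is the place to confirm that the hairpin connection is actually being translated rather than just forwarded.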