# Cisco NAT/PAT forwarding



## joshbuss (Jan 1, 2011)

Hello everybody, I am currenlty trying to configure a 871W to forward a port 3389 to the internal address 192.168.1.240. I have been playing with this for a couple days now, and I have not been able to figure out what I am doing wrong. Any help is appreciated, and if you see anything else wrong, please don't hesitate to correct me. I am still learning everything here :::BTW Outside interface utilizes DHCP for addressing...



Current configuration : 8415 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SuperRT
!
boot-start-marker
boot-end-marker
!
logging buffered 100000 debugging
enable secret 5 REMOVED
enable password 7 REMOVED
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.2.1 192.168.2.100
!
ip dhcp pool VLAN10
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8 8.8.4.4
lease 4
!
ip dhcp pool VLAN20
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
lease 4
!
!
ip inspect log drop-pkt
ip inspect name MYFW udp
ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
ip inspect name SDM_MEDIUM cuseeme
ip inspect name SDM_MEDIUM dns
ip inspect name SDM_MEDIUM ftp
ip inspect name SDM_MEDIUM h323
ip inspect name SDM_MEDIUM https
ip inspect name SDM_MEDIUM icmp
ip inspect name SDM_MEDIUM imap reset
ip inspect name SDM_MEDIUM pop3 reset
ip inspect name SDM_MEDIUM netshow
ip inspect name SDM_MEDIUM rcmd
ip inspect name SDM_MEDIUM realaudio
ip inspect name SDM_MEDIUM rtsp
ip inspect name SDM_MEDIUM esmtp
ip inspect name SDM_MEDIUM sqlnet
ip inspect name SDM_MEDIUM streamworks
ip inspect name SDM_MEDIUM tftp
ip inspect name SDM_MEDIUM udp
ip inspect name SDM_MEDIUM vdolive
ip name-server 8.8.4.4
ip name-server 8.8.8.8
!
!
appfw policy-name SDM_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yahoo.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
audit-trail on
!
!
crypto pki trustpoint TP-self-signed-3692985937
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3692985937
revocation-check none
rsakeypair TP-self-signed-3692985937
!
!
crypto pki certificate chain TP-self-signed-3692985937
certificate self-signed 01
30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33363932 39383539 3337301E 170D3032 30333031 30303133
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36393239
38353933 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AF61 3D71E7FC A5126C66 AE63222A F8A7194F C2E02069 673A8689 C0458EAC
44E1AA1A E6FD61F4 89C254A4 69B6A9E2 73FDDD40 A140F9B3 D1D2EB46 3198F509
190D84D3 B77B5314 3FC40310 DF726EFF E99A53A7 C4FE6C05 732BBAC8 9CEF8FE6
25A8F4A8 F1F81D5F 7F9644E7 50CD4ED5 2E953A02 CA2583E2 8C3FA9C8 BE411909
35450203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
551D1104 0C300A82 08537570 65725254 2E301F06 03551D23 04183016 80140A57
B1CF7305 680DA4C3 E7C761BA CB02A278 256E301D 0603551D 0E041604 140A57B1
CF730568 0DA4C3E7 C761BACB 02A27825 6E300D06 092A8648 86F70D01 01040500
03818100 77B8E5CD 5C1EA0F6 7A8FCC98 91A3448D F4E28353 DBF76E01 1EB57A8F
C062C979 7859DBB5 1A2B1DB5 536B283B 32B9323B 78B618F6 5178DECF 95805E78
4821B674 A8B51DFA 15F2AE68 EF372884 7902A2E2 FAF483A6 D9E425DF 32B9F606
EBA4D5DB BE49AC84 30E1118D 4CEE9CC0 D10ABC2D 8744E815 6FFD19ED 448E0502 D7444FBB
quit
username root privilege 15 password 7 REMOVED
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers tkip
!
encryption vlan 20 mode ciphers tkip
!
ssid GuestWireless
vlan 20
authentication open
authentication key-management wpa
wpa-psk ascii 7 REMOVED
!
ssid SuperWRT
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 REMOVED
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2452
station-role root
no dot11 extension aironet
no cdp enable
!
interface Dot11Radio0.10
encapsulation dot1Q 10
no snmp trap link-status
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no snmp trap link-status
!
interface Vlan1
no ip address
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Dialer1
no ip address
ip access-group Internet-inbound-ACL in
ip inspect MYFW out
!
interface BVI10
description Bridge to Internal Network$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
ip classless
!
ip http server
ip http secure-server
ip nat log translations syslog
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any eq 4000
permit tcp any any eq 3389
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip any any log
access-list 101 permit udp host 8.8.4.4 eq domain any
access-list 101 permit udp host 8.8.8.8 eq domain any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
!
control-plane
!
bridge 10 route ip
!
line con 0
password 7 REMOVED
no modem enable
line aux 0
line vty 0 4
password 7 REMOVED
!
scheduler max-task-time 5000
end


----------



## Wand3r3r (Sep 17, 2010)

I am no expert in cisco but a couple of observations

ip dhcp excluded-address 192.168.1.1 192.168.1.100
and
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389!

It appears to me you are excluding 1-100 but you have assigned 240 as a static which should be out of the dhcp scope yet it's in the dhcp scope. Not a forwarding issue but can cause a ip conflict.

http://www.cisco.com/en/US/docs/ios/12_3/ipaddr/command/reference/ip1_i2g.html#wp1079180

ip nat inside source static (TCPorUDP) (YourCompsIP) (PortToForward) interface BVI1 (PortToForward)
so
ip nat inside source static tcp 192.168.1.240 3389 interface FastEthernet4 3389
looks good


----------



## joshbuss (Jan 1, 2011)

.240 is being assigned by DHCP, but is assigned VIA mac address, so we will not run into ip conflicts. I still am unable to connect on port 3389 (or any port that i try to forward). I have verified that all local firewalls are turned off and have even tried separate hosts on the LAN with diffrent Ips.

I must be missing something in my config...


----------



## Wand3r3r (Sep 17, 2010)

first test is can you connect from pc to pc via rdp.


----------



## joshbuss (Jan 1, 2011)

Yes, internally I can RDP into it PC-2-PC no problem. The issue is when I try to RDP from outside the LAN. I have verified that all firewalls on the host have been disabled, so they will not interfere with me testing. (I can reenable later)


----------

