Cisco NAT – Troubleshooting Port Forwarding to the Wrong Machine


We are running a few services in our internal network that we would like
to expose to the outside world. At first we were having trouble with email,
DNS, and www. Not sure what happened, but email and DNS started working all
of a sudden.

In regards to www, we are forwarding the traffic to our apache server (192.168.2.15), with the following port forward rule:

ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80

For some reason it's getting routed to another server on the network.
We know this because the firewall of that server is burning the request.
Is there any way to make these static rules more strictly enforced and get
the traffic to the right server?

Update

NAT Definitions

no ip nat service sip udp port 5060
no ip nat service sip udp port 5080         
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.2.20 5080 interface Dialer0 5080
access-list 130 permit udp any any range 8000 65535
route-map voip-rtp permit 1
match ip address 130
ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp

NAT Trans

tcp public-ip:53       192.168.2.5:53        ---                   ---
tcp public-ip:25       192.168.2.10:25       ---                   ---
tcp public-ip:465      192.168.2.10:465      ---                   ---
tcp public-ip:993      192.168.2.10:993      ---                   ---
--- public-ip          192.168.2.5           ---                   ---

Thanks in Advance,

Nick from Toronto.

Best Answer

Is there somehow a second port 80 rule? (shouldn't be possible, but I've seen it happen)

show ip nat translations | include ---

Is the ARP cache on the router somehow wrong, i.e. it thinks 2.15 is at a different machine?

show ip arp <inside interface>

And lastly, IOS has, in the past, had significant issues with NAT and dynamic interface addresses. On my cablemodem-feed router, I have to replace the NAT rules with full IP addresses (every time the address changes!) to make it work; the rules won't apply correctly if dhcp is setting the address, or if the address later changes with the interface up. I've never used "interface nat" on the DSL line with a static address.

[UPDATE]

ip nat inside source static 192.168.2.5 <public ip> route-map voip-rtp

That is what's causing the error. As you can see in the firewall output, the DST is 2.5, not 2.15. And there's no port 80 translation in the table.

[Further Update]

There is no way to make a Cisco IOS device NAT a UDP port range. It'll work perfectly for TCP, but completely ignores UDP. (Nice of Cisco to do that.) If you attempt to use route-maps with an ACL that specifies ports, it generates an error matching the ACL. (Turn on various debugs to see it.) Inside destination NAT ignores the UDP part.
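The diagnosis in the answer rests on two things a practitioner can check mechanically: which static entries the config promises but the translation table does not contain, and which inside host an inbound packet falls through to when its port has no specific entry. The following Python is an added example (not code from the question, the answer or Cisco) that models both checks over the tables posted above. The sample `show ip nat translations` output and the config are the page's own, with the public address spelled `public-ip` in both so they can be compared. The matching order it models, port-specific entries before the address-only 1:1 entry, is an assumption about IOS behaviour used to reproduce the symptom described in the question, not a verified description of IOS internals.

```python
"""Check a Cisco IOS static NAT config against 'show ip nat translations'
and model where an inbound packet lands.

Assumed matching order (model, not verified IOS internals): a port-specific
static entry (proto + global port) is matched first; a packet with no such
entry falls through to an address-only 1:1 entry for the same global address.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatEntry:
    proto: Optional[str]        # "tcp" / "udp", or None for an address-only entry
    global_addr: str
    global_port: Optional[int]
    local_addr: str
    local_port: Optional[int]

# One row of 'show ip nat translations'; only the inside global/local columns matter here.
_ROW = re.compile(r"^(tcp|udp|---)\s+(\S+?)(?::(\d+))?\s+(\S+?)(?::(\d+))?\s+")
# Static port forward: ip nat inside source static <proto> <local> <lport> interface <if> <gport>
_STATIC_PORT = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)")
# Static 1:1 address mapping, optionally with a route-map.
_STATIC_ADDR = re.compile(r"^ip nat inside source static (\S+) (\S+)(?: route-map \S+)?$")

def parse_translations(text: str) -> list[NatEntry]:
    """Parse the rows of 'show ip nat translations' (header line is skipped)."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue
        proto, gaddr, gport, laddr, lport = m.groups()
        entries.append(NatEntry(None if proto == "---" else proto, gaddr,
                                int(gport) if gport else None, laddr,
                                int(lport) if lport else None))
    return entries

def expected_from_config(config: str) -> list[NatEntry]:
    """Translation entries the static 'ip nat inside source static' lines should produce."""
    entries = []
    for line in config.splitlines():
        line = line.strip()
        m = _STATIC_PORT.match(line)
        if m:
            proto, laddr, lport, ifname, gport = m.groups()
            entries.append(NatEntry(proto, ifname, int(gport), laddr, int(lport)))
            continue
        m = _STATIC_ADDR.match(line)
        if m:
            laddr, gaddr = m.groups()
            entries.append(NatEntry(None, gaddr, None, laddr, None))
    return entries

def missing_static_entries(config: str, table: list[NatEntry]) -> list[NatEntry]:
    """Static rules in the config with no matching row in the translation table.
    The global address is ignored in the comparison because 'interface Dialer0'
    resolves to whatever address the dialer currently holds."""
    have = {(e.proto, e.global_port, e.local_addr, e.local_port) for e in table}
    return [e for e in expected_from_config(config)
            if (e.proto, e.global_port, e.local_addr, e.local_port) not in have]

def resolve_inbound(table: list[NatEntry], proto: str, dst_port: int):
    """Inside (addr, port) an inbound packet to the public address is sent to,
    under the assumed matching order; None if no entry applies."""
    for e in table:                           # port-specific entries win
        if e.proto == proto and e.global_port == dst_port:
            return e.local_addr, e.local_port
    for e in table:                           # otherwise the 1:1 entry swallows it
        if e.proto is None:
            return e.local_addr, dst_port
    return None

# Constructed from the page's posted tables; 'public-ip' stands in for the real address.
SHOW_NAT = """\
Pro Inside global      Inside local          Outside local         Outside global
tcp public-ip:53       192.168.2.5:53        ---                   ---
tcp public-ip:25       192.168.2.10:25       ---                   ---
tcp public-ip:465      192.168.2.10:465      ---                   ---
tcp public-ip:993      192.168.2.10:993      ---                   ---
--- public-ip          192.168.2.5           ---                   ---
"""
CONFIG = """\
ip nat inside source static tcp 192.168.2.5 53 interface Dialer0 53
ip nat inside source static tcp 192.168.2.15 80 interface Dialer0 80
ip nat inside source static tcp 192.168.2.10 25 interface Dialer0 25
ip nat inside source static tcp 192.168.2.10 465 interface Dialer0 465
ip nat inside source static tcp 192.168.2.10 993 interface Dialer0 993
ip nat inside source static tcp 192.168.2.10 995 interface Dialer0 995
ip nat inside source static tcp 192.168.2.15 443 interface Dialer0 443
ip nat inside source static udp 192.168.2.5 5060 interface Dialer0 5060
ip nat inside source static udp 192.168.2.20 5080 interface Dialer0 5080
ip nat inside source static 192.168.2.5 public-ip route-map voip-rtp
"""
TABLE = parse_translations(SHOW_NAT)

if __name__ == "__main__":
    for e in missing_static_entries(CONFIG, TABLE):
        print(f"missing: {e.proto} port {e.global_port} -> {e.local_addr}:{e.local_port}")
    print("tcp/80 lands on", resolve_inbound(TABLE, "tcp", 80))    # the 1:1 entry, 192.168.2.5
    fixed = TABLE + [NatEntry("tcp", "public-ip", 80, "192.168.2.15", 80)]
    print("tcp/80 with its entry present lands on", resolve_inbound(fixed, "tcp", 80))
```

Run against the posted tables, the missing-entry check lists tcp/80, tcp/443, tcp/995, udp/5060 and udp/5080, and `resolve_inbound` sends tcp/80 to 192.168.2.5, which is exactly the firewall log the question describes; once a port 80 row exists in the table, the same packet resolves to 192.168.2.15. The same check is useful after any change to a dialer or DHCP address: re-run `show ip nat translations`, diff it against the static rules, and treat any missing row as a port that the 1:1 mapping (if one exists) will claim.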