12-27-2022 02:16 PM
I have a Cisco 3925 router.
I want to "redirect" ports 80/443 to a different port. I am hoping you may let me know if this is right.
ip nat inside source static tcp xxxx.xxxx.x.x 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp xxxx.xxxx.x.x 443 interface GigabitEthernet0/0 30443
access-list 101 permit tcp any any eq 30080 log
access-list 101 permit tcp any any eq 30443 log
Also, do I always need to specify an ACL when opening ports?
Thanks.
12-27-2022 03:52 PM - edited 12-27-2022 03:53 PM
access-list 1 remark --- GigabitEthernet0/2 MY LAN-(LAN) ---
access-list 100 remark --- GigabitEthernet0/2 MY LAN ---
access-list 101 remark --- GigabitEthernet0/0 SPECTRUM-(WAN)(DHCP-bootps/bootpc) ---
You ONLY need what you mention in your original post; this ACL needs to pass the ACL you apply to the WAN interface.
access-list 101 permit tcp any any eq 30080 log
access-list 101 permit tcp any any eq 30443 log
No other change is needed. Your config is perfect.
12-27-2022 02:18 PM
No need for an ACL, only NAT is needed.
12-27-2022 02:32 PM
I am hoping the traffic is coming from outside and you would like to port-forward it to an internal server?
xxxx.xxxx.x.x - is this the internal IP?
GigabitEthernet0/0 - is the IP obtained from the ISP, or static?
So does the router know how to reach the internal server xxxxxxxx? Is the IP address never connected?
12-27-2022 02:53 PM
xxxx.xxx.xx.x is the internal IP.
GigabitEthernet0/0 is OUTSIDE (DDNS).
12-27-2022 02:57 PM
The only case in which we use an ACL with port forwarding is to exclude the IP/L4 port from the dynamic NAT applied to the same interface.
12-27-2022 03:12 PM
So just to clarify, so I really understand: all of the ACLs I have been using are worthless in my configuration?
access-list 101 remark *******************************
access-list 101 remark --- SOME SERVICE ---
access-list 101 permit tcp any any eq 31000 log
access-list 101 permit udp any any eq 32000 log
access-list 101 remark *******************************
12-27-2022 03:20 PM
The ACL you are sharing is not needed; the port is open by default since you don't configure any other ACL.
So you don't need it.
Why do you think that you need it?
12-27-2022 03:18 PM
The lines below work as expected for port-forwarding external to internal (taking for granted that the router is not running any service on ports 30090 and 300443).
ip nat inside source static tcp xxxx.xxxx.x.x 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp xxxx.xxxx.x.x 443 interface GigabitEthernet0/0 30443
access-list 101 - is this the ACL you match to NAT going out?
Then I would deny the host NAT traffic (a host source in an extended ACL needs the host keyword):
access-list 101 deny tcp host x.x.x.x eq 80 any
access-list 101 deny tcp host x.x.x.x eq 443 any
I also take into account that you do not have any ACL configured on gig 0/0 for incoming traffic.
12-27-2022 03:20 PM
Here is g0/0:
ip nat inside source list 1 interface GigabitEthernet0/0 overload
12-27-2022 03:22 PM
ip nat inside source list 1 interface GigabitEthernet0/0 overload <<- this is the answer why you need an ACL for port forwarding
12-27-2022 03:22 PM
Also this:
access-list 101 remark --- GigabitEthernet0/0 SPECTRUM-(WAN)(DHCP-bootps/bootpc) ---
access-list 101 permit udp any any eq bootps log
access-list 101 permit udp any any eq bootpc log
12-27-2022 03:32 PM
Replace my example 101 with 1 - that should work as expected.
access-list 1 deny TCP x.x.x.x eq 80 any
access-list 1 deny TCP x.x.x.x eq 443 any
If there is still an issue, post the complete show run (removing passwords and any confidential information; no need to remove RFC 1918 addresses).
12-27-2022 03:23 PM - edited 12-27-2022 03:44 PM
ip nat inside source list 1 interface GigabitEthernet0/0 overload
The above NAT must be:
ip nat inside source list 101 interface GigabitEthernet0/0 overload <<- if you use ACL 101 in another place, please make it 110
!
ip access-list extended 101
deny tcp host x.x.x.x eq 80 any
deny tcp host x.x.x.x eq 443 any
permit ip any any <<- instead of source any you can specify your local LAN
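As an added check that is not from the thread, a small Python script that reads the relevant lines of a show run and flags the two problems discussed above: an overload NAT list that is a standard ACL (which cannot match L4 ports) and a port-forwarded host whose traffic the overload ACL still permits instead of denying. The config text and the 192.0.2.10 address are constructed placeholders standing in for the thread's x.x.x.x.

```python
import re
# Constructed sample modelled on the thread's final answer; 192.0.2.10 (RFC 5737) stands in for x.x.x.x.
SAMPLE_CONFIG = """
ip nat inside source static tcp 192.0.2.10 80 interface GigabitEthernet0/0 30080
ip nat inside source static tcp 192.0.2.10 443 interface GigabitEthernet0/0 30443
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip access-list extended 101
 deny tcp host 192.0.2.10 eq 80 any
 deny tcp host 192.0.2.10 eq 443 any
 permit ip any any
"""
STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface \S+ \d+$")
OVERLOAD_RE = re.compile(r"^ip nat inside source list (\S+) interface \S+ overload$")
# action, protocol, source (host X / any / addr wildcard), optional source port; destination ignored
ACE_RE = re.compile(r"^(permit|deny) (\S+) (host \S+|any|\S+ \S+)(?: eq (\d+))? ")

def collect_aces(lines, acl):
    """Entries of ACL `acl` in order, from a named block or numbered access-list lines."""
    aces, in_block = [], False
    for ln in lines:
        if ln.startswith("ip access-list extended "):
            in_block = ln.split()[-1] == acl
        elif ln.startswith(f"access-list {acl} "):
            aces.append(ln.split(None, 2)[2])
        elif in_block and ln and ln.split()[0] in ("permit", "deny", "remark"):
            aces.append(ln)
        else:
            in_block = False
    return aces

def overload_action(aces, proto, ip, port):
    """Action of the first ACE matching traffic sourced from ip:port; None means implicit deny."""
    for ace in aces:
        m = ACE_RE.match(ace)  # groups: action, protocol, source, source-port or None
        if m and m.group(2) in ("ip", proto) and m.group(3) in ("any", f"host {ip}") \
                and m.group(4) in (None, port):
            return m.group(1)

def check_overload_exclusions(config):
    """Report port-forwarded hosts that the PAT overload ACL still permits, i.e. fails to exclude."""
    lines = [l.strip() for l in config.splitlines()]
    statics = [m.groups() for m in map(STATIC_RE.match, lines) if m]
    acl = next((m.group(1) for m in map(OVERLOAD_RE.match, lines) if m), None)
    if not statics or acl is None:
        return []
    if acl.isdigit() and (int(acl) < 100 or 1300 <= int(acl) <= 1999):  # standard ACL: no L4 match
        return [f"overload ACL {acl} is a standard ACL and cannot match ports; use an extended ACL"]
    aces = collect_aces(lines, acl)
    return [f"{p}/{ip}:{port} is port-forwarded but not excluded from overload ACL {acl}"
            for p, ip, port in statics if overload_action(aces, p, ip, port) == "permit"]
```

Run `check_overload_exclusions()` on the output of `show run`; an empty list means every static port-forward is denied by the overload ACL before its permit entry.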