cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

802
Views
0
Helpful
2
Replies
Highlighted
Beginner

Port Forwarding Problem

Hi

This is my first time working with Cisco routers and I'm setting up a brand new 1812 with IOS 12.4.

I  used CCP to configure it including the ZFW with DMZ on 10.10.3.1. Traffic flows from  in to out but now I need to open some ports for inbound ssh traffic. I  want connections on port 29 to be directed to a specific  machine 10.10.0.199 on the inside. CCP didn't add any inbound rules so  I'm trying to figure this out by hand but it's not working.

I'm not sure where to start asking questions so let  me start with the following and hopefully someone can point me in the  right direction or at least get the discussion going.

Now, it looks to me that I should be using port mapping so I've added the following (via CCP):

ip port-map user-ssh-29 port tcp 29 list 3
access-list 3 permit 10.10.0.199

From discussions I've read on this forum and around the net I'm seem to be missing some NAT rule(s). Something like
ip nat inside source static tcp 10.10.0.199 29 interface FastEthernet0 29

The rules that were created are:
class-map type inspect match-any user-ssh-29
match protocol user-ssh-29
class-map type inspect match-all ccp-cls--1
match class-map user-ssh-29
match access-group name incoming-abc

ip access-list extended incoming-abc
remark CCP_ACL Category=128
permit ip any host 10.10.0.199


The  net effect is that inbound connections are not getting through, they  don't fail with a connection refused, but they hang waiting ...

Using the CCP monitoring features it looks like the  router is taking these connection attempts to be outside->self rather  than outside->inside as the the packets show up in Firewall Status  out->self dropped packets monitor

The 1812's outside interface in on a subnet 10.10.2.0 behind a DSL modem/router.

Thanks

Everyone's tags (3)
2 REPLIES 2
Highlighted

Re: Port Forwarding Problem

Hi,

For port forwarding you need the NAT rule you mentioned:

ip nat inside source static tcp 10.10.0.199 29 interface FastEthernet0 29

The above command says that when the router receives an inbound TCP packet on port 29 on its FastEthernet interface, it will redirect it to 10.10.0.199 on the same port.

If you have an ACL applied to this FastEthernet interface, the ACL should permit this traffic in.

Federico.

Highlighted
Beginner

Re: Port Forwarding Problem

Hi

I've been away ... but still need help. I know that I'm missing something.

What exactly would ACL look like? I've tried a number of things that haven't worked.

In order to understand this stuff I've stripped it down to the below, having removed the fw parts. Outgoing is ok but the incoming map on port 29 doesn't work. The debug trace produces stuff like this:

NAT*: o: tcp (10.10.0.100, 37237) -> (10.10.0.8, 29) [0]

NAT*: s=10.10.0.100, d=10.10.0.8->10.10.5.20 [0]

NAT*: i: tcp (10.10.5.20, 29) -> (10.10.0.100, 37237) [14190]

NAT*: s=10.10.5.20->10.10.0.8, d=10.10.0.100 [14190]

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname gw1

!

boot-start-marker

boot-end-marker

!

dot11 syslog

no ip source-route

!

ip cef

no ip bootp server

ip domain name xx.com

ip name-server 10.10.0.5

no ipv6 cef

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

interface FastEthernet0

ip address 10.10.0.8 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

ip address 10.10.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.10.0.5 permanent

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source static tcp 10.10.5.20 29 interface FastEthernet0 29

ip nat inside source list 1 interface FastEthernet0 overload

!

logging trap debugging

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.5.20 0.0.0.255

no cdp run

control-plane

!

end