Port Forwarding Problem

reseauxjcnet · ‎01-13-2011

Hi

This is my first time working with Cisco routers and I'm setting up a brand new 1812 with IOS 12.4.

I used CCP to configure it including the ZFW with DMZ on 10.10.3.1. Traffic flows from in to out but now I need to open some ports for inbound ssh traffic. I want connections on port 29 to be directed to a specific machine 10.10.0.199 on the inside. CCP didn't add any inbound rules so I'm trying to figure this out by hand but it's not working.

I'm not sure where to start asking questions so let me start with the following and hopefully someone can point me in the right direction or at least get the discussion going.

Now, it looks to me that I should be using port mapping so I've added the following (via CCP):

ip port-map user-ssh-29 port tcp 29 list 3

access-list 3 permit 10.10.0.199

From discussions I've read on this forum and around the net I'm seem to be missing some NAT rule(s). Something like

ip nat inside source static tcp 10.10.0.199 29 interface FastEthernet0 29

The rules that were created are:

class-map type inspect match-any user-ssh-29

match protocol user-ssh-29

class-map type inspect match-all ccp-cls--1

match class-map user-ssh-29

match access-group name incoming-abc

ip access-list extended incoming-abc

remark CCP_ACL Category=128

permit ip any host 10.10.0.199

The net effect is that inbound connections are not getting through, they don't fail with a connection refused, but they hang waiting ...

Using the CCP monitoring features it looks like the router is taking these connection attempts to be outside->self rather than outside->inside as the the packets show up in Firewall Status out->self dropped packets monitor

The 1812's outside interface in on a subnet 10.10.2.0 behind a DSL modem/router.

Thanks

Federico Coto Fajardo · ‎01-14-2011

Hi,

For port forwarding you need the NAT rule you mentioned:

ip nat inside source static tcp 10.10.0.199 29 interface FastEthernet0 29

The above command says that when the router receives an inbound TCP packet on port 29 on its FastEthernet interface, it will redirect it to 10.10.0.199 on the same port.

If you have an ACL applied to this FastEthernet interface, the ACL should permit this traffic in.

Federico.

reseauxjcnet · ‎01-26-2011

Hi

I've been away ... but still need help. I know that I'm missing something.

What exactly would ACL look like? I've tried a number of things that haven't worked.

In order to understand this stuff I've stripped it down to the below, having removed the fw parts. Outgoing is ok but the incoming map on port 29 doesn't work. The debug trace produces stuff like this:

NAT*: o: tcp (10.10.0.100, 37237) -> (10.10.0.8, 29) [0]

NAT*: s=10.10.0.100, d=10.10.0.8->10.10.5.20 [0]

NAT*: i: tcp (10.10.5.20, 29) -> (10.10.0.100, 37237) [14190]

NAT*: s=10.10.5.20->10.10.0.8, d=10.10.0.100 [14190]

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname gw1

!

boot-start-marker

boot-end-marker

!

dot11 syslog

no ip source-route

!

ip cef

no ip bootp server

ip domain name xx.com

ip name-server 10.10.0.5

no ipv6 cef

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

interface FastEthernet0

ip address 10.10.0.8 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

ip address 10.10.5.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.10.0.5 permanent

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source static tcp 10.10.5.20 29 interface FastEthernet0 29

ip nat inside source list 1 interface FastEthernet0 overload

!

logging trap debugging

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.10.5.20 0.0.0.255

no cdp run

control-plane

!

end