11-05-2004 11:16 AM - edited 03-09-2019 09:21 AM
I am in a situation where I need to enable port forwarding on a Cisco 831 router to allow Bittorrent traffic to work. Currently, I have the following statements enabled; however, the traffic does not seem to be forwarded because Bittorrent shows that it has no externally connected hosts:
Here is an example of my statements and access lists:
ip nat inside source static tcp 192.168.10.7 50000 interface Ethernet1 50000
ip nat inside source static tcp 192.168.10.7 3724 interface Ethernet1 3724
ip nat inside source static tcp 192.168.10.7 6112 interface Ethernet1 6112
ip nat inside source static tcp 192.168.10.7 6881 interface Ethernet1 6881
ip nat inside source static tcp 192.168.10.7 6882 interface Ethernet1 6882
ip nat inside source static tcp 192.168.10.7 6883 interface Ethernet1 6883
ip nat inside source static tcp 192.168.10.7 6884 interface Ethernet1 6884
ip nat inside source static tcp 192.168.10.7 6885 interface Ethernet1 6885
ip nat inside source static tcp 192.168.10.7 6886 interface Ethernet1 6886
ip nat inside source static tcp 192.168.10.7 6887 interface Ethernet1 6887
ip nat inside source static tcp 192.168.10.7 6888 interface Ethernet1 6888
ip nat inside source static tcp 192.168.10.7 6889 interface Ethernet1 6889
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip 240.0.0.0 15.255.255.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit gre any any
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit tcp X.X.X.X 0.0.0.63 any eq 22
access-list 101 permit tcp any any eq 3724
access-list 101 permit tcp any any eq 6112
access-list 101 permit tcp any any range 6881 6889
access-list 101 permit tcp any any eq 50000
access-list 101 deny ip any any log
... and finally my outside interface.
interface Ethernet1
description **** Remote Office Internet Connection ****
ip address dhcp client-id Ethernet1
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect IOS_FW out
ip virtual-reassembly
service-policy output Shape-384-Cable
ip tcp adjust-mss 542
no ip mroute-cache
duplex auto
no cdp enable
crypto ipsec client ezvpn EZVPN_Client
There is no ip nat outside on the interface; however, I am told that the crypto ipsec client handles that automatically.
Thoughts?
11-05-2004 12:48 PM
You need to add ip nat outside to your ethernet1 interface for inbound NAT to work correctly.
Also why do you have your tcp adjust value so low?
Daniel
11-05-2004 01:21 PM
Apparently the Crypto client command automatically assumes that ip nat outside is entered (from what I was told). Even though I can enter the command and save it, it never survives a reboot (command removed).
Regarding your other question, I have my tcp adjust value set so low for supporting voice. We have hardware 7960 IP phones behind our 800 series routers.
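The two checks made by hand in this thread (does the outside interface carry ip nat outside, and does the inbound ACL permit every forwarded port) can be scripted against a saved running-config. The following is an added example, not part of the original posts; the function names are hypothetical, the sample config is constructed, and it assumes interface sub-commands are indented as show running-config prints them. The ACL check is deliberately narrow: it only recognises "permit tcp|udp any any eq/range" entries and does not evaluate earlier deny lines.

```python
import re

# Constructed sample, abbreviated from this thread's config; the 6890 forward is added to show an ACL gap.
SAMPLE = """\
ip nat inside source static tcp 192.168.10.7 50000 interface Ethernet1 50000
ip nat inside source static tcp 192.168.10.7 6881 interface Ethernet1 6881
ip nat inside source static tcp 192.168.10.7 6890 interface Ethernet1 6890
access-list 101 permit tcp any any range 6881 6889
access-list 101 permit tcp any any eq 50000
access-list 101 deny ip any any log
interface Ethernet1
 ip access-group 101 in
 ip inspect IOS_FW out
"""

NAT_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) interface (\S+) (\d+)$", re.M)
ACL_RE = re.compile(
    r"^access-list (\d+) permit (tcp|udp) any any (?:eq (\d+)|range (\d+) (\d+))$", re.M)

def interface_lines(config, name):
    """Return the sub-commands configured under 'interface <name>'."""
    lines, inside = [], False
    for raw in config.splitlines():
        if raw[:1] not in (" ", ""):      # unindented line starts a new top-level block
            inside = raw.strip() == f"interface {name}"
        elif inside:
            lines.append(raw.strip())
    return lines

def audit(config):
    """List problems that would stop the static port forwards from working."""
    findings, permits, checked = [], {}, set()
    for m in ACL_RE.finditer(config):     # collect permitted destination port ranges per ACL
        acl, proto, eq, lo, hi = m.groups()
        low, high = (int(eq), int(eq)) if eq else (int(lo), int(hi))
        permits.setdefault(acl, []).append((proto, low, high))
    for m in NAT_RE.finditer(config):
        proto, ifname, port = m.group(1, 4, 5)
        sub = interface_lines(config, ifname)
        if ifname not in checked and "ip nat outside" not in sub:
            findings.append(f"{ifname}: missing 'ip nat outside'")
        checked.add(ifname)
        for acl in re.findall(r"ip access-group (\d+) in", "\n".join(sub)):
            if not any(p == proto and a <= int(port) <= b for p, a, b in permits.get(acl, [])):
                findings.append(f"{ifname}: ACL {acl} has no permit for {proto}/{port}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Running it again after each reboot shows whether a saved ip nat outside line is still present in the configuration.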