Port Forwarding on a 831 w/CBAC

mlinsemier
Level 1

I am in a situation where I need to enable port forwarding on a Cisco 831 router to allow BitTorrent traffic to work. Currently, I have the following statements enabled; however, the traffic does not seem to be forwarded, because BitTorrent shows that it has no externally connected hosts.

Here is an example of my statements and access lists:

ip nat inside source static tcp 192.168.10.7 50000 interface Ethernet1 50000
ip nat inside source static tcp 192.168.10.7 3724 interface Ethernet1 3724
ip nat inside source static tcp 192.168.10.7 6112 interface Ethernet1 6112
ip nat inside source static tcp 192.168.10.7 6881 interface Ethernet1 6881
ip nat inside source static tcp 192.168.10.7 6882 interface Ethernet1 6882
ip nat inside source static tcp 192.168.10.7 6883 interface Ethernet1 6883
ip nat inside source static tcp 192.168.10.7 6884 interface Ethernet1 6884
ip nat inside source static tcp 192.168.10.7 6885 interface Ethernet1 6885
ip nat inside source static tcp 192.168.10.7 6886 interface Ethernet1 6886
ip nat inside source static tcp 192.168.10.7 6887 interface Ethernet1 6887
ip nat inside source static tcp 192.168.10.7 6888 interface Ethernet1 6888
ip nat inside source static tcp 192.168.10.7 6889 interface Ethernet1 6889

access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 permit udp any eq bootps any eq bootps
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 224.0.0.0 15.255.255.255 any
access-list 101 deny ip 240.0.0.0 15.255.255.255 any
access-list 101 deny ip 0.0.0.0 0.255.255.255 any
access-list 101 deny ip 169.254.0.0 0.0.255.255 any
access-list 101 deny ip 192.0.2.0 0.0.0.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any unreachable
access-list 101 permit udp any eq domain any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq 10000
access-list 101 permit gre any any
access-list 101 permit udp host 192.43.244.18 eq ntp any eq ntp
access-list 101 permit tcp X.X.X.X 0.0.0.63 any eq 22
access-list 101 permit tcp any any eq 3724
access-list 101 permit tcp any any eq 6112
access-list 101 permit tcp any any range 6881 6889
access-list 101 permit tcp any any eq 50000
access-list 101 deny ip any any log

... and finally my outside interface.

interface Ethernet1
 description **** Remote Office Internet Connection ****
 ip address dhcp client-id Ethernet1
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect IOS_FW out
 ip virtual-reassembly
 service-policy output Shape-384-Cable
 ip tcp adjust-mss 542
 no ip mroute-cache
 duplex auto
 no cdp enable
 crypto ipsec client ezvpn EZVPN_Client

There is no ip nat outside on the interface; however, I am told that the crypto ipsec client handles that automatically.

Thoughts?

2 Replies

dbellazetin
Level 4

You need to add ip nat outside to your ethernet1 interface for inbound NAT to work correctly.

Also, why do you have your TCP adjust value so low?

Daniel

Apparently, the crypto client command automatically assumes that ip nat outside is entered (from what I was told). Even though I can enter the command and save it, it never survives a reboot (the command is removed).

Regarding your other question, I have my TCP adjust value set so low to support voice. We have hardware 7960 IP phones behind our 800 series routers.
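As an added example (not part of this thread or of any Cisco tool), the following Python script parses the kind of configuration posted above and reports the two conditions discussed in the thread that prevent an inbound forward from working: a static NAT whose outside interface lacks `ip nat outside` (dbellazetin's point), and a forwarded port that the inbound access list never permits. The CONFIG excerpt is constructed from the posted lines, with a 6890 forward added so the second check has something to find; only `permit ... any any` entries are treated as admitting arbitrary peers.

```python
import re
# Constructed excerpt modelled on the posted 831 config; the 6890 forward is
# added here to show a port that the inbound ACL would drop (and log).
CONFIG = """\
ip nat inside source static tcp 192.168.10.7 50000 interface Ethernet1 50000
ip nat inside source static tcp 192.168.10.7 3724 interface Ethernet1 3724
ip nat inside source static tcp 192.168.10.7 6889 interface Ethernet1 6889
ip nat inside source static tcp 192.168.10.7 6890 interface Ethernet1 6890
access-list 101 permit tcp any any eq 3724
access-list 101 permit tcp any any range 6881 6889
access-list 101 permit tcp any any eq 50000
access-list 101 deny ip any any log
interface Ethernet1
 ip access-group 101 in
"""
NAT_RE = re.compile(r"ip nat inside source static (tcp|udp) (\S+) \d+ interface (\S+) (\d+)$")
ACL_RE = re.compile(r"access-list (\d+) permit (tcp|udp) any any (?:eq (\d+)|range (\d+) (\d+))$")

def parse(config):
    forwards, permits, intfs, cur = [], {}, {}, None
    for line in config.splitlines():
        if m := NAT_RE.match(line):            # static PAT entry -> (proto, inside ip, intf, outside port)
            proto, ip, ifname, port = m.groups()
            forwards.append((proto, ip, ifname, int(port)))
        elif m := ACL_RE.match(line):          # only 'any any' permits can admit arbitrary peers
            num, proto, eq, lo, hi = m.groups()
            lo, hi = (int(eq), int(eq)) if eq else (int(lo), int(hi))
            permits.setdefault(num, []).append((proto, lo, hi))
        elif line.startswith("interface "):
            cur = intfs.setdefault(line.split()[1], {"acl_in": None, "nat_outside": False})
        elif cur is not None and line.startswith(" "):   # interface sub-command
            if m := re.match(r" ip access-group (\d+) in$", line):
                cur["acl_in"] = m.group(1)
            elif line.strip() == "ip nat outside":
                cur["nat_outside"] = True
        else:
            cur = None                         # back at global configuration level
    return forwards, permits, intfs

def audit(config):
    """List reasons an inbound forward cannot work: no 'ip nat outside', or no ACL permit."""
    forwards, permits, intfs = parse(config)
    findings = []
    for ifname in sorted({f[2] for f in forwards}):
        if not intfs.get(ifname, {}).get("nat_outside"):
            findings.append(f"{ifname}: static NAT targets it but 'ip nat outside' is missing")
    for proto, ip, ifname, port in forwards:
        acl = intfs.get(ifname, {}).get("acl_in")
        if acl and not any(p == proto and lo <= port <= hi for p, lo, hi in permits.get(acl, [])):
            findings.append(f"{ifname}: ACL {acl} in has no permit for {proto}/{port} -> {ip}")
    return findings
```

Run `audit(CONFIG)` against the constructed excerpt and it reports the missing `ip nat outside` on Ethernet1 plus the unpermitted tcp/6890 forward; adding ` ip nat outside` under the interface clears the first finding.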