11-15-2010 04:40 PM - edited 03-04-2019 10:28 AM
Hi,
I am trying to set up port forwarding on my router so it will point to my web/ftp/mail servers on my network. I have a dynamic IP on the outside of my network and a static on the inside of my router.
FastEthernet 0/0
ip address dhcp
ip nat outside
FastEthernet 0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
I am trying to point the Internet users to my ports 80, 21, 25 and cannot find resources online to show how to set the external IP to DHCP and internal to static. I can only find how to statically set the internal and external IP addresses for NAT. I already have my NAT set up and access lists set up for my internal hosts to reach the Internet but cannot find out how to allow the Internet users to reach my internal hosts. I am using IOS 12.4, please let me know if you need a copy of my config.
11-15-2010 04:52 PM
scott.mikus wrote:
Hi,
I am trying to set up port forwarding on my router so it will point to my web/ftp/mail servers on my network. I have a dynamic IP on the outside of my network and a static on the inside of my router.
FastEthernet 0/0
ip address dhcp
ip nat outside
FastEthernet 0/1
ip address 192.168.0.1 255.255.255.0
ip nat inside
I am trying to point the Internet users to my ports 80, 21, 25 and cannot find resources online to show how to set the external IP to DHCP and internal to static. I can only find how to statically set the internal and external IP addresses for NAT. I already have my NAT set up and access lists set up for my internal hosts to reach the Internet but cannot find out how to allow the Internet users to reach my internal hosts. I am using IOS 12.4, please let me know if you need a copy of my config.
Scott
ip nat inside source static tcp 
ip nat inside source static tcp 
Jon
11-15-2010 04:55 PM
Thank you Jon, I will try this as soon as I get home. Where in my config will this fall? Under Config Terminal, not within an interface, just inside config?
11-16-2010 01:57 AM
Scott
Under global config mode, i.e. not under an interface.
Jon
11-16-2010 08:26 AM
Jon,
I have added the two strings to my config and I still cannot access it from the outside. I cannot access my router or anything within my network. I am using PIX on the router. I used to be able to put in my URL and access the GUI for my router, and now my web browser just says the page cannot be displayed. I have disabled the http server and enabled the https server, but no luck. Any input would be appreciated.
Scott
11-16-2010 08:30 AM
scott.mikus wrote:
Jon,
I have added the two strings to my config and I still cannot access it from the outside. I cannot access my router or anything within my network. I am using PIX on the router. I used to be able to put in my URL and access the GUI for my router, and now my web browser just says the page cannot be displayed. I have disabled the http server and enabled the https server, but no luck. Any input would be appreciated.
Scott
Scott
What do you mean by "I am using PIX on the router"? A PIX is a separate firewall device; you can't use PIX on a router.
Jon
11-16-2010 08:53 AM
Jon
I am using the firewall built into my router. I thought it was PIX but I must have misread the documentation online.
Scott
11-16-2010 09:07 AM
Scott
Have you allowed that incoming traffic in your firewall config then?
Jon
11-16-2010 09:16 AM
Jon
TCP/UDP any any is allowed, but I am not sure if I have done it correctly.
Scott
11-16-2010 09:25 AM
Jon
Here is my config:
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$HveF$I8FUKsLRU0qQGkSExhRs2.
enable password XXXXX
!
no aaa new-model
clock timezone CST -6
clock summer-time CDT recurring
ip cef
!
!
!
!
no ip domain lookup
ip name-server 192.168.0.250
ip inspect name cbac tcp
ip inspect name cbac udp
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-114386441
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-114386441
 revocation-check none
 rsakeypair TP-self-signed-114386441
!
!
crypto pki certificate chain TP-self-signed-114386441
 certificate self-signed 01
  quit
!
!
username smikus privilege 15 password 0 XXXXXX
username bgauntt privilege 15 password 0 XXXXXX
!
!
!
!
!
!
interface FastEthernet0/0
 description WAN
 ip address dhcp
 ip access-group cbac in
 ip nat outside
 ip inspect cbac out
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 no shutdown
!
interface FastEthernet0/1
 description LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 no shutdown
!
!
!
no ip http server
no ip http secure-server
ip nat source list natacl interface FastEthernet0/0
ip nat inside source static tcp 192.168.0.250 80 interface fa0/0 80
ip nat inside source list natacl interface FastEthernet0/0 overload
!
ip access-list extended cbac
 permit udp any eq bootps any eq bootpc
 permit gre any any
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
ip access-list extended natacl
 permit ip 192.168.0.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
line con 0
 exec-timeout 0 0
 login local
line aux 0
line vty 0 4
 password Tech1710
 login local
line vty 5 15
 login local
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
ntp clock-period 17179033
ntp server 192.43.244.18 key 0 prefer
end
Scott
11-16-2010 09:42 AM
Scott
Add this to your cbac access-list and retest -
permit tcp any any eq www
Jon
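A check for the gap Jon points out above, as an added example that is not part of the original thread: it reads an IOS config, finds each static TCP port-forward, and reports the ones whose outside interface has an inbound ACL with no matching permit. The function names are hypothetical, the sample is constructed from lines of the posted config, and ACL matching is simplified to `eq` port matches with deny entries and destination addresses ignored.

```python
import re

PORT_NAMES = {"www": 80, "smtp": 25, "ftp": 21}  # IOS keywords for the ports in this thread
ADDR = r"(?:any|host \S+|\S+ \S+)"               # "any" | "host A" | "A wildcard"
ACE = re.compile(rf"permit (?:tcp|ip) {ADDR}(?: eq \S+)? {ADDR}(?: eq (\S+))?")
# Constructed sample built from lines of the config posted in the thread.
SAMPLE = """interface FastEthernet0/0
 ip access-group cbac in
ip nat inside source static tcp 192.168.0.250 80 interface fa0/0 80
ip access-list extended cbac
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
"""

def norm_if(name):  # "FastEthernet0/0", "FastEthernet 0/0" and "fa0/0" all become "fa0/0"
    return re.sub(r"^([a-z]{2})[a-z]*\s*", r"\1", name.strip().lower())

def parse(config):
    forwards, inbound, acls, iface, acl = [], {}, {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw[:1] != " ":                      # a top-level line leaves any sub-mode
            iface = acl = None
            if m := re.match(r"interface (.+)", line):
                iface = norm_if(m[1])
            elif m := re.match(r"ip access-list extended (\S+)", line):
                acls[(acl := m[1])] = []
            elif m := re.match(r"ip nat inside source static tcp \S+ \d+ interface (\S+) (\d+)", line):
                forwards.append((norm_if(m[1]), int(m[2])))   # (outside interface, global port)
        elif iface and (m := re.match(r"ip access-group (\S+) in", line)):
            inbound[iface] = m[1]
        elif acl:
            acls[acl].append(line)
    return forwards, inbound, acls

def permits_tcp(entry, port):
    # Entries using operators other than "eq" do not match and count as not permitting.
    m = ACE.fullmatch(entry)
    if not m:
        return False
    return m[1] is None or PORT_NAMES.get(m[1], int(m[1]) if m[1].isdigit() else -1) == port

def blocked_forwards(config):  # forwards with an inbound ACL that has no matching permit
    forwards, inbound, acls = parse(config)
    return [(i, p, inbound[i]) for i, p in forwards if i in inbound
            and not any(permits_tcp(e, p) for e in acls.get(inbound[i], []))]

if __name__ == "__main__":
    print(blocked_forwards(SAMPLE))
```
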
11-16-2010 09:56 AM
Jon
Thank you, I will try it and get right back to you.
Scott