Re: I can't belive that nobody knows how to do this on Cisco IOS - Page 3

olafmarcos · ‎07-12-2007

I've been looking for a solution to forward a port range for months, and I haven't any solution yet.

I am CCNA Certified and CCNP cursed. I've asked to my teachers, in conferences and my isp support. Nobody knows how to do it.

A common task like this, that in every router is so trivial, why is so dificult in Cisco? Is it possible?

Thanks in advance to everybody.

Olaf

olafmarcos · ‎07-13-2007

Hi Wilson,

Yes, I want to PAT inside to outside traffic and forward port range from outside to inside server.

This can be done with "any" router that isp gives you "free". Why can't do it with a specialized and professional router like Cisco 878?

If to do a simple port forwarding I need to buy a PIX FW, i have the impression that something is in the wrong way by Cisco.

Do you mean what I say?

Regards,

Olaf

olafmarcos · ‎07-15-2007

Does anybody know how to force the source ip address of the router when it is accessing internet?

Here is my problem. When router is pinging, the source ip address is the ip of the interface which is nearer the destination. In my case, the public ip.

I need to force that the source ip will be the internal ip (interface vlan1 - 192.168.1.1).

Any advices?

Thanks in advance,

Olaf

dschuckman · ‎07-16-2007

Olaf,

I know this is not the best resolution but if you stick with the following configuration I think it will work:

ip nat inside source static udp 192.168.99.1 53 interface FastEthernet0/0 53

ip nat inside source static 192.168.99.4 interface FastEthernet0/0

This will allow your router to do dns lookups for all the internal devices. Create the ACL's that you need to protect all remaining ports for the source static 192.168.99.4.

Obviously you will not beable to do all the testing from the inside interface of the router but it is at least a temporary solution.

Rate if this helps.

Thanks,

David

olafmarcos · ‎07-17-2007

Hi David,

I put

ip nat inside source static udp 192.168.1.1 53 interface Dialer1 53

But NAT is doing this

Pro Inside global Inside local Outside local Outside global

udp PublicIP:50076 192.168.99.4:50076 212.145.4.97:53 212.145.4.97:53

So requests are not correctly natted.

With that configuration you mapped requests from external to udp 53 to 192.168.1.1

I see that this hasn't any solution.

It seems incredible.

Thanks and best regards,

Olaf

dschuckman · ‎07-17-2007

Shouldn't it have been:

ip nat inside source static udp 192.168.99.1 53 interface dialer1 53?

You need that inside source IP to be the ip of the internal interface of your router. That will allow the router to receive dns queiries. You may have to flush all nat translations before this change will take affect.

olafmarcos · ‎07-17-2007

Hi David,

I mistyped the ip nat statement in the forum. The rule is ok.

ip nat inside source static 192.168.99.4 interface Dialer1

ip nat inside source static udp 192.168.99.1 53 interface Dialer1 53

But clearing nat entries and doing ping to whatever domain,

Pro Inside global Inside local Outside local Outside global

udp PublicIP:53 192.168.99.1:53 --- ---

udp PublicIP:54328 192.168.99.4:54328 212.145.4.97:53 212.145.4.97:53

udp PublicIP:56878 192.168.99.4:56878 212.145.4.98:53 212.145.4.98:53

--- PublicIP 192.168.99.4 --- ---

The problem is the source port of queries are mapped with high localports "udp PublicIP:54328" and obviously the ip nat source static entry is mapped to receive dns queries, but router is doing queries, not receiving. Is it clear now?

Best regards,

Olaf

I can't belive that nobody knows how to do this on Cisco IOS?