Solved: port forwarding

roncro · ‎04-16-2020

Hello,

I posted this, as a reply to an old post, but probably was in the wrong place

I would want to forward an "incoming request" from the "outside", public IP, to a specific port on a specific host in a private network, the "inside".

I am trying to set up and play with a Cisco 2921, older I know, but still.

I used to use older, small business routers, and basically what you'd have there is a "port Forwarding Table" (for example on a Cisco RV320). Of course the added complication is that the public IP is not static, and can change.

So instead of something like (which I found in the old post):

ip nat inside source static tcp 1.2.3.4 80 10.20.30.40 80 (assuming 1.2.3.4 80 is the private network IP) I would like to "connect" that to the incoming interface.

Let's assume that gi0/0 is connected to a cable modem "the internet"

I would want something like (and probably have this totally wrong):

ip nat inside source static tcp 1.2.3.4 80 gi0/0 80

But what I want is that if "something" comes in on port 80 on/through gi0/0 directed at my public IP (that is dynamic and can change) it gets forwarded to 192.168.x.y port 80 for example regardless of what the public/outside IP is.

Hope this is not too convoluted/vague.

thanks,

Ron

roncro · ‎04-16-2020

I have no idea what NVI NAT is, but will look into that.

I actually used: ip route 0.0.0.0 0.0.0.0 ethernet0/0

for my default route, so again it would send "unknown traffic" to the interface, instead of the IP associated with it.

(I did see a warning that about latency, in case the interface is not associated with just one IP addr)

In the docs I saw emphasized that the preferred name for a default route, on a Cisco router is "... of last resort"

, but what's in aname .. right?

thanks, I'll use the "accept as solution" button.

Ron

View solution in original post

roncro · ‎04-16-2020

I just found a post with something like this:

ip nat source static tcp 192.168.1.98 80 interface GigabitEthernet0/0 80

Does this mean what I think it means?; anything tcp coming in over port 80 on gi0/0 will be forwarded to host 192.168.1.98 port 80 ?

thanks,

Ron

Martin L · ‎04-16-2020

Yes, ip nat source static tcp <IP add ><port #> Interface or IP add <>port <<should work fine. if u have static IP on outgoing interface, use IP; otherwise use interface x/y. I think this is called NVI NAT.
you also need interface-level commands but not ip nat in|out ; let me check on details. Use ip nat enable on interfaces.

Regards, ML
**Please Rate All Helpful Responses **

roncro · ‎04-16-2020

well, I have an IP on the interface, but I get that with dhcp (ip address dhcp), which get's it's IP from the modem (and of course dns etc etc).

So knowing that the IP it gets from the modem/ISP and is due to change, I would want to refer to the interfaceinstead of the interface's IP addr.

I already have the nat inside/outside interface-level things set up. I can actuall ping www.google.com for example, which means dns etc etc (getting the name servers from ISP) seems to work too. (Although I want to have a local "dns table" too, 'a la' dnsmasq. I noticed in Cisco docs that you can make a local address table even add some more dns servers and use overload to 'combine' that with what you get back from the ISP. (still have to implement that).

So the router connected to the modem seems to work, and I can generate traffic, but want a few ports on the public side mapped to a host on the private part (like ssh, http, https)

Also, isn't it funny that one usualy finds a mostly correct answer right after posting the question... ?)

Ron

Martin L · ‎04-16-2020

Yes, you can find here lots of info and configs;
nat inside/outside is traditional NAT but see if your IOS takes ip nat enable under interface to see if u can do NVI NAT; not all version do NVI.

If your Public IP (outside) changes, you may need to add keyword dhcp to ip route 0.0.0.0 0.0.0.0 so that you have default route via ISP.

roncro · ‎04-16-2020