Port Forwarding

patpawlowski
Level 1

I come from the iptables world and I was looking for the IOS command to translate and forward ports from our external IP address to our internal machines. I realized that I need to use an access-list for basic firewalling, but I didn't see any provisions in there for forwarding the traffic. E.g. when someone points their browser at our external 197.133.33.194 they actually connect to port 80 on our internal machine 192.168.5.5, but if a mail server tries to connect to port 25 of 197.133.33.194 it gets forwarded to port 25 of 192.168.5.11. I looked at all the ip nat commands but didn't see anything that looked right.

Thanks for the help,

8 Replies

Try:

ip nat inside source static tcp 192.168.5.5 80 197.133.33.194 80

ip nat inside source static tcp 192.168.5.11 25 197.133.33.194 25

Hope this helps,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

I am also trying to forward one TCP port to a local PC. I added some lines to the access-lists and did the static routing as you suggested, but the router just ignores the changes.

Do we have to reboot after changes like this, or?

Can you elaborate on what you mean by the router ignores the changes. Once the configuration has been changed, you don't need to reboot it to take effect.

Thanks,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

I do:

- Enable

- Type password

- Open Interface to config

- Add changes

After I add the changes I do a "show config", but the changes are not there.

"show config" lists the content of the configuration in nvram. The current configuration is not saved in nvram until you do a "wr mem" or "copy running-config startup-config".

If you do a "show running-config" you should see the changes that you made. Don't forget to do a "copy running-config startup-config" to save the changes before you reload the router, otherwise you will lose your changes.

Hope this helps,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)

Thanks, I understand!

Now I can see my changes, but still the port is not forwarding as it should.

I added the following access list:

access-list 101 permit tcp any host 192.168.1.5 eq 9223

Then I added the following IP routing:

ip nat inside source static tcp 192.168.1.5 9223 1.2.3.4 9223

Where 1.2.3.4 is my public IP.

Still, external TCP socket connections to port 9223 are not working. I've tested the internal server 192.168.1.5 at port 9223, and it is working well in my local network!

My Cisco 800 Series G.SHDSL router is configured with the following interfaces:

Ethernet0

ATM0

Dialer1

Dialer1 having the following settings:

!
interface Dialer1
 ip address negotiated
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer remote-name redback
 dialer-group 1
 no cdp enable
 ppp authentication...
 ...
!

Thanks for any help!

I'm still very new to this, so I don't know how much help I can be, but I believe that you have to configure an access list as well. I don't think the connection will be allowed past the interfaces without explicit permission. I can't give you specifics because all my documentation is at work, but this might give you a place to start looking until someone else chimes in.

Your access-list has to specify the global address rather than the local address, as follows, because the access-list is checked before the address translation occurs:

access-list 101 permit tcp any host 1.2.3.4 eq 9223

Please refer to the following URL for the NAT order of operations:

http://www.cisco.com/warp/customer/556/5.html

Hope this helps,

Regards,
Harold Ritter, CCIE #4168 (EI, SP)
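Putting the two replies together (the static NAT entry from the first answer and the corrected ACL from the last one), here is the complete set of IOS configuration the thread describes, written out as an added example rather than text posted by anyone in the thread. It assumes Ethernet0 is the LAN interface with address 192.168.1.1/24 and that 1.2.3.4 stands in for the real public address, as in the poster's own message; the `interface Dialer1` form of the NAT statement and the `established` line are additions that the thread does not show.

```cisco
! Added example; not configuration posted in the thread.
! Assumed: LAN on Ethernet0 (192.168.1.1/24), WAN on Dialer1 with a
! negotiated address, 1.2.3.4 standing in for the real public IP.
!
! NAT only works if one interface is marked inside and one outside.
interface Ethernet0
 description LAN, private side of the translation
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer1
 description WAN, public side of the translation
 ip address negotiated
 ip nat outside
 ip access-group 101 in
!
! Static port forward: inside local 192.168.1.5:9223 <-> inside global 1.2.3.4:9223
ip nat inside source static tcp 192.168.1.5 9223 1.2.3.4 9223
!
! Because the Dialer1 address is negotiated, the global side can be tied to the
! interface instead of a fixed address (assumed alternative, use one or the other):
! ip nat inside source static tcp 192.168.1.5 9223 interface Dialer1 9223
!
! The inbound ACL on Dialer1 is evaluated BEFORE outside-to-inside translation,
! so it must match the global (public) address and port, not 192.168.1.5.
access-list 101 permit tcp any host 1.2.3.4 eq 9223
!
! Every ACL ends in an implicit deny. If LAN hosts also reach the Internet through
! this router (assumption), the replies to their outbound connections arrive on
! Dialer1 too and need a permit, otherwise ACL 101 drops them:
access-list 101 permit tcp any any established
```

To verify, use `show ip nat translations` (the static entry should appear whether or not traffic has flowed, and a connected client adds a dynamic entry beneath it), `show access-lists 101` (the hit counter on the permit line should increase when an outside host connects), and, briefly, `debug ip nat` to watch the translation happen. Remember that these checks inspect the running configuration; `copy running-config startup-config` is still needed for the change to survive a reload.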