Forwarding a Port to a LAN Machine

WeidmannsHeil
Level 1

Hi,

I have a 1711 router with IOS v. 12.3, and I need to place a web server in the same LAN where users' PCs are connected to the internet and forward the ports 80 and 1433 from internet to the web server (address 192.168.1.177).

FastEthernet0 has an address 99.99.99.99 and is connected to the internet. FastEthernet1 is tied to vlan10 and has an address 192.168.1.1. It is connected to the LAN.

I have this NAT configuration for the LAN PCs to access the internet, and it works ok:

access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool overld1 99.99.99.99 99.99.99.99 prefix-length 24
ip nat inside source list 1 pool overld1 overload
ip route 0.0.0.0 0.0.0.0 99.99.99.1

This is how I tried to forward port 80 but it had no effect:

ip nat inside source static tcp 192.168.1.177 80 79.132.95.228 80 extendable

I read somewhere that when there are access lists, they should include the port to forward. I tried to do that but either my syntax was wrong or I still don't understand how it works.

So, how do I forward a port to a LAN machine when there are already other user PCs in the same LAN using an internet connection?

Thanks in advance.

5 Replies

Hi,

The syntax for the command is correct:

ip nat inside source static tcp 192.168.1.177 80 79.132.95.228 80 extendable

This means that all traffic that comes on port 80 to IP 79.132.95.228 is going to be forwarded to the internal IP 192.168.1.177

My question is:

Is this public IP 79.132.95.228 part of your public IP address space?

I ask you this because I see the public NAT range is a total different one.

So, the syntax is correct, and if you try from a computer on the Internet to telnet 79.132.95.228 80, assuming your router knows how to handle this IP.

The only other thing is to make sure that if there's an ACL applied to the interfaces on the router, it should allow the traffic to pass through.

Federico.

Thank you, Federico, for the reply.

Yes, the address beginning with 79 is the actual address...

I just wanted to replace it with 99 everywhere for reasons of security but failed to in one place.

As concerns the ACL, that's exactly the part I wanted to ask you. I only have what I posted here and I don't know how to extend the ACL (or add another?) so that it not only permits all hosts in the LAN to access internet but also permits all hosts from internet access 192.168.1.177 on port 80. A NAT statement for it alone doesn't work. Somehow the existing ACL interferes with it.

You only need an ACL, if you already have an ACL applied to the outside interface of the Router.

If there's no ACL, by default the router permits all traffic through it.

What is the result from doing the following from the command prompt:

telnet 79.132.95.228 80

If it does not work and there's no ACL applied to the outside interface, as a test do the following:

access-list 199 permit tcp any host 79.132.95.228 eq 80

access-list 199 permit ip any any

interface outside

ip access-group 199 in

Then check the hit counts, doing a "sh access-list 199" to make sure the hit counts on the first line are incrementing...

This will let us know if the traffic is indeed reaching the router.

Federico.

1. telnet seems to work: it blanks the screen and does not complain about anything. But I cannot actually browse the web page at the server I connected to the inside address.

2. The ACL that refers to 99... address is the actual ACL I have but it's for LAN PCs connecting to the internet.

3. I tried what you suggested as the test. I could enter:

access-list 199 permit tcp any host 79.132.95.228 eq 80

access-list 199 permit ip any any

But:

interface outside

ip access-group 199 in

was rejected as incorrect syntax. And nothing really changed.

Ok, I found a confirmation that static and dynamic NATs really have to work simultaneously, i.e., I can use an ACL and a static NAT simultaneously, and I don't have to change anything to the ACL:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080093f31.shtml

So I checked once more all the cables, walked through the configuration, removed anything that I did not need, and now it works. Thank you, Federico, for the support.
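For reference, the complete set of IOS commands the thread converges on, as an added example rather than the configuration either participant posted: the existing overload NAT, the static port forward for the web server, the inside/outside interface designations a static entry cannot work without, and Federico's hit-count ACL applied to the real outside interface name ("interface outside" is not IOS syntax, which is why it was rejected; FastEthernet0 is). It keeps the masked 99.99.99.99 public address the original poster intended to use throughout, and assumes the 1711's LAN routed interface is the SVI Vlan10 (the question says FastEthernet1 is tied to vlan10) with /24 masks on both sides.

```cisco
! Existing dynamic NAT from the question: LAN -> Internet via the one public address
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat pool overld1 99.99.99.99 99.99.99.99 prefix-length 24
ip nat inside source list 1 pool overld1 overload
ip route 0.0.0.0 0.0.0.0 99.99.99.1
!
! Static port forward: TCP/80 arriving at the public address -> 192.168.1.177:80.
! The overload entry and this static entry coexist (the Cisco note linked above);
! ACL 1 only selects which inside sources are translated outbound and needs no change.
! Each further port (the question also mentions 1433) needs its own static line.
ip nat inside source static tcp 192.168.1.177 80 99.99.99.99 80 extendable
!
! NAT does nothing until each interface is marked inside or outside.
! Assumption: the LAN routed interface is Vlan10 (FastEthernet1 is a switch port
! on the 1711); subnet masks are assumed, not given in the thread.
interface FastEthernet0
 ip address 99.99.99.99 255.255.255.0
 ip nat outside
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
! Federico's hit-count test, with the real interface name. The trailing
! "permit ip any any" keeps the ACL from blocking anything; it exists only so the
! first line's counter shows whether TCP/80 reaches the router at all.
access-list 199 permit tcp any host 99.99.99.99 eq 80
access-list 199 permit ip any any
interface FastEthernet0
 ip access-group 199 in
!
! Verify from an outside host with "telnet 99.99.99.99 80", then on the router:
!   show access-lists 199        <- match count on the first line should increment
!   show ip nat translations     <- the static entry is always listed; after the
!                                   telnet an extended entry with the outside
!                                   host's address appears as well
! Remove the test ACL once finished:
!   interface FastEthernet0
!    no ip access-group 199 in
!   no access-list 199
```

If the counter increments but the translation table never shows the outside host, the packet is reaching the router but the interface designations are the first thing to recheck.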