Help with 1700 series router

bzaayer299
Level 1

Hi all,

I am a novice and I need some help. I have a 1700 router and I need to know what commands to give the router to point an external IP address to an internal IP address. We already have 3 external IP addresses pointing to 3 internal IP addresses. I need to point xxx.xxx.xxx.xxx to 192.168.1.252. I have no idea how to do this, and when I have finished inputting the commands into the router I do not know how to save the new configuration. Please help. My boss needs me to get this working! Please be as detailed as possible. I appreciate the help. You will be saving my butt.

Brian

3 Replies

Hello Brian,

Since you say you already have three external IP addresses pointing to three internal IP addresses, chances are that there is some sort of NAT configured on your router.

Check for lines like 'ip nat inside source' or 'ip nat outside'. The new mapping most likely is similar to the already existing ones.

If you cannot get this to work, can you post the configuration of your router?

Regards,

GP

I'm sorry, I was mistaken. The NAT is being done with our PIX box. How do I add the forwarding of 65.170.13.91 to 192.168.1.252 allowing only port 25 through? Below is my PIX config:

PIX Version 5.1(2)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxxx

passwd xxxx

hostname const1pix

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol smtp 25

fixup protocol sqlnet 1521

names

pager lines 24

logging on

no logging timestamp

no logging standby

no logging console

no logging monitor

no logging buffered

no logging trap

no logging history

logging facility 20

logging queue 512

interface ethernet0 auto

interface ethernet1 auto

mtu outside 1500

mtu inside 1500

ip address outside 65.x.x.x.255.255.248

ip address inside 192.168.1.1 255.255.255.0

arp timeout 14400

global (outside) 1 65.x.x.90

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) 65.170.x.x.x.1.254 netmask 255.255.255.255 0 0

static (inside,outside) 65.x.x.x.168.1.168 netmask 255.255.255.255 0 0

conduit permit icmp any any

conduit permit tcp host 65.170.13.91 eq smtp any

conduit permit tcp host 65.170.13.91 eq pop3 any

conduit permit tcp host 65.170.13.91 eq www any

conduit permit tcp host 65.170.13.92 eq 1494 any

conduit permit tcp host 65.170.13.91 eq ftp any

route outside 0.0.0.0 0.0.0.0 65.170.13.94 1

timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00

timeout rpc 0:10:00 h323 0:05:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

no snmp-server location

no snmp-server contact

snmp-server community grevnoc

no snmp-server enable traps

floodguard enable

isakmp identity hostname

telnet 192.168.1.0 255.255.255.0 inside

telnet timeout 5

terminal width 80

Cryptochecksum:xxxx

Thanks,

Brian

Brian,

Your PIX configuration shows that you are currently forwarding 65.170.13.91 to 192.168.1.254, and that you are allowing TCP ports 25 (SMTP), 110 (POP3), 80 (HTTP or WWW), and 21 (FTP).

If you want to change the inside IP address to 192.168.1.252, and restrict the allowed ports to TCP port 25 (SMTP) only, then enter the following commands in config mode:

no conduit permit tcp host 65.170.13.91 eq pop3 any

no conduit permit tcp host 65.170.13.91 eq www any

no conduit permit tcp host 65.170.13.91 eq ftp any

no static (inside,outside) 65.170.13.91 192.168.1.254 netmask 255.255.255.255 0 0

static (inside,outside) 65.170.13.91 192.168.1.252 netmask 255.255.255.255 0 0

Don't forget to exit config mode and "write memory" to save the changes.

Hope this helps.
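
An added example, not part of the original thread: a short Python check that applies the reply's five commands to a constructed copy of the 65.170.13.91 `static` and `conduit` lines and reports what the outside address maps to and which ports it permits, before and after. The function names and the `apply_commands` model (a `no` line removes the identical line, any other line is appended) are assumptions for illustration, not a full model of the PIX.

```python
import re

STATIC_RE = re.compile(r"^static \(\w+,\w+\) (\S+) (\S+) netmask \S+")
CONDUIT_RE = re.compile(r"^conduit permit (tcp|udp) host (\S+) eq (\S+) any$")

def apply_commands(config, commands):
    """Simplified config mode: 'no X' removes line X, other lines are added."""
    result = list(config)
    for cmd in commands:
        if cmd.startswith("no "):
            if cmd[3:] in result:
                result.remove(cmd[3:])
        elif cmd not in result:
            result.append(cmd)
    return result

def exposure(config):
    """Return {outside_ip: (inside_ip, [proto/port, ...])} for each static."""
    statics, ports = {}, {}
    for line in config:
        s, c = STATIC_RE.match(line), CONDUIT_RE.match(line)
        if s:
            statics[s.group(1)] = s.group(2)
        elif c:
            ports.setdefault(c.group(2), set()).add(f"{c.group(1)}/{c.group(3)}")
    return {g: (l, sorted(ports.get(g, ()))) for g, l in statics.items()}

# Constructed sample: the 65.170.13.91 lines as the reply describes them.
BEFORE = [
    "static (inside,outside) 65.170.13.91 192.168.1.254 netmask 255.255.255.255 0 0",
    "conduit permit tcp host 65.170.13.91 eq smtp any",
    "conduit permit tcp host 65.170.13.91 eq pop3 any",
    "conduit permit tcp host 65.170.13.91 eq www any",
    "conduit permit tcp host 65.170.13.91 eq ftp any",
]
# The five commands from the reply, in the order given.
CHANGES = [
    "no conduit permit tcp host 65.170.13.91 eq pop3 any",
    "no conduit permit tcp host 65.170.13.91 eq www any",
    "no conduit permit tcp host 65.170.13.91 eq ftp any",
    "no static (inside,outside) 65.170.13.91 192.168.1.254 netmask 255.255.255.255 0 0",
    "static (inside,outside) 65.170.13.91 192.168.1.252 netmask 255.255.255.255 0 0",
]
AFTER = apply_commands(BEFORE, CHANGES)

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        for outside, (inside, allowed) in exposure(cfg).items():
            print(f"{label}: {outside} -> {inside} allows {', '.join(allowed)}")
```

On the device, `show static` and `show conduit` list the lines this check reads, and PIX documentation calls for `clear xlate` after a `static` is changed or removed.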
