How to setup Port Forwarding on 800 series router

wilder7bc
Level 1

Hi,

I just set up my homelab today, after having Cat5e installed so I can run my servers and network equipment over a wired network as well as setting up a wireless system. I got everything set up and it's going great; I can access everything from my office now, including an E4200 Linksys router that I set up to do RIP (was the only choice pretty much, or NAT), and my 891 Cisco router which is my internet connection.

I used to have the Linksys set up to do port forwarding, but now I need to figure out how to do it on the Cisco 891 router via the command line.

Below is my current configuration. I need to be able to access my server, which is behind my router, by Remote Desktop. I also have a web server, and the kids also play Minecraft and have a server set up, so I need to be able to forward their port as well.

I have been researching this for a few minutes now and found a bit of information such as what is found in this link http://forums.whirlpool.net.au/forum-replies.cfm?t=375059&r=5508028#r5508028

However was hoping someone could maybe give me an example I could use as a template.

This is from the link above. Would I just do it like that but put in my IPs, and is it my private IP I use for this or my public-facing one? Also he has "interface Dialer1 6881" again after the port in the second and third rows. I don't really understand what they have there. I understand basic access lists and such, though I am extremely rusty.

-----------
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.2 6881 interface Dialer1 6881
ip nat inside source static udp 10.0.0.2 6881 interface Dialer1 6881
!
-----------

------------------- MY CONFIG ON MY 891 BELOW---------------------------------

Router#show run
Router#show running-config
Building configuration...

Current configuration : 2234 bytes
!
! Last configuration change at 00:19:26 UTC Wed Jan 16 2013
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
enable secret 5
!
no aaa new-model
!
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip name-server x.x.x.x
no ipv6 cef
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
license udi pid CISCO891W-AGN-A-K9 sn FTX1423818V
!
!
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
!
interface FastEthernet5
no ip address
!
interface FastEthernet6
no ip address
!
interface FastEthernet7
no ip address
!
interface FastEthernet8
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
no ip address
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
no ip address
!
interface Vlan1
description This is the LAN facing interface of the router, used as gateway for PC
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Async1
no ip address
encapsulation slip
!
router rip
network 192.168.1.0
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet8
!
logging esm config
access-list 1 permit any
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin udptn ssh
line aux 0
line vty 0 4
password 7
login
transport input all
!
end

Router#

--------------------------------------------------------------------

Any help is welcome!

Respectfully,

Brian C.

Accepted Solution

Julio Carvajal
VIP Alumni

Hello my friend,

Let's say you want to access server 192.1.1.10 on port 3389 from the outside

ip nat inside source static tcp 192.168.1.10 3389 interface fastethernet8 3389

As simple as that (the real/private IP goes first, the public IP address goes after).

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
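Building on Julio's one-liner, here is a complete set of static port forwards for the three services Brian mentioned (RDP, web, Minecraft), written against the interface names in Brian's own running-config. This is an added example, not configuration from the thread; the inside host addresses 192.168.1.10/.20/.30 are assumptions, 3389 is the RDP port Julio used above, 80 is plain HTTP, and 25565 is the Minecraft Java Edition default (check the server's server.properties if it was changed).

```cisco
! Added example, not from the thread. Assumes three LAN hosts behind Vlan1;
! FastEthernet8 is the NAT outside interface from Brian's config.
configure terminal
 !
 ! RDP: outside tcp/3389 on the FastEthernet8 address -> 192.168.1.10:3389
 ip nat inside source static tcp 192.168.1.10 3389 interface FastEthernet8 3389
 !
 ! Web server: outside tcp/80 -> 192.168.1.20:80 (add a second line for 443
 ! the same way if the site serves HTTPS)
 ip nat inside source static tcp 192.168.1.20 80 interface FastEthernet8 80
 !
 ! Minecraft (Java Edition, TCP only): outside tcp/25565 -> 192.168.1.30:25565
 ip nat inside source static tcp 192.168.1.30 25565 interface FastEthernet8 25565
end
!
! Verification (privileged EXEC): the three static entries are listed at once,
! dynamic "overload" entries appear only while a LAN host is talking outside
show ip nat translations
show ip nat statistics
```

The existing `ip nat inside source list 1 interface FastEthernet8 overload` line stays; static and dynamic translations coexist on the same outside interface. Each forward exposes that service to every address on the internet, and nothing in this config filters inbound traffic on FastEthernet8, so the forwarded hosts need to stay patched and, for RDP in particular, an extended ACL applied inbound on FastEthernet8 that permits only known source addresses is the usual next step.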


14 Replies


Hi,

I am at work so cannot test yet. I will look up the ports used for RDP and Minecraft, I think those are the big ones; later I will add Xbox and start locking down my router. Not a lot on there that anyone would want to get at, but still, for best practices eventually I will only allow in what I want.

I thought I could access my router from the internet via SSH, or at least telnet, but it won't let me.

I can access the inside IP of 192.168.1.1 with Telnet without any problems. I am guessing that I need to set up something differently, maybe a NAT problem? Anyway I was hoping to work on this from work but I cannot log in to it.

ceracaza08
Level 1

Is your port forwarding working already? Were you able to establish internet connectivity?

Hi Cera,

The inside of my network works great; I can get out to the internet and everything connects great except for the port forwarding. I have not set that up yet.

I was going to do it from work, but my static IP on the router will not let me communicate with it via telnet or SSH. Not sure what is stopping me.

Before I installed the 891 Cisco router, when I had my E4200 Linksys connected to the internet side, I could get to everything. Obviously I had used the GUI on the Linksys to set up port forwarding, and I didn't use telnet on the Linksys, but I could access the static IP, so I know nothing on my ISP side is stopping it and I am pretty sure there is just a configuration change on the router that needs to be made so I can access my static IP on FastEthernet 8.

In fact I am willing to bet it's a NAT issue on the router as well. I created an ACL to let certain networks out of my router, and I probably need to do something similar to let things into the router, but I am so rusty on NAT and commands that I am having problems.

Hi,

I think you should change your access-list 1 for NAT:

no access-list 1

access-list 1 permit 192.168.1.0 0.0.0.255

For SSH you need to use user/pass for login, so either configure login local under line vty 0 4 or use AAA, but in both cases you will need to configure a local username with the username xxx secret xxxx command.

Then you'll need to generate your RSA key with the crypto key generate rsa modulus command; you'll need to configure a domain name first with the ip domain-name xxx command.

Regards.

Alain

Don't forget to rate helpful posts.
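Alain's three steps (local user, domain name, RSA key) put together as one vty configuration, with the management sources restricted the way ceracaza08 suggests later with an access-class. This is an added example, not configuration posted in the thread; the username admin, the secret, the domain homelab.example and the office address 203.0.113.10 are placeholders, and the two LAN subnets are the ones Brian describes. It only covers the login side; whether the FastEthernet8 address is reachable from outside at all is a separate NAT matter.

```cisco
! Added example, not from the thread. Placeholders: admin, the secret,
! homelab.example and 203.0.113.10 (the office address).
configure terminal
 ! hostname must be set before the key is generated; "Router" already is
 ip domain-name homelab.example
 crypto key generate rsa modulus 2048
 ip ssh version 2
 !
 ! local account for "login local"; "secret" stores it hashed, not type 7
 username admin privilege 15 secret ChangeMe-Long-Passphrase
 !
 ! only these sources may open a management session to the vty lines
 ip access-list standard MGMT-IN
  permit 203.0.113.10
  permit 192.168.1.0 0.0.0.255
  permit 192.168.2.0 0.0.0.255
 !
 line vty 0 4
  login local
  ! replaces "transport input all": telnet is no longer accepted
  transport input ssh
  access-class MGMT-IN in
  exec-timeout 10 0
end
!
! Verification (privileged EXEC)
show ip ssh
show users
```

`login local` with `transport input ssh` replaces the `password 7` / `login` / `transport input all` lines currently on `line vty 0 4`, so the reversible type 7 line password and clear-text telnet both go away. Keep the console session open until an SSH login from the office address succeeds, because a mistake in MGMT-IN locks out every remote source.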


Yup, I remembered that for SSH; well, the login part had slipped my mind, but I remembered setting up the crypto stuff. However, telnet should have worked, which means there is a deeper core issue such as NAT.

Also the reason I don't have:

access-list 1 permit 192.168.1.0 0.0.0.255

is because I have a second inside network, 192.168.2.0, that runs on my Linksys E4200 router for my wireless side but is connected to and communicates with the Cisco 891 router via RIP.

So since I could not remember how to make the list permit everything from 192.168.x.x, I saw an any command and just used that. If I used what you suggested I would block my 192.168.2.0 network. I know there is a better way, I just have not had time to research it as I am in kind of an emergency, fast time this week. I need the internet up and running but I don't have a ton of time to research, as I have a certification to study for, CIW Associate, and I have been trying to get down all the XHTML before my test on Saturday at 11:30am.

Hi Brian,

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 1 permit 192.168.2.0 0.0.0.255

Regards.

Alain

Don't forget to rate helpful posts.


Thanks Alain,

I figured out another way to go as well I went ahead and instead of doing two I did one like this:

access-list 1 permit 192.168.0.0 0.0.255.255

I tested it and it seems to have worked, as both networks can get to the internet.

I don't think there is any downside to this, is there?

ceracaza08
Level 1

Dear Brian,

Since you wanted to access your router from outside, do it piece by piece; then next would be port forwarding..

1. Were you able to ping your public IP from outside? I assume yes since it was working prior to your Cisco router

2. OK, try to make a dummy ACL (standard ACL) allowing IP any

3. Then have it assigned to your vty.

Then try to telnet to your public IP from outside..

Cera,

I am not able to ping my static IP. I ran a tracert and I got all the way to my ISP; looks like I hit 3 IPs on my ISP provider's network (looks like their DNS server IP), then it left there and went to what I think is my IP and it keeps timing out.

My router may be blocking ICMP? I don't know if I have ever pinged my static in the past; I think I could, but I never used telnet in the past, I always used Windows RDP.

ceracaza08
Level 1

Dear Brian,

Usually static IPs provided by your ISP don't have any restrictions, so you could ping it from anywhere unless you put some ACL on it. But you only have ACL 1, which permits ANY.

Ping is the initial step in tracing, and it's very hard to move forward once ping results in RTO and even traceroute wouldn't reach your target IP.

Where are you sourcing your ping? From outside, or are you just pinging it within your LAN?

Cera,

I am trying to ping from my work LAN, but I have reached my IP in the past when using the E4200 Linksys, though I had to choose a button to allow ICMP and turn off the firewall before it worked.

I can ping my default gateway for the network the ISP assigned me, x.x.x.129.

I cannot ping my internet-side static IP though, which is x.x.x.154.

Also I have an ACL to permit any, but that's to the outside from the inside. Not the reverse.

I seem to remember that if you do not specify, it automatically blocks everything. Though that cannot be completely true, as it's allowing me to get to the internet, but maybe it's one of those types where if you start the connection to, say, an internet host, it lets the replies come back in but will block anything coming strictly from the internet.

It's been a while since I studied that, so I may be confusing a few different types of NAT.

I don't have any NAT set up that I am aware of that lets things in from the outside to the inside, only the reverse.

I think I found the issue. I was reading a post from another website and the person said the following:

"

Thanks, it wasn't that (I did try that), but I just worked out what it was.

The NAT access-list (101) is NAT'ing everything (any/any) – that would also be NAT'ing my telnet reply packets I think, so the replies would be coming back on a different port than what my telnet client expects.

So I fixed it by changing the access-list to only NAT the LAN subnet:

access-list 101 permit ip 10.2.0.0 0.0.0.255 any

Can now telnet from WAN side fine. Well, I did this on my test router, now need to visit the site tomorrow and apply those changes because I can't get to it remotely "

This makes sense because when we NAT out it creates a two-way process, so I am betting when I take the advice above and change my access-list to be more specific it may resolve the problem. It sounds a bit like what was listed above, but I will go home and test on lunch to be sure!
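The change the quoted post describes, applied to Brian's 891: the NAT source list is narrowed from `permit any` to the LAN subnets only, in both the two-line form Alain gave and the single summary line Brian settled on. This is an added example, not configuration from the thread; it uses only the subnets and interface already in Brian's config.

```cisco
! Added example, not from the thread. Narrows the source list behind
! "ip nat inside source list 1 interface FastEthernet8 overload".
configure terminal
 ! IOS appends to a numbered ACL, so remove the old "permit any" first.
 ! Outbound NAT is briefly without a list until the new lines are entered.
 no access-list 1
 !
 ! Form 1 (Alain): one line per LAN subnet, nothing else matches
 access-list 1 permit 192.168.1.0 0.0.0.255
 access-list 1 permit 192.168.2.0 0.0.0.255
 !
 ! Form 2 (Brian): one summary line. Same effect for these two subnets; the
 ! only difference is that any other 192.168.x.x source that ever shows up
 ! behind Vlan1 would also be translated.
 ! access-list 1 permit 192.168.0.0 0.0.255.255
end
!
! Existing translations were built under the old list; flush them so the
! new list is applied to fresh traffic, then watch the per-line hit counters
clear ip nat translation *
show access-lists 1
show ip nat translations
```

Pick one form, not both. The hit counters from `show access-lists 1` should climb only when LAN hosts go out; an inbound telnet or SSH session to the FastEthernet8 address should no longer create a translation entry, which is the behaviour Brian confirms in his next reply.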

OK, that was indeed the fix for being able to telnet in and SSH in. I have that all set up now and can now reach my router and network from the office.

Also, in regards to the original question in this thread, Julio's code worked perfectly and that issue is resolved now.

I would like to thank everyone that participated in the discussion and with helping as this got my home network up and running and also allowed me to broaden my understanding.

Respectfully,

Brian C.