cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1846
Views
0
Helpful
17
Replies

Port Forwarding inbound question - advice please

neilmac
Beginner
Beginner

Hi folks.

I have what I think must be a simple config request, I am sure someone can solve this in no time.

I have a non-cisco router with a public WAN address. This is conencted to a 3750 switch internally. The switch is the default gateway for all VLANs, and the gateway router has static routes back to the 3750. The Router provides NAT, no NAT is done on the switch.

My requirement is to port forward port 29 000 so that I can access a server on VLAN4 via this port.

So, I have:

Router: Port 29000 map to 192.168.4.1 (Switch VLAN4 address)

The question is, how do I route port 29000 from the 3750 to the server on 192.168.4.42 ?

I have the following relevant details:

interface Vlan4

ip address 192.168.4.1 255.255.255.0

ip access-group 104 in

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.4.1 eq telnet

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.4.1 eq www

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.8.1 eq www

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.8.10 eq www

access-list 104 permit ip any any

So, I want to add a line something like

ip source static tcp 192.168.4.42 29000

However I don't know the syntax well enough.

Please would you advise me on what exactly I should add in order to port forward port 29000 incoming form my router, to my server on 192.168.4.42.

Many thanks in advance,

NM

3 ACCEPTED SOLUTIONS

Accepted Solutions

Hi NM

as you have permitted all traffic other than the subnets of inside network. on switch wise u dont need to do anything.

permit IP any any

check on the router side as suggested by naidu. NAT/PAT prob.

View solution in original post

Hi NM,

It is nothing to do with internal or between vlans as you want the server needs to be accessible from internet on the port 29000. So the way is NAT.

You said in your first post that "The Router provides NAT" what is that router model. Check if you can do NAT on that.

And for your information your 3750 switch which is gateway for your all VLAN's doesnt support NAT.


Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

Hi,

Yes it will be like that.
You have a default route 0.0.0.0 0.0.0.0 non-cisco-router-wanIP right?

If the router support NAT then why cant you check if you can configure NAT for this requirement.
What is that router model?


Please rate the helpfull posts.
Regards,
Naidu.

View solution in original post

17 REPLIES 17

Latchum Naidu
Engager
Engager

Hi,

What do you mean exactly "port 29000 from the 3750 to the server on 192.168.4.42"
Do you want accept the request from other networks to 192.168.4.42 on port 2900?


Please rate the helpfull posts.
Regards,
Naidu.

I have a device out here on the internet that needs to access my internal server, 192.168.4.42, on port 29000.

192.168.4.42 runs a monitoring program I need to be able to connect to from the WAN.

So,

Incoming traffic on port 29000 from my client pc out here in the remote office: http://WAN_IP:29000

    I

     I

    V

WAN with public IP address

NON Cisco Router - incoming traffic UDP port 29000 is forwarded to 192.168.4.1

LAN

      I

     I

    V

Cisco 3570, gateway for all VLANS, NON NAT Router.

INT VLAN 4 192.168.4.1

     I

     I

    V

Server 192.168.4.42 listening on port 29000

Should be easy ?

NM

Hi,

You cleared us now what you are going to achieve.
In that case you need to configure a static NAT with a specific public IP on your router to do this port forwarding from internet to your internal server.

If the router is Cisco then the static nat should configure like below...

ip nat inside source static tcp 192.168.4.42 29000 public_ip 29000 extendable


Please rate the helpfull posts.
Regards,
Naidu.

Hi NM

As the switch is doing intervaln routing

if you want to access the server from one vlanX to vlan4 .

just give  destination ip  with port number inside the interface vlan 4.

ex:

access-list 101 permit tcp 192.168.4.0 0.0.0.255 host eq 29000

If u have the access list at destination subnet interface vlan X.

give a permi rule to reach vlan 4 of host 192.168.4.42 on port 29000

please rate the helpful posts

regards

sreek

Srikanth,

He want the server accessble from internet on the required port which is possible with NAT/PAT.
Please read carefully the original post for better understand


Please rate the helpfull posts.
Regards,
Naidu.

Yeah, but the router is NOT Cisco, and is not the gateway for the vlans.

I have port forwarded port 29000 from the router to 192.168.4.1 which is the 3750. Now I need to know how to get it to 192.168.4.42.

The inter VLAN routing is done at the 3750.

The 3750 is not doing NAT, just routing.

The WAN router has default routes to route each subnet back to the 3750.

NM

Hmm, not sure about this.

Here are my access lists, please would you suggest how I should amend it ?

Thanks again

!

ip subnet zero

ip routing

!

xxxx- non relevant details removed-xxxx

!

interface Vlan1

ip address 192.168.0.1 255.255.255.0

ip access-group 101 in

!

interface Vlan2

ip address 192.168.2.1 255.255.255.0

ip access-group 102 in

!

interface Vlan3

ip address 192.168.3.1 255.255.255.0

ip access-group 103 in

!

interface Vlan4

ip address 192.168.4.1 255.255.255.0

ip access-group 104 in

!

interface Vlan5

ip address 192.168.5.1 255.255.255.0

ip access-group 105 in

!

interface Vlan6

ip address 192.168.6.1 255.255.255.0

ip access-group 106 in

!

interface Vlan7

ip address 192.168.7.1 255.255.255.0

ip access-group 107 in

!

interface Vlan8

ip address 192.168.8.1 255.255.255.0

ip access-group 111 in

!

interface Vlan9

ip address 192.168.9.1 255.255.255.0

ip access-group 108 in

!

interface Vlan10

description Arqlink Vlan

ip address 192.168.10.1 255.255.255.0

ip access-group 109 in

!

ip classless

ip route 0.0.0.0 0.0.0.0 192.168.8.10

ip http server

!

access-list 101 permit ip any any

access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 102 deny   tcp 192.168.2.0 0.0.0.255 host 192.168.2.1 eq telnet

access-list 102 deny   tcp 192.168.2.0 0.0.0.255 host 192.168.2.1 eq www

access-list 102 deny   tcp 192.168.2.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 102 deny   tcp 192.168.2.0 0.0.0.255 host 192.168.8.1 eq www

access-list 102 deny   tcp 192.168.2.0 0.0.0.255 host 192.168.8.10 eq www

access-list 102 permit ip any any

access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 103 deny   ip 192.168.3.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 103 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.3.1 eq telnet

access-list 103 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.3.1 eq www

access-list 103 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 103 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.8.1 eq www

access-list 103 deny   tcp 192.168.3.0 0.0.0.255 host 192.168.8.10 eq www

access-list 103 permit ip any any

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 104 deny   ip 192.168.4.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.4.1 eq telnet

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.4.1 eq www

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.8.1 eq www

access-list 104 deny   tcp 192.168.4.0 0.0.0.255 host 192.168.8.10 eq www

access-list 104 permit ip any any

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 105 deny   ip 192.168.5.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 105 deny   tcp 192.168.5.0 0.0.0.255 host 192.168.5.1 eq telnet

access-list 105 deny   tcp 192.168.5.0 0.0.0.255 host 192.168.5.1 eq www

access-list 105 deny   tcp 192.168.5.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 105 deny   tcp 192.168.5.0 0.0.0.255 host 192.168.8.1 eq www

access-list 105 deny   tcp 192.168.5.0 0.0.0.255 host 192.168.8.10 eq www

access-list 105 permit ip any any

access-list 106 permit ip any any

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 107 deny   ip 192.168.7.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 107 deny   tcp 192.168.7.0 0.0.0.255 host 192.168.7.1 eq telnet

access-list 107 deny   tcp 192.168.7.0 0.0.0.255 host 192.168.7.1 eq www

access-list 107 deny   tcp 192.168.7.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 107 deny   tcp 192.168.7.0 0.0.0.255 host 192.168.8.1 eq www

access-list 107 deny   tcp 192.168.7.0 0.0.0.255 host 192.168.8.10 eq www

access-list 107 permit ip any any

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 108 deny   ip 192.168.9.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 108 deny   tcp 192.168.9.0 0.0.0.255 host 192.168.9.1 eq telnet

access-list 108 deny   tcp 192.168.9.0 0.0.0.255 host 192.168.9.1 eq www

access-list 108 deny   tcp 192.168.9.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 108 deny   tcp 192.168.9.0 0.0.0.255 host 192.168.8.1 eq www

access-list 108 deny   tcp 192.168.9.0 0.0.0.255 host 192.168.8.10 eq www

access-list 108 permit ip any any

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.3.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.5.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.6.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.7.0 0.0.0.255

access-list 109 deny   ip 192.168.10.0 0.0.0.255 192.168.9.0 0.0.0.255

access-list 109 deny   tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq telnet

access-list 109 deny   tcp 192.168.10.0 0.0.0.255 host 192.168.10.1 eq www

access-list 109 deny   tcp 192.168.10.0 0.0.0.255 host 192.168.8.1 eq telnet

access-list 109 deny   tcp 192.168.10.0 0.0.0.255 host 192.168.8.1 eq www

access-list 109 deny   tcp 192.168.10.0 0.0.0.255 host 192.168.8.10 eq www

access-list 109 permit ip any any

access-list 111 deny   ip host 192.168.8.2 192.168.3.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.2 192.168.4.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.2 192.168.5.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.2 192.168.7.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.2 192.168.9.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.2 192.168.10.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.2.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.3.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.4.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.5.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.7.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.9.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.8 192.168.10.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.11 192.168.2.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.11 192.168.3.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.11 192.168.4.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.11 192.168.5.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.11 192.168.7.0 0.0.0.255

access-list 111 deny   ip host 192.168.8.11 192.168.10.0 0.0.0.255

access-list 111 permit ip any any

Hi NM

as you have permitted all traffic other than the subnets of inside network. on switch wise u dont need to do anything.

permit IP any any

check on the router side as suggested by naidu. NAT/PAT prob.

Hi NM,

It is nothing to do with internal or between vlans as you want the server needs to be accessible from internet on the port 29000. So the way is NAT.

You said in your first post that "The Router provides NAT" what is that router model. Check if you can do NAT on that.

And for your information your 3750 switch which is gateway for your all VLAN's doesnt support NAT.


Please rate the helpfull posts.
Regards,
Naidu.

Hi, The router does provide NAT of course, for all of the routed subnets that come to it.

The router is NOT cisco and has a limited feature set.

The default route back to the subnet is VIA the Cisco 3750, so all traffic coming from the router goes to the 3750. The 3750 needs to transfer incoming traffic on 29000 to the server.

The router has a static route: 192.168.4.0, gateway 192.168.8.1

192.168.8.1 is the interface on the 3750 that connects to the router on 192.168.8.10.

If I port forward directly from the router, 29000 -> 192.168.4.42, it does not work.

Should I instead forward 29000 to 192.168.8.1 then have a rule on the 3750 ?

At present, none of this works, I can't access the server.

NM

Hi,

Yes it will be like that.
You have a default route 0.0.0.0 0.0.0.0 non-cisco-router-wanIP right?

If the router support NAT then why cant you check if you can configure NAT for this requirement.
What is that router model?


Please rate the helpfull posts.
Regards,
Naidu.

The router is a hybrid device, quite proprietary, and nothing you would know.

Actually, your answers have prompted me to check a few things, I have another port map set up to another device on another subnet and it's working, so probably the config is sound and it's the server or some other issue.

Let me look into it firther and post back.

Thanks again for the help.

NM

Dear all, thanks for the help - my bad, I was mistakenly given the connection as UDP, I tested with TCP and it worked, the config was correct all along.

:>)

NM

Hi NM,

I am little feeling uncomfortable with your rating.
Your actual post is to access one internal LAN server from WAN on port 2900 which is possible with NAT and for which I put my efforts and made clear about that but you didnt recognized it. Even the post to which you rated is said that to follow my suggestion.

But you rated to the post which is completely different answer to your actual post.
Please use the rating whcih will be gift for the whole efforts and time the contributor spent on it.

However feel good to post in CSC as there are lot of experts can help you.


Please rate the helpfull posts.
Regards,
Naidu.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: