Solved

Port Forwarding & DNS with a Cisco Router (WWW, DNS, FTP, etc.)

Posted on 2003-03-11
Last Modified: 2011-08-18
Hello!

Two basic parts that go hand in hand.

Unfortunately our CCNA training didn't cover running public services behind a router, etc.  I am attempting to run a Web Server behind a Cisco 806 Router at home.  I would like to forward the web traffic obviously.  In particular, I am looking for commands that would push port 80 destinations to the specific internal static address.  I've seen NAT, PAT and filters thrown around, however I am looking for the instructions that the router receives that cause it to forward that port.  I can see how the filters let it through, but is the incoming port 80 packet guided to the WS via NAT?  It's not clicking for some reason.  Need some definitive information.

Another note, and I am willing to share points with this other half;
DNS!  I presume that I set my www name to point to my DNS server in the "DMZ" area which then points to my internal IP for the WS in the DMZ as well.  My understanding is that the DNS inquiry gets shot over to my DNS server from the big DNS guys (after a user outside the LAN asks for my www name IP) and then is pushed through my Cisco Router via a "port forwarding" concept, then returns the requested www name-to-IP (public) to the inquirer.  Then they throw the port 80 traffic to the (in this case) same IP as the DNS came through, only to be pushed through to the web server by the router once again.  If this is correct then why is NOBODY asking how to get their web names directed to a self-hosted DNS server and they ask just how to push http through?  Anyone else notice that?  Where is the DNS process taking place?  When I registered my www name with InterNIC, it wanted DNS servers.  Is the router or something else performing DNS?  I've got a server ready for DNS and a web server.

So to recap;
1.)"Port Forwarding" concepts for a recent Cisco IOS
2.)Where the heck does DNS fit into my DMZ or inside ranges?

I can REALLY further clarify this if need be.  If you don't believe me about people ONLY asking for port 80 manipulation, then do a search for it.  You'll see what I mean.

I would like to award points based on a good, solid conceptual answer with a practical solution or an idea.  Please bear in mind that there is no open-source software or OS involved in my network.  Haven't picked that up yet.

Much thanks in advance!

Aaron
Question by:ARavoth
8 Comments
 
LVL 7

Expert Comment

by:pedrow
ID: 8117435
Hi-

Shall I assume that you've got a static outside IP address since you plan on hosting public services?

So, even if you're overloading (PAT) your outside public address, you can statically map outside address/ports to inside address/ports. So, to the world, it's this world-routable entity.

So, the static NAT translations that you would do would look like this (assuming 10.0.0.0/24 is your inside network and 1.2.3.4 is your outside one - 10.0.0.2=www, 10.0.0.3=dns):

ip nat inside source static tcp 10.0.0.2 80 1.2.3.4 80 extendable
!
ip nat inside source static udp 10.0.0.3 53 1.2.3.4 53 extendable

With this arrangement, you'll register your dns server as the outside address as you would your webserver.

It actually gets interesting at this point. You might want 'external' dns and 'internal' dns.

i.e. see if your service provider will host dns for your external domain and you can host your internal dns internally.

Externally, you'll want A records pointing to your outside address for www, dns and presumably your MX (or other services for that matter). Internally, you don't want to resolve to the external address, but the internal one. You kinda need to do something like this because if you use your internal webserver as a resource (for example), you don't really want it to resolve to the outside address of your router. Make sense?

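Pulling pedrow's two static maps into a complete 806 configuration, as an added example that is not from any poster in this thread: it assumes Ethernet0 is the inside LAN, Ethernet1 the ISP link, the 10.0.0.x / 1.2.3.4 placeholders from the post above (plus an assumed ISP gateway 1.2.3.1), and an IOS image with the firewall feature set for "ip inspect". The inbound access list is the part the bare NAT lines leave out: only the forwarded ports are reachable from outside, and because that list is evaluated before outside-to-inside translation it has to name the public address.

```cisco
! Added example, not from the thread. Cisco 806: Ethernet0 = inside LAN, Ethernet1 = ISP.
! Placeholder addresses from pedrow's post: inside 10.0.0.0/24, www = 10.0.0.2,
! dns = 10.0.0.3, one static public address 1.2.3.4 (ISP gateway 1.2.3.1 assumed).
! "ip inspect" (CBAC) assumes an IOS image that includes the firewall feature set.
!
ip inspect name myfw tcp
ip inspect name myfw udp
!
interface Ethernet0
 description inside LAN
 ip address 10.0.0.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description outside / ISP
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
 ip access-group 110 in
 ip inspect myfw out
!
! Outbound: all inside hosts share the single public address (PAT / overload).
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Ethernet1 overload
!
! Inbound: static port maps. Only these ports of 1.2.3.4 reach an inside host;
! "extendable" lets several maps share the one public address. An authoritative
! DNS server also needs tcp/53 (answers over 512 bytes, zone transfers).
ip nat inside source static tcp 10.0.0.2 80 1.2.3.4 80 extendable
ip nat inside source static udp 10.0.0.3 53 1.2.3.4 53 extendable
ip nat inside source static tcp 10.0.0.3 53 1.2.3.4 53 extendable
!
! The inbound ACL on Ethernet1 is checked BEFORE outside-to-inside translation,
! so it must match the public address, not 10.0.0.x. Everything else arriving
! from the Internet is dropped and logged; the inspect rule above opens the
! return path for sessions that the inside started (web browsing, the DNS
! server's own recursive lookups).
access-list 110 permit tcp any host 1.2.3.4 eq 80
access-list 110 permit udp any host 1.2.3.4 eq 53
access-list 110 permit tcp any host 1.2.3.4 eq 53
access-list 110 deny   ip any any log
!
ip route 0.0.0.0 0.0.0.0 1.2.3.1
```

On the router, "show ip nat translations" should list the three static entries, and "show ip inspect sessions" the return paths CBAC has opened for inside-initiated traffic.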
 

Author Comment

by:ARavoth
ID: 8142519
Sorry about the delay, and the answer is excellent.  I do need a small bit of clarification;

1.) I'm not using PAT currently, I don't think I need to but I'm not sure why it would be important to use in my situation.

2.) I've seen the statements warning about internal resolution to the outside (DMZ) www area being a security threat.  How, then, can I make my internal nodes see my web site?  It doesn't make sense to me to have an internal site that is replicated.  Would that mean I have to replicate the site for the inside people too?  Not sure if I am understanding that part.

3.) Also, I'm not sure if you're using a DMZ type of thing here.  If my internal is the 10. network and my DMZ is the 172. network and my outside router IP is 1.2.3.4, are you originally assuming that my WS and MX, etc. are actually on the inside?  

I'm REALLY sorry if I am overloading you.  If you believe that I am over-doing this question, then please answer what is pertaining to my issue here.  I really appreciate your help.

-Aaron
 

Author Comment

by:ARavoth
ID: 8142526
Oh yes;

1.) Yes, I have a static IP
2.) No, they won't do my DNS stuff.  I'm pretty much on my own with that.

-Aaron

 
LVL 7

Accepted Solution

by: pedrow (earned 800 total points)
ID: 8143704
What kind of routing and switching platforms do you use? It will help in making sound recommendations.

1) So do you have a separate block of routable addresses for your www/smtp/etc... boxes? If so, why bother with NAT at all? If you are going to use NAT, I tend to overload (PAT) to conserve routable addresses, except in cases where you have services that aren't port-aware (like GRE or ESP). Just addressing your webservers in routable address space will make things like DNS a whole lot easier and eliminate the possibility of NAT bugs causing outages.

2) I guess one could make an argument that DNS resolution can be a security threat...but in general, folks on the internet are gonna have an interesting time resolving RFC 1918 space hosts. I also think that it's a bunch of crap though because mapping names to addresses (or the lack thereof) isn't where security issues lie. It lies in what services you permit people to access and keeping current with the patch levels of those services. I mean, who cares if they can resolve the name of your internal printers...It may be prudent not to call your accounting servers things like wherewekeepourfinancialinfo.company.com, but that's not rocket science.

3) Yeah...I'm kinda making assumptions about your physical topology. Maybe you could do a little line drawing of where your networks lie, equipment you have available and a config or two. Maybe you have a true DMZ, or maybe it's just a bastion host LAN...dunno. Let us know :)
 

Expert Comment

by:nateepoo
ID: 8465739
ip nat inside source static zzz x.x.x.x yyy interface qq yyy

zzz = 'tcp' or 'udp'
x.x.x.x = IP address of the server (address to which the port is forwarded, a.k.a. inside local address)
yyy = the port number you want to forward
qq = name of the WAN interface ('Ethernet1' or 'Ethernet0' or something, abbreviated 'e1'/'e0'; its address is the inside global address)


try that out
 
LVL 79

Expert Comment

by:lrmoore
ID: 8637194
ARavoth,
No comment has been added lately (29 days), so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area for this question:

RECOMMENDATION: Award points to pedrow

Please leave any comments here within 7 days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Thanks,

lrmoore
EE Cleanup Volunteer
---------------------
If you feel that your question was not properly addressed, or that none of the comments received were appropriate answers, please post a request in Community support (with a link to this page) to refund your points. http://www.experts-exchange.com/Community_Support/
 

Expert Comment

by:earlchambers98
ID: 10117373
Use your web interface at 10.10.10.1.  There is no DMZ for this model, by the way.  You can use PAT in the web interface to set up local to public addresses.  If using the CLI then try something like this:

! Inspection rules referenced below by "ip inspect myfw out" (added so the config is complete)
ip inspect name myfw tcp
ip inspect name myfw udp
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Ethernet1
 ip address 24.199.240.18 255.255.255.252
 ip nat outside
 ip inspect myfw out
 no ip mroute-cache
 no cdp enable
!
! Inside hosts allowed to share the outside address (referenced by "list 102" below)
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
ip nat inside source list 102 interface Ethernet1 overload
! The forwarded host must be reachable through an inside interface
! (the LAN above is 10.10.10.0/24, so adjust the address to match your server)
ip nat inside source static tcp 192.168.0.7 80 interface Ethernet1 80
ip classless
ip route 0.0.0.0 0.0.0.0 24.199.240.13
! Web UI for the router; restrict it to the LAN with "ip http access-class <acl>"
ip http server
!