  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2622

Port forwarding on Cisco 837

OK people,

I have a Cisco 837 with the 12.3.(4)T IOS and the PLUS feature set.
I have also loaded SDM V1.0.1b.
My private network uses the 10.0.0.0/24 network address range.

I have configured the router so that my internal network can access the external network using NAT. I have also secured the external interface so that it doesn't respond to any external request.

Now, what I'm attempting to do is have, say, port 80 on the external interface forwarded to port 80 on my server (10.0.0.1).
I am also looking to get a couple of other ports (WinMX) on the external interface forwarded to my client PC.

How do I do this? I would preferably like to do this via SDM, as this is how I have configured the router already, but am willing to do this via access-list commands. I know I will need to learn the IOS access-list commands for my CCNA, but was hoping to try doing this via SDM until I can get to the relevant point in my self-taught course.

Thanks
:-)
Asked by InteraX
1 Solution
InteraX (Author) commented:
Would this example work?
http://www.ifm.net.nz/cookbooks/nat.html

chicagoan commented:
First you'll have to set up static IP addresses for the web server and the box with WinMX.
You'll have to permit port 80 TCP for the web server, and 6257 UDP and 6699 TCP for WinMX.


<existing access-list entries>
access-list 101 permit tcp any any eq 6699
access-list 101 permit udp any any eq 6257

access-list 101 permit tcp any any eq 80
<access-list 101 deny ip any host 255.255.255.255>


and forward the requests to the machines

ip nat inside source static udp <winmx address> 6257 interface <outside interface> 6257
ip nat inside source static tcp <winmx address> 6699 interface <outside interface> 6699

ip nat inside source static tcp <web server address> 80 interface <outside interface> 80

and apply the access list

interface <outside interface>
  ip access-group 101 in

or apply these entries through the browser interface.

WinMX works without those ports open, though I'm not sure how well.



InteraX (Author) commented:
Thanks.
As the <outside interface> variable, can I use dialer1?

NicBrey commented:
Yes, using dialer 1 is fine.

NicBrey commented:
The ip nat statements of chicagoan are on the money for the inbound port forwarding.

For your users to access the internet using NAT, you will need:

Access list defining internal network:
access-list 1 permit 192.168.0.0 0.0.0.255           <--- assuming here that your private addresses are in the 192.168.0.0 255.255.255.0 range.

NAT statement:
ip nat inside source list 1 interface dialer 1 overload


The access list 101 on the outside interface will not allow the internal users to get onto the internet, as it is not going to allow anything through except the port forwarding NAT traffic.

I suggest you add the following as the first line of the access-list:
access-list 101 permit ip any any established

The established keyword only allows packets with the ACK or RST bit set through, meaning that a session was initiated from the internal network. If the SYN bit is set (someone from outside trying to establish a session), the packet will be discarded unless a match is found lower down the access-list.

The last line in brackets is not necessary. There is an implicit deny any any statement at the end of each access list.
It is only useful if you want to log what is denied, with the "log" keyword:

access-list 101 deny ip any any log
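Putting chicagoan's inbound static NAT lines and NicBrey's outbound NAT and "established" advice together, here is an added, complete IOS configuration fragment for the addressing the asker actually stated (10.0.0.0/24 inside, web server 10.0.0.1). It is not from anyone in the thread. Assumptions beyond the thread: the LAN sits on Ethernet0 with the router at 10.0.0.254, Dialer1 is the outside interface as agreed above, and the WinMX client is 10.0.0.10 (a placeholder). Two caveats worth knowing: IOS accepts the established keyword only on tcp entries, not ip, so the first line is written as permit tcp; and established is not stateful, it just matches ACK/RST flags, so UDP replies such as DNS answers need their own permit line or name resolution from the LAN will break once the inbound ACL is applied.

```cisco
! Added example, not posted in this thread.
! Assumed: Ethernet0 = inside LAN 10.0.0.0/24 (router 10.0.0.254), Dialer1 = outside,
! web server 10.0.0.1, WinMX client 10.0.0.10 (placeholder address).
! Dialer1's existing PPP/IP settings from SDM are left untouched.
!
! Outbound NAT overload: which inside sources may be translated to Dialer1's address
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Inbound port forwards (static PAT on the dialer's public address)
ip nat inside source static tcp 10.0.0.1 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.10 6699 interface Dialer1 6699
ip nat inside source static udp 10.0.0.10 6257 interface Dialer1 6257
!
! Inbound filter on the outside interface. Order matters: first match wins.
! 'established' is only valid on tcp entries; it permits ACK/RST packets, i.e. replies
! to TCP sessions opened from the LAN. It does not cover UDP, hence the DNS reply line.
access-list 101 permit tcp any any established
access-list 101 permit udp any eq 53 any
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 6699
access-list 101 permit udp any any eq 6257
access-list 101 deny ip any any log
!
interface Ethernet0
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
interface Dialer1
 ip nat outside
 ip access-group 101 in
```

Inbound traffic arriving on Dialer1 is checked against access-list 101 before the outside-to-inside NAT translation is applied, so the ACL sees the public destination address; with any as the destination that makes no difference here, but it matters if you later tighten the destination. To check what is actually happening, show ip nat translations lists the static entries (and any active translations), and show access-lists 101 shows per-line hit counters, which tells you whether an inbound probe is being matched by the permit line or falling through to the logged deny.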
InteraX (Author) commented:
Guys, I'm having some problems here.
Sorry it's been so long in replying properly, but I can't seem to get this to work.
When I have the access-list statements in place, the ports are closed. I have used ShieldsUP on grc.com to test them. This is a good start. However, as soon as I put the nat statements in, they seem to be back in stealth mode.
Any ideas?