Solved

Port forwarding on Cisco 837

Posted on 2003-11-25
Last Modified: 2008-02-01
OK people,

I have a Cisco 837 with the 12.3.(4)T IOS and the PLUS feature set.
I have also loaded SDM V1.0.1b.
My private network uses the 10.0.0.0/24 network address range.

I have configured the router so that my internal network can access the external network using NAT. I have also secured the external interface so that it doesn't respond to any external request.

Now, what I'm attempting to do is have, say, port 80 on the external interface forwarded to port 80 on my server (10.0.0.1).
I am also looking to get a couple of other ports (WinMX) on the external interface forwarded to my client PC.

How do I do this? I would preferably like to do this via SDM as this is how I have configured the router already, but am willing to do this via access-list commands. I know I will need to learn the IOS access-list commands for my CCNA, but was hoping to try doing this via SDM until I can get to the relevant point in my self-taught course.

Thanks
:-)
0
Comment
Question by:InteraX
6 Comments
 
LVL 16

Author Comment

by:InteraX
ID: 9816936
Would this example work?
http://www.ifm.net.nz/cookbooks/nat.html
0
 
LVL 18

Accepted Solution

by:
chicagoan earned 225 total points
ID: 9817235
First you'll have to set up static IP addresses for the web server and the box with WinMX.
You'll have to permit port 80 TCP for the web server, 6257 UDP and 6699 TCP for WinMX.


<existing access list entries>
access-list 101 permit tcp any any eq 6699
access-list 101 permit udp any any eq 6257

access-list 101 permit tcp any any eq 80
<access-list 101 deny ip any host 255.255.255.255>


and forward the requests to the machines

ip nat inside source static udp <winmx address> 6257 interface <outside interface> 6257
ip nat inside source static tcp <winmx address> 6699 interface <outside interface> 6699

ip nat inside source static tcp <web server address> 80 interface <outside interface> 80

and apply the access list

interface <outside interface>
  ip access-group 101 in

or apply these entries through the browser interface.

WinMX works without those ports open, though I'm not sure how well.


0
 
LVL 16

Author Comment

by:InteraX
ID: 9817240
Thanks.
As the <outside interface> variable can I use dialer1?
0

 
LVL 7

Expert Comment

by:NicBrey
ID: 9817266
Yes, using dialer 1 is fine
0
 
LVL 7

Expert Comment

by:NicBrey
ID: 9817346
The ip nat statements of chicagoan are on the money for the inbound port forwarding.

For your users to access the internet using NAT, you will need:

Access list defining internal network:
access-list 1 permit 192.168.0.0 0.0.0.255   <--- assuming here that your private addresses are in the 192.168.0.0 255.255.255.0 range.

NAT statement:
ip nat inside source list 1 interface dialer 1 overload


The access list 101 on the outside interface will not allow the internal users to get onto the internet as it is not going to allow anything through except the port forwarding NAT traffic.

Suggest you add the following as the first line of the access-list:
access-list 101 permit tcp any any established

The established keyword only allows packets with the ACK or RST bit set through, meaning that a session was initiated from the internal network. If the SYN bit is set (someone from outside trying to establish a session), the packet will be discarded unless a match is found lower down the access-list.

The last line in brackets is not necessary. There is an implicit deny any any statement at the end of each access list.
It is only useful if you want to log what is denied with the "log" keyword:

access-list 101 deny ip any any log





 
0
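An added example (not part of the thread and not Cisco code): a simplified Python model of first-match evaluation for access-list 101 as posted above, with the `established` entry placed first. The packets are constructed, and the model assumes only protocol, destination port and TCP flags matter and that `established` is a TCP-only match.

```python
# Added illustration: simplified first-match model of access-list 101 (constructed packets).
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    dport: int                      # destination port
    flags: frozenset = frozenset()  # TCP flags that are set

@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (any protocol)
    dport: Optional[int] = None     # None = any port
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("ip", p.proto):
            return False
        # "established" matches only segments with ACK or RST set
        if self.established and not (p.flags & {"ACK", "RST"}):
            return False
        return self.dport in (None, p.dport)

ACL_101 = [
    Rule("permit", "tcp", established=True),  # replies to inside-initiated TCP
    Rule("permit", "tcp", 6699),              # WinMX
    Rule("permit", "udp", 6257),              # WinMX
    Rule("permit", "tcp", 80),                # web server
]

def evaluate(acl, pkt):
    """Return (action, matching line number); first match wins."""
    for n, rule in enumerate(acl, 1):
        if rule.matches(pkt):
            return rule.action, n
    return "deny", None                       # implicit deny at the end

SAMPLES = {
    "SYN to web server": Packet("tcp", 80, frozenset({"SYN"})),
    "ACK reply to inside client": Packet("tcp", 51000, frozenset({"ACK"})),
    "unsolicited SYN to port 23": Packet("tcp", 23, frozenset({"SYN"})),
    "WinMX UDP": Packet("udp", 6257),
    "UDP reply to inside client": Packet("udp", 51000),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:30} {evaluate(ACL_101, pkt)}")
```

In this model, UDP replies to inside-initiated requests fall through to the implicit deny, because the `established` entry looks only at TCP flags.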
 
LVL 16

Author Comment

by:InteraX
ID: 9850598
Guys, I'm having some problems here.
Sorry it's been so long in replying properly, but I can't seem to get this to work.
When I have the access list statements in place, the ports are closed. I have used shields-up on grc.com to test them. This is a good start. However, as soon as I put the nat statements in, they seem to be back in stealth mode.
Any ideas?
0
