Solved

Port forwarding on Cisco 837

Posted on 2003-11-25
2,595 Views
Last Modified: 2008-02-01
OK people,

I have a Cisco 837 with the 12.3.(4)T IOS and the PLUS feature set.
I have also loaded SDM V1.0.1b.
My private network uses the 10.0.0.0/24 network address range.

I have configured the router so that my internal network can access the external network using NAT. I have also secured the external interface so that it doesn't respond to any external request.

Now, what I'm attempting to do is have say port 80 on the external interface forwarded to port 80 on my server(10.0.0.1)
I am also looking to get a couple of other ports (WinMX) on the external interface forwarded to my client PC.

How do I do this? I would preferably like to do this via SDM as this is how I have configured the router already, but am willing to do this via access-list commands. I know I will need to learn the IOS access-list commands for my CCNA, but was hoping to try doing this via SDM untill I can get to the relevant point in my self taught course.

Thanks
:-)
Question by:InteraX
6 Comments
 
LVL 16

Author Comment

by:InteraX
Would this example work?
http://www.ifm.net.nz/cookbooks/nat.html
 
LVL 18

Accepted Solution

by:
chicagoan earned 225 total points
First you'll have to set up static IP addresses for the web server and the box with WinMX.
You'll have to permit port 80 TCP for the web server, and 6257 UDP and 6699 TCP for WinMX.


<existing access list entries>
access-list 101 permit tcp any any eq 6699
access-list 101 permit udp any any eq 6257

access-list 101 permit tcp any any eq 80
<access-list 101 deny ip any host 255.255.255.255>


and forward the requests to the machines

ip nat inside source static udp <winmx address> 6257 interface <outside interface> 6257
ip nat inside source static tcp <winmx address> 6699 interface <outside interface> 6699

ip nat inside source static tcp <web server address> 80 interface <outside interface> 80

and apply the access list

interface <outside interface>
  ip access-group 101 in

or apply these entries through the browser interface.

WinMX works without those ports open, though I'm not sure how well.


 
LVL 16

Author Comment

by:InteraX
Thanks.
As the <outside interface> variable can I use dialer1?
 
LVL 7

Expert Comment

by:NicBrey
Yes, using dialer 1 is fine
 
LVL 7

Expert Comment

by:NicBrey
chicagoan's ip nat statements are on the money for the inbound port forwarding.

For your users to access the internet using NAT, you will need:

Access list defining internal network:
access-list 1 permit 192.168.0.0 0.0.0.255           <--- assuming here that your private addresses are in the 192.168.0.0 255.255.255.0 range.

NAT statement:
ip nat inside source list 1 interface dialer 1 overload


The access list 101 on the outside interface will not allow the internal users to get onto the internet as it is not going to allow anything through except the port forwarding NAT traffic.

suggest you add the following as the first line of the access-list:
access-list 101 permit tcp any any established

The established keyword only allows packets with the ACK or RST bit set through, meaning that a session was initiated from the internal network. If the SYN bit is set (someone from outside trying to establish a session), the packet will be discarded unless a match is found lower down the access-list.

The last line in brackets is not necessary. There is an implicit deny any any statement at the end of each access list.
It is only useful if you want to log what is denied, with the "log" keyword:

access-list 101 deny ip any any log
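Putting chicagoan's static forwards and NicBrey's overload NAT and established entries together, here is an added configuration example for the addressing given in the question (LAN 10.0.0.0/24, web server 10.0.0.1, outside interface Dialer1). It was not posted by anyone in the thread. Assumptions: the 837's LAN port is Ethernet0 with the router at 10.0.0.254, the WinMX PC is 10.0.0.10, and Dialer1 gets its address from the ISP by PPP negotiation.

```cisco
! Added example, not from the thread: the pieces the two answers describe,
! assembled for the question's addressing (LAN 10.0.0.0/24, web server
! 10.0.0.1, outside interface Dialer1). Assumptions: the 837 LAN port is
! Ethernet0 with the router at 10.0.0.254, and the WinMX PC is 10.0.0.10.
!
interface Ethernet0
 description Inside LAN
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
!
interface Dialer1
 description Outside (ISP-assigned address)
 ip address negotiated
 ip nat outside
 ip access-group 101 in
!
! Hosts allowed to share the Dialer1 address on the way out (PAT/overload)
access-list 1 permit 10.0.0.0 0.0.0.255
ip nat inside source list 1 interface Dialer1 overload
!
! Static port forwards (Dialer1:port -> inside host:port)
ip nat inside source static tcp 10.0.0.1 80 interface Dialer1 80
ip nat inside source static tcp 10.0.0.10 6699 interface Dialer1 6699
ip nat inside source static udp 10.0.0.10 6257 interface Dialer1 6257
!
! Inbound filter on Dialer1. For outside-to-inside packets IOS evaluates the
! inbound ACL before it translates the destination, so these lines match on
! the public Dialer1 address (hence "any" as the destination).
! Order: return traffic of inside-initiated TCP sessions first ("established"
! is valid only with tcp), then the forwarded ports, then log everything else.
! UDP has no ACK/RST bits, so replies to inside-initiated UDP traffic such as
! DNS need their own line; the DNS entry below is the minimum (assumed here).
access-list 101 permit tcp any any established
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any any eq 80
access-list 101 permit tcp any any eq 6699
access-list 101 permit udp any any eq 6257
access-list 101 deny ip any any log
```

Once applied, `show ip nat translations` should list the three static entries, and `show access-lists 101` shows a hit counter per line, which is the quickest way to tell whether an inbound probe is being dropped by the filter or is never reaching the translation.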
 
LVL 16

Author Comment

by:InteraX
Guys, I'm having some problems here.
Sorry it's been so long in replying properly, but I can't seem to get this to work.
When I have the access list statements in place, the ports are closed. I have used Shields Up on grc.com to test them. This is a good start. However, as soon as I put the NAT statements in, they seem to be back in stealth mode.
Any ideas?
